samba - Feb 2013 - Problem with User and Group Ownership listing

I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools.  I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.

When I do a listing of a share directory that should have user and group
ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
than the UIDs and GIDs.

    [root at edgar2 openldap]# ls -l /data/home | tail
    drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
    drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
    drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
    drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
    drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
    drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5

Other details:  centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
/etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. 
And selinux is off.

I know the machine is successfully connecting to LDAP.  An ldapsearch
works from this machine, and I can even connect to a samba share with an
ldap login through smbclient.

Relevant parts of /etc/nsswitch:

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
   
    #hosts:     db files nisplus nis dns
    hosts:      files dns
   
    bootparams: nisplus [NOTFOUND=return] files
   
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files ldap
    rpc:        files
    services:   files ldap
   
    netgroup:   nisplus ldap
    #netgroup:   ldap
   
    publickey:  nisplus
   
    automount:  files nisplus ldap
    #automount:  files ldap
    aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

    host dir1.ourdomain.com
    base dc=.ourdomain,dc=com
    #uri ldaps://dir1.ourdomain.com
    uri ldap://dir1.ourdomain.com
   
    # basic auth config
    binddn cn=admin,dc=ourdomain,dc=com
    rootbinddn cn=admin,dc=ourdomain,dc=com
   
    # random stuff
    #timelimit 120
    #bind_timelimit 120
    #bind_policy hard
    # brought these times down wmodes Aug 11, 2008
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap
   
    # pam config
    #pam_password md5
    pam_password md5
   
    # config for nss
    nss_base_passwd ou=people,dc=ourdomain,dc=com?one
    nss_base_shadow ou=people,dc=ourdomain,dc=com?one
    nss_base_group  ou=group,dc=ourdomain,dc=com?one
   
    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl no
   
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    #tls_checkpeer yes
   
    # CA certificates for server certificate verification
    tls_cacertfile /etc/openldap/cacerts/cacert.pem
    tls_cacertdir /etc/openldap/cacerts
   
    # Client certificate and key
    tls_cert /etc/openldap/cacerts/servercert.pem
    tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
   
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so
   
    password    requisite     pam_cracklib.so try_first_pass retry=3 type   
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
   
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

    USELDAP=yes

Any thoughts?  For those who are experienced with nis and pam, I'm sure
this is a no brainer, but I could sure use the little bit of your brain
that knows how to fix this.

Wes

-- 
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz

I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools.  I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.

When I do a listing of a share directory that should have user and group
ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
than the UIDs and GIDs.

    [root at edgar2 openldap]# ls -l /data/home | tail
    drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
    drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
    drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
    drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
    drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
    drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5

Other details:  centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
/etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. 
And selinux is off.

I know the machine is successfully connecting to LDAP.  An ldapsearch
works from this machine, and I can even connect to a samba share with an
ldap login through smbclient.

Relevant parts of /etc/nsswitch:

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
   
    #hosts:     db files nisplus nis dns
    hosts:      files dns
   
    bootparams: nisplus [NOTFOUND=return] files
   
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files ldap
    rpc:        files
    services:   files ldap
   
    netgroup:   nisplus ldap
    #netgroup:   ldap
   
    publickey:  nisplus
   
    automount:  files nisplus ldap
    #automount:  files ldap
    aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

    host dir1.ourdomain.com
    base dc=.ourdomain,dc=com
    #uri ldaps://dir1.ourdomain.com
    uri ldap://dir1.ourdomain.com
   
    # basic auth config
    binddn cn=admin,dc=ourdomain,dc=com
    rootbinddn cn=admin,dc=ourdomain,dc=com
   
    # random stuff
    #timelimit 120
    #bind_timelimit 120
    #bind_policy hard
    # brought these times down wmodes Aug 11, 2008
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap
   
    # pam config
    #pam_password md5
    pam_password md5
   
    # config for nss
    nss_base_passwd ou=people,dc=ourdomain,dc=com?one
    nss_base_shadow ou=people,dc=ourdomain,dc=com?one
    nss_base_group  ou=group,dc=ourdomain,dc=com?one
   
    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl no
   
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    #tls_checkpeer yes
   
    # CA certificates for server certificate verification
    tls_cacertfile /etc/openldap/cacerts/cacert.pem
    tls_cacertdir /etc/openldap/cacerts
   
    # Client certificate and key
    tls_cert /etc/openldap/cacerts/servercert.pem
    tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
   
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so
   
    password    requisite     pam_cracklib.so try_first_pass retry=3 type   
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
   
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

    USELDAP=yes

Any thoughts?  For those who are experienced with nis and pam, I'm sure
this is a no brainer, but I could sure use the little bit of your brain
that knows how to fix this.

Wes

-- 
Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz