On Thu, 16 Nov 2017 08:20:03 +0100
Daniel Berteaud via samba <samba at lists.samba.org> wrote:

> Now, the "funny" thing is that, it did work, something like 3 times
> in over 50 tries. It's not just the config because, once it worked, I
> removed the same workstation from the domain, removed the LDAP entry,
> made no configuration change, no service restart and tried again,
> without success. It might be related to some caching effect of sssd,
> I need to dig a bit deeper.
>
> Regards, Daniel
>

This may have nothing to do with Samba, if you are running sssd, then
this will be doing the authentication.

If you are running sssd, try turning it off and use Samba instead, see
if this fixes your problem.

Rowland

On Thursday, November 16, 2017 09:35 CET, Rowland Penny <rpenny at samba.org> wrote:

>
> This may have nothing to do with Samba, if you are running sssd, then
> this will be doing the authentication.

sssd was providing the NSS -> LDAP layer, just like nss-ldap would do
(it also provides a pam module equivalent to pam-ldap for UNIX accounts)

> If you are running sssd, try turning it off and use Samba instead, see
> if this fixes your problem.

But unlike nss-ldap, sssd does provide some caching mechanism, that's
why I think it's this part which breaks something.

Switching to nss-ldap+pam-ldap instead of sssd makes everything work.
I just don't understand why. How can this make samba ignore
"add machine script" and instead try to create the entry directly?

Anyway, it's working now, even if I don't understand why.

Regards, Daniel

--
Daniel Berteaud
FIREWALL-SERVICES SAS.
Free Software Services Company
Tel : 05 56 64 15 32
Visio: https://vroom.fws.fr/dani
Web : http://www.firewall-services.com

On Thu, 2017-11-16 at 09:53 +0100, Daniel Berteaud via samba wrote:

> On Thursday, November 16, 2017 09:35 CET, Rowland Penny <rpenny at samba.org> wrote:
> >
> > This may have nothing to do with Samba, if you are running sssd, then
> > this will be doing the authentication.
>
> sssd was providing the NSS -> LDAP layer, just like nss-ldap would do
> (it also provides a pam module equivalent to pam-ldap for UNIX
> accounts)
>
> > If you are running sssd, try turning it off and use Samba instead,
> > see if this fixes your problem.
>
> But unlike nss-ldap, sssd does provide some caching mechanism, that's
> why I think it's this part which breaks something.
>
> Switching to nss-ldap+pam-ldap instead of sssd makes everything
> work. I just don't understand why. How can this make samba
> ignore "add machine script" and instead try to create the entry
> directly?

This is executed when the posix account doesn't exist, so it depends on
the return value of getpwnam(), which in turn makes nss calls.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
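
A small diagnostic for the point made in the last reply, added here as an example (it is not Samba code and not from any poster in this thread): it asks NSS the same question through getpwnam_r() and reports whether the machine account is visible, so it can be run before and after deleting the LDAP entry to see whether a caching NSS provider still answers. The function names are hypothetical, and the `<host>$` account naming is an assumption about the setup.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum acct_state { ACCT_ERROR = -1, ACCT_MISSING = 0, ACCT_EXISTS = 1 };

/* Build "<host>$" (assumed machine account naming); returns 0 on success, -1 if it does not fit. */
int machine_account_name(const char *host, char *out, size_t outlen)
{
    size_t n = strlen(host);
    int has_dollar = n > 0 && host[n - 1] == '$';
    if (n == 0 || n + (has_dollar ? 1 : 2) > outlen)
        return -1;
    snprintf(out, outlen, "%s%s", host, has_dollar ? "" : "$");
    return 0;
}

/* Ask NSS (files, ldap, sss, ... per nsswitch.conf) whether the account exists. */
enum acct_state nss_lookup(const char *name)
{
    struct passwd pw, *res = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;
    char *buf = malloc(len);
    int rc;
    if (buf == NULL)
        return ACCT_ERROR;
    while ((rc = getpwnam_r(name, &pw, buf, len, &res)) == ERANGE) {
        char *bigger = realloc(buf, len *= 2);  /* entry larger than buffer: grow and retry */
        if (bigger == NULL) { free(buf); return ACCT_ERROR; }
        buf = bigger;
    }
    free(buf);
    if (res != NULL)
        return ACCT_EXISTS;
    /* rc == 0 with no entry is a clean "not found"; some modules report ENOENT/ESRCH. */
    return (rc == 0 || rc == ENOENT || rc == ESRCH) ? ACCT_MISSING : ACCT_ERROR;
}

int main(int argc, char **argv)
{
    char acct[256];
    if (argc != 2 || machine_account_name(argv[1], acct, sizeof acct) != 0)
        return fprintf(stderr, "usage: %s <workstation-name>\n", argv[0]), 2;
    for (int i = 0; i < 5; i++) {           /* poll a few times to expose cached answers */
        printf("lookup %d of %s: %d\n", i + 1, acct, nss_lookup(acct));
        sleep(2);
    }
    return 0;
}
```

A printed state of 1 after the LDAP entry has been removed means the NSS layer is still reporting the account as present.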