On Thu, 2017-11-16 at 09:53 +0100, Daniel Berteaud via samba wrote:
> On Thursday, November 16, 2017 09:35 CET, Rowland Penny <rpenny at samba.org> wrote:
>
> > This may have nothing to do with Samba, if you are running sssd, then
> > this will be doing the authentication.
>
> sssd was providing the NSS -> LDAP layer, just like nss-ldap would do
> (it also provides a pam module equivalent to pam-ldap for UNIX
> accounts)
>
> > If you are running sssd, try turning it off and use Samba instead,
> > see if this fixes your problem.
>
> But unlike nss-ldap, sssd does provide some caching mechanism; that's
> why I think it's this part which breaks something.
>
> Switching to nss-ldap+pam-ldap instead of sssd makes everything
> work. I just don't understand why. How can this make samba
> ignore "add machine script" and instead try to create the entry
> directly?

This is executed when the posix account doesn't exist, so it depends on
the return value of getpwnam(), which in turn makes nss calls.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On 16/11/2017 at 19:30, Andrew Bartlett via samba wrote:
>
> > But unlike nss-ldap, sssd does provide some caching mechanism; that's
> > why I think it's this part which breaks something.
> >
> > Switching to nss-ldap+pam-ldap instead of sssd makes everything
> > work. I just don't understand why. How can this make samba
> > ignore "add machine script" and instead try to create the entry
> > directly?
>
> This is executed when the posix account doesn't exist, so it depends on
> the return value of getpwnam(), which in turn makes nss calls.

It's still not very clear to me. When the posix account does not exist,
samba should call the "add machine script". But in my case, the account
didn't exist, but instead of calling add machine script, samba tried
to create the user directly in the LDAP tree, not through my custom
script. It's this part that I don't understand.

++

-- 
Daniel Berteaud
FIREWALL-SERVICES SAS.
Société de Services en Logiciels Libres
Tel : 05 56 64 15 32
Matrix: @dani:fws.fr
www.firewall-services.com
On Fri, 2017-11-17 at 09:03 +0100, Daniel Berteaud via samba wrote:
> On 16/11/2017 at 19:30, Andrew Bartlett via samba wrote:
> >
> > > But unlike nss-ldap, sssd does provide some caching mechanism; that's
> > > why I think it's this part which breaks something.
> > >
> > > Switching to nss-ldap+pam-ldap instead of sssd makes everything
> > > work. I just don't understand why. How can this make samba
> > > ignore "add machine script" and instead try to create the entry
> > > directly?
> >
> > This is executed when the posix account doesn't exist, so it depends on
> > the return value of getpwnam(), which in turn makes nss calls.
>
> It's still not very clear to me. When the posix account does not exist,
> samba should call the "add machine script". But in my case, the account
> didn't exist, but instead of calling add machine script, samba tried
> to create the user directly in the LDAP tree, not through my custom
> script. It's this part that I don't understand.

The two parts are de-coupled, we add entries to LDAP if they don't
exist. This is independent of the add user script.

The only time we combine it all is with the editposix thing, which in
hindsight is what we should have done by default all along.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
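An added diagnostic for the point Andrew makes in his two replies above (this is example code written for this page, not Samba's own code and not something anyone in the thread posted): Samba only runs `add machine script` when getpwnam() fails, and getpwnam() answers with whatever NSS says, so with sssd in nsswitch.conf the answer comes from sssd's cache rather than straight from the directory. The script below asks NSS the same question for a machine account, shows the answer per NSS source so a cached sssd view can be compared with the `ldap` module's view, and flushes sssd's cache before a retry. It assumes glibc's `getent` (for the `-s` source selector) and sssd's `sss_cache` tool; the host names used are placeholders. It does not model the second, decoupled path Andrew describes, where ldapsam writes the LDAP entry itself.

```shell
#!/bin/sh
# Example diagnostic (not Samba code): reproduce the getpwnam() decision
# that gates "add machine script", and compare what each NSS source says.

# posix_account_exists NAME -> 0 if getpwnam(NAME) would succeed through
# the NSS sources configured in /etc/nsswitch.conf (sssd, ldap, files...)
posix_account_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# machine_account_name HOST -> the POSIX name Samba looks up, i.e. "HOST$"
machine_account_name() {
    printf '%s$' "$1"
}

# samba_would_run_add_machine_script HOST -> 0 when the POSIX account is
# not visible through NSS (so Samba would call the script), 1 when it is
# (so Samba skips the script, even if the directory entry is stale/cached)
samba_would_run_add_machine_script() {
    if posix_account_exists "$(machine_account_name "$1")"; then
        return 1
    fi
    return 0
}

# compare_nss_sources NAME: ask each NSS module directly (glibc getent -s)
# so a stale or negative sssd cache entry shows up as "sss: not found"
# while "ldap: found" (or the reverse). Assumes both modules are installed.
compare_nss_sources() {
    for src in files sss ldap; do
        if getent -s "$src" passwd "$1" >/dev/null 2>&1; then
            printf '%-5s : found\n' "$src"
        else
            printf '%-5s : not found\n' "$src"
        fi
    done
}

# flush_sssd_cache: invalidate all of sssd's cached entries (sss_cache -E)
# so the next getpwnam() goes back to the directory.
flush_sssd_cache() {
    command -v sss_cache >/dev/null 2>&1 && sss_cache -E
}

# Usage: ./nss_machine_check.sh WKS01   (WKS01 is a placeholder host name)
if [ -n "$1" ]; then
    name=$(machine_account_name "$1")
    compare_nss_sources "$name"
    if samba_would_run_add_machine_script "$1"; then
        echo "$name: not in NSS, Samba would run 'add machine script'"
    else
        echo "$name: visible via NSS, Samba will skip 'add machine script'"
    fi
fi
```

Run it before and after a failed join: if `sss` and `ldap` disagree for `HOST$`, the cache is the layer Samba is seeing, and `flush_sssd_cache` (or stopping sssd, as Rowland suggests) is the first thing to try before looking at the script or the LDAP ACLs.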
On Fri, 17 Nov 2017 09:03:25 +0100
Daniel Berteaud via samba <samba at lists.samba.org> wrote:

> On 16/11/2017 at 19:30, Andrew Bartlett via samba wrote:
> >
> > > But unlike nss-ldap, sssd does provide some caching mechanism; that's
> > > why I think it's this part which breaks something.
> > >
> > > Switching to nss-ldap+pam-ldap instead of sssd makes everything
> > > work. I just don't understand why. How can this make samba
> > > ignore "add machine script" and instead try to create the entry
> > > directly?
> >
> > This is executed when the posix account doesn't exist, so it
> > depends on the return value of getpwnam(), which in turn makes nss
> > calls.
>
> It's still not very clear to me. When the posix account does not
> exist, samba should call the "add machine script". But in my case,
> the account didn't exist, but instead of calling add machine
> script, samba tried to create the user directly in the LDAP tree, not
> through my custom script. It's this part that I don't understand.
>
> ++
>

I think the problem was that you were using sssd (which has nothing to
do with Samba), it is quite possible that this tried to create the
machine account and couldn't (did you read the sssd logs ?). It is also
quite possible that sssd stopped smbd creating the machine account, so
when (possibly) sssd tried and failed, further code in Samba realised
the machine account didn't exist and tried to create it and couldn't
because of your ACLs.

nss-ldap is a much simpler program than sssd and probably doesn't have
any code to create anything, just read from ldap.

There have been a lot of questions on here asking about problems when
using sssd with Samba, most of which have been fixed by the simple means
of stopping using sssd. The only place I would consider using sssd is on
a DC and this only because there is an open bug report about winbind not
obtaining the full rfc2307 attributes from AD. This hasn't been fixed
yet because the main devs are fixing other, more urgent, problems.
Rowland