Rowland Penny
2022-Sep-23 10:39 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
On 23/09/2022 11:31, Alexander Harm || ApfelQ via samba wrote:
> I couldn't help myself but dig some more. I compared the ldif as suggested and they are identical. From what I gather, the results that LDAP returns are fine but the process fails at a non-LDAP stage:
>
> The LDAP server is successfully connected
> pdb backend ldapsam:ldap://ldap1.example.com has a valid init
> smbldap_search_ext: base => [dc=example,dc=com], filter => [(&(uid=johndoe)(objectclass=sambaSamAccount))], scope => [2]
> init_sam_from_ldap: Entry found for user: johndoe
> pdb_set_username: setting username johndoe, was
> pdb_set_domain: setting domain EXAMPLE, was
> pdb_set_nt_username: setting nt username johndoe, was
> pdb_set_user_sid_from_string: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
> pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
> attribute sambaLogonTime does not exist
> attribute sambaLogoffTime does not exist
> attribute sambaPwdCanChange does not exist
> pdb_set_full_name: setting full name Doe, John, was
> pdb_set_dir_drive: setting dir drive E:, was NULL
> pdb_set_homedir: setting home dir \\univers\homes, was
> pdb_set_logon_script: setting logon script johndoe, was
> attribute sambaProfilePath does not exist
> pdb_set_profile_path: setting profile path , was
> attribute description does not exist
> attribute sambaUserWorkstations does not exist
> attribute sambaMungedDial does not exist
> attribute sambaLMPassword does not exist
> Opening cache file at /var/lib/samba/lock/gencache.tdb
> attribute sambaBadPasswordCount does not exist
> attribute sambaBadPasswordTime does not exist
> attribute sambaLogonHours does not exist
> Opening cache file at /var/lib/samba/login_cache.tdb
> Looking up login cache for user johndoe
> No cache entry found
> No cache entry, bad count = 0, bad time = 0
> Finding user johndoe
> Trying _Get_Pwnam(), username as lowercase is johndoe
> Trying _Get_Pwnam(), username as uppercase is JOHNDOE
> Checking combinations of 0 uppercase letters in johndoe
> Get_Pwnam_internals didn't find user [johndoe]!
> Failed to find a Unix account for johndoe
> pdb_set_username: setting username johndoe, was
> pdb_set_domain: setting domain EXAMPLE, was
> pdb_set_nt_username: setting nt username johndoe, was
> pdb_set_full_name: setting full name Doe, John, was
> pdb_set_homedir: setting home dir \\univers\homes, was
> pdb_set_dir_drive: setting dir drive E:, was NULL
> pdb_set_logon_script: setting logon script johndoe, was
> pdb_set_profile_path: setting profile path , was
> pdb_set_workstations: setting workstations , was
> pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
> pdb_set_user_sid_from_rid:
> setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 from rid 25724
> Unix username: johndoe
> NT username: johndoe
> Account Flags: [U ]
> User SID: S-1-5-21-1926693724-44905045-1282156110-25724
> Finding user johndoe
> Trying _Get_Pwnam(), username as lowercase is johndoe
> Trying _Get_Pwnam(), username as uppercase is JOHNDOE
> Checking combinations of 0 uppercase letters in johndoe
> Get_Pwnam_internals didn't find user [johndoe]!
> Failed to find a Unix account for johndoe
>
> So where the two differ are here:
>
> Finding user johndoe
> Trying _Get_Pwnam(), username as lowercase is johndoe
> Trying _Get_Pwnam(), username as uppercase is JOHNDOE
> Checking combinations of 0 uppercase letters in johndoe
> Get_Pwnam_internals didn't find user [johndoe]!
> Failed to find a Unix account for johndoe
>
> and on the old server it just returns the user straight away. Is that a problem of PAM configuration?

I take it that you are running winbind, but what is in /etc/nsswitch.conf ?

Rowland
Alexander Harm || ApfelQ
2022-Sep-23 10:46 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
No, winbind is not running.

#/etc/nsswitch.conf
passwd: files ldap
group: files ldap

> On Friday, Sep 23, 2022 at 12:39 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> I take it that you are running winbind, but what is in /etc/nsswitch.conf ?
>
> Rowland
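
Added example (not part of either poster's message, and not Samba code): a small triage script for the symptom in this thread, where the passdb lookup finds the `sambaSamAccount` entry but the Unix account lookup fails. It assumes the log message formats quoted above; the function names are hypothetical and the sample inputs are constructed from the thread.

```python
import pwd
import re

# Constructed sample, abridged from the smbd debug output quoted in the thread.
SAMPLE_LOG = """\
init_sam_from_ldap: Entry found for user: johndoe
pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
Finding user johndoe
Trying _Get_Pwnam(), username as lowercase is johndoe
Get_Pwnam_internals didn't find user [johndoe]!
Failed to find a Unix account for johndoe
"""
# The passwd/group lines as posted in the reply.
SAMPLE_NSSWITCH = "#/etc/nsswitch.conf\npasswd: files ldap\ngroup: files ldap\n"

def passdb_ok_nss_failed(log_text):
    """Users whose LDAP passdb entry was found but whose Unix lookup failed."""
    found = set(re.findall(r"init_sam_from_ldap: Entry found for user: (\S+)", log_text))
    failed = set(re.findall(r"Failed to find a Unix account for (\S+)", log_text))
    return sorted(found & failed)

def nss_sources(nsswitch_text, database="passwd"):
    """Ordered sources for one nsswitch.conf database, ignoring [STATUS=action] items."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            spec = re.sub(r"\[[^\]]*\]", " ", line.split(":", 1)[1])
            return spec.split()
    return []

def resolves_via_nss(user):
    """True if getpwnam() on this host returns the account (same path as 'getent passwd')."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False

def triage(log_text, nsswitch_text):
    """One row per affected user: which NSS sources apply and whether the name resolves now."""
    sources = nss_sources(nsswitch_text)
    return [{"user": u, "passwd_sources": sources, "resolves_here": resolves_via_nss(u)}
            for u in passdb_ok_nss_failed(log_text)]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_NSSWITCH):
        print(row)
```

A row with `resolves_here` false and `ldap` among `passwd_sources` places the failure in the host's name-service lookup for that source, not in the passdb search.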