User in passdb, but getpwnam() fails!

9k views Asked by At

Attempting to set up Samba + OpenLDAP using nss_ldap.

After joining Windows7 to Samba stand alone PDC, I can not login with a domain account unless that account is also added to the /etc/passwd file.

I get: user in passdb, but getpwnam() fails!

Everything I've read points to an NSS_LDAP issue yet, getent passwd shows users perfectly fine and I am able to ssh into the same Linux host using a user account that is only in the LDAP database.

Additionally, if I crack open the /etc/passwd file and add a line for the user in question, I can then login.

I'm not using PAM. I added the two Windows7 registry updates required per the Samba.org site.

Software stack is as follows: Samba 3.5.3 OpenLDAP 2.4.21 nss_ldap 264

Thoughts/suggestions?

--------------------------------- UPDATE ---------------------------------

Getting closer! My nsswitch.conf did have files ldap so I reversed the order (now ldap files) and something odd happen. Notice, before, I said I could login with SSH and getent passwd dumped users in both ldap and files. After making the nsswitch.conf change, ldap before files, simple commands like ls took a long time. Additionally I observed nss_ldap errors as follows:

ls: nss_ldap: could not search LDAP server - Server is unavailable

and

ls: nss_ldap: failed to bind to LDAP server ldap://tsrvr.example.corp: Invalid credentials

I commented out the rootbinddn line in ldap.conf and these errors went away and getent passwd immediately began working again. The order of the output changed also: ldap entries listed before files entries.

Still, though, my Windows7 client will not login to the domain and I continue to get the same Samba error message

User test in passdb, but getpwnam() fails!

In my smb.conf, I tried removing ldapsam:trusted = yes line and when I do, I get domain authentication errors.

I'm not using SSL/TLS with OpenLDAP and I have the SSL = no setting. I also have the ldap.secret file set. I'm running slapd under the root account. My rootbinddn, before commenting out, referenced an LDAP root user of uid=root,ou=Users,dc=example,dc=corp. root's userPassword using CRYPT matches the bindpw as well as the one in /etc/shadow.

Looking at LDAP log activity for when I get the Samba error, it appears as if LDAP is returning the correct result against a Samba query:

Jun 19 14:20:14 tsrvr slapd[3803]: conn=1025 op=15 SRCH base="dc=example,dc=corp" scope=2 deref=0 filter="(&(uid=test)(objectClass=sambaSamAccount))" Jun 19 14:20:14 tsrvr slapd[3803]: conn=1025 op=15 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sam baNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestam p uidNumber gidNumber homeDirectory loginShell gecos Jun 19 14:20:14 tsrvr slapd[3803]: conn=1025 op=15 SEARCH RESULT tag=101 err=0 nentries=1 text=

Any other suggestions?

Much appreciated

2

There are 2 answers

1
Craig Trader On BEST ANSWER

Sounds like a problem with /etc/nsswitch.conf. Specifically, the passwd and group lines should refer to ldap before compat or file. Have you looked at this Samba wiki entry?

0
Eric On

SOLVED!!!!!!!!!!!

I have a script that was starting Samba (NMBD, SMBD) as well as OpenLDAP (SLAPD). It's an RC script that reads configuration data from a file to determine, among other things, which processes are already running or if a dependent process fails to start, etc... Here is a snippet of the relevant part in the script. The last line copies a version of the nsswitch.conf into place that specifies to use LDAP lookups.

while [ $i -lt $MAXPROCS ];
  do
   PID=${PROC[$i]}
   StartProc $PID

   if test $? != 0; then
    echo "!!! Aborting Any Remaining Start-up Processes !!!"
    exit 1
   fi

  i=$(($i+1))
done

 cp /etc/rc.d/pozix/nsswitch.conf.ldap /etc/nsswitch.conf

And upon shutdown I was doing the following; notice I copy a nsswitch.conf file that has "noldap" entries in it.

while [ $i -lt $MAXPROCS ];
do
  PID=${PROC[$i]}
  StopProc $PID
  i=$(($i+1))
done

cp /etc/rc.d/pozix/nsswitch.conf.noldap /etc/nsswitch.conf

It turns out that in the start-up scenario, samba wants the nsswtich.conf content to have the ldap entries there prior to invocation. Here is what I did to fix my issues:

cp /etc/rc.d/pozix/nsswitch.conf.ldap /etc/nsswitch.conf

while [ $i -lt $MAXPROCS ];
  do
   PID=${PROC[$i]}
   StartProc $PID

   if test $? != 0; then
    cp /etc/rc.d/pozix/nsswitch.conf.noldap /etc/nsswitch.conf
    echo "!!! Aborting Any Remaining Start-up Processes !!!"
    exit 1
   fi

  i=$(($i+1))
done

In summary, it appears that how you start SMBD is just as important as when you start it. If you start SMBD when nsswitch.conf has no LDAP entries, you get a version of smbd running linked to nss_ldap.so thinking it should only rely upon /etc/passwd (if that is all that is in the nsswitch.conf file) and changing the nsswitch.conf contents after SMBD is running has no effect.

Hope this helps other system builders....