I asked this question on stackoverflow and realized I might get better responses here.
Attempting to set up Samba + OpenLDAP using nss_ldap under Linux. All software is compiled by me from source so no RPMs, YUM, etc...
Using Pozix Linux which is our own distribution - vanilla login system meaning out of the box the distro relies on standard /etc/passwd, /etc/group.
Installed all necessary software to convert system to an LDAP based system which seems to work with other software such as SSH except SAMBA.
Was able to join Windows7 to a Samba stand-alone PDC, but I cannot log in with a domain account unless that account is also added to the /etc/passwd file.
I get: user in passdb, but getpwnam() fails!
Everything I've read points to an NSS_LDAP issue. Here is a list of things I've done:
- getent passwd shows users perfectly fine
- I am able to ssh into the same Linux host using a user account that is only in the LDAP database.
- id test (test is my test account only in LDAP) that works
- ./pdbedit -Lv test works
- ./net rpc rights list accounts -Uroot works, I see root has all necessary rights
- per suggestion from stackoverflow, I changed my nsswitch.conf file from (files ldap) to (ldap files) which essentially changed the dump order of getent passwd & didn't resolve the issue.
- commented out rootbinddn and added the bindpw with a clear-text version of the password to eliminate any questions with ldap.secret
- smb.conf has ldapsam:trusted = yes
- smb.conf and ldap.conf both have ssl off a
- Not running nscd
Everything on the samba.org site chapter-5 about making users happy works except for:
./smbclient //tsrvr/test -Utest
This produces the subject error message in log.smbd and ldap debug log shows a query for test with no errors and a successful return value.
If I put 'test' into /etc/passwd, then it works!
It's as if the relationship between nss_ldap and smbd is broken and I stress relationship because LDAP appears OK (slapcat, ldapsearch, etc... all work)... It appears that nss_ldap library is getting a return value that when handed back to smbd, it somehow is not understood.
I would really appreciate any suggestions. I see this problem listed often. Often related to PAM but I'm not using PAM.
Additionally, if I crack open the /etc/passwd file and add a line for the user in question, I can then login.
I'm not using PAM. I added the two Windows7 registry updates required per the Samba.org site.
Software stack is as follows: Samba 3.5.3 OpenLDAP 2.4.21 nss_ldap 264
---------------------[ update ]---------------------
I began looking at Samba source code.
I found this function in samba3/auth/auth_util.c (about line 580)
auth_serversupplied_info *result;
const char *username = pdb_get_username(sampass);
pwd = getpwnam_alloc(result, username);
pwd evaluates to NULL even though username is valid. getpwnam_alloc allocates memory for result structure and fills it with the Unix UID, primary GID, etc...
Everything I read says that this call uses NSS. I hope someone from the Samba team who has more knowledge of this than I do can chime in.
---------------------[ update ]---------------------
Examining the Samba source code, here is what I'm discovering:
The failure is happening in auth/auth_util.c (line 580) with a call to getpwnam_alloc
getpwnam_alloc attempts to do some sort of caching and if the username is not found in recent cache the code falls through with a call to:
sys_getpwnam found in lib/system.c which is just a wrapper for getpwnam
Documented here: http://opengroup.org/onlinepubs/007908775/xsh/getpwnam.html
Doesn't appear as if Samba checks the errno described; will add some debug and report back.
Definitely a failure in the OS library implementing getpwnam, but not sure what yet.
SOLVED!!!!!!!!!!!
I have a script that was starting Samba (NMBD, SMBD) as well as OpenLDAP (SLAPD). It's an RC script that reads configuration data from a file to determine, among other things, which processes are already running or if a dependent process fails to start, etc... Here is a snippet of the relevant part in the script. The last line copies a version of the nsswitch.conf into place that specifies to use LDAP lookups.
And upon shutdown I was doing the following; notice I copy an nsswitch.conf file that has "noldap" entries in it.
It turns out that in the start-up scenario, samba wants the nsswitch.conf content to have the ldap entries there prior to invocation. Here is what I did to fix my issues:
In summary, it appears that how you start SMBD is just as important as when you start it. If you start SMBD when nsswitch.conf has no LDAP entries, you get a version of smbd running linked to nss_ldap.so thinking it should only rely upon /etc/passwd (if that is all that is in the nsswitch.conf file) and changing the nsswitch.conf contents after SMBD is running has no effect.
Hope this helps other system builders....
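As an added illustration of the fix described in the post above (not the poster's own RC script), here is a start-up guard that installs the ldap-aware nsswitch.conf and verifies that passwd and group lookups really list ldap before smbd is launched. The template name /etc/nsswitch.conf.ldap and the smbd path are assumptions; the sample nsswitch files at the bottom are constructed for an offline demonstration.

```shell
#!/bin/sh
# Guard for an RC script: smbd must be started only after nsswitch.conf already
# routes passwd/group through ldap, because a running smbd does not pick up
# later edits to nsswitch.conf. Paths below are assumptions, override via env.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
NSSWITCH_LDAP="${NSSWITCH_LDAP:-/etc/nsswitch.conf.ldap}"   # assumed: copy with ldap entries
SMBD="${SMBD:-/usr/local/samba/sbin/smbd -D}"                # assumed install prefix

# nss_has_ldap FILE DB -> exit 0 if the DB line (e.g. "passwd:") lists ldap as a
# source. Comments are stripped first so a commented-out "#passwd: ldap" is not
# mistaken for a live entry, and "ldap" must be a whole word.
nss_has_ldap() {
    sed 's/#.*//' "$1" | grep -E "^[[:space:]]*$2[[:space:]]*:" |
        grep -Eq '(^|[[:space:]])ldap([[:space:]]|$)'
}

# nss_ldap_ready FILE -> exit 0 only if both passwd and group consult ldap,
# which is what smbd's getpwnam()/getgrnam() path needs for LDAP-only users.
nss_ldap_ready() {
    nss_has_ldap "$1" passwd && nss_has_ldap "$1" group
}

# start_smbd: put the ldap-aware nsswitch.conf in place, verify it, then start
# smbd. Returns 1 and starts nothing if the verification fails.
start_smbd() {
    cp "$NSSWITCH_LDAP" "$NSSWITCH" || return 1
    if ! nss_ldap_ready "$NSSWITCH"; then
        echo "refusing to start smbd: $NSSWITCH has no ldap source for passwd/group" >&2
        return 1
    fi
    $SMBD
}

# Constructed sample nsswitch.conf variants (not real system files).
demo_dir=$(mktemp -d)
printf 'passwd: files\ngroup:  files\n#passwd: ldap files\n' > "$demo_dir/nsswitch.noldap"
printf 'passwd: ldap files  # order swapped per stackoverflow\ngroup:  ldap files\nhosts:  files dns\n' \
    > "$demo_dir/nsswitch.ldap"

# Exercise the guard against both variants (exit status reported per file).
for f in "$demo_dir/nsswitch.noldap" "$demo_dir/nsswitch.ldap"; do
    if nss_ldap_ready "$f"; then echo "$f: ldap-aware, safe to start smbd"
    else echo "$f: files only, smbd would ignore LDAP users"; fi
done
```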
nss_ldap configures the Linux login system to use LDAP for authentication, not Samba. You still have to tell Samba to use ldap for authentication. For example:
Of course, Samba has to have been built with LDAP support.
Now get smbldap-tools for creating users/groups/etc in your LDAP database. smbldap-tools will create the user accounts with the proper password formats (one for Linux, one for Samba) and other required attributes.
Here is what a complete LDAP entry would look like: