# Can't connect to a samba PDC/LDAP

## slam_head

I set up a PDC using the SMBLDAP howto a little while ago and had to put it down to work on some other projects.  I've got it back up but can't seem to connect to it.  Here is the relevant section from the logs.

```
[2005/03/25 05:05:52, 1] auth/auth_util.c:make_server_info_sam(808)
  User dsonenberg in passdb, but getpwnam() fails!
[2005/03/25 05:05:52, 0] auth/auth_sam.c:check_sam_security(306)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/03/25 05:05:52, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [STROZLLC] was for this SAM.
[2005/03/25 05:05:52, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [dsonenberg] -> [dsonenberg] FAILED with error NT_STATUS_NO_SUCH_USER
```

and here is the smb.conf:

```
# Global parameters
[global]
        workgroup = STROZLLC
        netbios name = NYHAND
        server string = Samba Server %v
        passdb backend = ldapsam:ldap://127.0.0.1
        enable privileges = Yes
        log level = 3
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        add user script = /usr/share/samba/scripts/smbldap-useradd -m "%u"
        add group script = /usr/share/samba/scripts/smbldap-groupadd -p "%g"
        add user to group script = /usr/share/samba/scripts/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/share/samba/scripts/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/share/samba/scripts/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/share/samba/scripts/smbldap-useradd -w "%u"
        logon script = logon.bat
        logon path =
        logon drive = H:
        logon home =
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=samba,ou=DSA,dc=strozllc,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=strozllc,dc=com
        ldap user suffix = ou=Users

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /home/netlogon/
        browseable = No

[profiles]
        path = /home/profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No
        csc policy = disable
```

----------

## slam_head

I noticed that if I do an 

```
smbldap-usershow
```

Hash is set to {SSHA} but if I do the same on our secure side domain controller (separate network, and is working fine) it's set to {CRYPT}.  Could this be the problem, and if so how do I fix it?

----------

## slam_head

It looks like it's a problem with the nsswitch.conf.

```
hand root # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

Now if I try a getent...

```
getent passwd SambaUser
```

I get nothing back.  It looks like the system is ignoring the ldap entries in the nsswitch.
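
The log line "in passdb, but getpwnam() fails" and the empty `getent` result both describe the same NSS lookup. As an added example (not part of the original post), this Python sketch separates "ldap is not listed for passwd" from "ldap is listed but the lookup still fails"; the sample text is constructed and the default user name is taken from the command above.

```python
import pwd
import re

# Constructed sample mirroring the passwd/shadow/group lines posted above.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf
passwd:      files ldap
shadow:      files ldap
group:       files ldap
# passwd:    db files nis
hosts:       files dns wins
"""

def nss_sources(text, database):
    """Return the ordered source list for one database in nsswitch.conf text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip() == database:
            rest = re.sub(r"\[[^\]]*\]", " ", rest)  # drop [NOTFOUND=return]-style actions
            return rest.split()
    return []

def resolves(user):
    """True if getpwnam() (which goes through NSS) returns an entry for user."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False

def diagnose(user, nss_text):
    """Tell 'ldap not configured for passwd' apart from 'configured but lookup fails'."""
    sources = nss_sources(nss_text, "passwd")
    if "ldap" not in sources:
        return "passwd database does not list ldap: %s" % sources
    if resolves(user):
        return "ok: getpwnam(%r) succeeds" % user
    return "ldap is listed for passwd but getpwnam(%r) fails" % user

if __name__ == "__main__":
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else "SambaUser"
    with open("/etc/nsswitch.conf") as fh:
        print(diagnose(user, fh.read()))
```
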

----------

## b52_

Hi

I have the same issue and thought the whole time my ldap/samba config is buggy. But if I try

```
# getent passwd testuser1
```

I also get no entry....

Here is my /etc/nsswitch.conf

```

passwd:     files ldap   

shadow:     files ldap

group:      files ldap   

hosts:          files dns

networks:       files

services:       files

protocols:      files

rpc:            files

ethers:         files

netmasks:       files

netgroup:       files

bootparams:     files

automount:      files

aliases:        files

```

And the /etc/pam.d/system-auth

```

auth        required      /lib/security/pam_env.so

auth        sufficient    /lib/security/pam_ldap.so

auth        sufficient    /lib/security/pam_unix.so likeauth nullok

auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_ldap.so

account     sufficient    /lib/security/pam_unix.so

account     required      /lib/security/pam_deny.so

password    required      /lib/security/pam_cracklib.so retry=3 type=

password    sufficient    /lib/security/pam_ldap.so

password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow

password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so

session     required      /lib/security/pam_unix.so

session     optional      /lib/security/pam_ldap.so

```

But I don't have an idea what could be wrong....

Thanks for helping....

bye,b52

----------

## scotepi

I'm having this same exact problem. Has anyone come across a solution yet?

----------

## mocsokmike

I have the same issue:

check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

I think it is because the system runs a wrong ldap query. I copy here some parts of my syslog:

It looks for the user called "mocsok"...

> Dec 21 15:14:19 zaphod slapd[9021]: conn=7 op=2 SRCH base="dc=zaphod,dc=globalunion,dc=hu" scope=2 deref=0 filter="(&(uid=mocsok)(objectClass=sambaSamAccount))"

One entry is found, that is OK so far...

> Dec 21 15:14:19 zaphod slapd[9021]: conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=

It looks for the user's group, but in ou=Groups it won't find any entries with (displayName=mocsok) nor (cn=mocsok), as the user's name only appears in the "memberUid" field!

> Dec 21 15:14:19 zaphod slapd[8991]: conn=3 op=6 SRCH base="ou=Groups,dc=zaphod,dc=globalunion,dc=hu" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=mocsok)(cn=mocsok)))"

No entries found, of course...

> Dec 21 15:14:19 zaphod slapd[8991]: conn=3 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=

And it returns this error message.

> Dec 21 15:14:19 zaphod smbd[9033]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

In case I use a system user (who also exists in the ldap database), the group search filter is correct.

I have checked every possible config file, even /usr/sbin/smbldap_tools.pm, but did not find a solution so far. Do you have any idea where to look to change this filter, or what can cause this bug?
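
The manual pairing of `SRCH` and `SEARCH RESULT` lines in the post above can be automated. As an added example (not part of the original post), this Python sketch matches each search to its result by slapd pid, `conn` and `op`, and lists the searches that returned no entries; the sample log is constructed in the same format, with placeholder host, base DN and uid.

```python
import re

# Constructed sample in the format of the slapd syslog lines quoted above
# (hostname, base DN and uid are placeholders).
SAMPLE_LOG = """\
Dec 21 15:14:19 host slapd[9021]: conn=7 op=2 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(uid=alice)(objectClass=sambaSamAccount))"
Dec 21 15:14:19 host slapd[9021]: conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 21 15:14:19 host slapd[8991]: conn=3 op=6 SRCH base="ou=Groups,dc=example,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=alice)(cn=alice)))"
Dec 21 15:14:19 host slapd[8991]: conn=3 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

SRCH = re.compile(
    r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="(.*)"\s*$')
RESULT = re.compile(
    r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) SEARCH RESULT .*\berr=(\d+) nentries=(\d+)')

def pair_searches(log_text):
    """Match each SRCH line to its SEARCH RESULT by (pid, conn, op)."""
    pending, paired = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            pending[m.group(1, 2, 3)] = {"base": m.group(4), "filter": m.group(5)}
            continue
        m = RESULT.search(line)
        if m and m.group(1, 2, 3) in pending:
            entry = pending.pop(m.group(1, 2, 3))
            entry["err"], entry["nentries"] = int(m.group(4)), int(m.group(5))
            paired.append(entry)
    return paired

def empty_searches(log_text):
    """Searches that completed without error but matched no entry."""
    return [s for s in pair_searches(log_text)
            if s["err"] == 0 and s["nentries"] == 0]

if __name__ == "__main__":
    for s in empty_searches(SAMPLE_LOG):
        print("no match: base=%s filter=%s" % (s["base"], s["filter"]))
```
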

----------

## rack

I got the same problem even without ldap. Windows 2003 client, samba 3.0.14a server. Does anyone have that working with a newer samba version perhaps? Btw, works with w2k and wxp.

----------

## Alakhai

Same here!

And no ideas left :/

----------

## fbcyborg

Hi!

Same problem here!

I also tried without ldap USE flag, but it's the same!

Why is it not possible to log in?

----------

