Debian – smbpasswd: Failed to add entry for user

debian, ldap, pam, samba

tl;dr Assuming a basic (but functioning) LDAP/PAM configuration, how come smbpasswd fails with this error message when I try to add an existing UNIX/LDAP user to Samba?


I have a basic, but working LDAP setup on a Debian server which has a few accounts loaded with passwords and such, and their corresponding UNIX accounts have been created. I also have a basic PAM/NSS configuration which seems to be working.

I can login and use the accounts via LDAP. Now I want to configure a simple file share using Samba and have it authenticate users via the PAM/LDAP backend. I am at the point where I need to create Samba users using the smbpasswd utility, however this results in an error.

First, I set the LDAP password:

# smbpasswd -W

Then I tried adding a user which is already configured in LDAP:

# smbpasswd -a new_user
New SMB password:
Retype SMB password:
Failed to add entry for user new_user.

So I don't know why this command is failing. At first I figured it was because I needed to make the users in the LDAP directory be sambaSamAccounts. So I updated my user's LDIF file to look like this:

dn: cn=new_user,ou=group,dc=example,dc=com
cn: new_user
gidNumber: 1000
objectClass: top
objectClass: posixGroup

dn: uid=new_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: new_user
uidNumber: 1000
gidNumber: 1000
cn: test user
sn: new_user
mail: new_user@example.com
loginShell: /bin/bash
homeDirectory: /home/new_user
sambaSID: 3000
sambaDomainName: TEST-ROME

The only changes made to the above LDIF were the additions of sambaSamAccount as an objectClass and sambaSID and sambaDomainName. Eventually I want to implement a PDC, so I am pretty sure I need a sambaSamAccount anyway.

However, after all that I still get the same error.

So how can one debug this error?


SOLVED: After debugging the daemon as suggested, I found that smbpasswd was executing queries with an empty base dn field, thus returning no results. This was fixed by adding the ldap suffix and ldap user suffix fields into my smb.conf. After that I realized I needed a correct way to generate sambaSIDs as well, but that is a separate issue.
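The empty-base-DN failure described in the SOLVED note, as an added example that is not part of the original post: a small Python script that reads the [global] section of an smb.conf and derives the user search base the way smb.conf(5) documents it (ldap user suffix is a partial DN prepended to ldap suffix; if ldap suffix is missing the base is empty and every lookup returns nothing). Both smb.conf fragments are constructed; the ldapsam URL and admin DN are assumptions.

```python
import configparser

# Constructed smb.conf fragments (not from the original post). The first mirrors
# the failing setup, where only the passdb backend is set; the second adds the
# suffixes the poster needed. The ldapsam URL and admin DN are assumed values.
SMB_CONF_BROKEN = """
[global]
workgroup = TEST-ROME
passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=admin,dc=example,dc=com
"""

SMB_CONF_FIXED = """
[global]
workgroup = TEST-ROME
passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=admin,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=group
"""


def parse_smb_conf(text):
    """Return the [global] section as a dict with lowercased, stripped keys."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp["global"].items()}


def user_search_base(glob):
    """Base DN smbpasswd would use for user lookups (smb.conf(5) rule)."""
    suffix = glob.get("ldap suffix", "")
    user_suffix = glob.get("ldap user suffix", "")
    if not suffix:
        return ""  # empty base DN: the failure mode seen in the question
    if not user_suffix:
        return suffix  # unset user suffix falls back to ldap suffix
    return f"{user_suffix},{suffix}"


def check_ldapsam(text):
    """Return a list of configuration problems, or [] when the config is sane."""
    glob = parse_smb_conf(text)
    if not glob.get("passdb backend", "").startswith("ldapsam"):
        return ["passdb backend is not ldapsam; LDAP suffixes are irrelevant"]
    problems = []
    if not user_search_base(glob):
        problems.append("ldap suffix is unset: smbpasswd will search with an empty base DN")
    if "ldap admin dn" not in glob:
        problems.append("ldap admin dn is unset: smbpasswd cannot bind to write entries")
    return problems
```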

Best Answer

I found the best way to debug this issue is to see what's happening from the point of view of LDAP. Firstly, do a "ps aux | grep slapd" to get the arguments being passed to the daemon. On my system (CentOS 5.6) I get:

/usr/sbin/slapd -h ldap:/// -u ldap

Stop the slapd daemon (/etc/init.d/slapd stop or similar) and then run the daemon interactively (i.e. from the command line) using the "-d" flag. -1 (as an argument for -d) is a good starting point, as it logs everything, i.e.

/usr/sbin/slapd -h ldap:/// -u ldap -d -1

If this is too much info, read up on the parameters to "-d" - from memory I used 256 quite a bit. The idea is to get slapd giving some useful output and then replicate the problem. You may get some useful output which is showing where things are going wrong.
