After merging samba-3.0.20a I found that I could not connect with my samba shares. When samba is built with ldap support, it seems to deny all access unless an ldap server can be contacted. Re-merging with USE=-ldap works around the problem, but since ldap is on by default, many people are likely to build samba with ldap support. Adding "passdb backend = smbpasswd" to /etc/samba/smb.conf also resolves the problem. However, according to the smb.conf man page, that should already be the default setting. Maybe enabling ldap changes the default for the backend?

Reproducible: Always

Steps to Reproduce:
1. Merge samba-3.0.20a with USE=ldap on a network without an LDAP server
2. Try to connect to a samba share

Actual Results:
The following output is seen in /var/log/samba3/log.smbd:

[2005/10/07 07:58:36, 0] passdb/secrets.c:fetch_ldap_pw(578)
  fetch_ldap_pw: neither ldap secret retrieved!
[2005/10/07 07:58:36, 0] lib/smbldap.c:smbldap_connect_system(751)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2005/10/07 07:58:36, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 1 try!
[2005/10/07 07:58:37, 0] passdb/secrets.c:fetch_ldap_pw(578)
  fetch_ldap_pw: neither ldap secret retrieved!
[2005/10/07 07:58:37, 0] lib/smbldap.c:smbldap_connect_system(751)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2005/10/07 07:58:37, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 2 try!
[2005/10/07 07:58:38, 0] passdb/secrets.c:fetch_ldap_pw(578)
  fetch_ldap_pw: neither ldap secret retrieved!
[2005/10/07 07:58:38, 0] lib/smbldap.c:smbldap_connect_system(751)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2005/10/07 07:58:38, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 3 try!
<snip>
[2005/10/07 07:58:50, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 15 try!
[2005/10/07 07:58:51, 0] passdb/secrets.c:fetch_ldap_pw(578)
  fetch_ldap_pw: neither ldap secret retrieved!
[2005/10/07 07:58:51, 0] lib/smbldap.c:smbldap_connect_system(751)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2005/10/07 07:58:51, 0] lib/smbldap.c:smbldap_search_suffix(1246)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Time limit exceeded)

Packet trace of connection attempts:

1 0.000000 192.168.233.10 192.168.233.1 SMB 148 Tree Connect AndX Request, Path: \\192.168.233.1\RJF
2 0.000299 192.168.233.1 192.168.233.10 SMB 93 Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
3 0.003736 192.168.233.10 192.168.233.1 SMB 148 Tree Connect AndX Request, Path: \\192.168.233.1\RJF
4 0.003896 192.168.233.1 192.168.233.10 SMB 93

Expected Results:
At the very least, the 3.0.20a ebuild should probably output a big fat warning message when compiling with ldap support. Ideally, the default value for "passdb backend" should not be affected by ldap.
emerge info:

Portage 2.0.53_rc4 (default-linux/x86/2005.0, gcc-3.4.4, glibc-2.3.5-r2, 2.6.13-suspend2-r4 i686)
=================================================================
System uname: 2.6.13-suspend2-r4 i686 Intel(R) Pentium(R) M processor 2.13GHz
Gentoo Base System version 1.12.0_pre8
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -Os -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/init.d /etc/splash /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-march=pentium-m -Os -fomit-frame-pointer -pipe"
DISTDIR="/mnt/archive/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo/"
MAKEOPTS="-j1"
PKGDIR="/mnt/archive/gentoo-packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X alsa apm arts avi berkdb bitmap-fonts cdr crypt cups curl directfb doc eds emboss encode fam flac foomaticdb fortran gdbm gif gpm gtk gtk2 guile imagemagick imlib ipv6 java jpeg junit kde kdeenablefinal ldap libg++ libwww mad mikmod mmx motif mp3 mpeg ncurses nls ogg oggvorbis pam pdflib perl png python qt quicktime readline ruby samba scanner sdl spell sse ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts vorbis xine xml2 xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

carcharias ~ # grep samba /etc/portage/*
/etc/portage/package.use:net-fs/samba winbind

Global section of /etc/samba/smb.conf:

[global]
    workgroup = fishnet
    printcap name = cups
    load printers = yes
    printing = cups
    log file = /var/log/samba3/log.%m
    max log size = 8192
    log level = 1
    interfaces = 192.168.232.1/24 192.168.233.1/24 127.0.0.1/32
    bind interfaces only = yes
    map to guest = bad user
    security = user
    encrypt passwords = yes
    smb passwd file = /var/lib/samba/private/smbpasswd
    username map = /etc/samba/smbusers
    socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 SO_KEEPALIVE=1
    local master = no
    dns proxy = no
    wins proxy = yes
    case sensitive = auto
    preserve case = yes
    disable netbios = no
    hide dot files = yes
    lm announce = no
    wins support = no
    include = /etc/samba/wins_servers.conf
    name resolve order = lmhosts wins host bcast
    announce as = NT Workstation
    change notify timeout = 10
    time server = yes
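Editor's added example (not part of the report above and not Samba code): the log excerpt in the report has a recognisable shape, a header line "[date time, level] file:function(line)" followed by an indented message, and the failure mode is a retry storm ("Connection to LDAP server failed for the N try!") that ends in a search time-out while clients sit on STATUS_ACCESS_DENIED. The script below parses that two-line format and summarises how long smbd was stalled on an unreachable LDAP passdb. The sample log is constructed from the entries quoted in the report (the 15 retries are abbreviated); the function names and the "ldap_passdb_unreachable" verdict are this example's own, not anything Samba emits.

```python
"""Spot an smbd that is stalled on an unreachable LDAP passdb from its log.

Added example, not part of the bug report. Samba 3.x writes each log entry as a
header line '[YYYY/MM/DD HH:MM:SS, level] file:function(line)' followed by an
indented message line. SAMPLE_LOG is constructed from the entries quoted in the
report (retries abbreviated).
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
RETRY_RE = re.compile(r"Connection to LDAP server failed for the (?P<n>\d+) try!")

SAMPLE_LOG = """\
[2005/10/07 07:58:36, 0] passdb/secrets.c:fetch_ldap_pw(578)
  fetch_ldap_pw: neither ldap secret retrieved!
[2005/10/07 07:58:36, 0] lib/smbldap.c:smbldap_connect_system(751)
  ldap_connect_system: Failed to retrieve password from secrets.tdb
[2005/10/07 07:58:36, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 1 try!
[2005/10/07 07:58:37, 0] passdb/secrets.c:fetch_ldap_pw(578)
  fetch_ldap_pw: neither ldap secret retrieved!
[2005/10/07 07:58:37, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 2 try!
[2005/10/07 07:58:50, 1] lib/smbldap.c:another_ldap_try(951)
  Connection to LDAP server failed for the 15 try!
[2005/10/07 07:58:51, 0] lib/smbldap.c:smbldap_search_suffix(1246)
  smbldap_search_suffix: Problem during the LDAP search: (unknown) (Time limit exceeded)
"""


def _finish(m: "re.Match", msg: List[str]) -> Tuple[datetime, int, str, str]:
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, int(m.group("level")), m.group("func"), " ".join(msg)


def parse_entries(text: str) -> List[Tuple[datetime, int, str, str]]:
    """Pair each header line with the indented message line(s) that follow it.
    Returns (timestamp, debug level, function, message) per entry."""
    entries = []
    header = None
    msg: List[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header:
                entries.append(_finish(header, msg))
            header, msg = m, []
        elif header:
            msg.append(line.strip())
    if header:
        entries.append(_finish(header, msg))
    return entries


def ldap_stall_summary(text: str) -> Dict[str, object]:
    """Summarise the LDAP retry storm: how many tries were logged, how long the
    client was held up, and whether the search finally timed out."""
    entries = parse_entries(text)
    tries = [(ts, int(RETRY_RE.search(msg).group("n")))
             for ts, _, _, msg in entries if RETRY_RE.search(msg)]
    secret_missing = any("neither ldap secret retrieved" in msg for *_, msg in entries)
    timed_out = any("Time limit exceeded" in msg for *_, msg in entries)
    stalled = (tries[-1][0] - tries[0][0]).total_seconds() if tries else 0.0
    return {
        "retries": len(tries),
        "last_try": max((n for _, n in tries), default=0),
        "stalled_seconds": stalled,
        "no_ldap_secret": secret_missing,
        "search_timed_out": timed_out,
        # Verdict (this example's own label): smbd is built/configured for an
        # LDAP passdb it cannot reach, so every tree connect is held for the
        # retry window and then denied.
        "ldap_passdb_unreachable": secret_missing and timed_out,
    }


if __name__ == "__main__":
    for key, value in ldap_stall_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real /var/log/samba3/log.smbd by reading the file into ldap_stall_summary(); a non-zero "retries" together with "no_ldap_secret" on a host that has no LDAP server is the signature described in the report, and the "stalled_seconds" value is the delay each client sees before the ACCESS_DENIED.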
Exact same error here. I added this: net-fs/samba -ldap to my /etc/portage/package.use file and recompiled. It works fine now. The 'ldap' use flag is in my 'emerge info', but it's not part of my 'make.conf'. Is this added automatically?
(In reply to comment #1)
> Is this added automatically?

Yes, and the fact that it is on by default is the main reason I filed the bug report.
Actually it is caused by the ldap USE keyword indirectly. Using ldap also enables the --with-ldapsam configure option, which seems not to work correctly.

My samba is configured to use ADS + local users. The default compile of samba 3.0.20a from portage caused major auth problems for domain users, with errors such as in the original post. Adding passdb backend only helped partially: it allowed domain users who are mapped to local users to log in OK, but mapping to guest (bad user = nobody) stopped working for other domain users. Compiling with --without-ldapsam made it work as expected.

Just my $0.02.
(In reply to comment #1)
> The 'ldap' use flag is in my 'emerge info', but it's not part of my 'make.conf'.
> Is this added automatically?

Yep, it is! http://www.gentoo-portage.com/net-fs/samba/USE

Therefore, this affects pretty much everyone, including me (thanks for the fix). Next 'world' upgrade? I think I'll pass.

El Fabre
From the samba configure help: "--with-ldapsam: Include LDAP SAM 2.2 compatible configuration"

Without the ldapsam support, the new stable branch of ldap can't be used with filters (see bug #107614). However, it is true that 'passdb backend' changes with the ldapsam configuration. A note can be raised on this, with a remark in the example file as well.

I need more info: barthek and richard, could you attach your 'testparm -v -s 2>&1' output? (obscure the sensitive parts, of course)
Sure, here goes the working configuration (without ldapsam):

[global]
    dos charset = 852
    unix charset = ISO8859-2
    display charset = ISO8859-2
    workgroup = PWDNT
    realm = DOMAINNAME.PL
    netbios name = LINUX
    netbios aliases =
    netbios scope =
    server string = Samba 3.0.20a
    interfaces =
    bind interfaces only = No
    security = ADS
    auth methods =
    encrypt passwords = Yes
    update encrypted = No
    client schannel = Auto
    server schannel = Auto
    allow trusted domains = Yes
    hosts equiv =
    map to guest = Bad User
    null passwords = No
    obey pam restrictions = No
    password server = domaincontrollerhost
    smb passwd file = /var/lib/samba/private/smbpasswd
    private dir = /var/lib/samba/private
    passdb backend = smbpasswd
    algorithmic rid base = 1000
    root directory =
    guest account = nobody
    enable privileges = No
    pam password change = No
    passwd program =
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    passwd chat debug = No
    passwd chat timeout = 2
    check password script =
    username map = /etc/samba/smbusers
    password level = 0
    username level = 0
    unix password sync = No
    restrict anonymous = 0
    lanman auth = Yes
    ntlm auth = Yes
    client NTLMv2 auth = No
    client lanman auth = Yes
    client plaintext auth = Yes
    preload modules =
    use kerberos keytab = No
    log level = 1
    syslog = 1
    syslog only = No
    log file = /var/log/samba/log.%m
    max log size = 50
    debug timestamp = Yes
    debug hires timestamp = No
    debug pid = No
    debug uid = No
    smb ports = 445 139
    large readwrite = Yes
    max protocol = NT1
    min protocol = CORE
    read bmpx = No
    read raw = Yes
    write raw = Yes
    disable netbios = No
    acl compatibility =
    defer sharing violations = Yes
    nt pipe support = Yes
    nt status support = Yes
    announce version = 4.9
    announce as = NT
    max mux = 50
    max xmit = 16644
    name resolve order = lmhosts wins host bcast
    max ttl = 259200
    max wins ttl = 518400
    min wins ttl = 21600
    time server = No
    unix extensions = Yes
    use spnego = Yes
    client signing = auto
    server signing = No
    client use spnego = Yes
    enable asu support = Yes
    enable svcctl = Spooler, NETLOGON
    change notify timeout = 60
    deadtime = 0
    getwd cache = Yes
    keepalive = 300
    kernel change notify = Yes
    lpq cache time = 30
    max smbd processes = 0
    paranoid server security = Yes
    max disk size = 0
    max open files = 1000
    socket options = TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
    use mmap = Yes
    hostname lookups = No
    name cache timeout = 660
    load printers = No
    printcap cache time = 750
    printcap name = cups
    cups server =
    disable spoolss = No
    enumports command =
    addprinter command =
    deleteprinter command =
    show add printer wizard = Yes
    os2 driver map =
    mangling method = hash2
    mangle prefix = 1
    max stat cache size = 0
    stat cache = Yes
    machine password timeout = 604800
    add user script =
    delete user script =
    add group script =
    delete group script =
    add user to group script =
    delete user from group script =
    set primary group script =
    add machine script =
    shutdown script =
    abort shutdown script =
    username map script =
    logon script =
    logon path = \\%N\%U\profile
    logon drive =
    logon home = \\%N\%U
    domain logons = No
    os level = 20
    lm announce = Auto
    lm interval = 60
    preferred master = Auto
    local master = Yes
    domain master = Auto
    browse list = Yes
    enhanced browsing = Yes
    dns proxy = Yes
    wins proxy = No
    wins server =
    wins support = No
    wins hook =
    wins partners =
    kernel oplocks = Yes
    lock spin count = 3
    lock spin time = 10
    oplock break wait time = 0
    ldap admin dn =
    ldap delete dn = No
    ldap group suffix =
    ldap idmap suffix =
    ldap machine suffix =
    ldap passwd sync = no
    ldap replication sleep = 1000
    ldap suffix =
    ldap ssl =
    ldap timeout = 15
    ldap page size = 1024
    ldap user suffix =
    add share command =
    change share command =
    delete share command =
    eventlog open command =
    eventlog read command =
    eventlog clear command =
    eventlog num records command =
    eventlog oldest record command =
    eventlog list =
    config file =
    preload =
    lock directory = /var/cache/samba
    pid directory = /var/run/samba
    utmp directory =
    wtmp directory =
    utmp = No
    default service =
    message command =
    dfree command =
    get quota command =
    set quota command =
    remote announce =
    remote browse sync =
    socket address = 0.0.0.0
    homedir map =
    afs username map =
    afs token lifetime = 604800
    log nt token command =
    time offset = 0
    NIS homedir = No
    panic action =
    host msdfs = No
    enable rid algorithm = Yes
    idmap backend =
    idmap uid = 45000-60000
    idmap gid = 45000-60000
    template homedir = /home/%D/%U
    template shell = /bin/false
    winbind separator = \
    winbind cache time = 300
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = No
    winbind trusted domains only = No
    winbind nested groups = No
    winbind max idle children = 3
    winbind nss info = template
    comment = Linux Samba server
    path =
    username =
    invalid users =
    valid users =
    admin users =
    read list =
    write list =
    printer admin =
    force user =
    force group =
    read only = Yes
    acl check permissions = Yes
    acl group control = No
    acl map full control = Yes
    create mask = 0744
    force create mode = 00
    security mask = 0777
    force security mode = 00
    directory mask = 0755
    force directory mode = 00
    directory security mask = 0777
    force directory security mode = 00
    force unknown acl user = No
    inherit permissions = No
    inherit acls = No
    inherit owner = No
    guest only = No
    guest ok = No
    only user = No
    hosts allow = XXX
    hosts deny =
    allocation roundup size = 1048576
    aio read size = 0
    aio write size = 0
    aio write behind =
    ea support = No
    nt acl support = Yes
    profile acls = No
    map acl inherit = No
    afs share = No
    block size = 1024
    max connections = 0
    min print space = 0
    strict allocate = No
    strict sync = No
    sync always = No
    use sendfile = No
    write cache size = 0
    max reported print jobs = 0
    max print jobs = 1000
    printable = No
    printing = bsd
    cups options =
    print command = lpr -r -P'%p' %s
    lpq command = lpq -P'%p'
    lprm command = lprm -P'%p' %j
    lppause command =
    lpresume command =
    queuepause command =
    queueresume command =
    printer name =
    use client driver = No
    default devmode = No
    force printername = No
    default case = lower
    case sensitive = No
    preserve case = Yes
    short preserve case = Yes
    mangling char = ~
    hide dot files = Yes
    hide special files = No
    hide unreadable = No
    hide unwriteable files = No
    delete veto files = No
    veto files =
    hide files =
    veto oplock files =
    map system = No
    map hidden = No
    map archive = Yes
    mangled names = Yes
    mangled map =
    store dos attributes = No
    browseable = Yes
    blocking locks = Yes
    csc policy = manual
    fake oplocks = No
    locking = Yes
    oplocks = Yes
    level2 oplocks = Yes
    oplock contention limit = 2
    posix locking = Yes
    strict locking = Yes
    share modes = Yes
    copy =
    include =
    preexec =
    preexec close = No
    postexec =
    root preexec =
    root preexec close = No
    root postexec =
    available = Yes
    volume =
    fstype = NTFS
    set directory = No
    wide links = Yes
    follow symlinks = Yes
    dont descend =
    magic script =
    magic output =
    delete readonly = No
    dos filemode = No
    dos filetimes = Yes
    dos filetime resolution = No
    fake directory create times = No
    vfs objects =
    msdfs root = No
    msdfs proxy =

[homes]
    comment = Katalog domowy
    read only = No
    browseable = No

[samba]
    comment = samba mia
    path = /opt/samba
    admin users = doli
    read only = No
    guest ok = Yes

[archive]
    comment = Archive
    path = /lvm/archive
    valid users = @archive, PWDNT\maciek, PWDNT\andrzej, PWDNT\arnold, PWDNT\przemko, PWDNT\marcinp, PWDNT\darekb, PWDNT\marekw, PWDNT\pawelk, PWDNT\marcinkob, PWDNT\mariusz, PWDNT\marcinm, PWDNT\mariuszb, PWDNT\jacekf, PWDNT\tomekj
    admin users = doli, leszek
    force group = archive
    read only = No
    create mask = 0740
    force create mode = 0740
    browseable = No
Just for reference, to narrow down the reasons for samba behaviour changes:

0) 'testparm -s -v > ${your_actual_conf} 2>&1'
1) Using '/usr/sbin/quickpkg samba', you'll place a binary tarball of your actual samba package in /usr/portage/packages/All. This archive can later be restored with 'emerge -k =samba-version'.
2) Save the tarball in a secure place.
3) Re-emerge samba with the 'ldap' USE flag, and launch 'quickpkg' again. Secure this tarball also.
4) 'testparm -s -v > ${your_new_conf} 2>&1'
5) Restore the first tarball in /usr/portage/packages: 'emerge -k samba'
6) 'diff -Nu ${your_actual_conf} ${your_new_conf}'

With this procedure, on an empty config installation, these are the changes:

[-ldap] passdb backend = smbpasswd
[-ldap] ldap ssl =
[+ldap] passdb backend = ldapsam_compat
[+ldap] ldap server = localhost
[+ldap] ldap port = 636
[+ldap] ldap ssl = Yes

Nothing should affect the 'nobody' mapping. Anyway, before looking at your nsswitch.conf and the nobody account in your smbpasswd file, search the /usr/doc/.../WHATSNEW.txt.gz for upstream changes in 'bad user' mapping behaviour.
--with-ldapsam should be handled via its own use flag, it's only for supporting old Samba 2.2 LDAP backends, it is normally not built by default. --with-ldap is normally built by default and those that don't want LDAP support built in need a way to turn this off.
(In reply to comment #7)
> With this procedure, on an empty config installation, these are the changes:
>
> [-ldap] passdb backend = smbpasswd
> [-ldap] ldap ssl =
> [+ldap] passdb backend = ldapsam_compat
> [+ldap] ldap server = localhost
> [+ldap] ldap port = 636
> [+ldap] ldap ssl = Yes

Same set of changes here:

carcharias Temp # diff -Nu noldap_conf.txt ldap_conf.txt
--- noldap_conf.txt     2005-10-13 21:24:02.000000000 -0700
+++ ldap_conf.txt       2005-10-13 22:10:37.000000000 -0700
@@ -33,7 +33,7 @@
         password server = *
         smb passwd file = /var/lib/samba/private/smbpasswd
         private dir = /var/lib/samba/private
-        passdb backend = smbpasswd
+        passdb backend = ldapsam_compat
         algorithmic rid base = 1000
         root directory =
         guest account = nobody
@@ -156,6 +156,8 @@
         lock spin count = 3
         lock spin time = 10
         oplock break wait time = 0
+        ldap server = localhost
+        ldap port = 636
         ldap admin dn =
         ldap delete dn = No
         ldap group suffix =
@@ -164,7 +166,7 @@
         ldap passwd sync = no
         ldap replication sleep = 1000
         ldap suffix =
-        ldap ssl =
+        ldap ssl = Yes
         ldap timeout = 15
         ldap page size = 1024
         ldap user suffix =
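Editor's added example (not part of this bug, and not Samba or Gentoo code), illustrating the procedure in comment #7 and the diff in comment #9: a plain 'diff -Nu' of two 'testparm -s -v' dumps shows every changed line, but what a practitioner actually wants to know is whether any authentication-relevant parameter moved, since 'passdb backend' silently flipping from smbpasswd to ldapsam_compat is what produced the access denials. The script parses testparm output into sections, diffs two dumps, and reports only the watched parameters. The two dumps are constructed to contain just the lines shown in comments #7 and #9 (a real dump has several hundred parameters); the WATCHED list and function names are this example's own choices.

```python
"""Diff two `testparm -s -v` dumps and flag security-relevant parameter changes.

Added example, not part of the bug report. NOLDAP_DUMP and LDAP_DUMP are
constructed to reproduce the changes listed in comments #7 and #9; a real
testparm dump prints several hundred parameters.
"""
import re
from typing import Dict, Optional, Tuple

# Parameters whose compiled-in default changing under your feet alters who gets
# authenticated and how. This list is an assumption of the example, not a
# Samba-defined set.
WATCHED = {
    "passdb backend", "security", "map to guest", "guest account",
    "ldap server", "ldap port", "ldap ssl", "ldap admin dn", "ldap suffix",
    "encrypt passwords", "lanman auth", "ntlm auth", "client plaintext auth",
}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*(?P<key>[^=]+?)\s*=\s*(?P<value>.*?)\s*$")

Config = Dict[str, Dict[str, str]]
Changes = Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]]


def parse_testparm(text: str) -> Config:
    """Parse testparm output into {section: {parameter: value}}.

    Chatter before the first '[section]' line (e.g. 'Loaded services file OK.')
    is skipped. Empty values are kept as '' because unset-vs-set is exactly the
    kind of difference (ldap ssl = / ldap ssl = Yes) we want to surface.
    """
    config: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").lower()
            config.setdefault(section, {})
            continue
        if section is None:
            continue
        m = PARAM_RE.match(line)
        if m:
            config[section][m.group("key").lower()] = m.group("value")
    return config


def diff_configs(old: Config, new: Config) -> Changes:
    """Return {(section, key): (old_value, new_value)} for every difference;
    a parameter present on one side only is reported with None."""
    changes: Changes = {}
    for section in set(old) | set(new):
        a, b = old.get(section, {}), new.get(section, {})
        for key in set(a) | set(b):
            if a.get(key) != b.get(key):
                changes[(section, key)] = (a.get(key), b.get(key))
    return changes


def security_relevant(changes: Changes) -> Changes:
    """Keep only [global] changes to WATCHED parameters."""
    return {k: v for k, v in changes.items() if k[0] == "global" and k[1] in WATCHED}


def report(old_text: str, new_text: str) -> Changes:
    """Parse, diff and print the watched changes; returns them for the caller."""
    changes = security_relevant(diff_configs(parse_testparm(old_text), parse_testparm(new_text)))
    for (section, key), (a, b) in sorted(changes.items()):
        print(f"[{section}] {key}: {a!r} -> {b!r}")
    return changes


# Constructed dumps: only the lines from comments #7 and #9, plus a few
# unchanged ones so the filter has something to ignore.
NOLDAP_DUMP = """\
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
[global]
        security = USER
        map to guest = Bad User
        passdb backend = smbpasswd
        guest account = nobody
        ldap admin dn = 
        ldap ssl = 
        ldap timeout = 15
[homes]
        read only = No
"""

LDAP_DUMP = """\
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
[global]
        security = USER
        map to guest = Bad User
        passdb backend = ldapsam_compat
        guest account = nobody
        ldap server = localhost
        ldap port = 636
        ldap admin dn = 
        ldap ssl = Yes
        ldap timeout = 15
[homes]
        read only = No
"""

if __name__ == "__main__":
    report(NOLDAP_DUMP, LDAP_DUMP)
```

In practice you would feed report() the two files written by steps 0 and 4 of comment #7; the point of filtering on WATCHED rather than eyeballing the full diff is that a rebuild with different USE flags can change dozens of harmless defaults, and only the handful that select the password database and its transport matter for the symptom in this bug.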
chris (comment #8):
1) ldapsam USE flag: I agree
2) ldap USE flag: while it is active by default, I've never seen it cause any trouble. Counterexamples welcome.

I plan to resolve this while bumping 3.0.20b
samba-3.0.20b in portage. Thanks to all for your contribs. Please reopen if needed
> 2) ldap USE flag: while it is active by default, I've never seen it cause any trouble. Counterexamples welcome.

No counterexamples that I know of. Just nice to have the ability to leave out what you don't need; making the installation smaller, more secure, and possibly faster.