smbpasswd: Failed to add entry for user
Solution 1
I found the best way to debug this issue is to see what's happening from the point of view of LDAP. Firstly do a "ps aux |grep slapd" to get the arguments being passed to the daemon, on my system (CentOS 5.6) I get:
/usr/sbin/slapd -h ldap:/// -u ldap
Stop the slapd daemon (/etc/init.d/slapd stop or similar) and then run the daemon interactively (i.e. from the command line) using the "-d" flag. -1 (as an argument for -d) is a good starting point, i.e. it logs everything:
/usr/sbin/slapd -h ldap:/// -u ldap -d -1
If this is too much info, read up on the parameters to "-d" - from memory I used 256 quite a bit. The idea is to get slapd giving some useful output and then replicate the problem. You may get some useful output which is showing where things are going wrong.
Solution 2
Just add the user as a local login user. For example:
useradd smbuser
smbpasswd -a smbuser
Only then can you add the user as a Samba user.
Mr. Shickadance
Updated on September 18, 2022
Comments
-
Mr. Shickadance almost 2 years
tl;dr Assuming a basic (but functioning) LDAP/PAM configuration, how come smbpasswd fails with this error message when I try to add an existing UNIX/LDAP user to Samba?
I have a basic, but working LDAP setup on a Debian server which has a few accounts loaded with passwords and such, and their corresponding UNIX accounts have been created. I also have a basic PAM/NSS configuration which seems to be working.
I can login and use the accounts via LDAP. Now I want to configure a simple file share using Samba and have it authenticate users via the PAM/LDAP backend. I am at the point where I need to create Samba users using the smbpasswd utility, however this results in an error. First, I set the LDAP password:
# smbpasswd -W
Then I tried adding a user which is already configured in LDAP:
# smbpasswd -a new_user
New SMB password:
Retype SMB password:
Failed to add entry for user new_user.
So I don't know why this command is failing. At first I figured it was because I needed to make the users in the LDAP directory be sambaSamAccounts. So I updated my user's LDIF file to look like this:
dn: cn=new_user,ou=group,dc=example,dc=com
cn: new_user
gidNumber: 1000
objectClass: top
objectClass: posixGroup

dn: uid=new_user,ou=people,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: new_user
uidNumber: 1000
gidNumber: 1000
cn: test user
sn: new_user
mail: [email protected]
loginShell: /bin/bash
homeDirectory: /home/new_user
sambaSID: 3000
sambaDomainName: TEST-ROME
The only changes made to the above LDIF were the additions of sambaSamAccount as an objectClass and sambaSID and sambaDomainName. Eventually I want to implement a PDC, so I am pretty sure I need a sambaSamAccount anyway. However, after all that I still get the same error.
So how can one debug this error?
SOLVED After debugging the daemon as suggested, I found that smbpasswd was executing queries with an empty base dn field, thus returning no results. This was fixed by adding the ldap suffix and ldap user suffix fields into my smb.conf. After that I realized I needed a correct way to generate sambaSIDs as well, but that is a separate issue.
-
Mr. Shickadance over 12 years
Ok I'll try that, but shouldn't samba be logging something for this? That is, shouldn't samba have a more detailed explanation of why smbpasswd is failing?
-
Patrick Rynhart over 12 years
Quite possibly :-) However, my experience is that Samba tends to throw some vanilla exception "NT_STATUS_ACCESS_DENIED", e.g. - looking at the actual LDAP queries and result/errors that slapd is providing was the best option for debugging.
-
Mr. Shickadance over 12 years
I think I noticed this before, but I am looking at some of the SRCH output, and I see that the base field is empty. For example:
SRCH base="" scope=2 deref=0 filter="(&(uid=androadm)(objectClass=sambaSamAccount))"
Shouldn't that base field have my base dn like dc=example,dc=com?
-
Mr. Shickadance over 12 years
Ok, to answer my own comment, manually running a search both with and without the base dn replicates the problem. If I search with base="", no results are returned (can't find the user in LDAP), but when I specify the base dn manually (base="dc=example,dc=com") it works fine. Note I didn't get smbpasswd working yet, but I think I've identified a problem. I replicated this by using ldapsearch and watching the log. Somehow I need to figure out why smbpasswd is searching with a null base dn.
-
Mr. Shickadance over 12 years
Ok, continuing on my little thread here, I added the ldap suffix and ldap user suffix options to smb.conf, and it's moved a bit further. Now I am getting a different error that I think is related to my user's LDAP entry, but the point was that by not specifying the ldap suffix options, smbpasswd ended up executing queries with empty base dn fields, thus returning no results.
-
Patrick Rynhart over 12 years
Excellent - great to learn that the output from slapd was useful in being able to troubleshoot the issue :-)
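As an added example (not code from the thread or from Samba/OpenLDAP), a small Python script that automates the two checks the thread arrives at: it scans slapd "stats" log lines for SRCH requests issued with an empty base DN and pairs them with their SEARCH RESULT entry counts, and it inspects the [global] section of an smb.conf using an ldapsam backend for the ldap suffix and ldap user suffix options. The log lines and both smb.conf fragments are constructed for the example; the ldap group suffix line is an assumption beyond what the thread shows.

```python
import configparser
import re

# Constructed slapd log lines (the format of the SRCH line quoted in the thread,
# plus the matching SEARCH RESULT lines); not a real capture.
SLAPD_LOG = """\
conn=1001 op=1 SRCH base="" scope=2 deref=0 filter="(&(uid=androadm)(objectClass=sambaSamAccount))"
conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1002 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(uid=androadm)(objectClass=sambaSamAccount))"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+)')

def empty_base_searches(log_text):
    """Return (filter, nentries) for every SRCH issued with base="".
    conn/op pairs tie each SRCH to its SEARCH RESULT line; nentries is None
    if no result line was logged for that operation."""
    results = {(m.group(1), m.group(2)): int(m.group(3))
               for m in RESULT_RE.finditer(log_text)}
    return [(flt, results.get((conn, op)))
            for conn, op, base, flt in (m.groups() for m in SRCH_RE.finditer(log_text))
            if base == ""]

# Constructed smb.conf fragments: the first lacks the suffix options, the
# second carries the fix the thread describes (suffixes relative to ldap suffix).
SMB_CONF_BEFORE = """\
[global]
workgroup = TEST-ROME
passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=admin,dc=example,dc=com
"""
SMB_CONF_AFTER = SMB_CONF_BEFORE + """\
ldap suffix = dc=example,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=group
"""

REQUIRED_LDAP_KEYS = ("ldap suffix", "ldap user suffix")

def missing_ldap_suffixes(smb_conf_text):
    """Return the REQUIRED_LDAP_KEYS absent or empty in [global] when the
    passdb backend is ldapsam; an empty list otherwise (options not relevant)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(smb_conf_text)
    if not cp.has_section("global"):
        return list(REQUIRED_LDAP_KEYS)
    g = cp["global"]
    if not g.get("passdb backend", "").strip().startswith("ldapsam"):
        return []
    return [k for k in REQUIRED_LDAP_KEYS if not g.get(k, "").strip()]

if __name__ == "__main__":
    for flt, n in empty_base_searches(SLAPD_LOG):
        print(f"empty base DN search: filter={flt} nentries={n}")
    print("missing in smb.conf:", missing_ldap_suffixes(SMB_CONF_BEFORE))
```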