Samba on HP-UX 11i, MC ServiceGuard, Network aliases, LDAP issue - Samba does not seem to see lmPassword or ntPassword for *some* accounts.

ulairi ulairi at ulairi.org
Fri Sep 12 18:34:59 GMT 2003


Hi all. Trying to troubleshoot an odd problem.

OS: HP-UX 11i
Samba: 2.2.8a with --ldap-sam, linked against an OpenLDAP SDK.

Issue: *some* people cannot log in - error is: NT_STATUS_LOGON_FAILURE

Both a working account and a "broken" account have ObjectClass:
sambaAccount and both objects have lmPassword and ntPassword attributes
set. Here's the debug dump snippet from a 'broken' account login
attempt:
(XXXXXXXXXXXX's represent information I do not feel like sharing at the
moment) :)

ldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
ldap_connect_system: succesful connection to the LDAP server
ldap_search_one_user: searching
for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
Entry found for user: atellez
get_single_attribute: [pwdLastSet] = [1063319146]
get_single_attribute: [logonTime] = [<does not exist>]
get_single_attribute: [logoffTime] = [<does not exist>]
get_single_attribute: [kickoffTime] = [<does not exist>]
get_single_attribute: [pwdCanChange] = [<does not exist>]
get_single_attribute: [pwdMustChange] = [<does not exist>]
get_single_attribute: [cn] = [Armando Tellez]
get_single_attribute: [homeDrive] = [<does not exist>]
get_single_attribute: [smbHome] = [<does not exist>]
get_single_attribute: [scriptPath] = [<does not exist>]
get_single_attribute: [profilePath] = [<does not exist>]
get_single_attribute: [description] = [<does not exist>]
get_single_attribute: [userWorkstations] = [<does not exist>]
get_single_attribute: [rid] = [100416]
get_single_attribute: [primaryGroupID] = [<does not exist>]
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
NT Password did not match for user 'atellez'!
Defaulting to Lanman password for atellez
ldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
ldap_connect_system: succesful connection to the LDAP server
ldap_search_one_user: searching
for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
Entry found for user: atellez
get_single_attribute: [pwdLastSet] = [1063319146]
get_single_attribute: [logonTime] = [<does not exist>]
get_single_attribute: [logoffTime] = [<does not exist>]
get_single_attribute: [kickoffTime] = [<does not exist>]
get_single_attribute: [pwdCanChange] = [<does not exist>]
get_single_attribute: [pwdMustChange] = [<does not exist>]
get_single_attribute: [cn] = [Armando Tellez]
get_single_attribute: [homeDrive] = [<does not exist>]
get_single_attribute: [smbHome] = [<does not exist>]
get_single_attribute: [scriptPath] = [<does not exist>]
get_single_attribute: [profilePath] = [<does not exist>]
get_single_attribute: [description] = [<does not exist>]
get_single_attribute: [userWorkstations] = [<does not exist>]
get_single_attribute: [rid] = [100416]
get_single_attribute: [primaryGroupID] = [<does not exist>]
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
Rejecting user 'atellez': authentication failed
error packet at smbd/reply.c(1025) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE


Here's the same snippet for an account which works:

ldap_connect_system: succesful connection to the LDAP server
ldap_search_one_user: searching
for:[(&(uid=ulairi)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [ulairi]
Entry found for user: ulairi
get_single_attribute: [pwdLastSet] = [1062707545]
get_single_attribute: [logonTime] = [0]
get_single_attribute: [logoffTime] = [2147483647]
get_single_attribute: [kickoffTime] = [2147483647]
get_single_attribute: [pwdCanChange] = [0]
get_single_attribute: [pwdMustChange] = [2147483647]
get_single_attribute: [cn] = [Me]
get_single_attribute: [homeDrive] = [<does not exist>]
get_single_attribute: [smbHome] = [\\%N\]
get_single_attribute: [scriptPath] = [<does not exist>]
get_single_attribute: [profilePath] = [\\%N\\profile]
get_single_attribute: [description] = [Ulairi's account. Whatcha want?]
get_single_attribute: [userWorkstations] = [<does not exist>]
get_single_attribute: [rid] = [161010]
get_single_attribute: [primaryGroupID] = [11007]
get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [acctFlags] = [[UX         ]]
adding home directory ulairi at /home/users0/ccs/ulairi
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003,
59005, 10058, 5033
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003,
59005, 10058, 5033
uid 161010 registered to name ulairi
Clearing default real name


TCPDump shows that in both cases the lmPassword and ntPassword
attributes actually make it onto the box's NIC and up the stack, but in
the first instance (the 'broken' account), the debug output does not show
those.

What would cause this behavior - samba, for all intents and purposes,
ignoring the lmPassword and ntPassword LDAP attributes for one uid but
not for another? I've tried debug levels all the way up to 20, but
cannot seem to determine what causes this (quite possibly because I have
no clue what I'm looking for). 

Help, pointers to RTFM with hints as to for what to look are all
appreciated.
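
Added example, not part of the original post: a small Python parser for the smbd debug output quoted above. It groups the `get_single_attribute` lines per LDAP search and reports whether `lmPassword`/`ntPassword` were ever read and whether `init_sam_from_ldap` logged an error first. The sample log is constructed by abridging the two traces in the post; the function names are this example's own.

```python
import re

# Constructed sample: abridged from the two traces quoted in the post.
SAMPLE_LOG = """\
ldap_search_one_user: searching
for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
get_single_attribute: [primaryGroupID] = [<does not exist>]
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
ldap_search_one_user: searching
for:[(&(uid=ulairi)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [ulairi]
get_single_attribute: [primaryGroupID] = [11007]
get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [acctFlags] = [[UX         ]]
"""

SEARCH = re.compile(r"for:\[\(&\(uid=([^)]+)\)")  # filter may wrap onto its own line
ATTR = re.compile(r"^get_single_attribute: \[(\w+)\] = \[(.*)\]$")
INIT_FAIL = re.compile(r"^init_sam_from_ldap: User \[([^\]]+)\] (.*)$")
MISSING = "<does not exist>"

def parse_lookups(log):
    """Split a debug log into one record per LDAP user search."""
    lookups, cur = [], None
    for line in log.splitlines():
        line = line.strip()
        if (m := SEARCH.search(line)):
            cur = {"user": m.group(1), "attrs": {}, "init_error": None}
            lookups.append(cur)
        elif cur is not None and (m := ATTR.match(line)):
            cur["attrs"][m.group(1)] = m.group(2)
        elif cur is not None and (m := INIT_FAIL.match(line)):
            cur["init_error"] = m.group(2)
    return lookups

def summarize(lookup):
    """Report which password attributes were read and where the lookup stopped."""
    attrs = lookup["attrs"]
    return {
        "user": lookup["user"],
        "hashes_read": [a for a in ("lmPassword", "ntPassword") if a in attrs],
        "absent": [k for k, v in attrs.items() if v == MISSING],
        "last_attr": list(attrs)[-1] if attrs else None,
        "init_error": lookup["init_error"],
    }
```

Comparing `summarize()` output for the failing and working lookups shows the last attribute read before any `init_sam_from_ldap` message, which is the point where the two traces diverge.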



