[Samba] samba failed to authenticate to openLDAP

Steve Zeng szeng at mainframe.ca
Wed Mar 2 02:18:17 GMT 2005


Paul,

I downloaded smbldap-tools-0.8.7 and tried the following:

1) run configure.pl

2) initialize LDAP base and then start LDAP server
dn: dc=mfelc
dc: mfelc
objectClass: top
objectClass: domain

3) run smbldap-populate

4) run the following migration tool to import users from NIS:
smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis

5) run the following migration tool to import groups from NIS:
smbldap-migrate-unix-groups -a -G /tmp/group.nis

6) smbldap-useradd -a -m testuser1
    smbldap-passwd testuser1

7) smbclient //enzo/testuser1 -U testuser1


got the following errors:
-------------------------------------
   User testuser1 in passdb, but getpwnam() fails!
[2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
   attempting to free (and zero) a server_info structure
[2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
   check_ntlm_password: sam authentication for user [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
[2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
   check_winbind_security: Not using winbind, requested domain [TESTDM] was for this SAM.
[2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
   check_ntlm_password: winbind had nothing to say
[2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
   check_ntlm_password:  Authentication for user [testuser1] -> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
--------------------------------------------------

No idea what is missing. Thanks a lot for any hints.

Steve

> Judicious snippage, post at the bottom.
> 
>> I tried to let Samba authenticate against LDAP but could not figure 
>> out how to build the LDAP tree for Samba.
>>
>> Fedora core 2
>> Samba 3.0.10
>> OpenLDAP 2.1.29
>>
>> dc=mydomain
>>  |
>>  `--- ou=People    : to store user accounts for Unix and Windows
>>  |
>>  `--- ou=Hosts     : to store computer accounts for UNIX & Windows
>>  |
>>  `--- ou=Groups    : to store system groups for Unix and Windows
>>
>>
>> What I did was:
> 
> 
>>    [global]
>>         workgroup = TESTDM
>>         passdb backend = ldapsam:ldap://10.10.0.101/
>>         log level = 1 passdb:8 auth:8
>>         domain logons = Yes
>>         wins support = Yes
>>         ldap admin dn = cn=root,dc=mydomain
>>         ldap delete dn = Yes
>>         ldap group suffix = ou=Group
>>         ldap machine suffix = ou=Hosts
>>         ldap user suffix = ou=People
>>         ldap suffix = dc=mfelc
>>         ldap passwd sync = Yes
>>         ldap ssl = no
>> 3) start Samba server
>>
>> 4) run smbclient //smbserver -U myid
>>    Password:
>>    session setup failed: NT_STATUS_LOGON_FAILURE
> 
> 
>> Attached is the smbd.log; I deleted the normal log and kept the failed 
>> messages as below:
>>   check_sam_security: Couldn't find user 'szeng' in passdb file.
>> auth/auth.c:check_ntlm_password(271)
>>   check_ntlm_password: sam authentication for user [szeng] FAILED with error NT_STATUS_NO_SUCH_USER
> 
> 
>> Is there anybody who might have some idea of what is wrong?
> 
> 
> Yep.  You did nothing to create the samba attributes that will have to 
> exist in each user account for the users to log in.   I suggest you read 
> the documentation on setting up an LDAP/PDC system that is on the 
> samba.org web site.  You've missed quite a few steps here, so you may 
> want to read it through to get a complete idea.  Your solution is going 
> to include the following:
> 
> 1. Obtain and configure the smbldap-tools package.
> 2. Run the smbldap-populate script
> 3. Make sure you've got a sambaDomain (I think that's the object type) 
> in the base of your DIT.
> 4. Join the machine to the domain (since you appear to want a domain setup)
> 4. Add samba attributes to each user's account.
> 
> Yes there are 2 #4 entries.  Doesn't matter which one comes first.  As 
> far as I can remember, those will be the critical steps to not miss.   
> If you've followed the documentation and not done those steps, you've 
> missed something.
> 
> 

-- 
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
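
Added example, not part of the original message and not Samba project code: a Python script that triages the two smbd failure messages quoted in this thread, separating "no entry in passdb" from "entry in passdb, but getpwnam() fails", and repeats the getpwnam() lookup locally. The stage names, function names and the SAMPLE text (assembled from the log lines above) are assumptions made for illustration.

```python
import pwd
import re

# smbd record header: "[2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)")
# The two failure messages quoted in the thread, keyed by the lookup that failed.
STAGES = [
    (re.compile(r"Couldn't find user '([^']+)' in passdb"), "no_passdb_entry"),
    (re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails"), "no_unix_account"),
]

# Constructed sample: lines copied from the two log excerpts in the thread.
SAMPLE = """\
  check_sam_security: Couldn't find user 'szeng' in passdb file.
  User testuser1 in passdb, but getpwnam() fails!
[2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
"""

def parse_records(text):
    """Group each header with its message lines, rejoining mail-wrapped text."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"level": int(m.group(2)), "func": m.group(4), "msg": ""})
        elif raw.strip():
            if not records:  # excerpt began mid-record, its header was cut off
                records.append({"level": None, "func": None, "msg": ""})
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def classify(text):
    """Return {user: stage} for every failure message recognised in the log."""
    found = {}
    for rec in parse_records(text):
        for pattern, stage in STAGES:
            for m in pattern.finditer(rec["msg"]):
                found[m.group(1)] = stage
    return found

def unix_account_exists(user):
    """Repeat the getpwnam() lookup named in the log message, through NSS."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False
```

Run classify() over an smbd log captured with the auth and passdb debug classes raised, then call unix_account_exists() on the Samba server itself for each user reported as no_unix_account.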

