[Samba] Samba + LDAP + TLS

Jukka Hienola jukka.hienola at helsinki.fi
Mon Oct 24 11:59:32 GMT 2005


Hi!

I'm a bit new to Samba+LDAP integration, and most likely because of that 
I experienced something this morning that I can't fully understand. I would 
appreciate it if someone could explain to me what was really wrong.

So, our name server was unavailable this morning due to an OS update. 
The division's Samba and LDAP services are running on the same server, and 
Samba uses TLS when connecting to the LDAP service. Because some of the 
network names were not resolvable, I changed "passdb backend = 
ldapsam:ldap://ldap.server.name/" to "passdb backend = 
ldapsam:ldap://127.0.0.1/" in smb.conf, although I also have ldap.server.name 
in /etc/hosts, just in case. In /etc/nsswitch.conf I have the 
line "hosts:      files dns". After I restarted Samba, I just couldn't 
log in to the domain anymore with any machine or domain user accounts. 
Samba gave me errors like

smbd[1956]: [2005/10/24 11:03:17, 0] lib/smbldap.c:smbldap_open_connection(677)
smbd[1956]:   Failed to issue the StartTLS instruction: Connect error
smbd[1956]: [2005/10/24 11:03:17, 1] lib/smbldap.c:another_ldap_try(1011)
smbd[1956]:   Connection to LDAP server failed for the 1 try!
smbd[1956]: [2005/10/24 11:03:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
smbd[1956]:   init_sam_from_ldap: Entry found for user: myusr
smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:init_sam_from_ldap(553)
smbd[1956]:   init_sam_from_ldap: no sambaSID or sambaSID attribute found for this user myusr
smbd[1956]: [2005/10/24 11:03:18, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1346)
smbd[1956]:   ldapsam_getsampwnam: init_sam_from_ldap failed for user 'myusr'!
smbd[1956]: [2005/10/24 11:03:18, 2] auth/auth.c:check_ntlm_password(312)
smbd[1956]:   check_ntlm_password:  Authentication for user [myusr] -> [myusr] FAILED with error NT_STATUS_NO_SUCH_USER

so I assume that this issue was somehow related to the changes I made in 
the smb.conf file. At the same time I could log in to the server using ssh, 
and e.g. the command "smbclient -L ldap.server.name -U myusr" gave me a 
list of all available services. I could also authenticate myself through 
Apache, which also uses TLS to connect to the LDAP server.

My question is, how can changing "passdb backend" from ldap.server.name to 
127.0.0.1 have this effect, since the server name should have been 
resolvable via the /etc/hosts file? Does it have something to do with my 
certificate files, which are generated using ldap.server.name? However, 
I was able to log in with TLS and Apache, so I don't think that's the case.

Thanks in advance,
Jukka Hienola
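One thing worth checking when a StartTLS connection works for one URI and not
for another is the hostname check the TLS client applies to the server
certificate: a client that demands a valid certificate (OpenLDAP's default,
TLS_REQCERT=demand) compares the host written in the LDAP URI with the names
in the certificate, and an IP literal such as 127.0.0.1 is not the same name
as ldap.server.name even when both resolve to the same machine. The script
below is an added example, not code from the post or from Samba or OpenLDAP.
It extracts the host from the two "passdb backend" values quoted in the
message and runs the RFC 6125 matching rule against a constructed set of
certificate names (SAMPLE_CERT_NAMES, dNSName and iPAddress SAN entries);
the helper names and the sample names are assumptions. It also goes beyond
the message by handling wildcard dNSName entries and iPAddress SANs, so it
can be reused to test other URI/certificate combinations.

```python
"""Hostname matching as a TLS client applies it to an LDAP URI.

Added example, not code from the original post or from Samba/OpenLDAP.
When smbd issues StartTLS, the LDAP client library (with TLS_REQCERT=demand,
OpenLDAP's default) verifies that the host named in the URI matches a name
in the server certificate. The rules below follow RFC 6125: dNSName entries
are compared case-insensitively, one left-most wildcard label is allowed,
and an IP literal matches only an iPAddress subjectAltName entry, never a
dNSName. Real libraries may be more lenient (e.g. falling back to the CN).
"""
import ipaddress
from urllib.parse import urlparse

# Constructed sample: the names a certificate issued to the LDAP server's
# DNS name would carry. "dns" holds dNSName SANs, "ip" holds iPAddress SANs.
SAMPLE_CERT_NAMES = {"dns": ["ldap.server.name"], "ip": []}


def ldap_host_from_passdb(passdb_backend: str) -> str:
    """Return the host part of a Samba 'passdb backend = ldapsam:<uri>' value."""
    value = passdb_backend.split("=", 1)[-1].strip()
    if not value.startswith("ldapsam:"):
        raise ValueError("not an ldapsam backend: %r" % passdb_backend)
    uri = value[len("ldapsam:"):]
    host = urlparse(uri).hostname
    if not host:
        raise ValueError("no host in LDAP URI: %r" % uri)
    return host


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals such as 127.0.0.1 or ::1."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 dNSName comparison with a single left-most wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # '*.example.com' matches exactly one extra label, never the bare domain.
    suffix = pattern[1:]                      # '.example.com'
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_matches_host(cert_names: dict, host: str) -> tuple:
    """Return (ok, reason) for a client connecting to `host` against cert_names."""
    if is_ip_literal(host):
        wanted = ipaddress.ip_address(host)
        for ip in cert_names.get("ip", []):
            if ipaddress.ip_address(ip) == wanted:
                return True, "iPAddress SAN %s matches" % ip
        return False, ("%s is an IP literal; certificate has no matching "
                       "iPAddress SAN (dNSName entries do not count)" % host)
    for name in cert_names.get("dns", []):
        if dns_name_matches(name, host):
            return True, "dNSName SAN %s matches" % name
    return False, "no dNSName SAN matches %s" % host


def check_passdb_line(line: str, cert_names: dict = SAMPLE_CERT_NAMES) -> tuple:
    """Extract the host from a passdb backend line and run the hostname check."""
    host = ldap_host_from_passdb(line)
    ok, reason = cert_matches_host(cert_names, host)
    return host, ok, reason


if __name__ == "__main__":
    # The two values from the message, before and after the change.
    for line in ("passdb backend = ldapsam:ldap://ldap.server.name/",
                 "passdb backend = ldapsam:ldap://127.0.0.1/"):
        host, ok, reason = check_passdb_line(line)
        print("%-18s %s  (%s)" % (host, "OK" if ok else "FAIL", reason))
```

Run as-is it reports OK for ldap.server.name and FAIL for 127.0.0.1 with the
sample certificate; replacing SAMPLE_CERT_NAMES with the SAN entries of a real
certificate (e.g. read off the output of an openssl x509 -text dump) shows
whether a given URI would pass the client's name check before touching
smb.conf. A certificate that is meant to be reached by loopback would need an
iPAddress SAN for 127.0.0.1 in addition to the dNSName entry.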
