[Samba] Local account login failed when samba join to LDAP

FC Mario Patty fcmario76 at gmail.com
Wed Mar 26 09:43:45 MDT 2014


Johnson,
Is this a samba pdc or file server? A file server doesn't need the "domain
logons = yes" parameter. I'm going to check my configuration tomorrow, as
I'm at home right now. I believe it has something to do with pam.

# Switching passdb backend from ldap to tdbsam will surely bring back your local
samba account - that's where your local accounts live; wbinfo will give you
nothing unless you configured samba to be one and you got winbind running.


On Fri, Mar 21, 2014 at 4:53 PM, Johnson Cheng <
Johnson.Cheng at qsantechnology.com> wrote:

> Dears,
>
> My samba version is 3.6.4
> I have a problem getting it to work with an open LDAP server. When samba joins
> the open LDAP server, my local account can NOT log in to samba anymore; only
> the LDAP account can log in.
> When my samba goes back to standalone, the local account is OK. Did I miss
> something?
>
> The following are my configuration files; I list part of them:
> smb.conf
> server string = "Samba Server"
> workgroup = WORKGROUP
> security = user
> obey pam restrictions = yes
> passdb backend = ldapsam:ldap://192.168.8.143
> ldap admin dn = cn=admin, dc=ff,dc=com
> ldap suffix = dc=ff,dc=com
> domain logons = yes
> ldap ssl = off
> ldap passwd sync = yes
> ldap group suffix = ou=Groups
> ldap user suffix = ou=Users
> ldap machine suffix = ou=Machines
> ldap delete dn = yes
>
> nslcd.conf
> uid admin
> gid Administrator_Group
> uri ldap://192.168.8.143
> base dc=ff,dc=com
>
> /etc/nsswitch.conf
> passwd: files ldap
> group:  files ldap
> shadow: files ldap
>
> /etc/pam.d/samba
> auth    sufficient      /usr/lib/security/pam_ldap.so
> auth    sufficient      /usr/lib/security/pam_unix.so
> account sufficient      /usr/lib/security/pam_ldap.so
> account sufficient      /usr/lib/security/pam_unix.so
> session sufficient      /usr/lib/security/pam_ldap.so
> session sufficient      /usr/lib/security/pam_unix.so
>
> I can use an LDAP account to log in to samba via the command below,
> smbclient -L 192.168.8.75 -U kevin2%123456123456
>
> But when I use a local account to log in to samba via smbclient, it reports
> "session setup failed: NT_STATUS_LOGON_FAILURE"
> smbclient -L 192.168.8.75 -U qq%qq
>
> One interesting thing is that when I change "passdb backend =
> ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam", the local account
> can log in to samba but the LDAP account will fail to log in.
> Below is the samba debug output:
> [2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
>   smbldap_search_ext: base => [dc=ff,dc=com], filter =>
> [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
> [2014/03/21 17:44:25.781685,  4]
> passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
>   ldapsam_getsampwnam: Unable to locate user [qq] count=0
> [2014/03/21 17:44:25.781846,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/03/21 17:44:25.781931,  3]
> auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'qq' in passdb.
> [2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
>   check_ntlm_password: sam authentication for user [qq] FAILED with error
> NT_STATUS_NO_SUCH_USER
> [2014/03/21 17:44:25.782213, 10]
> auth/auth_winbind.c:50(check_winbind_security)
>   Check auth for: [qq]
> [2014/03/21 17:44:25.782293,  3]
> auth/auth_winbind.c:60(check_winbind_security)
>   check_winbind_security: Not using winbind, requested domain [WORKGROUP]
> was for this SAM.
> [2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
>   check_ntlm_password: winbind had nothing to say
> [2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with
> error NT_STATUS_NO_SUCH_USER
> [2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
>
> Any suggestion will be appreciated.
>
> Regards,
> Johnson
>
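
As an added example (not part of either poster's message and not Samba code): a small Python parser that undoes the mail quoting and line wraps in the debug log quoted above and reports, per user, the object class the ldapsam lookup required, how many LDAP entries matched, and the final status. The function names `records` and `trace_auth` are hypothetical.

```python
import re

# Excerpt of the smbd debug log quoted in the post, kept with its mail
# quoting ("> ") and line wraps so the parser has to undo both.
QUOTED_LOG = """\
> [2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
>   smbldap_search_ext: base => [dc=ff,dc=com], filter =>
> [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
> [2014/03/21 17:44:25.781685,  4]
> passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
>   ldapsam_getsampwnam: Unable to locate user [qq] count=0
> [2014/03/21 17:44:25.781931,  3]
> auth/check_samsec.c:399(check_sam_security)
>   check_sam_security: Couldn't find user 'qq' in passdb.
> [2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with
> error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+\]")

def records(text):
    """Strip mail quoting and rejoin wrapped lines into one string per log record."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"^>\s?", "", line).strip()
        if HEADER.match(line):
            out.append(line)
        elif out and line:
            out[-1] += " " + line
    return out

def trace_auth(text):
    """Summarise, per user, which passdb lookup ran and how the logon ended."""
    users = {}
    for rec in records(text):
        if m := re.search(r"filter => \[\(&\(uid=([^)]+)\)\(objectclass=(\w+)\)\)\]", rec):
            users.setdefault(m[1], {})["required_objectclass"] = m[2]
        if m := re.search(r"Unable to locate user \[([^\]]+)\] count=(\d+)", rec):
            users.setdefault(m[1], {})["ldap_matches"] = int(m[2])
        if m := re.search(r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (\w+)", rec):
            users.setdefault(m[1], {})["result"] = m[2]
    return users

if __name__ == "__main__":
    for user, info in trace_auth(QUOTED_LOG).items():
        print(user, info)
```

For `qq` the summary shows that the lookup required a `sambaSamAccount` entry in LDAP and matched none, which is why the logon ended in `NT_STATUS_NO_SUCH_USER` while the ldapsam backend was active.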

