Strange behavior with ldapsam.
Luciano Di Lucrezia
radiance at tin.it
Sat Nov 16 18:24:01 GMT 2002
after some not-so-successful searching on the mailing list archives, I
joined this mailing list to report a strange behavior of Samba's I have
found using the LDAP SAM backend, which hopefully may be of some
interest to the developers.
I'm using the LDAP backend mainly to have a single source of
authentication data for Unix and Windows on a server which may someday
grow to a cluster of servers. I've been experimenting with the two
versions of Samba available in Debian GNU/Linux (2.2.3 in the "stable"
branch and 2.999-3.0alpha in the "unstable" branch) and both work fine
even using LDAP over SSL (provided that the client connects to the
server using only the hostname specified in the server's certificate,
which has cost me more than 3 weeks of headaches), but there seems to be
a problem arising when the Samba server and the LDAP server (which in my
case is OpenLDAP 2.0.23) are not on the same machine.
The point is that a lot of connections are made to the LDAP server
(which may be ok), but some of them are done using the parameters
contained in smb.conf (which IS ok), and some others look like they are
made using "hardwired" defaults: namely, host localhost and port 389.
Actually, if I use a ssh tunnel to forward port 389 locally on the
"slave" Samba server, authentication works just fine. Otherwise,
smbclient fails and reports a NT_STATUS_LOGON_FAILURE.
Is there something I'm doing wrong (perhaps there's an hidden LDAP
parameter somewhere which I have overlooked?) or is this a real bug?
Additionally, when setting up the experimental slave server, I forgot to
specify the "encrypt passwords = yes" option, I could get smbclient to
authenticate one user, but not others. Perhaps it was thanks to PAM, but
I'm not sure and couldn't figure it out.
Any help would be appreciated. (-: Thanks in advance.
Luciano Di Lucrezia
_ ___ ____
| | /| / (_)_ / >>> aka Luciano Di Lucrezia
| |/ |/ / / / /_ . Radiance BBS: http://www.radiance.ods.org/
|__/|__/_/ /___/ . Ban Micro$oft from Universities! Support Free Software.
Sometimes, for a moment of bliss
and the passion we're craving,
there's a message we miss. (Dream Theater)
More information about the samba-technical