Strange behavior with ldapsam.

Ignacio Coupeau icoupeau at
Mon Nov 18 09:16:02 GMT 2002

Luciano Di Lucrezia wrote:
> Hello everybody,
> after some not-so-successful searching on the mailing list archives, I
> joined this mailing list to report a strange behavior of Samba's I have
> found using the LDAP SAM backend, which hopefully may be of some
> interest to the developers.
> I'm using the LDAP backend mainly to have a single source of
> authentication data for Unix and Windows on a server which may someday
> grow to a cluster of servers. I've been experimenting with the two
> versions of Samba available in Debian GNU/Linux (2.2.3 in the "stable"
> branch and 2.999-3.0alpha in the "unstable" branch) 

is better make the tests with the 2.2.6 stable version...

and both work fine
> even using LDAP over SSL (provided that the client connects to the
> server using only the hostname specified in the server's certificate,
> which has cost me more than 3 weeks of headaches), but there seems to be
> a problem arising when the Samba server and the LDAP server (which in my
> case is OpenLDAP 2.0.23) are not on the same machine.

it must work fine in different servers... always the startTLS need start 
with the server's FQDN or fails, you can use alias but is a bit OT (is 
documented in the OpenLdap list).

> The point is that a lot of connections are made to the LDAP server
> (which may be ok), but some of them are done using the parameters
> contained in smb.conf (which IS ok), and some others look like they are
> made using "hardwired" defaults: namely, host localhost and port 389.
> Actually, if I use a ssh tunnel to forward port 389 locally on the
> "slave" Samba server, authentication works just fine. Otherwise,
> smbclient fails and reports a NT_STATUS_LOGON_FAILURE.

when run the configure --with-ldapsam, brows the output for "start_tls 
yes"... if not, the libraries/includes are misplaced.

Also you can test an <ldap_distribution>/bin/ldapsearch -ZZ -h 
<FQDN_server_name> ...

if this fails, your problem is the ldap distribution/libs/binaries.

Ignacio Coupeau, Ph.D.     e-mail: icoupeau at
CTI, Director              fax:    948 425619
University of Navarra      voice:  948 425600
Pamplona, SPAIN  

More information about the samba-technical mailing list