Strange behavior with ldapsam.

Andrew Bartlett abartlet at
Mon Nov 18 09:34:00 GMT 2002

On Mon, 2002-11-18 at 20:15, Ignacio Coupeau wrote:
> Luciano Di Lucrezia wrote:
> > Hello everybody,
> > 
> > after some not-so-successful searching on the mailing list archives, I
> > joined this mailing list to report a strange behavior of Samba I have
> > found using the LDAP SAM backend, which hopefully may be of some
> > interest to the developers.
> > 
> > I'm using the LDAP backend mainly to have a single source of
> > authentication data for Unix and Windows on a server which may someday
> > grow to a cluster of servers. I've been experimenting with the two
> > versions of Samba available in Debian GNU/Linux (2.2.3 in the "stable"
> > branch and 2.999-3.0alpha in the "unstable" branch) 
> it is better to make the tests with the 2.2.6 stable version...
> and both work fine
> > even using LDAP over SSL (provided that the client connects to the
> > server using only the hostname specified in the server's certificate,
> > which has cost me more than 3 weeks of headaches), but there seems to be
> > a problem arising when the Samba server and the LDAP server (which in my
> > case is OpenLDAP 2.0.23) are not on the same machine.
> it must work fine on different servers... startTLS always needs to start
> with the server's FQDN or it fails; you can use an alias, but that is a bit
> OT (it is documented on the OpenLDAP list).
> > The point is that a lot of connections are made to the LDAP server
> > (which may be ok), but some of them are done using the parameters
> > contained in smb.conf (which IS ok), and some others look like they are
> > made using "hardwired" defaults: namely, host localhost and port 389.
> > Actually, if I use a ssh tunnel to forward port 389 locally on the
> > "slave" Samba server, authentication works just fine. Otherwise,
> > smbclient fails and reports a NT_STATUS_LOGON_FAILURE.
> > 
> when you run configure --with-ldapsam, browse the output for "start_tls
> yes"... if not, the libraries/includes are misplaced.

Just as a note here - in Samba 3.0, configuring --with-ldapsam does not
change the use of ldap.  Instead, we detect it based on headers etc, and
build it as an optional module.  

However, we changed the parameters around a bit - see 'passdb backend'
in smb.conf(5).  I re-added the --with-ldapsam option to configure, and
now it controls a 'backwards compatibility mode', where we should
operate with Samba 2.2 compatible settings.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at