Samba on HP-UX 11i, MC ServiceGuard, Network aliases, LDAP issue - Samba does not seem to see lmPassword or ntPassword for *some* accounts.

Don McCall donmccall1 at yahoo.com
Fri Sep 12 18:47:32 GMT 2003


The failure you are seeing comes when Samba is using getpwnam() with the username; this should work with LDAP, but it's going to be getting THIS information NOT from the 'sambaAccount' object, but from the POSIX account object, the one that has the uid and gid, etc. for the user. Look at ALL attributes for the broken and working user, and I think you will find that on the broken one, you may ONLY have the sambaAccount object, which won't be sufficient.
I think.
I haven't played with the ldap stuff enough to be sure.
Don

ulairi <ulairi at ulairi.org> wrote:
Hi all. Trying to troubleshoot an odd problem.

OS: HP-UX 11i
Samba: 2.2.8a with --ldap-sam, linked against an OpenLDAP SDK.

Issue: *some* people cannot login - error is: NT_STATUS_LOGON_FAILURE

Both a working account and a "broken" account have ObjectClass:
sambaAccount and both objects have lmPassword and ntPassword attributes
set. Here's the debug dump snippet from a 'broken' account login
attempt:
(XXXXXXXXXXXX's represent information I do not feel like sharing at the
moment) :)

ldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
ldap_connect_system: succesful connection to the LDAP server
ldap_search_one_user: searching
for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
Entry found for user: atellez
get_single_attribute: [pwdLastSet] = [1063319146]
get_single_attribute: [logonTime] = []
get_single_attribute: [logoffTime] = []
get_single_attribute: [kickoffTime] = []
get_single_attribute: [pwdCanChange] = []
get_single_attribute: [pwdMustChange] = []
get_single_attribute: [cn] = [Armando Tellez]
get_single_attribute: [homeDrive] = []
get_single_attribute: [smbHome] = []
get_single_attribute: [scriptPath] = []
get_single_attribute: [profilePath] = []
get_single_attribute: [description] = []
get_single_attribute: [userWorkstations] = []
get_single_attribute: [rid] = [100416]
get_single_attribute: [primaryGroupID] = []
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
NT Password did not match for user 'atellez'!
Defaulting to Lanman password for atellez
ldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
ldap_connect_system: succesful connection to the LDAP server
ldap_search_one_user: searching
for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
Entry found for user: atellez
get_single_attribute: [pwdLastSet] = [1063319146]
get_single_attribute: [logonTime] = []
get_single_attribute: [logoffTime] = []
get_single_attribute: [kickoffTime] = []
get_single_attribute: [pwdCanChange] = []
get_single_attribute: [pwdMustChange] = []
get_single_attribute: [cn] = [Armando Tellez]
get_single_attribute: [homeDrive] = []
get_single_attribute: [smbHome] = []
get_single_attribute: [scriptPath] = []
get_single_attribute: [profilePath] = []
get_single_attribute: [description] = []
get_single_attribute: [userWorkstations] = []
get_single_attribute: [rid] = [100416]
get_single_attribute: [primaryGroupID] = []
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
Rejecting user 'atellez': authentication failed
error packet at smbd/reply.c(1025) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE


Here's the same snippet for an account which works:

ldap_connect_system: succesful connection to the LDAP server
ldap_search_one_user: searching
for:[(&(uid=ulairi)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [ulairi]
Entry found for user: ulairi
get_single_attribute: [pwdLastSet] = [1062707545]
get_single_attribute: [logonTime] = [0]
get_single_attribute: [logoffTime] = [2147483647]
get_single_attribute: [kickoffTime] = [2147483647]
get_single_attribute: [pwdCanChange] = [0]
get_single_attribute: [pwdMustChange] = [2147483647]
get_single_attribute: [cn] = [Me]
get_single_attribute: [homeDrive] = []
get_single_attribute: [smbHome] = [\\%N\]
get_single_attribute: [scriptPath] = []
get_single_attribute: [profilePath] = [\\%N\\profile]
get_single_attribute: [description] = [Ulairi's account. Whatcha want?]
get_single_attribute: [userWorkstations] = []
get_single_attribute: [rid] = [161010]
get_single_attribute: [primaryGroupID] = [11007]
get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [acctFlags] = [[UX ]]
adding home directory ulairi at /home/users0/ccs/ulairi
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003,
59005, 10058, 5033
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003,
59005, 10058, 5033
uid 161010 registered to name ulairi
Clearing default real name


TCPDump shows that in both cases the lmPassword and ntPassword
attributes actually make it onto the box's NIC and up the stack, but in
the first instance (the 'broken account'), the debug output does not show
those.

What would cause this behavior - samba, for all intents and purposes,
ignoring the lmPassword and ntPassword LDAP attributes for one uid but
not for another? I've tried debug levels all the way up to 20, but
cannot seem to determine what causes this (quite possibly because I have
no clue what I'm looking for). 

Help, pointers to RTFM with hints as to for what to look are all
appreciated.
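
In the two debug excerpts above, the failing lookup reports no uid right after `primaryGroupID`, before `lmPassword` or `ntPassword` are read, while the working lookup goes on to read both. The following is an added example, not part of the original posts or of Samba: it parses smbd debug output and lists users whose load stopped at that point. The function names and the trimmed sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the two excerpts in this thread, hashes replaced.
SAMPLE_LOG = """\
ldap_search_one_user: searching
for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
get_single_attribute: [rid] = [100416]
get_single_attribute: [primaryGroupID] = []
init_sam_from_ldap: User [atellez] does not ave a uid!
ldap_search_one_user: searching
for:[(&(uid=ulairi)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [ulairi]
get_single_attribute: [rid] = [161010]
get_single_attribute: [primaryGroupID] = [11007]
get_single_attribute: [lmPassword] = [REDACTED]
get_single_attribute: [ntPassword] = [REDACTED]
get_single_attribute: [acctFlags] = [[UX ]]
"""

SEARCH = re.compile(r"\(uid=([^)]+)\)\(objectclass=sambaAccount\)")
ATTR = re.compile(r"^get_single_attribute: \[(\w+)\] = \[(.*)\]$")
# The message is spelled "ave" in the log above; "h?" also accepts "have".
NO_UID = re.compile(r"^init_sam_from_ldap: User \[([^\]]+)\] does not h?ave a uid!")

def summarize(log_text):
    """Per user: attributes smbd read, and whether the 'no uid' message appeared."""
    users = defaultdict(lambda: {"attrs": set(), "no_unix_uid": False})
    current = None
    for line in log_text.splitlines():
        line = line.strip()
        if (m := SEARCH.search(line)):
            current = m.group(1)
            users[current]  # create the entry even if no attribute follows
        elif (m := ATTR.match(line)) and current:
            users[current]["attrs"].add(m.group(1))
        elif (m := NO_UID.match(line)):
            users[m.group(1)]["no_unix_uid"] = True
    return dict(users)

def aborted_before_passwords(log_text):
    """Users whose load stopped at the uid check with no password attribute read."""
    needed = {"lmPassword", "ntPassword"}
    return sorted(user for user, info in summarize(log_text).items()
                  if info["no_unix_uid"] and not needed & info["attrs"])

if __name__ == "__main__":
    for user in aborted_before_passwords(SAMPLE_LOG):
        print(f"{user}: stopped at uid check; test whether getpwnam() resolves it")
```

For each user it reports, the next check is whether the name resolves on the Samba host through getpwnam(), as suggested in the reply at the top of this message.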



More information about the samba-technical mailing list