Samba on HP-UX 11i, MC ServiceGuard, Network aliases, LDAP issue - Samba does not seem to see lmPassword or ntPassword for *some* accounts.

ulairi ulairi at ulairi.org
Fri Sep 12 20:11:21 GMT 2003


Hrmmm... If I understand you correctly, you're saying that the atellez
object needs to have PosixAccount attribs in addition to the
sambaAccount ones (objectclass and all). If that is the case, both the
"broken" and the "working" objects are fully decorated as posixAccount
objects.

Neither of the UIDs is in /etc/passwd; uid=ulairi and uid=atellez
are in LDAP only.

What else can it be?


On Fri, 2003-09-12 at 11:47, Don McCall wrote:
> the failure you are seeing comes when samba is using getpwnam() with
> the username; this should work with ldap, but it's going to be getting
> THIS information NOT from the 'sambaAccount' object, but from the
> posix account object, the one that has the uid and gid, etc for the
> user.  Look at ALL attributes for the broken and working user, and I
> think you will find that on the broken one, you may ONLY have the
> sambaAccount object, which won't be sufficient.
> I think.
> I haven't played with the ldap stuff enough to be sure.
> Don
> 
> ulairi <ulairi at ulairi.org> wrote:
>         Hi all. Trying to troubleshoot an odd problem.
>         
>         OS: HP-UX 11i
>         Samba: 2.2.8a with --ldap-sam, linked against an OpenLDAP SDK.
>         
>         Issue: *some* people cannot login - error is:
>         NT_STATUS_LOGON_FAILURE
>         
>         Both a working account and a "broken" account have ObjectClass:
>         sambaAccount and both objects have lmPassword and ntPassword
>         attributes set. Here's the debug dump snippet from a 'broken'
>         account login attempt:
>         (XXXXXXXXXXXX's represent information I do not feel like sharing
>         at the moment) :)
>         
>         ldap_open_connection: connection opened
>         ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
>         ldap_connect_system: succesful connection to the LDAP server
>         ldap_search_one_user: searching for:[(&(uid=atellez)(objectclass=sambaAccount))]
>         get_single_attribute: [uid] = [atellez]
>         Entry found for user: atellez
>         get_single_attribute: [pwdLastSet] = [1063319146]
>         get_single_attribute: [logonTime] = []
>         get_single_attribute: [logoffTime] = []
>         get_single_attribute: [kickoffTime] = []
>         get_single_attribute: [pwdCanChange] = []
>         get_single_attribute: [pwdMustChange] = []
>         get_single_attribute: [cn] = [Armando Tellez]
>         get_single_attribute: [homeDrive] = []
>         get_single_attribute: [smbHome] = []
>         get_single_attribute: [scriptPath] = []
>         get_single_attribute: [profilePath] = []
>         get_single_attribute: [description] = []
>         get_single_attribute: [userWorkstations] = []
>         get_single_attribute: [rid] = [100416]
>         get_single_attribute: [primaryGroupID] = []
>         init_sam_from_ldap: User [atellez] does not ave a uid!
>         pass_check_smb failed - invalid password for user [atellez]
>         NT Password did not match for user 'atellez'!
>         Defaulting to Lanman password for atellez
>         ldap_open_connection: connection opened
>         ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
>         ldap_connect_system: succesful connection to the LDAP server
>         ldap_search_one_user: searching for:[(&(uid=atellez)(objectclass=sambaAccount))]
>         get_single_attribute: [uid] = [atellez]
>         Entry found for user: atellez
>         get_single_attribute: [pwdLastSet] = [1063319146]
>         get_single_attribute: [logonTime] = []
>         get_single_attribute: [logoffTime] = []
>         get_single_attribute: [kickoffTime] = []
>         get_single_attribute: [pwdCanChange] = []
>         get_single_attribute: [pwdMustChange] = []
>         get_single_attribute: [cn] = [Armando Tellez]
>         get_single_attribute: [homeDrive] = []
>         get_single_attribute: [smbHome] = []
>         get_single_attribute: [scriptPath] = []
>         get_single_attribute: [profilePath] = []
>         get_single_attribute: [description] = []
>         get_single_attribute: [userWorkstations] = []
>         get_single_attribute: [rid] = [100416]
>         get_single_attribute: [primaryGroupID] = []
>         init_sam_from_ldap: User [atellez] does not ave a uid!
>         pass_check_smb failed - invalid password for user [atellez]
>         Rejecting user 'atellez': authentication failed
>         error packet at smbd/reply.c(1025) cmd=115 (SMBsesssetupX)
>         NT_STATUS_LOGON_FAILURE
>         
>         
>         Here's the same snippet for an account which works:
>         
>         ldap_connect_system: succesful connection to the LDAP server
>         ldap_search_one_user: searching for:[(&(uid=ulairi)(objectclass=sambaAccount))]
>         get_single_attribute: [uid] = [ulairi]
>         Entry found for user: ulairi
>         get_single_attribute: [pwdLastSet] = [1062707545]
>         get_single_attribute: [logonTime] = [0]
>         get_single_attribute: [logoffTime] = [2147483647]
>         get_single_attribute: [kickoffTime] = [2147483647]
>         get_single_attribute: [pwdCanChange] = [0]
>         get_single_attribute: [pwdMustChange] = [2147483647]
>         get_single_attribute: [cn] = [Me]
>         get_single_attribute: [homeDrive] = []
>         get_single_attribute: [smbHome] = [\\%N\]
>         get_single_attribute: [scriptPath] = []
>         get_single_attribute: [profilePath] = [\\%N\\profile]
>         get_single_attribute: [description] = [Ulairi's account. Whatcha want?]
>         get_single_attribute: [userWorkstations] = []
>         get_single_attribute: [rid] = [161010]
>         get_single_attribute: [primaryGroupID] = [11007]
>         get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
>         get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
>         get_single_attribute: [acctFlags] = [[UX ]]
>         adding home directory ulairi at /home/users0/ccs/ulairi
>         push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>         push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>         setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>         get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003, 59005, 10058, 5033
>         pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>         get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003, 59005, 10058, 5033
>         uid 161010 registered to name ulairi
>         Clearing default real name
>         
>         
>         TCPDump shows that in both cases the lmPassword and ntPassword
>         attributes actually make it onto the box's NIC and up the stack,
>         but in the first instance (the 'broken account'), the debug output
>         does not show those.
>         
>         What would cause this behavior - samba, for all intents and
>         purposes, ignoring the lmPassword and ntPassword LDAP attributes
>         for one uid but not for another? I've tried debug levels all the
>         way up to 20, but cannot seem to determine what causes this (quite
>         possibly because I have no clue what I'm looking for).
>         
>         Help, pointers to RTFM with hints as to for what to look are all
>         appreciated.
> 




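The triage suggested by the thread, as an added example that comes from neither poster nor the Samba project: it groups smbd debug lines per user and flags accounts where `init_sam_from_ldap` reported no uid before `lmPassword`/`ntPassword` were read, and `nss_resolves()` asks the host's `getpwnam()` directly. The sample log is constructed from the lines quoted above; the function names are assumptions.

```python
import pwd
import re

# Constructed sample, shaped like the smbd debug lines quoted in the thread.
SAMPLE_LOG = """\
ldap_search_one_user: searching for:[(&(uid=atellez)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [atellez]
get_single_attribute: [rid] = [100416]
get_single_attribute: [primaryGroupID] = []
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
ldap_search_one_user: searching for:[(&(uid=ulairi)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [ulairi]
get_single_attribute: [primaryGroupID] = [11007]
get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
uid 161010 registered to name ulairi
"""

# Patterns tolerate mail-wrapped lines: only the stable part of each is matched.
SEARCH = re.compile(r"for:\[\(&\(uid=([^)]+)\)")
ATTR = re.compile(r"get_single_attribute: \[(\w+)\]")
NO_UID = re.compile(r"init_sam_from_ldap: User \[([^\]]+)\] does not ave a uid!")

def triage(log_text):
    """Per user: which attributes smbd read, and whether the uid lookup failed."""
    users, current = {}, None
    for line in log_text.splitlines():
        line = line.lstrip("> \t")  # accept logs pasted from a quoted e-mail
        if m := SEARCH.search(line):
            current = users.setdefault(m.group(1), {"attrs": set(), "no_uid": False})
        elif (m := ATTR.search(line)) and current is not None:
            current["attrs"].add(m.group(1))
        elif m := NO_UID.search(line):
            users.setdefault(m.group(1), {"attrs": set(), "no_uid": False})["no_uid"] = True
    return {
        name: "unix lookup failed before password attributes were read"
        if u["no_uid"] and not {"lmPassword", "ntPassword"} <= u["attrs"]
        else "ok"
        for name, u in users.items()
    }

def nss_resolves(username):
    """True if getpwnam() on this host resolves the name (files, LDAP, ...)."""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False
```

Run `nss_resolves()` on the Samba host itself for every user `triage()` flags, since the result depends on that host's name-service configuration.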