Samba on HP-UX 11i, MC ServiceGuard, Network aliases, LDAP issue - Samba does not seem to see lmPassword or ntPassword for *some* accounts.

ulairi ulairi at ulairi.org
Mon Sep 22 16:16:15 GMT 2003


Figured it out - you were right, but with a twist (HP-UX, grin).

We use LDAP-UX at the backend, and it seems that unless LDAP-UX finds a
host: <localhostname> attribute in the user's object, the getpwnam()
function call will return a null. Since LDAP-UX is based on PADL
software, there should be a way to override that (I hope) - but that is
for a different list. :)


On Fri, 2003-09-12 at 11:47, Don McCall wrote:
> The failure you are seeing comes when samba is using getpwnam() with
> the username; this should work with ldap, but it's going to be getting
> THIS information NOT from the 'sambaAccount' object, but from the
> posix account object, the one that has the uid and gid, etc for the
> user.  Look at ALL attributes for the broken and working user, and I
> think you will find that on the broken one, you may ONLY have the
> sambaAccount object, which won't be sufficient.
> I think.
> I haven't played with the ldap stuff enough to be sure.
> Don
> 
> ulairi <ulairi at ulairi.org> wrote:
>         Hi all. Trying to troubleshoot an odd problem.
>         
>         OS: HP-UX 11i
>         Samba: 2.2.8a with --ldap-sam, linked against an OpenLDAP SDK.
>         
>         Issue: *some* people cannot login - error is:
>         NT_STATUS_LOGON_FAILURE
>         
>         Both a working account and a "broken" account have ObjectClass:
>         sambaAccount and both objects have lmPassword and ntPassword
>         attributes set. Here's the debug dump snippet from a 'broken'
>         account login attempt:
>         (XXXXXXXXXXXX's represent information I do not feel like sharing
>         at the moment) :)
>         
>         ldap_open_connection: connection opened
>         ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
>         ldap_connect_system: succesful connection to the LDAP server
>         ldap_search_one_user: searching for:[(&(uid=atellez)(objectclass=sambaAccount))]
>         get_single_attribute: [uid] = [atellez]
>         Entry found for user: atellez
>         get_single_attribute: [pwdLastSet] = [1063319146]
>         get_single_attribute: [logonTime] = []
>         get_single_attribute: [logoffTime] = []
>         get_single_attribute: [kickoffTime] = []
>         get_single_attribute: [pwdCanChange] = []
>         get_single_attribute: [pwdMustChange] = []
>         get_single_attribute: [cn] = [Armando Tellez]
>         get_single_attribute: [homeDrive] = []
>         get_single_attribute: [smbHome] = []
>         get_single_attribute: [scriptPath] = []
>         get_single_attribute: [profilePath] = []
>         get_single_attribute: [description] = []
>         get_single_attribute: [userWorkstations] = []
>         get_single_attribute: [rid] = [100416]
>         get_single_attribute: [primaryGroupID] = []
>         init_sam_from_ldap: User [atellez] does not ave a uid!
>         pass_check_smb failed - invalid password for user [atellez]
>         NT Password did not match for user 'atellez'!
>         Defaulting to Lanman password for atellez
>         ldap_open_connection: connection opened
>         ldap_connect_system: Binding to ldap server as "XXXXXXXXXXXXXXXXXXXXXXX"
>         ldap_connect_system: succesful connection to the LDAP server
>         ldap_search_one_user: searching for:[(&(uid=atellez)(objectclass=sambaAccount))]
>         get_single_attribute: [uid] = [atellez]
>         Entry found for user: atellez
>         get_single_attribute: [pwdLastSet] = [1063319146]
>         get_single_attribute: [logonTime] = []
>         get_single_attribute: [logoffTime] = []
>         get_single_attribute: [kickoffTime] = []
>         get_single_attribute: [pwdCanChange] = []
>         get_single_attribute: [pwdMustChange] = []
>         get_single_attribute: [cn] = [Armando Tellez]
>         get_single_attribute: [homeDrive] = []
>         get_single_attribute: [smbHome] = []
>         get_single_attribute: [scriptPath] = []
>         get_single_attribute: [profilePath] = []
>         get_single_attribute: [description] = []
>         get_single_attribute: [userWorkstations] = []
>         get_single_attribute: [rid] = [100416]
>         get_single_attribute: [primaryGroupID] = []
>         init_sam_from_ldap: User [atellez] does not ave a uid!
>         pass_check_smb failed - invalid password for user [atellez]
>         Rejecting user 'atellez': authentication failed
>         error packet at smbd/reply.c(1025) cmd=115 (SMBsesssetupX)
>         NT_STATUS_LOGON_FAILURE
>         
>         
>         Here's the same snippet for an account which works:
>         
>         ldap_connect_system: succesful connection to the LDAP server
>         ldap_search_one_user: searching for:[(&(uid=ulairi)(objectclass=sambaAccount))]
>         get_single_attribute: [uid] = [ulairi]
>         Entry found for user: ulairi
>         get_single_attribute: [pwdLastSet] = [1062707545]
>         get_single_attribute: [logonTime] = [0]
>         get_single_attribute: [logoffTime] = [2147483647]
>         get_single_attribute: [kickoffTime] = [2147483647]
>         get_single_attribute: [pwdCanChange] = [0]
>         get_single_attribute: [pwdMustChange] = [2147483647]
>         get_single_attribute: [cn] = [Me]
>         get_single_attribute: [homeDrive] = []
>         get_single_attribute: [smbHome] = [\\%N\]
>         get_single_attribute: [scriptPath] = []
>         get_single_attribute: [profilePath] = [\\%N\\profile]
>         get_single_attribute: [description] = [Ulairi's account. Whatcha want?]
>         get_single_attribute: [userWorkstations] = []
>         get_single_attribute: [rid] = [161010]
>         get_single_attribute: [primaryGroupID] = [11007]
>         get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
>         get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
>         get_single_attribute: [acctFlags] = [[UX ]]
>         adding home directory ulairi at /home/users0/ccs/ulairi
>         push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>         push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>         setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>         get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003, 59005, 10058, 5033
>         pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>         get_current_groups: user is in 8 groups: 5003, 59000, 301, 5250, 1003, 59005, 10058, 5033
>         uid 161010 registered to name ulairi
>         Clearing default real name
>         
>         
>         TCPDump shows that in both cases the lmPassword and ntPassword
>         attributes actually make it onto the box's NIC and up the stack,
>         but in the first instance (the 'broken account'), the debug
>         output does not show those.
>         
>         What would cause this behavior - samba, for all intents and
>         purposes, ignoring the lmPassword and ntPassword LDAP attributes
>         for one uid but not for another? I've tried debug levels all the
>         way up to 20, but cannot seem to determine what causes this
>         (quite possibly because I have no clue what I'm looking for).
>         
>         Help, pointers to RTFM with hints as to for what to look are all
>         appreciated.
> 




More information about the samba-technical mailing list
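
The failure mode this thread settles on, as an added example (not code from Samba or from either poster): a triage script that reads smbd debug output in the format quoted above, separates logons that stopped at the POSIX lookup from those where the password hashes were read, and re-checks getpwnam() for the failed names on the current host. The sample log is constructed from lines in the thread, and the function names and status labels are this example's own.

```python
import pwd
import re

# Constructed sample: smbd debug lines in the format quoted in this thread.
SAMPLE_LOG = """\
ldap_search_one_user: searching for:[(&(uid=atellez)(objectclass=sambaAccount))]
Entry found for user: atellez
init_sam_from_ldap: User [atellez] does not ave a uid!
pass_check_smb failed - invalid password for user [atellez]
ldap_search_one_user: searching for:[(&(uid=ulairi)(objectclass=sambaAccount))]
Entry found for user: ulairi
get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
uid 161010 registered to name ulairi
"""

# The quoted log spells the message "does not ave a uid!"; accept "have" too.
FOUND = re.compile(r"Entry found for user: (\S+)")
NO_UID = re.compile(r"init_sam_from_ldap: User \[([^\]]+)\] does not h?ave a uid!")
HASH_ATTR = re.compile(r"get_single_attribute: \[(lmPassword|ntPassword)\]")

def classify(log_text):
    """Map each user to 'posix-lookup-failed', 'hashes-read' or 'incomplete'."""
    result, current = {}, None
    for line in log_text.splitlines():
        m = FOUND.search(line)
        if m:
            current = m.group(1)
            result.setdefault(current, "incomplete")
            continue
        m = NO_UID.search(line)
        if m:
            # sambaAccount entry was found, but no POSIX uid could be resolved
            result[m.group(1)] = "posix-lookup-failed"
        elif current and HASH_ATTR.search(line) and result[current] == "incomplete":
            result[current] = "hashes-read"
    return result

def resolves_locally(username):
    """True if getpwnam() on this host returns an entry for username."""
    try:
        pwd.getpwnam(username)
        return True
    except KeyError:
        return False

def report(log_text):
    """Re-check getpwnam() now for every user whose POSIX lookup failed in the log."""
    return {user: resolves_locally(user)
            for user, status in classify(log_text).items()
            if status == "posix-lookup-failed"}
```

A user that `report()` maps to `False` still fails the name-service lookup on the host where the script runs, which points at the directory entry or NSS configuration rather than at the stored hashes.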