SAMBA4 provision against LDAP backend getting SASL error

Joe Comeaux joe.comeaux at
Fri Dec 3 10:11:26 MST 2010

Attempting to get Samba4 installed using an OpenLDAP back end on an Ubuntu
Linux install (10.10).
Currently getting :
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL(-13): user
not found: no secret in database>
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL(-13):
authentication failure: incorrect NTLM response>
errors, depending on name mangling against the LDAP back end.

Technical details as follows :
clean ubuntu 10.10 install
instructions of installation of openldap and samba4 taken mainly from two

openldap 2.4.23 installed from repository ( sudo apt-get install slapd
ldap-utils ssl-cert gnutls-bin )
basic ldap population :
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif

/etc/init.d/slapd start

vi ~/backend.ldif
--begin backend.ldif--
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by
anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
--end backend.ldif--
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f ~/backend.ldif
vi ~/frontend.ldif
--begin frontend.ldif--
# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectclass: organization
o: Example Organization
dc: Example
description: LDAP Example

# Admin user.
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

# Test user John.
dn: uid=john,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 1000
gidNumber: 10000
userPassword: password
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: john.doe at
postalCode: 31000
l: Toulouse
o: Example
mobile: +33 (0)6 xx xx xx xx
homePhone: +33 (0)5 xx xx xx xx
title: System Administrator
initials: JD
--end frontend.ldif--
sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f frontend.ldif

verify ldap installed and working properly, everything checks out
sudo ldapsearch -xLLL -D "cn=admin,dc=example,dc=com" -W -b
displays elements in directory properly

Next up, samba4 installation from repository
sudo apt-get install samba4 samba4-clients bind9
( missing library /usr/lmodules/ldb/ referenced by provision script
created manually )
sudo mkdir /usr/modules
sudo mkdir /usr/modules/ldb
sudo ln -s /usr/lib/ldb/ /usr/modules/ldb/
( provision script can't start second instance of slapd, so stop the first
one )
sudo /etc/init.d/slapd stop
( provision script references ldap back end at
/var/lib/samba/private/ldap/slapd.d, so i remove current -blank- directory,
and just create symlink to actual ldap back end )
sudo rmdir /var/lib/samba/private/ldap/slapd.d
sudo ln -s /etc/ldap/slapd.d /var/lib/samba/private/ldap/slapd.d
( time to launch provision script. latest ubuntu provision script compiled
against incorrect, so need to fix that with LD parameter )
sudo LD_PRELOAD=/usr/lib/
/usr/share/samba/setup/provision --domain=EXAMPLE
--server-role='domain controller'
--simple-bind-dn="cn=admin,dc=example,dc=com" --password=secret
--adminpass=secret --ldap-backend-type=openldap
--slapd-path="/usr/sbin/slapd" --username="cn=admin,dc=example,dc=com"

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL(-13): user
not found: no secret in database> <>
Failed to connect to 'ldapi://%2Fvar%2Flib%2Fsamba%2Fprivate%2Fldap%2Fldapi'

modifying vi /usr/lib/python2.6/dist-packages/samba/ and
changing debug level to 99 yields :
do_bind: dn () SASL mech NTLM
slap_sasl_getdn: u:id converted to uid=samba-admin,cn=NTLM,cn=auth
>>> dnNormalize: <uid=samba-admin,cn=NTLM,cn=auth>
<<< dnNormalize: <uid=samba-admin,cn=ntlm,cn=auth>
==>slap_sasl2dn: converting SASL name uid=samba-admin,cn=ntlm,cn=auth to a
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL [conn=1008] Failure: no secret in database
( doesnt look like username nor bind-dn parameters are really doing
anything, still trying to authenticate with uid=samba-admin... )
( try to fix it with Regexp, convert samba-admin to rootdn of ldap to see if
that does anything )

adding olcAuthzRegexp: {0}uid=samba-admin,cn=ntlm,cn=auth
changes error to :
Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <SASL(-13):
authentication failure: incorrect NTLM response> <>
( now, authenticating as uid=samba-admin gets converted to
cn=admin,dc=example,dc=com, but now getting NTLM response )

I've tried numerous variations on the provision parameters, but can't find
any that seem to work. Any idea what I'm missing here?
-Joe Comeaux

More information about the samba-technical mailing list