Samba with LDAP backend :: Invalid credentials.

praveenkv1988 praveen at happy-hosting.com
Wed Oct 27 08:11:11 MDT 2010


I just wanted to try out Samba, so I installed it on a CentOS 5.5 64-bit
server. The version I used is 3.5.6.

I followed this guide.
http://www.howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend

LDAP is working fine. When I run the following command (net groupmap list),
I get the error.

Here is the error:
[root at server1 samba]# net groupmap list
[2010/10/26 16:26:09.135901,  0] lib/smbldap.c:1151(smbldap_connect_system)
  failed to bind to server ldap://127.0.0.1 / with
dn="cn=root,dc=mtm,dc=testdomain,dc=com" Error: Invalid credentials
  
[2010/10/26 16:26:39.180063,  0] passdb/pdb_ldap.c:3448(ldapsam_setsamgrent)
  ldapsam_setsamgrent: LDAP search failed: Time limit exceeded
[2010/10/26 16:26:39.180109,  0]
passdb/pdb_ldap.c:3523(ldapsam_enum_group_mapping)
  ldapsam_enum_group_mapping: Unable to open passdb

I am sure that I set the correct password with: smbpasswd -w mypassword

I am able to use ldapsearch with the password. Also, phpldapadmin works. But
samba fails.

Here is the smb.conf

# Global parameters
# Reviewer notes: this listing was pasted into an e-mail, so a few long values
# wrapped onto a following line ("passwd chat", "delete user from group script"),
# and "dc=c om" is presumably "dc=com" -- Samba's own error output shows
# dn="cn=root,dc=mtm,dc=testdomain,dc=com".
[global]
	# Simple binds to the directory go in the clear. Only acceptable while slapd
	# is reachable on loopback alone; the slapd log shows it listening on 0.0.0.0:389.
	ldap ssl = off
	nt acl support = yes
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE
	workgroup = TESTDOMAIN
	netbios name = SERVER1
	security = user
	enable privileges = yes
	#interfaces = 192.168.5.11
	#username map = /etc/samba/smbusers
	server string = Samba Server %v
	#security = ads
	encrypt passwords = Yes
	#min passwd length = 3
	#pam password change = no
	#obey pam restrictions = No

	# method 1:
	#unix password sync = no
	#ldap passwd sync = yes

	# method 2: smbd changes the Unix/LDAP password itself by driving
	# smbldap-passwd through the chat script below (value wrapped by the mailer).
	unix password sync = yes
	ldap passwd sync = no
	passwd program = /usr/sbin/smbldap-passwd -u "%u"
	passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*"
%n\n"

	# Maximum debug level: the per-user log.%U files grow quickly and carry
	# verbose protocol detail. Keep the log directory restricted and lower this
	# once the bind problem is diagnosed.
	log level = 10
	syslog = 0
	log file = /var/log/samba/log.%U
	max log size = 50
	time server = Yes
	#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	mangling method = hash2
	Dos charset = 850
	Unix charset = ISO8859-1

	# logon.bat is served from the [netlogon] share and executed by clients at
	# logon, so that share must not be writable by ordinary users.
	logon script = logon.bat
	logon drive = H:
        logon home = 
        logon path = 

	domain logons = Yes
	domain master = Yes
	os level = 65
	preferred master = Yes
	wins support = yes
	# ldapsam bind target; with "ldap ssl = off" this is an unencrypted simple bind.
	passdb backend = ldapsam:ldap://127.0.0.1/
	# DN Samba binds as. The password it sends is the one stored with "smbpasswd -w",
	# and that stored secret is tied to this DN -- NOTE(review): re-run smbpasswd -w
	# after any change to this line and confirm the DN matches what slapd expects.
	# The slapd log shows the simple bind (method=128) as this DN answered with err=49.
	ldap admin dn = cn=root,dc=mtm,dc=testdomain,dc=c om
	#ldap admin dn = cn=samba,ou=DSA,dc=company,dc=c om
	ldap suffix = dc=mtm,dc=testdomain,dc=c om
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
	#ldap idmap suffix = ou=Idmap
	# Provisioning hooks: smbd runs these with its own (root) privileges, passing
	# the substituted %u/%g values to the smbldap-tools scripts.
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        #ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

	# printers configuration
	#printer admin = @"Print Operators"
	load printers = Yes
	create mask = 0640
	directory mask = 0750
	#force create mode = 0640
	#force directory mode = 0750
	#nt acl support = No
	printing = cups
	printcap name = cups
	deadtime = 10
	guest account = nobody
	# Unknown user names are mapped to the guest account above; together with the
	# "guest ok = yes" shares below this grants unauthenticated clients access to them.
	map to guest = Bad User
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	show add printer wizard = yes
	; to maintain capital letters in shortcuts in any of the profile folders:
	preserve case = yes
	short preserve case = yes
	case sensitive = no

[netlogon]
	# Holds logon.bat (see "logon script" in [global]); clients execute it at
	# logon, so the share is correctly exported read only and hidden from browsing.
	path = /home/netlogon/
	browseable = No
	read only = yes

[profiles]
	path = /home/profiles
	read only = no
	create mask = 0600
	directory mask = 0700
	browseable = No
	# With "map to guest = Bad User" in [global] and the share writable, an
	# unauthenticated client can read and write roaming profiles here; the
	# "valid users" restriction below is commented out.
	guest ok = Yes
	profile acls = yes
	csc policy = disable
	# next line is a great way to secure the profiles 
	#force user = %U 
	# next line allows administrator to access all profiles 
	#valid users = %U "Domain Admins"

[printers]
        comment = Network Printers
        #printer admin = @"Print Operators"
        # Anonymous printing is allowed (see "map to guest" in [global]).
        guest ok = yes 
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        # "printable" is set a second time here; harmless, but only one is needed.
        printable = Yes
        # Print job commands; %p/%s/%j are substituted by smbd before execution.
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j
        # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
        # lpq command = /usr/bin/lpq -U%U@%M -P%p
        # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
        # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
        # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
        # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
        # queueresume command = /usr/sbin/lpc -U%U@%M start %p

[print$]
        # Printer driver store: no guest access, restricted to the Print Operators
        # group, and only that group may write (upload drivers).
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
	# Anonymous, writable share exported straight from the system /tmp: whatever
	# clients drop here is visible to every local process, and local files land
	# in the share. A dedicated directory is safer than /tmp.
	path = /tmp
	guest ok = yes
	browseable = Yes
	writable = yes

============================================================

Here is the ldap log.

==============================================================
Oct 27 12:07:51 server1 slapd[25420]: slapd starting 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 fd=13 ACCEPT from
IP=127.0.0.1:57574 (IP=0.0.0.0:389) 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 op=0 BIND dn="" method=128 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 op=0 RESULT tag=97 err=0 text= 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 op=1 SRCH
base="cn=root,dc=mtm,dc=testdomain,dc=com" scope=2 deref=0
filter="(objectClass=*)" 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 op=2 UNBIND 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text= 
Oct 27 12:08:32 server1 slapd[25420]: conn=0 fd=13 closed 
Oct 27 12:09:21 server1 slapd[25420]: conn=1 fd=13 ACCEPT from
IP=127.0.0.1:57575 (IP=0.0.0.0:389) 
Oct 27 12:09:21 server1 slapd[25420]: conn=1 op=0 BIND
dn="cn=root,dc=mtm,dc=testdomain,dc=com" method=128 
Oct 27 12:09:21 server1 slapd[25420]: conn=1 op=0 RESULT tag=97 err=49 text= 
Oct 27 12:09:21 server1 slapd[25420]: conn=1 op=1 UNBIND 
Oct 27 12:09:21 server1 slapd[25420]: conn=1 fd=13 closed 
Oct 27 12:09:22 server1 slapd[25420]: conn=2 op=0 BIND
dn="cn=root,dc=mtm,dc=testdomain,dc=com" method=128 
Oct 27 12:09:22 server1 slapd[25420]: conn=2 op=0 RESULT tag=97 err=49 text= 
Oct 27 12:09:22 server1 slapd[25420]: conn=2 op=1 UNBIND 
Oct 27 12:09:22 server1 slapd[25420]: conn=2 fd=13 closed 
Oct 27 12:09:22 server1 slapd[25420]: conn=2 fd=13 ACCEPT from
IP=127.0.0.1:57576 (IP=0.0.0.0:389)
=========================================================================

Later I found that when Samba connects, the log file does not contain the
following line:

BIND dn="cn=root,dc=mtm,dc=testdomain,dc=com" mech=SIMPLE ssf=0

So LDAP returns error 49 (invalid credentials).

Please help.

-- 

