[Samba] using LDAP and PDC together

Terry Katz katz at advanced.org
Fri Sep 6 04:33:01 GMT 2002


Hello,

I'm having a similar problem .. here's my scenario ..

Set up two samba PDCs on completely different sites... started with 
Debian's 3.0pre from 0723, and using LDAP as the backend (currently 
using ldapsam_nua).. I've been seeing some issues with this version and 
one of the sites' Citrix server (first thing I noticed was that if I 
used that 2*uid+1000 algorithm to generate RIDs, Citrix didn't like it 
.. I had to use RIDs > 10000 in order for it not to crash on logon ..

So, I updated to the "latest" that debian has .. CVS from 0827 + 
various debian-ized patches .. all of a sudden now I get 
NT_TRUSTED_RELATIONSHIP_FAILURE (from smbclient .. ) whenever I try to 
log in via a workstation (smbclient'ing directly to the server works 
fine).. However, I CAN add machines to the domain!  spnego is "no" .. 
reg patch applied to XPs etc... It worked with the one from 0723!  
This happens on two separate PDCs I've set up ...

So I dug deeper and looked at the logs, this is what I found:

[2002/09/06 00:19:23, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(422)
   ldapsam_search_one_user: searching for:[(&(uid=)(objectclass=sambaAccount))]
[2002/09/06 00:19:23, 2] auth/auth.c:check_ntlm_password(273)
   check_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER


hmmm .. interesting ... ??

with the log level set higher (10) I see this:

[2002/09/06 00:27:52, 5] auth/auth.c:make_auth_context_text_list(364)
   auth method sam has a valid init
[2002/09/06 00:27:52, 5] auth/auth_util.c:make_user_info(95)
   attempting to make a user_info for  ()
[2002/09/06 00:27:52, 5] auth/auth_util.c:make_user_info(105)
   making strings for 's user_info struct
[2002/09/06 00:27:52, 5] auth/auth_util.c:make_user_info(147)
   making blobs for 's user_info struct
[2002/09/06 00:27:52, 10] auth/auth_util.c:make_user_info(156)
   made an encrypted user_info for  ()
[2002/09/06 00:27:52, 3] auth/auth.c:check_ntlm_password(191)
   check_password:  Checking password for unmapped user []\[]@[] with 
the new password interface
[2002/09/06 00:27:52, 3] auth/auth.c:check_ntlm_password(194)
   check_password:  mapped user is: []\[]@[]
[2002/09/06 00:27:52, 10] auth/auth.c:check_ntlm_password(198)
   challenge is:

It seems to not be reading the user information from the workstation 
properly??

I haven't touched anything in my configs from the version from 0723, 
and it worked fine at that time..

I also grabbed a new cvs revision and tried it out (to be honest, I 
grabbed the cvs source, and to save time, I just dropped the debian 
build directory into it and just ran the debian package building stuff 
to configure/make/package it), same problems ..

any ideas?  I'll post my smb.conf if necessary...

-Terry

On Thursday, September 5, 2002, at 01:58  PM, Bradley W. Langhorst 
wrote:

> On Thu, 2002-09-05 at 10:46, Louis-David Mitterrand wrote:
>>
>> Hello,
>>
>> I am in the process of migrating to
>>
>> passdb backend = ldapsam
>>
>> on debian unstable with the latest 3.0pre samba package.
>>
>> All users have a ldap sambaAccount object which was added by hand 
>> after
>> using migrationtools from padl.com. Testing auth with smbclient works
>> fine, however when using samba as a PDC from WinXP I can't log into 
>> the
>> domain as I used to when "passdb backend = smbpasswd". However adding
>> the machine to the domain seems to work.
> when? during the install or after?
> you may need to set use spnego = no in your smb.conf (if you use pre18
> or earlier)
> I assume you applied the signorseal reg patch to the clients since you
> mention that using a different backend works for you.
>
>> I haven't dug very deep into the problem, at this point I am just
>> wondering if there is any known issue with using LDAP and PDC
>> functionalities together?
> I'm using this with no problems
>>
>> Also in the sambaAccount ldap object I noticed a mandatory "rid" 
>> field.
>> What does relative id mean? I populated the rid's with unix id's, is 
>> it
>> a good or bad idea?
> a bad idea - I think they're supposed to be unique from unix uid
> try making them unique (the old formula is 1000+uid*2)
>
>
> here is an entry from my ldap db:
>
> dn: uid=lauelab,ou=People,dc=bitc,dc=unh,dc=edu
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: sambaAccount
> userPassword:: passwd here
> shadowLastChange: 11715
> shadowMax: 99999
> loginShell: /bin/bash
> gidNumber: 100
> homeDirectory: /home/lauelab
> gecos: generic lab user
> uidNumber: 4491
> uid: lauelab
> pwdLastSet: 1027535857
> logonTime: 0
> logoffTime: 2147483647
> kickoffTime: 2147483647
> pwdCanChange: 0
> pwdMustChange: 2147483647
> displayName: generic lab user
> cn: generic lab user
> rid: 9982
> primaryGroupID: 1201
> lmPassword: lm hash here
> ntPassword: nt hash here
> acctFlags: [U          ]
>
>
>
> it was a bit of a hassle getting this set up but I'm pretty happy with
> the reliability and ease of adding new applications that authenticate
> against the common password db. (i.e. phpgroupware)
>
>
> good luck!
>
> brad
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>
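The thread turns on how the `rid` and `primaryGroupID` attributes of a sambaAccount entry are derived: Brad's quoted entry (uidNumber 4491, gidNumber 100) carries rid 9982 and primaryGroupID 1201, which is exactly the classic Samba algorithmic mapping rid = 2*uid + 1000 for users and 2*gid + 1001 for groups, and Terry reports a client that only worked with RIDs above 10000. The script below is an added example, not code from the thread or from Samba: it computes those RIDs, checks a set of entries for the mistakes discussed (rid copied from uidNumber, collision with a well-known RID, duplicates, values below a client-imposed floor), and emits an LDIF fragment in the shape of the quoted entry. The sample entries other than lauelab's, the base DN, and the `floor` parameter are constructed for illustration; the group formula is Samba's companion to the user formula and is assumed here from the quoted entry's numbers.

```python
"""Added example (not Samba's own code): legacy algorithmic RID mapping for
sambaAccount objects, a sanity check over a set of entries, and an LDIF
fragment in the shape of the entry quoted in the thread."""

# Samba's classic mapping: the "1000+uid*2" from the thread. Users take the even
# slot above BASE_RID, groups the odd one, so user and group RIDs never collide.
RID_MULTIPLIER = 2
BASE_RID = 1000

# Well-known RIDs every NT-style domain reserves; a local account must not reuse them.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}


def user_rid(uid_number):
    """rid for a posixAccount: 2*uid + 1000 (lauelab: 4491 -> 9982)."""
    return uid_number * RID_MULTIPLIER + BASE_RID


def group_rid(gid_number):
    """primaryGroupID for a posixGroup: 2*gid + 1001 (gid 100 -> 1201). Assumed
    companion formula, consistent with the quoted entry."""
    return gid_number * RID_MULTIPLIER + BASE_RID + 1


def check_rids(entries, floor=BASE_RID):
    """Return (uid, problem) pairs for entries whose rid would break domain logons.

    entries: dicts with keys uid, uidNumber, rid.
    floor:   smallest acceptable rid; raise it (e.g. 10000) for clients that
             reject small RIDs, as reported in the thread.
    """
    problems = []
    owner = {}  # rid -> first uid seen with it, for duplicate detection
    for e in entries:
        rid, uid = e["rid"], e["uid"]
        if rid in WELL_KNOWN_RIDS:
            problems.append((uid, "rid %d is reserved for %s" % (rid, WELL_KNOWN_RIDS[rid])))
        if rid == e["uidNumber"]:
            problems.append((uid, "rid copied from uidNumber"))
        if rid < floor:
            problems.append((uid, "rid %d below floor %d" % (rid, floor)))
        if rid in owner:
            problems.append((uid, "rid %d already used by %s" % (rid, owner[rid])))
        else:
            owner[rid] = uid
    return problems


def samba_account_ldif(uid, uid_number, gid_number, cn, base_dn,
                       home="/home", shell="/bin/bash"):
    """LDIF for a posixAccount + sambaAccount entry with algorithmic rid and
    primaryGroupID. lmPassword/ntPassword are deliberately absent: those hashes
    are password-equivalent and belong to Samba's own tools, not to hand-written
    LDIF; the directory ACL should hide them from everyone but Samba's bind DN."""
    lines = [
        "dn: uid=%s,ou=People,%s" % (uid, base_dn),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: sambaAccount",
        "uid: %s" % uid,
        "cn: %s" % cn,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: %s/%s" % (home, uid),
        "loginShell: %s" % shell,
        "rid: %d" % user_rid(uid_number),
        "primaryGroupID: %d" % group_rid(gid_number),
        "acctFlags: [U          ]",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample: lauelab's numbers come from the thread, the rest are made up
# to trigger each check once.
SAMPLE_ENTRIES = [
    {"uid": "lauelab", "uidNumber": 4491, "rid": 9982},  # correct algorithmic rid
    {"uid": "alice",   "uidNumber": 1001, "rid": 1001},  # rid == uidNumber (the "bad idea")
    {"uid": "bob",     "uidNumber": 1002, "rid": 501},   # collides with Guest
    {"uid": "carol",   "uidNumber": 1003, "rid": 9982},  # duplicate of lauelab's rid
]

if __name__ == "__main__":
    for uid, msg in check_rids(SAMPLE_ENTRIES):
        print("%s: %s" % (uid, msg))
    print(samba_account_ldif("lauelab", 4491, 100, "generic lab user", "dc=example,dc=org"))
```

Run with the default floor it reports alice, bob (twice: reserved and below 1000) and carol; with `floor=10000` it also flags lauelab's 9982, which is the situation Terry describes with the Citrix server.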