[Samba] using LDAP and PDC together

abartlet at dp.samba.org abartlet at dp.samba.org
Fri Sep 6 04:57:00 GMT 2002

On Fri, Sep 06, 2002 at 12:32:48AM -0400, Terry Katz wrote:
> Hello,
> I'm having a similar problem .. here's my scenario ..
> Set up two samba PDC's on completely, different sites... started with 
> Debian's 3.0pre from 0723, and using LDAP as the backend (currently 
> using ldapsam_nua).. I've been seeing some issues with this version and 
> one of the sites Citrix server (first thing I noticed was that if I 
> used that 2*uid+1000 algorithm to generate rid's, Citrix didn't like it 
> .. I had to use rid's > 10000 in order for it not to crash on logon ..
> So, I updated to the "latest" that debian has .. CVS from 0827 + 
> various debian-ized patches .. all of a sudden now I get 
> NT_TRUSTED_RELATIONSHIP_FAILURE (from smbclient .. ) whenever I try to 
> log in via a workstation (smbclient'n directly to the server works 
> fine).. However, I CAN add machines to the domain!  spnego is "no" .. 
> reg patch applied to xp's etc... It worked with the one from 0723!  
> This happens on two separate PDC's I've set up ...
> So i dug deeper and looked at the logs, this is what I found:
> [2002/09/06 00:19:23, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(422)
>    ldapsam_search_one_user: searching 
> for:[(&(uid=)(objectclass=sambaAccount))]
> [2002/09/06 00:19:23, 2] auth/auth.c:check_ntlm_password(273)
>    check_password:  Authentication for user [] -> [] FAILED with error 

You must put the guest user (RID 501 I think) into ldap, or run 'unixsam' to 
get it via smb.conf's 'guest account' and the system getpw* calls.

Without a guest account, the system cannot operate correctly.  Furthermore, 
the guest account is used by the Workstation in the user authenticaion 

Andrew Bartlett

More information about the samba mailing list