[Samba] Samba3.0.1pre3 LDAP Login problem

Charles Hamel hamelc at videotron.ca
Sat Dec 6 05:47:50 GMT 2003


I read all the HOWTOs I could find on the net about the LDAP PDC and 
still, I can't get it to work.
Here is some info about the server:
Samba version 3.0.1pre3 running on Red Hat 8.0 with an OpenLDAP server 
version 2.0.27.

I want to create a new domain named DOMAINB from the users I imported from 
DOMAINA (NT4 PDC) using net rpc vampire.
It went well and every user is in the DB, including the machine 
accounts and the groups (group mappings too). I don't know if this 
is right, but I changed every SID from the original accounts to the new 
server SID (got it from net getlocalsid); please tell me if this is 

The problem occurs when I try to join the domain using a Windows 2000 
SP2 client (signorseal=0). I constantly get the message "User / 
Password is wrong" from the client.
The root/nobody accounts are also created.

Here are the debug messages I get, starting with the LDAP logs:

daemon: conn=0 fd=9 connection from IP= (IP= 
conn=0 op=0 BIND dn="CN=ROOT,O=GARAGE,DC=QC,DC=CA" method=128
ber_flush: 14 bytes to sd 9
deferring operation
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="o=garage,dc=qc,dc=ca" scope=2 
ber_flush: 271 bytes to sd 9
ber_flush: 14 bytes to sd 9
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
conn=0 op=2 SRCH base="o=garage,dc=qc,dc=ca" scope=2 
ber_flush: 672 bytes to sd 9
ber_flush: 14 bytes to sd 9
daemon: conn=1 fd=16 connection from IP= (IP= 
conn=0 op=2 SEARCH RESULT tag=101 err=0 text=
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 16
deferring operation
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="o=garage,dc=qc,dc=ca" scope=2 
ber_flush: 14 bytes to sd 16
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=9 closed
conn=-1 fd=16 closed

Now the Samba log:

[2003/12/06 00:37:23, 4] auth/auth_sam.c:sam_password_ok(224)
   sam_password_ok: Checking NT MD4 password
[2003/12/06 00:37:23, 4] auth/auth_sam.c:sam_account_ok(325)
   sam_account_ok: Checking SMB password for user ADMINAM
[2003/12/06 00:37:23, 1] auth/auth_util.c:make_server_info_sam(821)
   User ADMINAM in passdb, but getpwnam() fails!
[2003/12/06 00:37:23, 5] auth/auth_util.c:free_server_info(1251)
   attempting to free (and zero) a server_info structure
[2003/12/06 00:37:23, 0] auth/auth_sam.c:check_sam_security(464)
   check_sam_security: make_server_info_sam() failed with 
[2003/12/06 00:37:23, 5] auth/auth.c:check_ntlm_password(268)
   check_ntlm_password: sam authentication for user [ADMINAM] FAILED 
[2003/12/06 00:37:23, 3] auth/auth_winbind.c:check_winbind_security(79)
   check_winbind_security: Not using winbind, requested domain was for this SAM.
[2003/12/06 00:37:23, 10] auth/auth.c:check_ntlm_password(256)
   check_ntlm_password: winbind had nothing to say
[2003/12/06 00:37:23, 2] auth/auth.c:check_ntlm_password(309)
   check_ntlm_password:  Authentication for user [ADMINAM] -> [ADMINAM] 
[2003/12/06 00:37:23, 5] auth/auth_util.c:free_user_info(1226)
   attempting to free (and zero) a user_info structure
[2003/12/06 00:37:23, 10] auth/auth_util.c:free_user_info(1229)
   structure was created for ADMINAM

Here is the ADMINAM entry in the backend:

dn: uid=ADMINAM,ou=Users,o=garage,dc=qc,dc=ca
displayName: Admin
sambaLogonTime: 1070401736
sambaLogoffTime: 1025783704
sambaPwdLastSet: 1056543798
sambaAcctFlags: [UX         ]
objectClass: sambaSamAccount
objectClass: account
sambaDomainName: GARAGE
sambaSID: S-1-5-21-3655003630-1527190663-3647291254-1009
sambaPrimaryGroupSID: S-1-5-21-3655003630-1527190663-3647191254-513

Here is my Samba config file:

# Global parameters
[global]
        add machine script = /usr/local/samba/share/smbldap-useradd.pl -w %u
        ; as posted this line read '-w %ms"' (unbalanced quote, and smbd has no
        ; %ms substitution); %u is the documented substitution for the account name
        add user script = /usr/local/samba/share/smbldap-useradd.pl -a %u
        delete user script = /usr/local/samba/share/smbldap-userdel.pl %u
        add group script = /usr/local/samba/share/smbldap-groupadd.pl %g
        delete group script = /usr/local/samba/share/smbldap-groupdel.pl %g
        add user to group script = /usr/local/samba/share/smbldap-groupmod.pl -m %u %g
        delete user from group script = /usr/local/samba/share/smbldap-groupmod.pl -x %u %g
        set primary group script = /usr/local/samba/share/smbldap-usermod.pl -G %g %u

        null passwords = yes
        ; lets accounts with an empty password authenticate; not required for a
        ; domain join, so revisit once the join works
        unix charset = UTF-8
        passdb backend = ldapsam:ldap://localhost/
        ldap suffix = o=garage,dc=qc,dc=ca
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=root,o=garage,dc=qc,dc=ca
        ; the bind password for this DN lives in secrets.tdb, set with: smbpasswd -w <password>
        workgroup = GARAGE
        netbios name = PDC
        comment = Server
        security = user
        encrypt passwords = yes
        logon script = scripts\%U.bat
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        share modes = No
        wins support = yes

; the share section header for the following parameters is not in the post
        read only = No
        create mask = 0700
        directory mask = 0700
        locking = No
        oplocks = No

[netlogon]
        ; header reconstructed: domain logons need a share with this name
        path = /usr/local/samba/netlogon
        locking = no
        read only = yes
        write list = ntadmin

; the share section header for the following parameters is not in the post
        path = /home/domainusers/profiles
        read only = no
        writeable = yes
        create mask = 0600
        directory mask = 0700

In nsswitch.conf, passwd/group/shadow are set to: files ldap

I think this is all; thank you for your help, and thanks to the Samba 
team for writing such useful software!

Charles Hamel
hamelc at videotron.ca
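The smbd log above stops at "User ADMINAM in passdb, but getpwnam() fails!": Samba found the account in the LDAP backend but could not resolve it to a Unix account through NSS. With passwd set to "files ldap", nss_ldap answers getpwnam() only for entries that carry objectClass posixAccount and its RFC 2307 attributes (uid, uidNumber, gidNumber, homeDirectory), and the ADMINAM entry as posted shows only sambaSamAccount and account. The script below is an added example, not code from the post, from the Samba project or from smbldap-tools: it parses the posted entry (embedded as the constant SAMPLE_LDIF), lists what nss_ldap would be missing, checks that sambaSID and sambaPrimaryGroupSID sit under the same domain SID (as posted they differ in the last domain sub-authority, 3647291254 versus 3647191254, which is worth checking in the directory after a manual SID rewrite), and emits the LDIF modify that would add the POSIX attributes. All function names are mine; the uid/gid numbers and home directory in the usage call are hypothetical placeholders. The posted entry may also be trimmed (no password attributes are shown), so the check should be run on a full ldapsearch export rather than on this excerpt alone.

```python
"""Checks for sambaSamAccount entries behind Samba's ldapsam backend.
Added example, not code from the post, Samba or smbldap-tools. SAMPLE_LDIF
is the ADMINAM entry as posted; POSIX_REQUIRED is the RFC 2307 posixAccount
MUST set that nss_ldap needs before getpwnam() can answer. The uid/gid
numbers and home directory given to posix_add_ldif() are hypothetical."""
import re

POSIX_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")   # (domain SID, RID)
SAMPLE_LDIF = """\
dn: uid=ADMINAM,ou=Users,o=garage,dc=qc,dc=ca
displayName: Admin
sambaLogonTime: 1070401736
sambaLogoffTime: 1025783704
sambaPwdLastSet: 1056543798
sambaAcctFlags: [UX         ]
objectClass: sambaSamAccount
objectClass: account
sambaDomainName: GARAGE
sambaSID: S-1-5-21-3655003630-1527190663-3647291254-1009
sambaPrimaryGroupSID: S-1-5-21-3655003630-1527190663-3647191254-513
"""

def parse_ldif(text):
    """Plain LDIF -> list of entries, each {lower-cased attr: [values]}.
    Folded lines are joined; base64 ('::') values are rejected, not mis-read."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():                  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":") or current is None and attr.strip().lower() != "dn":
            raise ValueError(f"unsupported LDIF line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
        else:
            current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def split_sid(sid):
    """Return (domain SID, RID) for an S-1-5-21-x-y-z-rid string."""
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def check_entry(entry, domain_sid):
    """List what would make smbd's getpwnam() step fail or leave the account
    outside domain_sid; an empty list means the entry passes."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    problems += [f"missing {a}" for a in POSIX_REQUIRED if a.lower() not in entry]
    for attr in ("sambasid", "sambaprimarygroupsid"):
        try:
            domain, _ = split_sid(entry.get(attr, [""])[0])
        except ValueError as exc:
            problems.append(f"{attr}: {exc}")
            continue
        if domain != domain_sid:
            problems.append(f"{attr} {entry[attr][0]} is not under {domain_sid}")
    return problems

def posix_add_ldif(entry, uid_number, gid_number, home_dir, shell="/bin/false"):
    """'changetype: modify' LDIF adding the posixAccount attributes the entry
    lacks; uid is taken from the RDN and cn from displayName when absent."""
    dn = entry["dn"][0]
    uid = entry.get("uid", [dn.split(",", 1)[0].split("=", 1)[1]])[0]
    cn = entry.get("cn", entry.get("displayname", [uid]))[0]
    wanted = {"cn": cn, "uid": uid, "uidNumber": str(uid_number),
              "gidNumber": str(gid_number), "homeDirectory": home_dir,
              "loginShell": shell}
    lines = [f"dn: {dn}", "changetype: modify"]
    if "posixaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        lines += ["add: objectClass", "objectClass: posixAccount", "-"]
    for attr, value in wanted.items():
        if attr.lower() not in entry:
            lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)[0]
    print(check_entry(e, split_sid(e["sambasid"][0])[0]))
    print(posix_add_ldif(e, 1009, 513, "/home/domainusers/ADMINAM"))  # hypothetical ids
```

On the server itself, "getent passwd ADMINAM" is the one-line version of the first check: if it prints nothing, smbd's getpwnam() fails the same way no matter what the Samba attributes say. The script reads LDIF, so feeding it the output of an ldapsearch over ou=Users covers every account in one pass; whatever identity nss_ldap binds with (an anonymous bind, like conn=1 in the slapd log, if no binddn is configured) must also be allowed by slapd's ACLs to read the POSIX attributes, or the lookup still returns nothing.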
