[Samba] 3.0alpha23 not authenticating with LDAP (RedHat 9) - Help needed!

Gordon Pritchard gordonp at sfu.ca
Tue May 13 21:10:54 GMT 2003


	I am trying to migrate to a new server, with a shiny-new installation
of RedHat 9.  I have downloaded the 3.0alpha23 rpm intended for RedHat

	I am also using the stock RedHat 9 version of OpenLDAP.  By itself,
LDAP is working fine:  this is how I log onto my Linux boxes.  I am
including one sample user (me) below, which I extracted using
"ldapsearch -x".

	Great - this is 1/2 of what I am trying to reproduce (from my prior


	Now for the Samba bit:

	I take it for a test-drive, firstly by using 'testparm'.  Everything
looks great; initially I got a warning that may be relevant:

Unknown parameter encountered: "ldap port"
Ignoring unknown parameter "ldap port"
Unknown parameter encountered: "ldap server"
Ignoring unknown parameter "ldap server"

	I have commented out these smb.conf entries; essentially crossing my
fingers that Samba knows I am using Port 389 and the server is

	Now, testparm is clean.

	Moving onto 'smbclient'... I have my super-duper-domain-joining-
pseudo-user entered into smbpasswd (chosen to be 'root').  If I run
smbclient as 'root' (either supplied on the command-line with '-U root',
or invoking smbclient while I am the system root user), then it behaves
as it should - I get a listing of available shares.  A typical

[2003/05/13 13:57:51, 2] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password:  authentication for user [root] -> [root] ->
[root] suceeded

	So far, so good.
	Now, same thing, but as any old user but supplying no password.  This
also allows me to see the available shares, as an anonymous user, but
logs this:

[2003/05/13 13:59:41, 2] auth/auth.c:check_ntlm_password(275)
  check_ntlm_password:  Authentication for user [gordonp] -> [gordonp]

	Hmmm... there is no smbpasswd user 'gordonp', nor an /etc/passwd user
'gordonp', but there certainly *is* an LDAP user 'gordonp'.  Further, if
I now supply a password for 'gordonp', smbclient responds thusly:

Doing spnego session setup (blob length=58)
session setup failed: NT_STATUS_LOGON_FAILURE

	and the following is logged:

[2003/05/13 14:01:29, 2] auth/auth.c:check_ntlm_password(275)
  check_ntlm_password:  Authentication for user [gordonp] -> [gordonp]

	For the purposes of this note, log level was set to '2'.

QUESTION:  Can anyone direct me how to get my Samba to use LDAP for

Reference Information

===== Relevant smb.conf

   hosts allow = 192.168.0. 127.
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
# SAMBA - LDAP declarations
   ldap suffix = dc=WHITEROCK
   ldap admin dn = cn=Manager,dc=WHITEROCK
#####   ldap port = 389
#####   ldap server =
   ldap ssl = no

===== Example (partial) LDAP extraction, which works for Linux login:

# Domain Admins, Groups, WHITEROCK
dn: cn=Domain Admins,ou=Groups,dc=WHITEROCK
objectClass: posixGroup
gidNumber: 200
cn: Domain Admins
description: Windows Domain Users
memberUid: administrator
memberUid: gordonp
memberUid: margaret
memberUid: chris
memberUid: root

# gordonp, Users, WHITEROCK
dn: uid=gordonp,ou=Users,dc=WHITEROCK
cn: gordonp
sn: gordonp
uid: gordonp
uidNumber: 1001
gidNumber: 200
homeDirectory: /home/gordonp
loginShell: /bin/bash
gecos: System User
description: System User
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaAccount
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: System User
acctFlags: [UX]
rid: 3002
primaryGroupID: 1401
homeDrive: H:
smbHome: \\PDC-SRV\homes
profilePath: \\PDC-SRV\profiles\gordonp
scriptPath: gordonp.cmd
lmPassword: 6224B0199F8273C3AAD3B435B51404EE
ntPassword: 8747D6F1DF9E9C1034D3754CC0350D6B
userPassword:: e1NTSEF9cmxIUkRJWVJCdWVQaW15QmNTSGwxbVh4bUE1UENqSXU=

	Thanks for any/all tips or pointers!

Gordon Pritchard, P.Eng.         | Institute of Electrical and
Research Labs Manager            |      Electronics Engineers
Simon Fraser University, Surrey  | Quarter Century Wireless Ass'n
gordonp at sfu.ca                   | Telephone Pioneers of America
phone:  604.268.7509             | Amateur Radio:  VA7SFU, VA7GP

More information about the samba mailing list