[Samba] LDAP passwords not working after upgrading to Samba 3
Chris Snider
Chris.Snider at Tagtmi.com
Mon Apr 19 15:47:46 GMT 2004
Hi All,
I apologize in advance for the length of this post but I wanted to be as
thorough as possible and get this problem fixed. I'm trying to upgrade our
existing Samba 2.2.7 server with an OpenLDAP 2.0.27 backend to Samba 3 using
the same LDAP database. After I did the upgrade (in a test environment),
user passwords no longer work. I've read articles upon articles explaining
how to do this but I still can't get it to work. All of the articles I've
read said things like "remove ldap filters", "upgrade smbldaptools" (still
trying to figure out why this would help), and several other suggestions
which I've done, and they plain just don't work. I think it's probably something
very simple but I can't find it. Any help would be appreciated.
HISTORY:
Currently I have a Redhat 9.0 box running Samba 2.2.7 with openldap 2.0.27
as a PDC.
Domain logins work great with this setup. I can add, remove, modify
computers and users all day long without a glitch.
I do not store usernames in the local smbpasswd or passwd files.
User information is stored in ou=Users,dc=mydomain,dc=com
Group information is stored in ou=Groups,dc=mydomain,dc=com
Computer information is stored in ou=Computers,dc=mydomain,dc=com
My problem appeared when I attempted to create the same setup using Samba
3.0.2a. Here is what I did.
1. I created a working PDC using Samba 2.2.7 and openldap 2.0.27 on
RH9. I was able to login as user bsmith from a W2k machine called
bob-smith.
2. I then compiled Samba 3.0.2a from source making sure I added the
"--with-ldapsam" flag
3. Configure --with-acl-support --with-ldapsam --prefix=/usr
--localstatedir=/var --with-configdir=/etc/samba
--with-privatedir=/etc/samba/private --with-lockdir=/var/lock
--with-piddir=/var/run --with-logfilebase=/var/log --with-smbmount
--with-utmp --with-syslog
4. Make
5. Make install
No errors were generated during the compile.
6. Made the changes to my smb.conf file to allow for the ldapsam_compat
mode (see smb.conf at the end of this message).
7. Edited the samba.schema file to use the Version 2 schema and copied
it to /etc/openldap/schema/
8. Installed the new version of smbldap tools which came bundled with
Samba 3.0.2a
9. Ran the smbpasswd -w password to store my Manager password in the
secrets.tdb file
10. Started smbd -D and nmbd -D
Everything to this point seems to work fine.
When I attempt to login as user bsmith from a computer (bob-smith) I get a
"bad username or password" message. I checked the
/var/logs/samba/bob-smith.log and this is what I see.
[2004/04/16 12:27:01, 2] smbd/sesssetup.c:setup_new_vc_session(591)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/04/16 12:27:01, 2] smbd/sesssetup.c:setup_new_vc_session(591)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/04/16 12:27:01, 2] lib/smbldap.c:smbldap_open_connection(626)
smbldap_open_connection: connection opened
[2004/04/16 12:27:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: nobody
[2004/04/16 12:27:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1668)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No
such object)
[2004/04/16 12:27:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1668)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No
such object)
[2004/04/16 12:27:10, 2] rpc_parse/parse_prs.c:netsec_decode(1575)
netsec_decode: FAILED: packet sequence number:
[2004/04/16 12:27:10, 2] lib/util.c:dump_data(1830)
[000] 87 F0 07 93 7D 17 F1 80 ....}...
[2004/04/16 12:27:10, 2] rpc_parse/parse_prs.c:netsec_decode(1577)
should be:
[2004/04/16 12:27:10, 2] lib/util.c:dump_data(1830)
[000] 00 00 00 00 80 00 00 00 ........
[2004/04/16 12:27:10, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
failed to decode PDU
[2004/04/16 12:27:10, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
process_request_pdu: failed to do schannel processing.
[2004/04/16 12:27:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: bob-smith$
[2004/04/16 12:27:17, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: nobody
[2004/04/16 12:27:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: bsmith
[2004/04/16 12:27:18, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [bsmith] -> [bsmith] FAILED
with error NT_STATUS_WRONG_PASSWORD
[2004/04/16 12:29:43, 2] smbd/server.c:exit_server(558)
Closing connections
I know this password is valid since it was working fine with Samba
2.2.7/LDAP.
It's like Samba3 doesn't understand the password encryption or something.
I've tried changing bsmith's password using smbldap-passwd.pl bsmith and,
again, there are no error messages and it appears to have changed his
password. When I attempt to login again I get the same error. The only way
I can get Samba to accept the password is if I set it using smbpasswd
bsmith. Then it will accept my password but another error message pops up
saying "The name or security ID (SID) of the domain specified is inconsistent
with the trust information for that domain". I have no idea what that means
but it doesn't sound good. I'm sure I'll be making another post to fix
that. I would appreciate any help you can provide.
Here is my smb.conf file:
# Global parameters
[global]
workgroup = MYDOMAIN
netbios name = TESTPDC
server string = My Test Ldap Aware Samba Server
passdb backend = ldapsam_compat:ldap://127.0.0.1
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
username level = 8
unix password sync = Yes
log level = 2
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
add user script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 1000 -s /bin/false
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
ldap server = 127.0.0.1
ldap port = 389
ldap suffix = dc=mydomain,dc=com
ldap machine suffix = ou=Computers,dc= mydomain,dc=com
ldap user suffix = ou=Users,dc= mydomain,dc=com
ldap group suffix = ou=Groups,dc= mydomain,dc=com
ldap admin dn = cn=Manager,dc= mydomain,dc=com
ldap ssl = no
utmp = Yes
remote announce = 192.168.0.0
[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0640
browseable = No
[netlogon]
comment = Network Logon Service
path = /samba/netlogon
guest ok = Yes
Thanks,
Chris Snider
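An added example (not part of the original post or of Samba's own tooling) that checks whether an LDAP user entry carries the schema generation the configured passdb backend reads: ldapsam_compat expects the Samba 2.2 objectClass sambaAccount with lmPassword/ntPassword, ldapsam expects sambaSamAccount with sambaLMPassword/sambaNTPassword, and a mismatch produces NT_STATUS_WRONG_PASSWORD even though the hash was "successfully" set. The LDIF entries and the hash values are constructed; run it against an `ldapsearch -LLL` dump of ou=Users to see which side each account is on.

```python
import re
# Samba 2.2 schema: objectClass sambaAccount, hashes in lmPassword/ntPassword.
# Samba 3 schema: sambaSamAccount with sambaLMPassword/sambaNTPassword.
# The ldapsam_compat backend reads the first, ldapsam the second.
SCHEMAS = {"ldapsam_compat": ("sambaaccount", "lmpassword", "ntpassword"),
           "ldapsam": ("sambasamaccount", "sambalmpassword", "sambantpassword")}
HASH_RE = re.compile(r"^[0-9A-F]{32}$")  # LM/NT hashes: 32 upper-case hex digits

def parse_ldif(text):
    # Minimal LDIF reader (no base64, no folded lines); names lower-cased as LDAP matches them
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_entry(entry, backend):
    # Reasons smbd with this passdb backend could reject the entry's password; [] means it fits
    want_class, lm_attr, nt_attr = SCHEMAS[backend]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    findings = []
    if want_class not in classes:
        findings.append("no objectClass %s: %s skips this entry" % (want_class, backend))
    if nt_attr not in entry:
        findings.append("%s missing: %s has no NT hash to compare" % (nt_attr, backend))
    for attr in (lm_attr, nt_attr):
        if attr in entry and not all(HASH_RE.match(v) for v in entry[attr]):
            findings.append("%s is not a 32-digit upper-case hex hash" % attr)
    # Hash attributes of the other schema generation: written by the other tool set, never read
    foreign = sorted(set(entry) & {a for s in SCHEMAS.values() for a in s[1:]} - {lm_attr, nt_attr})
    if foreign:
        findings.append("%s belong to the other schema; %s ignores them" % (foreign, backend))
    return findings

# Constructed sample: one Samba 2.2-style entry and one Samba 3-style entry.
SAMPLE_LDIF = """\
dn: uid=bsmith,ou=Users,dc=mydomain,dc=com
objectClass: sambaAccount
lmPassword: 0123456789ABCDEF0123456789ABCDEF
ntPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=jdoe,ou=Users,dc=mydomain,dc=com
objectClass: sambaSamAccount
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""
```

An entry that reports only "belong to the other schema" is the signature of password tools and smbd disagreeing about which attributes hold the hash.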