[Samba] Problems with NT passwords using Samba3 and LDAP
Chris Snider
Chris.Snider at Tagtmi.com
Tue Apr 20 14:47:05 GMT 2004
Jose,
I finally figured out my problem yesterday and it ended up being the value
set in the pwdLastSet field in the LDAP database. If this entry was set to
0 then that user would be unable to login.
If you are able to get your users to login by rejoining their workstation to
the domain then that may not be the issue. Try running smbclient -L
localhost -U brokenuser on the server and see if it authenticates them. If
it doesn't then check the pwdLastSet field and make sure it's not set to 0.
I found this to only be an issue with Samba 3. Another thing to try is open
up two ldap records, one that works and one that doesn't, and simply look at
what's different between the two. That's how I was able to find my problem.
Hope this helps.
Thanks,
Chris
-----Original Message-----
From: Jose Martinez [mailto:jvm_vi at bellsouth.net]
Sent: Tuesday, April 20, 2004 9:17 AM
To: Chris.Snider at Tagtmi.com
Subject: Re: [Samba] Problems with NT passwords using Samba3 and LDAP
Chris
Have you been able to find a fix to your problem. I have a similar situation
in where I can have one user be able to login fine from multiple
workstations but cant from say one or 2 others. However, I know those couple
problematic workstations are ok because other users can login with no
problem to those "problematic" machines. My fix has been to remove the
workstation from the domain and readd it. This is a horrible fix because of
the amount of boxes we have. Also, I am realizing that even though it fixes
the problem temporarily, it does not fix it forever because another user
might experience the same problem. Very confusing. Please let me know if
you have found a fix.
Jose
jmartinez at bellsouth.net
"Chris Snider" <Chris.Snider at Tagtmi.com> wrote in message
news:<1LHP5-49U-25 at gated-at.bofh.it>...
I'm at my wits end here so hopefully someone can help me.
Currently I have a Redhat 9.0 box running Samba 2.2.7 with openldap 2.0.27
as a PDC
Domain logins work great with this setup. I can add, remove, modify
computers and users all day long without a glitch.
I do not store usernames in the local smbpasswd or passwd files.
User information is stored in ou=Users,dc=mydomain,dc=com
Group information is stored in ou=Groups,dc=mydomain,dc=com
Computer information is stored in ou=Computers,dc=mydomain,dc=com
My problem appeared when I attempted to create the same setup using Samba
3.0.2a. Here is what I did.
1. I created a working PDC using Samba 2.2.7 and openldap 2.0.27 on
RH9. I was able to login as user bsmith from a W2k machine called
bob-smith.
2. I then compiled Samba 3.0.2a from source making sure I added the
"--with-ldapsam" flag
3. Configure --with-acl-support --with-ldapsam --prefix=/usr
--localstatedir=/var --with-configdir=/etc/samba
--with-privatedir=/etc/samba/private --with-lockdir=/var/lock
--with-piddir=/var/run --with-logfilebase=/var/log --with-smbmount
--with-utmp --with-syslog
4. Make
5. Make install
No errors were generated during the compile.
6. Made the changes to my smb.conf file to allow for the ldapsam_compat
mode.(see smb.conf at the end of this message)
7. Edited the samba.schema file to use the Version 2 schema and copied
it to /etc/openldap/schema/
8. Installed the new version of smbldap tools which came bundled with
Samba 3.0.2a
9. Ran the smbpasswd -w password to store my Manager password in the
secrets.tdb file
10. Started smbd -D and nmbd -D
Everything to this point seems to work fine
When I attempt to login as user bsmith from a computer(bob-smith) I get a
"bad username or password" message. I checked the
/var/logs/samba/bob-smith.log and this is what I see.
[2004/04/16 12:27:01, 2] smbd/sesssetup.c:setup_new_vc_session(591)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/04/16 12:27:01, 2] smbd/sesssetup.c:setup_new_vc_session(591)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/04/16 12:27:01, 2] lib/smbldap.c:smbldap_open_connection(626)
smbldap_open_connection: connection opened
[2004/04/16 12:27:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: nobody
[2004/04/16 12:27:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1668)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No
such object)
[2004/04/16 12:27:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1668)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No
such object)
[2004/04/16 12:27:10, 2] rpc_parse/parse_prs.c:netsec_decode(1575)
netsec_decode: FAILED: packet sequence number:
[2004/04/16 12:27:10, 2] lib/util.c:dump_data(1830)
[000] 87 F0 07 93 7D 17 F1 80 ....}...
[2004/04/16 12:27:10, 2] rpc_parse/parse_prs.c:netsec_decode(1577)
should be:
[2004/04/16 12:27:10, 2] lib/util.c:dump_data(1830)
[000] 00 00 00 00 80 00 00 00 ........
[2004/04/16 12:27:10, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
failed to decode PDU
[2004/04/16 12:27:10, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
process_request_pdu: failed to do schannel processing.
[2004/04/16 12:27:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: bob-smith$
[2004/04/16 12:27:17, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: nobody
[2004/04/16 12:27:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: bsmith
[2004/04/16 12:27:18, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [bsmith] -> [bsmith] FAILED
with error NT_STATUS_WRONG_PASSWORD
[2004/04/16 12:29:43, 2] smbd/server.c:exit_server(558)
Closing connections
I know this password is valid since it was working fine with Samba
2.2.7/LDAP
It's like Samba3 doesn't understand the password encryption or something.
I've tried changing bsmiths password using smbldap-passwd.pl bsmith and,
again, there are no error messages and it appears to have changed his
password. When I attempt to login again I get the same error. The only way
I can get Samba to accept the password is if I set it using smbpasswd
bsmith. Then it will accept my password but another error message pops up
saying "The name or security ID(SID) of the domain specified is inconsistent
with the trust information for that domain" I have no idea what that means
but it doesn't sound good. I'm sure I'll be making another post to fix
that. I would appreciate any help you can provide.
Here is my SMB.CONF file
# Global parameters
[global]
workgroup = MYDOMAIN
netbios name = TESTPDC
server string = My Test Ldap Aware Samba Server
passdb backend = ldapsam_compat:ldap://127.0.0.1
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
username level = 8
unix password sync = Yes
log level = 2
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
add user script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null
-g 1000 -s /bin/false
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
wins support = Yes
ldap server = 127.0.0.1
ldap port = 389
ldap suffix = dc=mydomain,dc=com
ldap machine suffix = ou=Computers,dc= mydomain,dc=com
ldap user suffix = ou=Users,dc= mydomain,dc=com
ldap group suffix = ou=Groups,dc= mydomain,dc=com
ldap admin dn = cn=Manager,dc= mydomain,dc=com
ldap ssl = no
utmp = Yes
remote announce = 192.168.0.0
[homes]
comment = Home Directories
valid users = %U
read only = No
create mask = 0640
browseable = No
[netlogon]
comment = Network Logon Service
path = /samba/netlogon
guest ok = Yes
Thanks,
Chris Snider
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
----------
More information about the samba
mailing list