[Samba] SAMBA 3.0.8 Authentication/Configuration problems with LDAP (SunOne Directory Server 5.2)

khalid.m.alvi at census.gov khalid.m.alvi at census.gov
Wed Dec 8 19:40:48 GMT 2004


Q#1.  What SAMBA related object classes and attributes I must add to a
POSIX user in LDAP (SunOne DS 5.2) before it can be used by SAMBA for
authentication?

Q#2.  Why does the SAMBA log for the user show the error “FAILED with error
NT_STATUS_WRONG_PASSWORD” even before the user is prompted for username and
password on the SAMBA client?  Also in this log, I saw another error “NT
MD4 password check failed for <username>”.  I know that my LDAP uses CRYPT
as the password storage scheme.  Other options available are CLEAR, SHA,
and SSHA but we must use CRYPT because other apps require it.

When I do put the valid POSIX username and password in the SAMBA client’s
dialog box, I get an error “Incorrect password or unknown username.”

I am using Samba version 3.0.8 which I compiled with the --with-ldapsam and
--with-pam_smbpass options and also used OpenLDAP libraries.  It is running
on Solaris 9 as a stand-alone server.  My goal is to simply allow Win2K
users to map UNIX directories on their PCs.  In the past, we used the
smbpasswd file but on a new system, we want to use LDAP (SunOne DS 5.2).  I
already have a POSIX account in LDAP that works just fine for UNIX logins.
Based on the netscape-5.x schema from the examples/LDAP directory, I added
6 object classes (sambaSamAccount, sambaGroupMapping, sambaDomain,
sambaUnixIdPool, sambaIdmapEntry, and sambaSidEntry) and several attributes
including sambaLMPassword, sambaAcctFlags, sambaDomainName, sambaSID, and
sambaNTPassword to my LDAP server’s schema.

An account has been added to LDAP (under ou=people) for the Solaris host
where Samba is running.  Both SAMBA stand-alone server and LDAP server are
running on the same Solaris server.  The Samba users log on to their Win2K
PCs after being authenticated from their own network service.  My SAMBA
server is just a stand-alone server and not a PDC or BDC.

From my LDAP server logs, I can see that samba binds to the LDAP server
successfully.  It searched for the user but it used a filter that put
sambaSID=S-1-5-21-43403935-1067099457-3807174611-501 in it which resulted
in user not being found.  Next, I added the sambaSID attribute to the user
and assigned this value.  Now I don’t get the error but am still unable to
map a drive as this user.  Samba starts up fine and I am able to do
smbclient -L localhost -U% to list the shares etc.

Here are the contents of my smb.conf file:
[global]

        workgroup = MYGROUP
        netbios name = DEVWS2
        server string = Samba Server DEVWS2
        encrypt passwords = Yes
        update encrypted = Yes
        password level = 8
        obey pam restrictions = Yes
        pam password change = No
        restrict anonymous = Yes
        debug uid = Yes
        preferred master = No
        domain master = No
        security = user
        hosts allow = 148. 127.
        log file = /usr/local/samba/var/log.%m
        log level = 5
        max log size = 500
        passdb backend = ldapsam:ldap://localhost:389
        dns proxy = no
        ldap admin dn="cn=Directory Manager"
        ldap server = DEVws2.DEV.xxxxxx.com
        ldap ssl = off
        ldap port = 389
        ldap suffix = "ou=people,dc=DEV,dc=xxxxxx,dc=com"

[homes]
   comment = Users' Home Directories
   path = /export/home
   public = no
   writable = yes
   printable = no
   create mask = 0765
[tmp]
        comment = temp
        path = /tmp
        read only = No

Logs of the user from the /usr/local/samba/var directory:

smbldap_search: base => [ou=people,dc=xxxx,dc=xxxxxx,dc=com], filter =>
[(&(uid=userxxxx)(objectclass=sambaSamAccount))], scope => [2]
[2004/12/08 12:53:47, 2, effective(0, 0), real(0, 0)]
passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: userxxxx
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)]
lib/substitute.c:automount_server(323)
  Home server: devws2
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)]
lib/substitute.c:automount_server(323)
  Home server: devws2
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)]
smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)]
libsmb/ntlm_check.c:ntlm_password_check(326)
  ntlm_password_check: Checking NT MD4 password
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)]
libsmb/ntlm_check.c:ntlm_password_check(344)
  ntlm_password_check: NT MD4 password check failed for user userxxxx
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)]
smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)]
smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)]
smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)]
auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)]
auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
  ldapsam_update_sam_account: user userxxxx to be modified has dn:
uid=userxxxx,ou=People, dc=dev,dc=xxxxxx,dc=com
[2004/12/08 12:53:47, 2, effective(0, 0), real(0, 0)]
passdb/pdb_ldap.c:init_ldap_from_sam(893)
  init_ldap_from_sam: Setting entry for user: userxxxx
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)]
passdb/pdb_ldap.c:ldapsam_update_sam_account(1717)
  ldapsam_update_sam_account: mods is empty: nothing to update for user:
userxxxx
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)]
smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [userxxxx] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2004/12/08 12:53:47, 2, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [userxxxx] -> [userxxxx]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)]
auth/auth_util.c:free_user_info(1318)
  attempting to free (and zero) a user_info structure

I have spent weeks on reading available documentation to try to find the
answer to these problems.  I am now hoping that SAMBA experts out there can
help me resolve these problems.  Any help would be greatly appreciated.
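The "NT MD4 password check failed" line above is what ldapsam logs when the entry it found has no usable sambaNTPassword to compare the client's NTLM response against; a CRYPT userPassword cannot be used for that, so the entry needs the NT hash (MD4 of the UTF-16LE password) alongside sambaSID and sambaAcctFlags. The script below, an added example and not part of the original post, computes that hash and emits the LDIF modify for the DN shown in the log; the uid, password and the 2*uid+1000 RID mapping are assumptions for illustration.

```python
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled under OpenSSL 3."""
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & MASK
    rounds = (  # (mixing function, round constant, shift table, X[] index order)
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), lambda i: i),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         lambda i: (i % 4) * 4 + i // 4),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         lambda i: (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        s = state[:]
        for fn, const, shifts, idx in rounds:
            for i in range(16):  # registers rotate a,b,c,d -> d,a,b,c -> ...
                a, b, c, d = (s[(j - i) % 4] for j in range(4))
                s[-i % 4] = rotl((a + fn(b, c, d) + x[idx(i)] + const) & MASK, shifts[i % 4])
        state = [(u + v) & MASK for u, v in zip(state, s)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """What ldapsam expects in sambaNTPassword: MD4 over the UTF-16LE password, hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def user_sid(domain_sid: str, uid: int, rid_base: int = 1000) -> str:
    """Samba 3 default mapping: user RID = 2 * uid + 'algorithmic rid base' (1000)."""
    return f"{domain_sid}-{2 * uid + rid_base}"

def samba_ldif(dn: str, sid: str, password: str) -> str:
    """LDIF modify adding the attributes ldapsam consults for an NTLM logon."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "add: objectClass", "objectClass: sambaSamAccount", "-",
        "add: sambaSID", f"sambaSID: {sid}", "-",
        "add: sambaNTPassword", f"sambaNTPassword: {nt_hash(password)}", "-",
        "add: sambaAcctFlags", "sambaAcctFlags: [U          ]", "",  # U = normal user
    ])

if __name__ == "__main__":
    # Constructed sample: the DN from the log, a made-up uid, a throwaway password.
    sid = user_sid("S-1-5-21-43403935-1067099457-3807174611", 1001)
    print(samba_ldif("uid=userxxxx,ou=People,dc=dev,dc=xxxxxx,dc=com", sid, "Example-Pass-1"))
```

In day-to-day use `smbpasswd -a <user>` writes these attributes itself once `smbpasswd -w` has stored the ldap admin dn password in secrets.tdb. Because sambaNTPassword is an unsalted hash that is password-equivalent for NTLM, the directory's ACIs must restrict reading it to that admin DN.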

