[Samba] Solved: pdc+ldap newly created users can't log in

Xavier Poinsard xpoinsard at openpricer.com
Tue Jan 13 15:39:09 GMT 2004

Xavier Poinsard wrote:
> I am facing a very strange problem with samba running as PDC and using
> LDAP. The new users that I create using smbldap-tools aren't able to log
> in, but they can browse shares on the server.
> I had the problem with samba 2.2 and hoped it would be solved with 3.0.
> I spent two days testing without success even with samba 3.0.2pre1.
> In the log I can't see anything wrong: it says "sam authentication for
> user [testuser2] succeeded" and "check_password returned status
> NT_STATUS_OK" and then nothing valuable, but the user can't log in on a
> W2K workstation.
> When comparing logs between users who can log on and others, the difference
> starts at line 250, where unlucky users have:
> [2004/01/09 16:47:53, 4] rpc_parse/parse_net.c:init_dom_sid2s(867)
>    init_dom_sid2s:
> instead of :
> [2004/01/08 11:51:03, 10]
> auth/auth_ntlmssp.c:auth_ntlmssp_check_password(129)
>    Got NT session key of length 16
> But I can't figure why...

It was due to the "logon caching feature" of Windows, which allowed users 
who had already logged on to continue logging on while refusing new users.

It was refusing logons because of a domain SID change.
Restoring the old domain SID solved it.

=> I don't know exactly where this is handled, but maybe an explicit 
error message about a mismatched SID could be added.


> Attached is the unsuccessful logon log.
> Thanks for any help.
> Xavier Poinsard
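The mismatch Xavier describes can be caught before anyone tries to log on: the domain SID Samba reports for itself must equal the sambaSID of the sambaDomain entry in LDAP, and every user's sambaSID must carry that domain SID as its prefix (the last component is the RID). The check below is an added example written for this thread; it is not code from Xavier's post or from the Samba or smbldap-tools projects. It assumes the "SID for domain X is: S-1-5-21-..." line format of `net getlocalsid`, plain (non-base64) LDIF attributes, and uses constructed sample data with made-up SID values in which one user was created under a different domain SID.

```python
import re

# Constructed sample input (not from the original post). Assumed format of
# `net getlocalsid` output; the SID values are invented for illustration.
NET_GETLOCALSID_OUTPUT = (
    "SID for domain OPENPRICER is: S-1-5-21-1111111111-2222222222-3333333333\n"
)

# Constructed LDIF excerpt of the kind smbldap-tools writes: the domain entry
# plus two users. testuser2 was created while Samba used a different domain SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=OPENPRICER,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: OPENPRICER
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=olduser,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: olduser
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=testuser2,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: testuser2
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-3004
"""

DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")


def parse_local_sid(text):
    """Extract the domain SID from `net getlocalsid` output (assumed format)."""
    m = re.search(r"is:\s*(" + DOMAIN_SID_RE.pattern + r")", text)
    if not m:
        raise ValueError("no domain SID found in net getlocalsid output")
    return m.group(1)


def parse_ldif(text):
    """Minimal LDIF reader: returns one dict (attribute -> list of values)
    per blank-line-separated entry. Assumes plain 'attr: value' lines only."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def domain_sid_of(user_sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return user_sid.rsplit("-", 1)[0]


def check_sids(local_sid, ldif_text):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    problems = []
    for entry in parse_ldif(ldif_text):
        classes = entry.get("objectClass", [])
        sids = entry.get("sambaSID", [])
        if "sambaDomain" in classes:
            # The domain entry must carry exactly the SID Samba uses locally.
            for sid in sids:
                if sid != local_sid:
                    name = entry.get("sambaDomainName", ["?"])[0]
                    problems.append(
                        f"domain entry {name} has SID {sid}, local SID is {local_sid}")
        elif "sambaSamAccount" in classes:
            # A user whose SID prefix differs was created under another domain SID;
            # a workstation joined to the current domain will refuse its logon.
            for sid in sids:
                if domain_sid_of(sid) != local_sid:
                    uid = entry.get("uid", ["?"])[0]
                    problems.append(
                        f"user {uid} has SID {sid}, not under domain SID {local_sid}")
    return problems


if __name__ == "__main__":
    local = parse_local_sid(NET_GETLOCALSID_OUTPUT)
    for problem in check_sids(local, SAMPLE_LDIF):
        print("MISMATCH:", problem)
```

Run against a real server by replacing the two constructed strings with the output of `net getlocalsid` and an `ldapsearch` dump of the domain and user entries; a non-empty result is the explicit "mismatched SID" message that the Samba logs in the thread never gave.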
