[Samba] Samba and LDAP backend - howto docs problems?

Norman Dressler ndressler at dinmar.com
Wed Mar 10 00:36:27 GMT 2004

I had this problem too and found the solution.  In your LDAP directory, you 
should have a domain entry for your domain.  Make sure the sambaSID of that 
domain matches the first part of the sambaSID of the user you are using to 
connect with.  This is assuming you are using the new schema.

This can also be a symptom of not having the guest account properly mapped to 
a nobody or similar account.  Could also happen if you don't have a 'root' 
account in your ldap directory.  You must also have the proper configurations 
for the Domain groups like Domain Users and Domain Guests, etc.

As you can see, I had to learn the hard (best?) way -- trial and error.  I've 
been bitten by all of them at one time or another.


On Tuesday 09 March 2004 06:36 pm, John H Terpstra wrote:
> On Wed, 10 Mar 2004, Graham Leggett wrote:
> > Hi all,
> >
> > I have followed the instructions at
> > http://samba.mirror.ac.uk/samba/docs/man/passdb.html in an attempt to
> Ok. I am one of the authors of that. It should work. Email me you
> smb.conf file and I will try to help.
> > set up a Samba v3.0.2 (supplied by Redhat as part of RHEL v3.0) PDC.
> >
> > I have got as far as trying to get a windows 2k box to join this new
> > domain that I have created, however this fails with the error "Logon
> > failure: unknown user name or password".
> >
> > Samba itself logs nothing of this failure.
> >
> > Looking at the LDAP logs, I see that Samba is trying to do the following
> > LDAP search:
> > (&(&(uid=admin)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount
> >))
> >
> > This search fails, because the ldif displayed in the howto does not
> > include the sambaSamAccount objectclass in the admin object:
> >
> > dn: cn=admin,ou=People,dc=quenya,dc=org
> > cn: admin
> > objectclass: top
> > objectclass: organizationalRole
> > objectclass: simpleSecurityObject
> > userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
> >
> > Does anyone have any step by step instructions for getting a Win2k box
> > to join a Samba domain that is known to work?
> Fully documented step-by-step instructions that work with SuSE and Red Hat
> are in the new book "Samba-3 by Example" - can be ordered from Amazon.Com
> now. Will ship starting March 26th.
> Have you also checked chapter 2 of TOSHARG (The Official Samba-3 HOWTO and
> Reference Guide)? While not as comprehensive as the new book, this chapter
> was the seed that started the avalance of the "Give us more ..." litany
> that resulted in "Samba-3 by Example".
> Have you set up your scripts?
> 	- add user script
> 	- delete user script
> 	- add machine script
> 	- add group script
> 	- delete group script
> 	- add user to group script
> 	- etc.
> Have you test driven each manually to prove that it works?
> Have you configured nss_ldap and proven that it works?
> 	ie: getent passwd
> 	    getent group
> Does:
> 	pdbedit -Lw
> list the users in the old smbpasswd format?
> Many, many more questions ... what have you done to demonstrate that each
> element of your configuration works?
> Cheers,
> John T.
> --
> John H Terpstra
> Email: jht at samba.org

More information about the samba mailing list