[Samba] Weird: Samba 3.0.2a (PDC) and OpenLDAP = Windows can't logon to PDC

Craig White craigwhite at azapple.com
Sun Mar 14 02:02:33 GMT 2004


On Sat, 2004-03-13 at 11:04, Joost van der Locht wrote:
> Hello
> 
> I have a weird problem. I have installed on a Fedora Core 1 server the 
> following:
> Samba 3.0.2a
> Openldap 2.1.22
> Smbldaptools 0.8.4
> 
> Everything works for this setup until I try to logon to the domain from 
> a Windows XP Pro workstation.
> 
> I can:
> - join the domain
> - create users with the smbldap tools
> - Logon to Linux locally
> - use smbclient tools
> - Access shares from my Windows XP (when logged on locally)
> - See my personal homedirectory and mapped to a personal share
> 
> I can't
> - Logon to the domain.
> 
> When I try to do that Windows gives the error:
> The system could not log you on. Make sure your User name and domain are 
> correct, then type your password again. Letters in passwords must be 
> typed using the correct case.
> 
> I tried it with a non ldap setup and then it seemed to work.
> 
> Now with ldap it doesn't.
> As far as I could monitor the log files I see a SUCCEED coming up when 
> it checks the ldap directory. But still no luck logging in.
> 
> What is wrong? I followed every instruction I could find online 
> regarding ldap.....
----
Not enough info to be certain but usually when users post this problem,
their problem is either failure to access ldap with the rootdn as
specified in smb.conf 

(you must smbpasswd -w PASSWD_FOR_ROOTDN_AS_SPECIFIED_IN_SMB.CONF)

or

the SIDs don't match up.
net getlocalsid

ldapsearch -x -h localhost -D 'rootdn_in_full' -W '(sambaDomainName=*)'|grep sambaSID
# the sambaSID for the domain needs to match the above

ldapsearch -x -h localhost -D 'rootdn_in_full' -W '(uid=*)'|grep SID
# for users, the sambaSID and the sambaPrimaryGroupSID need to match as
# well (up to the RID)

ldapsearch -x -h localhost -D 'rootdn_in_full' -W '(cn=*)'|grep SID
# for groups, the sambaSID (up to the RID) needs to match too

to be certain, the logs - typically /var/log/samba/smbd.log,
/var/log/samba/log.ip_address_of_machine_failing_to_log_in should tell
you what is breaking.

Craig
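
The SID comparison described above, run over a whole ldapsearch dump at once instead of by eye. This is an added example, not part of the original post: the check_sids and sample_ldif names and every SID and DN in it are constructed for illustration, and it assumes the BUILTIN S-1-5-32 aliases should be skipped.

```sh
#!/bin/sh
# Added example, not from the thread. All SIDs and DNs below are constructed.

DOMAIN_SID='S-1-5-21-1111111111-2222222222-3333333333'   # as from net getlocalsid

# check_sids DOMAIN_SID < ldif
# Prints "MISMATCH <dn> <attribute> <sid>" for each SID outside the domain;
# returns 1 if any were found, 0 otherwise.
check_sids() {
    awk -v dom="$1" '
        /^dn: / { dn = substr($0, 5) }
        /^(sambaSID|sambaPrimaryGroupSID): / {
            sid = $2
            if (sid ~ /^S-1-5-32-/) next      # BUILTIN aliases use a fixed prefix
            prefix = sid
            sub(/-[0-9]+$/, "", prefix)       # drop the trailing RID
            # the sambaDomainName entry holds the bare domain SID (no RID)
            if (sid != dom && prefix != dom) {
                print "MISMATCH", dn, substr($1, 1, length($1) - 1), sid
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Constructed LDIF in the shape ldapsearch prints: bob has the wrong group SID.
sample_ldif() {
    cat <<'EOF'
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=alice,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=bob,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaPrimaryGroupSID: S-1-5-21-4444444444-5555555555-6666666666-513

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513
EOF
}

sample_ldif | check_sids "$DOMAIN_SID" || echo "entries above need their SIDs fixed"
```

On a live server, pass the SID printed by net getlocalsid and pipe the ldapsearch output in place of sample_ldif.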


