[Samba] samba 3.0.2a-Debian +ldapsam +smbldap-tools 3.0rc4-1= newly created users can't log in
Bradley W. Langhorst
brad at langhorst.com
Thu Mar 18 18:15:12 GMT 2004
There is something very strange going on with new users...
I've created a new user using the smbldap-tools
creation goes fine...
smbldap-useradd -a -g labusers -G power_users -n -c 'test user' -m -P
I've set the password and I see this in my ldap dir:
ldapsearch -x -D cn=ldapadmin,dc=bitc,dc=unh,dc=edu -W
# testuser, People, bitc.unh.edu
gecos: test user
description: test user
displayName: test user
sambaLMPassword: changed here
sambaNTPassword: changed here
sambaAcctFlags: [U ]
This user can't log in on any workstation in the domain.
It is able to log in via ssh to the samba server (so libnss-ldap is able
to parse it fine)
I cranked up the log to 100 and watched what's going on during login...
It finds the user using the same filter as I did above.
It finds all the attributes except the NT and LM passwords.
But then I find this:
[2004/03/18 11:58:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (2007, 100) - sec_ctx_stack_ndx = 0
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(182)
  ntlm_password_check: NO NT password stored for user mcmahon.
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(309)
  ntlm_password_check: NO LanMan password set for user mcmahon (and no
[2004/03/18 11:58:52, 4] libsmb/ntlm_check.c:ntlm_password_check(325)
  ntlm_password_check: LM password check failed for user, no NT password
[2004/03/18 11:58:52, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [mcmahon] FAILED with
These missing attribs are serious errors - I think they should be at
level 2 at least...
So the first thing to occur to me is that there is a directory security
problem on the password attribs. Samba is accessing the ldap store
as the admin user so it shouldn't matter, but I tried removing the
security permissions anyway to no avail.
Looks like the smbldap tools switched to inetorgperson from account,
that's the only thing that i can tell is different between old users and
new users. But samba is able to find the account...
Could it be that there is a "sniffing" of the store to see which
objectclasses are in use and my mix of
I'm stumped - about to dump and re-init my ldap store (urg)
thanks for any suggestion!
Bradley W. Langhorst <brad at langhorst.com>
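
An added example, not part of the original post and not Samba's own code: a small parser for the smbd debug log layout quoted above that lists accounts whose logon failed because no NT hash was read from the backend, along with the debug level at which each message appeared. The sample log is constructed from the line prefixes shown in the post, and the account names alice and bob are made up.

```python
import re
from collections import defaultdict

# Constructed sample: wording limited to the line prefixes quoted in the post;
# "alice" and "bob" are made-up account names.
SAMPLE_LOG = """\
[2004/03/18 11:58:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (2007, 100) - sec_ctx_stack_ndx = 0
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(182)
  ntlm_password_check: NO NT password stored for user alice.
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(309)
  ntlm_password_check: NO LanMan password set for user alice
[2004/03/18 11:58:52, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [alice] FAILED
[2004/03/18 12:03:10, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [bob] FAILED
"""

# Record header: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
SIGNALS = [
    ("nt_hash_missing", re.compile(r"NO NT password stored for user (\S+?)\.?$")),
    ("lm_hash_missing", re.compile(r"NO LanMan password set for user (\S+)")),
    ("auth_failed", re.compile(r"sam authentication for user \[([^\]]+)\] FAILED")),
]

def parse_records(text):
    """Yield (debug_level, message_line) for each body line of each record."""
    level = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            level = int(m.group(2))
        elif level is not None and line.strip():
            yield level, line.strip()

def missing_hash_failures(text):
    """Map user -> {signal: debug level where it was first seen}."""
    seen = defaultdict(dict)
    for level, msg in parse_records(text):
        for name, rx in SIGNALS:
            m = rx.search(msg)
            if m:
                seen[m.group(1)].setdefault(name, level)
    # Keep only logons that failed while no NT hash was available.
    return {u: s for u, s in seen.items()
            if "auth_failed" in s and "nt_hash_missing" in s}

if __name__ == "__main__":
    for user, signals in missing_hash_failures(SAMPLE_LOG).items():
        print(user, signals)
```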