[Samba] samba 3.0.2a-Debian +ldapsam +smbldap-tools 3.0rc4-1= newly created users can't log in

Bradley W. Langhorst brad at langhorst.com
Thu Mar 18 18:15:12 GMT 2004

There is something very strange going on with new users...
I've created a new user using the smbldap-tools

creation goes fine...
smbldap-useradd -a -g labusers -G power_users -n -c 'test user' -m -P
I've set the password and I see this in my ldap dir:

ldapsearch -x -D cn=ldapadmin,dc=bitc,dc=unh,dc=edu -W
# testuser, People, bitc.unh.edu
dn: uid=testuser,ou=People,dc=bitc,dc=unh,dc=edu
cn: testuser
sn: testuser
uid: testuser
uidNumber: 2014
gidNumber: 100
loginShell: /bin/bash
gecos: test user
description: test user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: test user
sambaSID: S-1-5-21-3603135777-1134410093-4029533982-5028
sambaPrimaryGroupSID: S-1-5-21-3603135777-1134410093-4029533982-1201
sambaHomeDrive: H:
sambaHomePath: \\BITC\homes
sambaProfilePath: \\BITC\profiles\testuser
sambaLogonScript: mcmahon.cmd
sambaLMPassword: changed here
sambaNTPassword: changed here
userPassword:: changed=
homeDirectory: /home/testuser
sambaAcctFlags: [U          ]

This user can't log in on any workstation in the domain.
It is able to log in via ssh to the samba server (so libnss-ldap is able
to parse it fine)

I cranked up the log to 100 and watched what's going on during login...
It finds the user using the same filter as I did above.
It finds all the attributes except the NT and LM passwords.
But then I find this:
[2004/03/18 11:58:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (2007, 100) - sec_ctx_stack_ndx = 0
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(182)
  ntlm_password_check: NO NT password stored for user mcmahon.
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(309)
  ntlm_password_check: NO LanMan password set for user mcmahon (and no NT password supplied)
[2004/03/18 11:58:52, 4] libsmb/ntlm_check.c:ntlm_password_check(325)
  ntlm_password_check: LM password check failed for user, no NT password
[2004/03/18 11:58:52, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [mcmahon] FAILED with error N

These missing attribs are serious errors - I think they should be at
level 2 at least...

So the first thing to occur to me is that there is a directory security
problem on the password attribs. Samba is accessing the ldap store
as the admin user so it shouldn't matter, but I tried removing the
security permissions anyway to no avail.

Looks like the smbldap tools switched to inetorgperson from account,
that's the only thing that I can tell is different between old users and
new users. But samba is able to find the account...
Could it be that there is a "sniffing" of the store to see which
objectclasses are in use and my mix of 

I'm stumped - about to dump and re-init my ldap store (urg)

thanks for any suggestion!


Bradley W. Langhorst <brad at langhorst.com>
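
The log in the post shows smbd finding the entry but no NT or LM hash. The following added example (not part of the original post, and not Samba or smbldap-tools code) checks LDIF, as returned to one bind DN, for sambaSamAccount entries whose sambaNTPassword or sambaLMPassword is missing or is not the 32 hex characters ldapsam stores. The function names and the sample entries are constructed for illustration.

```python
import base64, re

HASH_ATTRS = ("sambaNTPassword", "sambaLMPassword")
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

# Constructed sample (not from the post): what one bind DN got back from ldapsearch.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaNTPassword: changed here
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attr: [values]} dicts."""
    text = re.sub(r"\n ", "", text)          # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):         # "attr:: value" is base64-encoded
                rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(rest.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def check_samba_hashes(entries):
    """Map each sambaSamAccount DN to the hash attributes smbd could not use."""
    report = {}
    for e in entries:
        if "sambasamaccount" not in (c.lower() for c in e.get("objectclass", [])):
            continue                         # not a Samba account, nothing to check
        problems = []
        for attr in HASH_ATTRS:
            values = e.get(attr.lower())
            if not values:                   # absent, or hidden from this bind DN by an ACL
                problems.append((attr, "not returned"))
            elif not HEX32.fullmatch(values[0]):
                problems.append((attr, "not 32 hex characters"))
        if problems:
            report[e["dn"][0]] = problems
    return report
```

Feed it the output of the same ldapsearch run while bound as the DN that `ldap admin dn` in smb.conf names, so the report reflects what smbd itself can read rather than what the directory administrator sees.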

