[Samba] Authentication failure

Rafal Pietrak rafal at zorro.isa-geek.com
Fri May 7 12:40:14 GMT 2004


I'm configuring samba-3.0.2a-Debian. I have it configured with LDAP.

I get samba decline access for a W98 clinet when using user authentication
(NT domain), and the following entries get into /var/log/smb/machine.log:

[2004/05/07 13:46:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X(772)
  Domain=[WORKGROUP]  NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0]
[2004/05/07 13:46:07, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2004/05/07 13:46:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X(787)
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[WORKGROUP]\[LENEC]@[protel] with the new password interface
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [MORIA]\[LENEC]@[protel]
[2004/05/07 13:46:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: lenec
[2004/05/07 13:46:07, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(235)
  fetch sid from gid cache 513 ->
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [LENEC] succeeded
[2004/05/07 13:46:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/05/07 13:46:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/05/07 13:46:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/05/07 13:46:07, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management
for User: lenec                                                         
               [2004/05/07 13:46:07, 2]
  smb_pam_error_handler: PAM: Account Check Failed : Authentication
service cannot retrieve authentication info.                            
                   [2004/05/07 13:46:07, 0]
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User
[2004/05/07 13:46:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password:  PAM Account for user [lenec] FAILED with error
[2004/05/07 13:46:07, 2] auth/auth.c:check_ntlm_password(312)             
       check_ntlm_password:  Authentication for user [LENEC] -> [LENEC]

What looks strange, is that initially, there is a success with
check_ntlm_password(), but sugsequently the process fails.... attemping a
sort of 'second stage authentication'? Why?

There is a certain twick to my configuration. This server will provide
authentication/file/printing servicies for wider audience, but will allow
local /bin/sh access only to local admins. I try to achieve this using the
following nsswitch configuration:
passwd:         compat ldap
shadow:         compat
(Note the missing ldap in shadow configuration above). So:
  model$ getent passwd lenec
  lenec:x:1081:513:User Lenec:/root:/bin/false
is quite correct (the entry comes from LDAP), while:
  model# passwd lenec
  passwd: Authentication service cannot retrieve authentication info.
fails as expected (/etc/shadow does not contain it).

Does anyone have any idea why w98 in such situation does not get access
granted? I don't have any other client (apart local smbclient) to test the
setup on.

Or may be my attempt to have ldap serve passwd and NOT serve shadow is
inapropriate and there is simpler and *working* other setup to achieve the
same target?



More information about the samba mailing list