[Samba] Help with Samba (net vampire) not pulling passwords into openLDAP backend - fails pam_ldap authentication - pam_unix used instead ?

Franciszek Michal Misa fmisa at sympatico.ca
Sat Jan 8 04:01:07 GMT 2005

Hi All,

Hope someone here can help me ?

*See end for background and system information...

I'm looking for advice or links to clear documentation on the use and
configuration of "net vampire" and it's ability to download PDC accounts
with passwords intact.

I have successfully used "net vampire" to synchronize my Samba BDC --
with my companies PDC.  I've switched my linux box authentication --
using "authconfig" -- to authenticate against LDAP.

Seems to be working for all but accounts "net vampired" over.....

My original users (root - stored in /etc/passwd) as well as newly
created users (created with smbldap-useradd - stored in LDAP) -- can log
into my system fine -- OK.

My problem....  all the newly created users (from PDC using net vampire)
can be switched to as root using: 
    su - newDomainAccountUser
BUT -- These users cannot log into the system console themselves....
All the /home/userX directories have been created -- and LDAP is
populated with everything it seems but the correct password -- I think ?

tail -f /var/log/message reveals:
>>Jan  7 17:05:04 host06 su(pam_unix)[26618]: check pass; user unknown
>>Jan  7 17:05:04 host06 su(pam_unix)[26618]: authentication failure;  
       logname=fXXXX uid=500 euid=0 tty= ruser=fXXXX rhost=
>>Jan  7 17:05:04 host06 su[26618]: pam_ldap: error trying to bind as
       user "uid=product,ou=Users,dc=XXXXX,dc=ca" (Invalid credentials)
NOTE:  XXXX replaced sensitive information...

An ldap client I'm using reveals {CRYPT} X  -- in place of the NT
password hashes....

I'm unclear why -- "net vampire" -- did not pull down the user passwords
correctly. I've searched the internet/forums etc. -- and cannot find any
solution that helps or clearly explains what's going on;  though many
people seem to be having similar issues with "net vampire"

I've tried the following:
    - different pam_ldap versions  (156 & 176)
    - tweaking /etc/ldap.conf settings including pam_password key
    - tweaking various pam.d config files
    - confirm my local SID matches the PDC/remote SID

I'm unclear about the following -- and see many conflicting suggestions
on the internet:
*) Should /etc/samba/smb.conf => encrypt passwords =yes
*) My BDC /etc/samba/smb.conf is setup with:
   security = user
   password level = 8                                          
   username level = 8 
   encrypt passwords = yes                                     
   smb passwd file = /etc/samba/smbpasswd 
   obey pam restrictions = no                                    
   ldap passwd sync = yes  
   domain master = no 
   preferred master = no
   domain logons = yes
   name resolve order = wins lmhosts bcast
   wins server = X.X.X.X  (our company WINS server...)
   dns proxy = no
   passdb backend = ldapsam:ldap://
   ... And all remaining LDAP settings/scripts/admin/suffix etc.
   Dos charset =850                                             
   Unix charset = ISO8859-1 
*) Should /etc/ldap.conf    => pam_password md5    or    crypt
*) Should my /etc/openldap/slapd.conf   roopw==> be encrypted ?  for now
I'm using plain text with /etc/ldap.conf: bindpw & rootbinddn used in
combination with  plain text /etc/ldap.secret
*) Beside removing my host from the PDC's list of detected BDC prior to:
       net rpc join -S MY_PDC -UAdministrator%myAdminPassWd
I'm not doing anything on the remote PDC machine ?
Is there any remote configuration I need to perform for "trust" ?

   Note:  My BDC -- has the same SID and Workgroup name as my PDC and
   I'm able to "join" the domain OK... no errors.
*) I'm using IDEALX scripts -- why doesn't Samba provide similar
utilities ?  Are there better 3rd party scripts out there ?
**) What might I be missing ?  What must I do to get "net vampire" to
pull and store the PDC/SAM passwords OK ?
*) Should I be using SambaTNG instead ?
*) Could I use "net rpc samdump" instead -- and manual scripts to
convert to LDIF ?

All I want to do is reproduce MSWinNT&2000-PDC/SAM user/computer/group
information in LDAP so I can authenticate web applications and other
applications without having to manually maintain all this user
information by hand.  Later I may also want to synch. with
account/address information in LotusNotes and ADP....
I dont't care to have my host as fulltime BDC -- I don't need my host to
replace the PDC -- I don't need the host to authenticate Windows users
on the WinDOMAIN;  A cron job to synch with PDC each night -- and then
shutdown would be OK.

uname -a
     >>Linux host06 2.4.21-20.ELsmp #1 SMP 
     >>Wed Aug 18 20:46:40 EDT 2004 i686 i686 i386 GNU/Linux
cat /etc/redhat-release
     >>Red Hat Enterprise Linux ES release 3 (Taroon Update 3)
rpm -qa | grep -i '???'
     >>Note: I've tried pam_ldap v156   & v176 ? no difference
SambaPDC/LDAP Scripts
     >> I'm using IDEALX scripts and tried several documents/guides
     >> most follow the following link closely:
Samba Schema
     >> I had to download the samba.schema from the Samba groups CVS
     >> server Note: My samba.schema was from source base for:
     >> Samba v3.1.0

More information about the samba mailing list