[Samba] Windows logon doesn't work, Samba says it's fine

Chris St. Pierre stpierre at NebrWesleyan.edu
Thu Jun 2 21:50:47 GMT 2005


This is an immensely frustrating problem.

I try to log on to my Samba 3.0.11 PDC running on SuSE, and the Samba
logs report that it all went swimmingly:

[2005/06/02 16:34:45, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [stpierre] ->
  [stpierre] -> [stpierre] succeeded

So w00t, right.  But no!  Windows rejects my login with a "bad
password" error.  The strange thing is that I can mount volumes from
that server without a problem -- it's only domain logons that are
broken.

Googling didn't turn up much, but it seemed in general to be a problem
with mismatched SIDs.  Here are mine:

From the server:

# net getlocalsid
SID for domain FLUFFY is: S-1-5-21-2946021175-1172358965-46922411

In my LDAP backend (all of these were copied directly from the results
of ldapsearch):

The machine account:
sambaSID=S-1-5-21-2946021175-1172358965-46922411-3048

The user account:
sambaSID=S-1-5-21-2946021175-1172358965-46922411-5546

The domain account:
sambaSID=S-1-5-21-2946021175-1172358965-46922411

As you can see, they're all identical.  I dearly wish the problem
could be mismatched SIDs, but it doesn't appear to be.  My full
smb.conf is below.  Any ideas?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

-------------------------------
smb.conf:
-------------------------------
[global]
server string = Fluffy
workgroup = NWU_FLUFFY
netbios name = FLUFFY

log level = 2
encrypt passwords = yes
max smbd processes = 0
socket options = TCP_NODELAY
use sendfile = no

add machine script = /usr/local/samba/scripts/trust-acct.pl '%u'

logon script = scripts\logon.bat
logon path = \\%L\profiles\%U

domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins server = 10.9.1.12
security = user
admin users = stpierre
os level = 33

passdb backend = ldapsam:ldap://ldap.nebrwesleyan.edu
ldap suffix = o=nebrwesleyan.edu,o=isp
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap filter = (uid=%u)
ldap admin dn = cn=manager
ldap ssl = no

#idmap backend = ldap:ldap://newman.nebrwesleyan.edu
idmap uid = 10000-20000
idmap gid = 10000-20000

[netlogon]
comment = Network Logon Service
path = /usr/local/samba/var/netlogon
guest ok = yes
locking = No

[profiles]

[profiles]
comment = Profile Share
path = /usr/local/samba/var/profiles
read only = No
create mask = 0600
directory mask = 0700
nt acl support = Yes
csc policy = disable
share modes = no
profile acls = yes

[tmp]
comment = temporary files
path = /tmp
read only = yes
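
An added example, not part of the original post: the SID comparison described in the message, done mechanically by splitting each sambaSID into its domain portion and trailing RID and comparing the domain portion with the `net getlocalsid` result. The function names and the mismatching `stale` entry are constructed for illustration; the other values are the ones quoted in the post.

```python
import re

# Domain-style SID: S-1-5-21 plus three sub-authorities, optionally a RID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}")

def split_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a domain-style SID: {sid!r}")
    parts = sid.split("-")
    # Seven dash-separated fields form the domain SID; an eighth is the RID.
    if len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None

def parse_getlocalsid(output):
    """Extract (name, sid) from a 'net getlocalsid' output line."""
    m = re.search(r"SID for domain (\S+) is: (\S+)", output)
    if not m:
        raise ValueError("unrecognised net getlocalsid output")
    return m.group(1), m.group(2)

def check_sids(local_output, ldap_values):
    """Map each labelled sambaSID to (domain_portion_matches, rid)."""
    _, local_sid = parse_getlocalsid(local_output)
    report = {}
    for label, value in ldap_values.items():
        sid = value.split("=", 1)[-1].strip()  # accept 'sambaSID=S-1-...'
        domain, rid = split_sid(sid)
        report[label] = (domain == local_sid, rid)
    return report

# Values quoted in the post, plus one constructed mismatch ("stale").
LOCAL = "SID for domain FLUFFY is: S-1-5-21-2946021175-1172358965-46922411"
LDAP = {
    "machine": "sambaSID=S-1-5-21-2946021175-1172358965-46922411-3048",
    "user": "sambaSID=S-1-5-21-2946021175-1172358965-46922411-5546",
    "domain": "sambaSID=S-1-5-21-2946021175-1172358965-46922411",
    "stale": "sambaSID=S-1-5-21-1111111111-2222222222-3333333333-1000",
}

if __name__ == "__main__":
    for label, (ok, rid) in check_sids(LOCAL, LDAP).items():
        print(f"{label:8} domain match={ok} rid={rid}")
```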


