[Samba] Windows logon doesn't work, Samba says it's fine

Chris St. Pierre stpierre at NebrWesleyan.edu
Thu Jun 2 21:50:47 GMT 2005

This is an immensely frustrating problem.

I try to logon to my Samba 3.0.11 PDC running on SuSE, and the Samba
logs report that it all went swimmingly:

[2005/06/02 16:34:45, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [stpierre] ->
  [stpierre] -> [stpierre] succeeded

So w00t, right.  But no!  Windows rejects my login with a "bad
password" error.  The strange thing is that I can mount volumes from
that server without a problem -- it's only domain logons that are

Googling didn't turn up much, but it seemed in general to be a problem
with mismatched SIDs.  Here are mine:

From the server:

# net getlocalsid
SID for domain FLUFFY is: S-1-5-21-2946021175-1172358965-46922411

In my LDAP backend (all of these were copied directly from the results
of ldapsearch):

The machine account:

The user account:

The domain account:

As you can see, they're all identical.  I dearly wish the problem
could be mismatched SIDs, but it doesn't appear to be.  My full
smb.conf is below.  Any ideas?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

server string = Fluffy
workgroup = NWU_FLUFFY
netbios name = FLUFFY

log level = 2
encrypt passwords = yes
max smbd processes = 0
socket options = TCP_NODELAY
use sendfile = no

add machine script = /usr/local/samba/scripts/trust-acct.pl '%u'

logon script = scripts\logon.bat
logon path = \\%L\profiles\%U

domain logons = yes
domain master = yes
local master = yes
preferred master = yes
wins server =
security = user
admin users = stpierre
os level = 33

passdb backend = ldapsam:ldap://ldap.nebrwesleyan.edu
ldap suffix = o=nebrwesleyan.edu,o=isp
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap filter = (uid=%u)
ldap admin dn = cn=manager
ldap ssl = no

#idmap backend = ldap:ldap://newman.nebrwesleyan.edu
idmap uid = 10000-20000
idmap gid = 10000-20000

comment = Network Logon Service
path = /usr/local/samba/var/netlogon
guest ok = yes
locking = No


comment = Profile Share
path = /usr/local/samba/var/profiles
read only = No
create mask = 0600
directory mask = 0700
nt acl support = Yes
csc policy = disable
share modes = no
profile acls = yes

comment = temporary files
path = /tmp
read only = yes
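An added check, not from the original post, that automates the SID comparison Chris did by hand: it pulls the domain SID out of `net getlocalsid` output, pulls each sambaSID out of ldapsearch-style attribute lines, strips the trailing RID from account SIDs, and reports any entry whose domain prefix differs from the server's. The SIDs and entry names below are constructed sample values, not the ones from the post; the "stale" entry shows what a real mismatch would look like.

```python
import re

# Constructed sample input (not from the original post): the line printed by
# `net getlocalsid`, and sambaSID attributes as ldapsearch would return them
# for the domain entry, a user, a machine account, and one stale account that
# still carries a SID from an older domain SID.
NET_GETLOCALSID_OUTPUT = "SID for domain EXAMPLE is: S-1-5-21-111-222-333"
LDAP_ENTRIES = {
    "domain":  "sambaSID: S-1-5-21-111-222-333",
    "user":    "sambaSID: S-1-5-21-111-222-333-1004",
    "machine": "sambaSID: S-1-5-21-111-222-333-2002",
    "stale":   "sambaSID: S-1-5-21-999-888-777-1004",
}

# A SID is "S-1-<authority>-<subauthority>(-<subauthority>)*".
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def parse_sid(text):
    """Return the first SID found in text; raise if there is none."""
    match = SID_RE.search(text)
    if not match:
        raise ValueError(f"no SID found in {text!r}")
    return match.group(0)


def domain_part(sid):
    """Strip the RID from an account SID.

    A domain SID has the form S-1-5-21-a-b-c (seven dash-separated fields);
    user, group and machine SIDs append one more field, the RID.
    """
    fields = sid.split("-")
    if len(fields) > 7:
        return "-".join(fields[:-1])
    return sid


def check_sids(local_sid_output, entries):
    """Compare every entry's domain prefix with the server's local SID.

    Returns (local_sid, mismatches) where mismatches maps entry name to the
    offending SID; an empty dict means the SIDs are consistent.
    """
    local_sid = parse_sid(local_sid_output)
    mismatches = {}
    for name, attribute in entries.items():
        sid = parse_sid(attribute)
        if domain_part(sid) != local_sid:
            mismatches[name] = sid
    return local_sid, mismatches
```

With the sample data the only mismatch reported is the "stale" entry; an empty result, as in Chris's case, rules out SID mismatch as the cause.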

