[Samba] PDC with LDAP backend login issue

dennis vijlbrief dennis.vijlbrief at gmail.com
Thu Jun 9 22:43:32 GMT 2005


Hi all,

I'm very close to having a working setup after blundering through a
couple of typing errors that cost me several days of my life, with the
following config:
Samba 3.0.14a as a PDC
Suse 9.2 Professional
LDAP (eDirectory 8.7.3) passwd backend
Idealx scripts
Windows XP SP1

I can connect to any of the samba shares just fine using any of the
users I've created, from XP and from linux using SMBCLIENT. I can join
workstations to the Domain and I can log on from a WindowsXP
workstation, but only as root. This is the problem, or the symptom ;-)
If I try logging on as a different user I get the same error message
as when I use a non-existing user. I've tried users I've created
manually, users created with smbldap-useradd and users created by
smbldap-populate.

The only thing I did that was not described anywhere to get the idealx
scripts working was exporting to an ldif file and adding the entry:
"objectClass: Group" to all the groups the script wants to create. I
had to do this otherwise smbldap-populate couldn't create groups like
"Domain Admins" because of "OBJECT CLASS VIOLATION" errors.

Also I put users, workstations and groups in the same container now to
minimize the risk of running into some issues I've been reading about.

I don't see how it can be possible to have access to all shares but
not be able to really logon. Unless it has something to do with the
netlogon service or IPC$? But I can connect just fine to those
shares too, using a different user.

Below are extracts from a log I made using the logging level: 0
passdb:4 auth:4 tdb:4
Hope anyone can shed some light on this.

Any help would be appreciated.

My log shows this:

check_ntlm_password:  Checking password for unmapped user
[NDSDOM]\[testuser3]@[SCLXPWD4104] with the new password interface
[2005/06/06 05:36:24, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [NDSDOM]\[testuser3]@[SCLXPWD4104]
[2005/06/06 05:36:24, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: testuser3
[2005/06/06 05:36:24, 4] auth/auth_sam.c:sam_account_ok(119)
  sam_account_ok: Checking SMB password for user testuser3
[2005/06/06 05:36:24, 1] auth/auth_util.c:make_server_info_sam(840)
  User testuser3 in passdb, but getpwnam() fails!
[2005/06/06 05:36:24, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2005/06/06 05:36:24, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [NDSDOM]
was for this SAM.


In case of the user root I don't see any reference to getpwnam():

[2005/06/06 05:36:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/06 05:36:11, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[]\[]@[SCLXPWD4104] with the new password interface
[2005/06/06 05:36:11, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [NDSDOM]\[]@[SCLXPWD4104]
[2005/06/06 05:36:11, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded

This is the log when I successfully map to a samba share from the XP
machine (logged on locally):

[2005/06/06 06:20:16.569305, 3, pid=7535, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[SCLLSTST]\[testuser]@[SCLXPWD4104] with the new password interface
[2005/06/06 06:20:16.570605, 3, pid=7535, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [NDSDOM]\[testuser]@[SCLXPWD4104]
[2005/06/06 06:20:16.596668, 2, pid=7535, effective(0, 0), real(0, 0)]
passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: testuser
[2005/06/06 06:20:16.603283, 4, pid=7535, effective(0, 0), real(0, 0)]
libsmb/ntlm_check.c:ntlm_password_check(326)
  ntlm_password_check: Checking NT MD4 password
[2005/06/06 06:20:16.604362, 4, pid=7535, effective(0, 0), real(0, 0)]
auth/auth_sam.c:sam_account_ok(119)
  sam_account_ok: Checking SMB password for user testuser
[2005/06/06 06:20:16.904762, 4, pid=7535, effective(0, 0), real(0, 0)]
passdb/pdb_ldap.c:ldapsam_getgroup(2106)
  ldapsam_getgroup: Did not find group
[2005/06/06 06:20:16.908227, 3, pid=7535, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [testuser] succeeded
[2005/06/06 06:20:16.910629, 2, pid=7535, effective(0, 0), real(0, 0)]
auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [testuser] ->
[testuser] -> [testuser] succeeded
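
The first log excerpt stops at "in passdb, but getpwnam() fails!", while the share-mapping excerpt reaches "sam authentication ... succeeded". The following is an added example, not part of the original post: it parses smbd log text of this shape, records which stage each user reached, and repeats the Unix account lookup with Python's `pwd` module. The sample log is adapted from the excerpts above with mail line wraps rejoined; the function and event names are illustrative.

```python
import pwd
import re

# Excerpt adapted from the logs in the post (mail line wraps rejoined).
SAMPLE_LOG = """\
[2005/06/06 05:36:24, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: testuser3
[2005/06/06 05:36:24, 1] auth/auth_util.c:make_server_info_sam(840)
  User testuser3 in passdb, but getpwnam() fails!
[2005/06/06 06:20:16.596668, 2, pid=7535, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: testuser
[2005/06/06 06:20:16.908227, 3, pid=7535, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [testuser] succeeded
"""

# Header: "[timestamp, level(, extra fields)] source.c:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)[^\]]*\]\s*(?P<src>\S+)")
EVENTS = [
    ("passdb_found", re.compile(r"Entry found for user: (\S+)")),
    ("unix_missing", re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails")),
    ("authenticated", re.compile(r"sam authentication for user \[([^\]]+)\] succeeded")),
]

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(text):
    """Map each user name to the set of auth events logged for it."""
    seen = {}
    for rec in parse_records(text):
        for name, rx in EVENTS:
            m = rx.search(rec["msg"])
            if m:
                seen.setdefault(m.group(1), set()).add(name)
    return seen

def unix_account_exists(user):
    """Repeat the getpwnam() lookup through this host's NSS configuration."""
    try:
        return bool(pwd.getpwnam(user))
    except KeyError:
        return False
```

A user whose event set contains `unix_missing` has a Samba passdb entry that the host cannot resolve as a Unix account; running `unix_account_exists()` for that name on the server shows whether the lookup still fails.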

