[Samba] samba failed to authenticate to openLDAP

Paul Gienger pgienger at ae-solutions.com
Tue Mar 1 14:11:29 GMT 2005

Judicious snippage, post at the bottom.

> I tried to let Samba authenticate against LDAP but could not figure 
> out how to build the LDAP tree for Samba.
> Fedora core 2
> Samba 3.0.10
> OpenLDAP 2.1.29
> dc=mydomain
>  |
>  `--- ou=People    : to store user accounts for Unix and Windows
>  |
>  `--- ou=Hosts     : to store computer accounts for UNIX & Windows
>  |
>  `--- ou=Groups    : to store system groups for Unix and Windows
> What I did was:

>    [global]
>         workgroup = TESTDM
>         passdb backend = ldapsam:ldap://
>         log level = 1 passdb:8 auth:8
>         domain logons = Yes
>         wins support = Yes
>         ldap admin dn = cn=root,dc=mydomain
>         ldap delete dn = Yes
>         ldap group suffix = ou=Group
>         ldap machine suffix = ou=Hosts
>         ldap user suffix = ou=People
>         ldap suffix = dc=mfelc
>         ldap passwd sync = Yes
>         ldap ssl = no
> 3) start Samba server
> 4) run smbclient //smbserver -U myid
>    Password:
>    session setup failed: NT_STATUS_LOGON_FAILURE

> Attached is the smbd.log, I deleted the normal log and keep failed 
> messages as below:
>   check_sam_security: Couldn't find user 'szeng' in passdb file.
> auth/auth.c:check_ntlm_password(271)
>   check_ntlm_password: sam authentication for user [szeng] FAILED with 

> Is there anybody who might have some idea of what is wrong.

Yep.  You did nothing to create the samba attributes that will have to 
exist in each user account for the users to log in.   I suggest you read 
the documentation on setting up an LDAP/PDC system that is on the 
samba.org web site.  You've missed quite a few steps here, so you may 
want to read it through to get a complete idea.  Your solution is going 
to include the following:

1. Obtain and configure the smbldap-tools package.
2. Run the smbldap-populate script
3. Make sure you've got a sambaDomain (I think that's the object type) 
in the base of your DIT.
4. Join the machine to the domain (since you appear to want a domain setup)
4. Add samba attributes to each user's account.

Yes there are 2 #4 entries.  Doesn't matter which one comes first.  As 
far as I can remember, those will be the critical steps to not miss.   
If you've followed the documentation and not done those steps, you've 
missed something.

Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: pgienger at ae-solutions.com
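Added example, not from the thread and not part of smbldap-tools: a small Python audit over an LDIF export of the tree that checks the two things the reply points at. Samba 3's ldapsam looks a user up with the filter (&(uid=<name>)(objectclass=sambaSamAccount)), so a bare posixAccount produces exactly the "Couldn't find user in passdb" line quoted above; the script also resolves the smb.conf suffixes against the export, which shows how `ldap suffix = dc=mfelc` and `ldap group suffix = ou=Group` line up against a tree rooted at dc=mydomain with ou=Groups. The sample export is constructed, and the attribute list treated as the minimum is an assumption.

```python
SAMPLE_LDIF = """\
dn: dc=mydomain
objectClass: dcObject

dn: ou=People,dc=mydomain
objectClass: organizationalUnit

dn: ou=Groups,dc=mydomain
objectClass: organizationalUnit

dn: uid=szeng,ou=People,dc=mydomain
objectClass: posixAccount

dn: uid=alice,ou=People,dc=mydomain
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1000
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
"""  # constructed sample export: only alice carries the Samba attributes
REQUIRED = ("sambaSID", "sambaNTPassword")  # assumed minimum for an NTLM logon
QUOTED_CONF = {"ldap suffix": "dc=mfelc", "ldap user suffix": "ou=People",
               "ldap group suffix": "ou=Group"}  # suffix values as quoted in the thread

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; no base64 or folded lines (assumption)."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None and attr:  # blank separator lines have no attr
            cur.setdefault(attr, []).append(value)
    return entries

def users_missing_samba(entries):
    """Map each posixAccount that ldapsam cannot use to the pieces it lacks."""
    problems = {}
    for dn, attrs in entries.items():
        classes = attrs.get("objectClass", [])
        missing = [] if "sambaSamAccount" in classes else ["objectClass: sambaSamAccount"]
        missing += [a for a in REQUIRED if a not in attrs]
        if "posixAccount" in classes and missing:
            problems[dn] = missing
    return problems

def check_suffixes(entries, conf):
    """Return the smb.conf suffix DNs (base and each sub-OU) absent from the export."""
    base = conf["ldap suffix"]
    wanted = [base] + ["%s,%s" % (v, base) for k, v in conf.items() if k != "ldap suffix"]
    return [dn for dn in wanted if dn not in entries]
```

Run against a real export (`slapcat` or `ldapsearch -LLL`) after smbldap-populate to confirm every user in ou=People reports nothing missing before testing a logon.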
