[Samba] samba failed to authenticate to openLDAP

Steve Zeng szeng at mainframe.ca
Tue Mar 1 17:17:57 GMT 2005


Paul,


Great tips... Thank you. I will take a look at smbldap-tools and try again.

Steve

> Judicious snippage, post at the bottom.
> 
>> I tried to let Samba authenticate against LDAP but could not figure 
>> out how to build the LDAP tree for Samba.
>>
>> Fedora core 2
>> Samba 3.0.10
>> OpenLDAP 2.1.29
>>
>> dc=mydomain
>>  |
>>  `--- ou=People    : to store user accounts for Unix and Windows
>>  |
>>  `--- ou=Hosts     : to store computer accounts for UNIX & Windows
>>  |
>>  `--- ou=Groups    : to store system groups for Unix and Windows
>>
>>
>> What I did was:
> 
> 
>>    [global]
>>         workgroup = TESTDM
>>         passdb backend = ldapsam:ldap://10.10.0.101/
>>         log level = 1 passdb:8 auth:8
>>         domain logons = Yes
>>         wins support = Yes
>>         ldap admin dn = cn=root,dc=mydomain
>>         ldap delete dn = Yes
>>         ldap group suffix = ou=Group
>>         ldap machine suffix = ou=Hosts
>>         ldap user suffix = ou=People
>>         ldap suffix = dc=mfelc
>>         ldap passwd sync = Yes
>>         ldap ssl = no
>> 3) start Samba server
>>
>> 4) run smbclient //smbserver -U myid
>>    Password:
>>    session setup failed: NT_STATUS_LOGON_FAILURE
> 
> 
>> Attached is the smbd.log. I deleted the normal log and kept the failed 
>> messages, as below:
>>   check_sam_security: Couldn't find user 'szeng' in passdb file.
>> auth/auth.c:check_ntlm_password(271)
>>   check_ntlm_password: sam authentication for user [szeng] FAILED with 
>> error NT_STATUS_NO_SUCH_USER
> 
> 
>> Is there anybody who might have some idea of what is wrong?
> 
> 
> Yep.  You did nothing to create the samba attributes that will have to 
> exist in each user account for the users to log in.   I suggest you read 
> the documentation on setting up an LDAP/PDC system that is on the 
> samba.org web site.  You've missed quite a few steps here, so you may 
> want to read it through to get a complete idea.  Your solution is going 
> to include the following:
> 
> 1. Obtain and configure the smbldap-tools package.
> 2. Run the smbldap-populate script
> 3. Make sure you've got a sambaDomain (I think that's the object type) 
> in the base of your DIT.
> 4. Join the machine to the domain (since you appear to want a domain setup)
> 4. Add samba attributes to each user's account.
> 
> Yes there are 2 #4 entries.  Doesn't matter which one comes first.  As 
> far as I can remember, those will be the critical steps to not miss.   
> If you've followed the documentation and not done those steps, you've 
> missed something.
> 
> 

-- 
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
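
Added example (not part of the original thread, and not Samba or smbldap-tools code): a small pre-flight check for the failure discussed above, where ldapsam reports "Couldn't find user" because the account has no Samba attributes. The suffix values are copied from the posted smb.conf and tree; the LDIF entry and all function names are constructed for illustration.

```python
import configparser

# Suffix values as posted in the thread; the LDIF entry is constructed.
SMB_CONF = """\
[global]
ldap suffix = dc=mfelc
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
"""
BASE_DN = "dc=mydomain"
DIT_OUS = {"ou=People", "ou=Hosts", "ou=Groups"}
USER_LDIF = """\
dn: uid=szeng,ou=People,dc=mydomain
objectClass: posixAccount
uid: szeng
"""

def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no folding, no base64) into a dict of lists."""
    entry = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def check(conf_text, ldif_text, base_dn, dit_ous):
    """Return a list of reasons why ldapsam would not find or authenticate the user."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    g = cp["global"]
    problems = []
    if g["ldap suffix"].lower() != base_dn.lower():
        problems.append(f"ldap suffix {g['ldap suffix']!r} != directory base {base_dn!r}")
    for key in ("ldap user suffix", "ldap group suffix", "ldap machine suffix"):
        if g[key] not in dit_ous:
            problems.append(f"{key} {g[key]!r} not found in the DIT")
    entry = parse_ldif_entry(ldif_text)
    classes = {c.lower() for c in entry.get("objectclass", [])}
    # ldapsam only matches entries carrying the sambaSamAccount object class.
    if "sambasamaccount" not in classes:
        problems.append("user entry lacks objectClass sambaSamAccount")
    # sambaSID identifies the account; sambaNTPassword holds the NT hash.
    for attr in ("sambasid", "sambantpassword"):
        if attr not in entry:
            problems.append(f"user entry lacks {attr}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(SMB_CONF, USER_LDIF, BASE_DN, DIT_OUS)))
```

An empty result means the suffixes line up with the tree and the entry carries the attributes that the smbldap-tools steps listed above are meant to create.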

