[Samba] samba failed to authenticate to openLDAP

Steve Zeng szeng at mainframe.ca
Fri Mar 4 00:58:33 GMT 2005


Paul and Craig,

I finally got it working. The reason it failed before is the way I built 
the LDAP DIT. I also found a problem in smbldap-populate script which I 
will describe below.

Here is what I did:

1) run configure.pl

2) edit smbldap-populate and change the following line:

my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);

to:
my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);

The reason is that I only have a single name for my domain, i.e. "dc=mfelc", 
but the Perl script assumes we have exactly two names, for example 
dc=idealx,dc=org. It also won't work if you have three names in your 
domain (dc=mydept,dc=mycompany,dc=com).

3) run smbldap-populate
    it works perfectly to build the DIT

4) use smbldap-migrate-unix-accounts to migrate NIS accounts

5) use smbldap-migrate-unix-groups to migrate NIS group

This time, when I use smbclient with a NIS account, the log shows a 
wrong password. So I ran smbpasswd to give this account a new Samba 
password and ran smbclient again. It works.

There are two problems here:

1) how to migrate NIS hosts into LDAP?

2) I checked the LDAP attributes and found three password fields:

SambaLMPassword
SambaNTPassword
userPassword

How can I sync them so that I don't have to keep two or more passwords 
for one user account?

Best Regards,

Steve
> Paul,
> 
> I downloaded smbldap-tools-0.8.7 and tried the following:
> 
> 1) run configure.pl
> 
> 2) initialize LDAP base and then start LDAP server
> dn: dc=mfelc
> dc: mfelc
> objectClass: top
> objectClass: domain
> 
> 3) run smbldap-populate
> 
> 4) run the following migration tool to import users from NIS:
> smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
> 
> 5) run the following migration tool to import groups from NIS:
> smbldap-migrate-unix-groups -a -G /tmp/group.nis
> 
> 6) smbldap-useradd -a -m testuser1
>    smbldap-passwd testuser1
> 
> 7) smbclient //enzo/testuser1 -U testuser1
> 
> 
> got the following errors:
> -------------------------------------
>   User testuser1 in passdb, but getpwnam() fails!
> [2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
>   attempting to free (and zero) a server_info structure
> [2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
>   check_sam_security: make_server_info_sam() failed with 
> 'NT_STATUS_NO_SUCH_USER'
> [2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
>   check_ntlm_password: sam authentication for user [testuser1] FAILED 
> with error NT_STATUS_NO_SUCH_USER
> [2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
>   check_winbind_security: Not using winbind, requested domain [TESTDM] 
> was for this SAM.
> [2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
>   check_ntlm_password: winbind had nothing to say
> [2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password:  Authentication for user [testuser1] -> 
> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
> --------------------------------------------------
> 
> No idea what is missing. Thanks a lot for any hints.
> 
> Steve
> 
>> Judicious snippage, post at the bottom.
>>
>>> I tried to let Samba authenticate against LDAP but could not figure 
>>> out how to build the LDAP tree for Samba.
>>>
>>> Fedora core 2
>>> Samba 3.0.10
>>> OpenLDAP 2.1.29
>>>
>>> dc=mydomain
>>>  |
>>>  `--- ou=People    : to store user accounts for Unix and Windows
>>>  |
>>>  `--- ou=Hosts     : to store computer accounts for UNIX & Windows
>>>  |
>>>  `--- ou=Groups    : to store system groups for Unix and Windows
>>>
>>>
>>> What I did was:
>>
>>
>>
>>>    [global]
>>>         workgroup = TESTDM
>>>         passdb backend = ldapsam:ldap://10.10.0.101/
>>>         log level = 1 passdb:8 auth:8
>>>         domain logons = Yes
>>>         wins support = Yes
>>>         ldap admin dn = cn=root,dc=mydomain
>>>         ldap delete dn = Yes
>>>         ldap group suffix = ou=Group
>>>         ldap machine suffix = ou=Hosts
>>>         ldap user suffix = ou=People
>>>         ldap suffix = dc=mfelc
>>>         ldap passwd sync = Yes
>>>         ldap ssl = no
>>> 3) start Samba server
>>>
>>> 4) run smbclient //smbserver -U myid
>>>    Password:
>>>    session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>
>>
>>> Attached is the smbd.log, I deleted the normal log and keep failed 
>>> messages as below:
>>>   check_sam_security: Couldn't find user 'szeng' in passdb file.
>>> auth/auth.c:check_ntlm_password(271)
>>>   check_ntlm_password: sam authentication for user [szeng] FAILED 
>>> with error NT_STATUS_NO_SUCH_USER
>>
>>
>>
>>> Is there anybody who might have some idea of what is wrong.
>>
>>
>>
>> Yep.  You did nothing to create the samba attributes that will have to 
>> exist in each user account for the users to log in.   I suggest you 
>> read the documentation on setting up an LDAP/PDC system that is on the 
>> samba.org web site.  You've missed quite a few steps here, so you may 
>> want to read it through to get a complete idea.  Your solution is 
>> going to include the following:
>>
>> 1. Obtain and configure the smbldap-tools package.
>> 2. Run the smbldap-populate script
>> 3. Make sure you've got a sambaDomain (I think that's the object type) 
>> in the base of your DIT.
>> 4. Join the machine to the domain (since you appear to want a domain 
>> setup)
>> 4. Add samba attributes to each user's account.
>>
>> Yes there are 2 #4 entries.  Doesn't matter which one comes first.  As 
>> far as I can remember, those will be the critical steps to not miss.   
>> If you've followed the documentation and not done those steps, you've 
>> missed something.
>>
>>
> 

-- 
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293

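The smbldap-populate problem Steve describes (step 2 above) comes from a regular expression that hard-codes exactly two dc= components. The following is an added example, not smbldap-tools code (that script is Perl): it reproduces the original expression's behaviour on one-, two- and three-component suffixes and beside it shows a splitter that accepts any depth. The `organisation_and_ext` mapping of "first component, remaining components" is an assumption about what the script wanted the two captured values for, not something the thread confirms.

```python
"""Split an LDAP suffix into its dc= components for any depth (1, 2, 3, ...).

Added example illustrating the smbldap-populate regex problem discussed in
the thread; it is not smbldap-tools code.
"""
import re
from typing import List, Optional, Tuple


def legacy_split(suffix: str) -> Optional[Tuple[str, str]]:
    """Behaviour of the original expression  dc=(.*),dc=(.*)$  :
    - one component   -> no match at all (the failure Steve hit)
    - two components  -> works
    - three components -> the greedy first group swallows 'mydept,dc=mycompany'
    """
    m = re.search(r"dc=(.*),dc=(.*)$", suffix)
    return (m.group(1), m.group(2)) if m else None


def split_dc_suffix(suffix: str) -> List[str]:
    """Return the dc values of a suffix such as 'dc=mydept,dc=mycompany,dc=com',
    most specific first.  The attribute type is matched case-insensitively,
    whitespace around commas is tolerated, and any RDN that is not dc= is
    rejected rather than silently mangled."""
    parts = []
    for rdn in suffix.split(","):
        m = re.fullmatch(r"\s*dc\s*=\s*([^,]+?)\s*", rdn, re.IGNORECASE)
        if not m:
            raise ValueError(f"not a pure dc= suffix: {suffix!r}")
        parts.append(m.group(1))
    return parts


def organisation_and_ext(suffix: str) -> Tuple[str, Optional[str]]:
    """Assumed generalisation of the script's two variables: the first
    component is the organisation, everything after it (dot-joined) the
    extension, or None when the suffix has a single component."""
    parts = split_dc_suffix(suffix)
    return parts[0], ".".join(parts[1:]) or None


def dns_domain(suffix: str) -> str:
    """The DNS-style name implied by the suffix, e.g. 'idealx.org'."""
    return ".".join(split_dc_suffix(suffix))


if __name__ == "__main__":
    for s in ("dc=mfelc", "dc=idealx,dc=org", "dc=mydept,dc=mycompany,dc=com"):
        print(f"{s:35} legacy={legacy_split(s)}  general={split_dc_suffix(s)}")
```

Steve's replacement expression `dc=(.*)$` removes the match failure for a single component, but because `.*` is greedy it captures `idealx,dc=org` whole for a two-component suffix; splitting on the RDN separator first, as above, avoids both problems.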
