[Samba] ldap guest account mapping looks broken

Eric A. Hall ehall at ehsco.com
Thu Sep 1 05:18:26 GMT 2005


I'm running the samba-client-3.0.20-0.1 SUSE RPM. I was using the
version that came with 9.3 but upgraded to see if this specific
problem would go away.

Guest access does not appear to be working correctly, and it looks
like the problem is due to guest not getting mapped into the LDAP
query correctly.

Specifically, I can log in with a local account, join a workstation to
the domain, browse shares, and do everything else that requires
authentication, but cannot log in to the domain, browse the domain in
Explorer, or do anything else that requires guest access.

Looking at the smbd log with loglevel 4 shows:

[2005/09/01 01:00:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[] domain=[] workstation=[RHINO-VM-PC-1] len1=1 len2=0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[]\[]@[RHINO-VM-PC-1] with the new password interface
[2005/09/01 01:00:02, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [LABS]\[]@[RHINO-VM-PC-1]
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/09/01 01:00:02, 2] lib/smbldap.c:smbldap_open_connection(630)
  smbldap_open_connection: connection opened
[2005/09/01 01:00:02, 3] lib/smbldap.c:smbldap_connect_system(805)
  ldap_connect_system: succesful connection to the LDAP server
[2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
  The LDAP server is succesfully connected
[2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
  ldapsam_getsampwnam: Unable to locate user [] count=0
[2005/09/01 01:00:02, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/09/01 01:00:02, 3] auth/auth_sam.c:check_sam_security(260)
  check_sam_security: Couldn't find user '' in passdb.
[2005/09/01 01:00:02, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with
error NT_STATUS_NO_SUCH_USER

Looking in the slapd log with loglevel 256 shows:

Sep  1 01:00:02 rhino slapd[8360]: conn=123 fd=28 ACCEPT from
IP=207.65.71.3:55418 (IP=0.0.0.0:389)
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
dn="***hidden***" method=128
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND
dn="uid=root,ou=Users,dc=labs,dc=ntrg,dc=com" mech=SIMPLE ssf=0
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 RESULT tag=97 err=0
text=
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0
deref=0 filter="(objectClass=*)"
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH
attr=supportedControl
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
filter="(&(?=undefined)(objectClass=sambaSamAccount))"
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101
err=0 nentries=0 text=
Sep  1 01:00:13 rhino slapd[8360]: conn=123 fd=28 closed

It looks like "filter="(&(?=undefined)(objectClass=sambaSamAccount))""
produces zero responses (as would be expected), which is resulting in
the "Unable to locate user [] count=0" SMB error.

smb.conf has "guest account = guest"

The output for "pdbedit --user=guest --verbose" is:

Unix username:        guest
NT username:          guest
Account Flags:        [U          ]
User SID:             S-1-5-21-284210356-3264030311-3336521042-501
Primary Group SID:    S-1-5-21-284210356-3264030311-3336521042-514
Full Name:            Unknown or guest user
Home Directory:       \\rhino\guest\.9xprofile
HomeDir Drive:        P:
Logon Script:         logon.cmd
Profile Path:         \\rhino\profiles\.msprofile
Domain:               LABS
Account desc:         Unknown or guest user
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 22:14:07 GMT
Password last set:    Wed, 31 Aug 2005 22:44:22 GMT
Password can change:  Wed, 31 Aug 2005 22:44:22 GMT
Password must change: Mon, 18 Jan 2038 22:14:07 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

The guest account is defined, is valid, and has a password.

I'm pretty sure the whole problem here is with the malformed LDAP
lookup but I could be wrong.

Anybody got any ideas or suggestions here?

Thanks
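
The correlation the post makes by eye between the slapd search filter and its result count, as an added example that is not part of the original post: it pairs each SRCH line with its SEARCH RESULT by conn/op and reports searches whose filter contains "(?=undefined)". The sample lines are the post's slapd entries with the mail line wrapping undone (attribute list shortened); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: slapd lines from the post, re-joined onto single lines.
SAMPLE_LOG = """\
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=0 BIND dn="uid=root,ou=Users,dc=labs,dc=ntrg,dc=com" mech=SIMPLE ssf=0
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0 filter="(&(?=undefined)(objectClass=sambaSamAccount))"
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH attr=uid uidNumber gidNumber
Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
FILTER_RE = re.compile(r'base="([^"]*)".*filter="([^"]*)"')
RESULT_RE = re.compile(r"SEARCH RESULT .*err=(\d+) nentries=(\d+)")
UNDEFINED = "(?=undefined)"  # how slapd logs a filter term it could not evaluate


def parse_searches(log_text):
    """Group slapd stats lines by (conn, op) into one record per search."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        f = FILTER_RE.search(rest)
        r = RESULT_RE.search(rest)
        if rest.startswith("SRCH") and f:
            ops[key].update(base=f.group(1), filter=f.group(2))
        elif r:
            ops[key].update(err=int(r.group(1)), nentries=int(r.group(2)))
    # Keep only operations for which a search filter was actually logged.
    return {k: v for k, v in ops.items() if "filter" in v}


def undefined_filter_searches(log_text):
    """Return searches whose filter contains an unevaluable term."""
    return [
        {"conn": c, "op": o, **rec}
        for (c, o), rec in sorted(parse_searches(log_text).items())
        if UNDEFINED in rec["filter"]
    ]


if __name__ == "__main__":
    for hit in undefined_filter_searches(SAMPLE_LOG):
        print(hit)
```
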




