[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines

Jan Evert van Grootheest j.e.van.grootheest at hccnet.nl
Tue Sep 6 11:49:19 GMT 2005


I am setting up a Samba PDC which uses LDAP for account information.
It is a debian installation with samba 3.0.14a and slapd 2.2.23 (I'm 
also using ldap-account-manager, but I don't think that has anything to 
do with this).

I have checked the release notes whether it might have been fixed in a 
new release, but there's nothing I recognize that seems related to this.

The problem is that when I attempt to join a w2k machine (the first one, 
actually) to the domain it reports 'Logon failure: unknown user name or 
Samba, at the same time, reports in the logfile for that machine:

[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:_samr_set_userinfo(3077)
  _samr_set_userinfo:  does not possess sufficient rights
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2961)
  Attempting administrator password change for user krauq$
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: maximum password age:-1
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: minimum password age:0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2981)
  Changing trust account or non-unix-user password, not updating /etc/passwd
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2999)
  set_user_info_pw: pdb_update_pwd()
[2005/09/06 13:12:58, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [dc=XXX,dc=XXX,dc=org], filter => [(&(uid=krauq$)(objectclass=sambaSamAccount))], scope => [2]

[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:12:58, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 1 try!

These last two are repeated 15 times and then it gives up.

[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  smbldap_search_suffix: Problem during the LDAP search:  (Timed out)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      0000 status: NT_STATUS_ACCESS_DENIED
[2005/09/06 13:13:13, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully
[2005/09/06 13:13:13, 10] rpc_server/srv_pipe.c:api_rpcTNP(1587)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_uint8s(729)
  021c : 00

I don't understand this as smbd and nmbd are running as root, so why is 
it complaining about not being root?

I am sure that there is no problem with the LDAP connection itself. It 
is already used for unix authentication (using pam_ldap) and also on 
this w2k machine I can browse (windows explorer) the shares on the PDC 
using the same username/password used to join the machine to the domain. 
So I guess that samba is getting information from LDAP just fine (the 
logfile also shows this in other places).

I have a logfile with loglevel 10. I will not publish it on this list (I 
think it is too much), but I can share sections with interested developers.
If there is other information that is useful, please just ask.

Has this been fixed already and did I miss it in the release notes?
Is there a work-around that I can use?

This has been filed as 3064 with the samba bugzilla.

Jan Evert van Grootheest
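
Added example (not part of the original post, and not Samba project code): a small parser for the two-line smbd debug records quoted above. It counts the smbldap_open "not root" failures against the id pair from the preceding pop_sec_ctx record and collects the NT status that was returned. It assumes the pair printed by pop_sec_ctx is the effective uid and gid; the names SAMPLE, parse_records and summarize are chosen here.

```python
import re
from collections import Counter

# Log records quoted in the post (abridged); the wrapped filter line is kept as mailed.
SAMPLE = """\
[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [dc=XXX,dc=XXX,dc=org], filter =>
[(&(uid=krauq$)(objectclass=sambaSamAccount))], scope => [2]
[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      0000 status: NT_STATUS_ACCESS_DENIED
"""

# Record header: "[date time, level] source_file:function(line)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")

def parse_records(text):
    """Attach every non-header line to the record header that precedes it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def summarize(records):
    """Count smbldap_open 'not root' failures per id pair from the last pop_sec_ctx."""
    ctx, failures, statuses = None, Counter(), []
    for r in records:
        pair = re.search(r"\((\d+),\s*(\d+)\)", r["msg"])
        if r["func"] == "pop_sec_ctx" and pair:
            ctx = (int(pair[1]), int(pair[2]))  # assumed to be (euid, egid)
        elif r["func"] == "smbldap_open" and "when not root" in r["msg"]:
            failures[ctx] += 1
        status = re.search(r"status: (NT_STATUS_\w+)", r["msg"])
        if status:
            statuses.append(status[1])
    return {"not_root_failures": dict(failures), "statuses": statuses}

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

Run against a full level 10 log, the same two functions show which id pair was active at each smbldap_open failure without posting the log itself.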
