[Samba] ldap guest account mapping looks broken

Eric A. Hall ehall at ehsco.com
Fri Sep 16 03:20:29 GMT 2005

On 9/1/2005 1:18 AM, Eric A. Hall wrote:

> Guest access does not appear to be working correctly, and it looks
> like the problem is due to guest not getting mapped into the LDAP
> query correctly.
> Specifically, I can login with local account, join workstation to the
> domain, browse shares, and everything else that requires
> authentication, but cannot login to domain nor browse the domain in
> explorer or anything else that requires guest access.


> Judging from these lines in the log.smbd file:
> | [2005/09/01 01:00:02, 4] lib/smbldap.c:smbldap_open(869)
> |   The LDAP server is succesfully connected
> | [2005/09/01 01:00:02, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1335)
> |   ldapsam_getsampwnam: Unable to locate user [] count=0
> and the detailed output from ldap log file:
> | Sep  1 01:00:02 rhino slapd[8360]: conn=123 op=2 SRCH
> | base="dc=labs,dc=ntrg,dc=com" scope=2 deref=0
> | filter="(&(?=undefined)(objectClass=sambaSamAccount))"
> it would indeed appear that the "(?=undefined)" LDAP search filter is
> being generated by pdb_ldap.c but a grep through that file doesn't return
> any obvious hits

Found the problem. Some gremlin (probably one of the Samba config tools I
tried using) had added "auth methods = sam" to the smb.conf file. The
"guest" method was not listed so it wasn't being processed.

The man page for smb.conf is pretty clear about explaining this. Would be
good if the logger could spit up a statement too, like "guest processing
is not enabled" or the like.

Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/

More information about the samba mailing list