[Samba] ldap authentication fails

Andy Kesterson tc2617 at gmail.com
Tue Jan 24 01:00:19 GMT 2006

Hi folks,

  We are using Samba 3.0.10 and are using OpenLDAP to manage users. We
are also using PAM to track the users on the computer.
   The problem that we are having is that when Samba has the "encrypt
passwords" option enabled, we receive a "session setup failed:
NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
the login is successful.
   When we left work Friday we thought that there was a different
encryption method being used between Samba and LDAP. However, that
doesn't seem to be the case now, but we are not certain of that.
  We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing function.

This is the setup of our smb.conf global section:

        ldap ssl = no
        name resolve order = wins lmhosts hosts bcast
        passwd chat = *new*password %n\n *new*password %n\n *successfully*
        idmap gid = 16777216-33554431
        passwd program = /usr/local/sbin/smbldap-passwd -o %u
        allow hosts =
        dns proxy = no
        netbios name = *
        idmap uid = 16777216-33554431
        local master = yes
        workgroup = *
        os level = 65
        security = user
        max log size = 50
        log file = /var/log/samba/%m.log
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        #Make sure that passwords are not empty, & do not encrypt until we
        #figure out what is going on with the encryption
        null passwords = no
        encrypt passwords = yes
        #encrypt passwords = no
        #SET TO update unix passwd
        unix password sync = yes
        update encrypted = yes
        #Set as master Samba server
        domain master = yes
        winbind use default domain = no
        passdb backend = ldapsam:ldap://
        template shell = /bin/false
        wins support = yes
        server string = * Samba Server
        ldap admin dn = "cn=Manager,dc=*,dc=*"
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        path = /home
        ldap suffix = dc=*,dc=*
        add user script = /usr/local/sbin/smbldap-useradd -w %u
        valid users = @"Domain Admins",@"Domain Users"
        preferred master = yes
        domain logons = yes
        logon script = STARTUP.BAT
        logon path = \\%N\Profiles\%U
        #ldap passwd sync = only
        smb passwd file = /etc/samba/smbpasswd

