[Samba] ldap authentication fails
yinyang at eburg.com
Tue Jan 24 03:07:52 GMT 2006
Andy Kesterson wrote:
> The problem that we are having is when Samba's "encrypt
> passwords" option is enabled, we receive a "session setup failed:
> NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
> the login is successful.
> We have setup Samba, OpenLDAP, and PAM to use MD5 as their hashing function.
When "encrypt passwords" is disabled, and the client is appropriately
configured, the client will establish a session by sending its username
and password, both in plain text. With the plain text password from the
client, the server can use PAM to authenticate the user.
However, if you don't want to reconfigure all of your Windows desktops,
and you don't want your passwords sent across the network in plain text
for each connection, you should have "encrypt passwords" turned on. In
this configuration, the client and server engage in a challenge-response
conversation to authenticate the users. To do that, the server needs to
have the plain-text equivalent of the user's password. If you had a
smbpasswd file before converting to LDAP, you can use that to get the
values that you need. If not, then you'll need all of your users to set
their password. However you choose to solve that problem, you need to
make sure that in addition to the "userPassword" attribute, each user
has a "sambaLMPassword" and a "sambaNTPassword" attribute. The values
for those two attributes can be formed using the "mkntpwd" program, if
you want to script the password changes.
Be careful to configure your LDAP server such that users cannot read
the sambaLMPassword and sambaNTPassword attributes from the server.
Those values are plain-text equivalents, and could be used to log in as
the user to whom they belong.
More information about the samba
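The access-control point above, written out as an OpenLDAP slapd.conf example. This is an added illustration, not configuration from the thread or from the Samba project; the suffix dc=example,dc=com and the Samba admin DN cn=samba-admin are assumed placeholders, and the first rule you would adapt to whatever DN your smb.conf "ldap admin dn" binds as. slapd applies the first "access to" clause that matches, so the rule covering the Samba hashes has to come before any catch-all.

```conf
# WEAK: a catch-all rule with no attribute-specific clause ahead of it lets
# every authenticated user read sambaLMPassword and sambaNTPassword, which the
# text above describes as plain-text equivalents:
#
#   access to *
#       by users read
#       by * none

# Corrected: the Samba hashes are readable and writable only by the DN that
# Samba itself binds with (assumed placeholder), and by nobody else. Users do
# not need to read these; Samba performs the challenge-response on their behalf.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba-admin,dc=example,dc=com" write
    by * none

# userPassword is what PAM/LDAP binds check. "anonymous auth" permits a bind
# against it without disclosing the value; users may change their own.
access to attrs=userPassword
    by dn.exact="cn=samba-admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Everything else stays readable to authenticated users, as before.
access to *
    by users read
    by * none
```

A quick check after reloading slapd: bind as an ordinary user and request only those two attributes, e.g. `ldapsearch -x -D "uid=someuser,ou=People,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=someuser)" sambaNTPassword sambaLMPassword`; the entry should come back with neither attribute present, while the same search bound as the Samba admin DN returns both.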