[Samba] ldap authentication fails

Andy Kesterson tc2617 at gmail.com
Thu Jan 26 01:00:52 GMT 2006


Well, as it turns out, our problem was with the sambaSID values in LDAP.
Apparently Samba 3.0 wants the full SID value in those fields (sambaSID
and sambaGroupSID) for any user. We only had the last 4 digits, which
are the unique digits for us (I'm not sure if the number of digits at
the end can change). Once we set up the users with the full Samba
SID we were able to execute every Samba command without a problem.

Thanks for the help

On 1/23/06, Gordon Messmer <yinyang at eburg.com> wrote:
> Andy Kesterson wrote:
> >
> >    The problem that we are having is when Samba has the "encrypt
> > passwords" option enabled, we receive a "session setup failed:
> > NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
> > the login is successful.
> ...
> >   We have setup Samba, OpenLDAP, and PAM to use MD5 as their hashing function.
>
> When "encrypt passwords" is disabled, and the client is appropriately
> configured, the client will establish a session by sending its username
> and password, both in plain text.  With the plain text password from the
> client, the server can use PAM to authenticate the user.
>
> However, if you don't want to reconfigure all of your Windows desktops,
> and you don't want your passwords sent across the network in plain text
> for each connection, you should have "encrypt passwords" turned on.  In
> this configuration, the client and server engage in a challenge-response
> conversation to authenticate the users.  To do that, the server needs to
> have the plain-text equivalent of the user's password.  If you had a
> smbpasswd file before converting to LDAP, you can use that to get the
> values that you need.  If not, then you'll need all of your users to set
> their password.  However you choose to solve that problem, you need to
> make sure that in addition to the "userPassword" attribute, each user
> has a "sambaLMPassword" and a "sambaNTPassword" attribute.  The values
> for those two attributes can be formed using the "mkntpwd" program, if
> you want to script the password changes.
>
> Be careful to configure your LDAP server such that users can not read
> the sambaLMPassword and sambaNTPassword attributes from the server.
> Those values are plain-text equivalents, and could be used to log in as
> the user to whom they belong.
>


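An added example, not from the thread: a small Python audit that reads an LDIF export and flags sambaSID / sambaPrimaryGroupSID values that hold only the RID instead of the full domain SID, the misconfiguration Andy describes. The domain SID and the LDIF entries are constructed placeholders, and sambaPrimaryGroupSID is assumed to be the group-SID attribute meant by "sambaGroupSID" above.

```python
import re

# Constructed placeholder domain SID; a real one comes from `net getlocalsid`.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
# Constructed LDIF: alice stores bare RIDs (the thread's bug), bob full SIDs,
# carol a SID from a different domain.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
sambaSID: 3000
sambaPrimaryGroupSID: 513

dn: uid=bob,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=carol,ou=People,dc=example,dc=com
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3004
"""
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
DOMAIN_FORM_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")  # domain SID + RID

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries = []
    for block in filter(None, re.split(r"\n\s*\n", text.strip())):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit_sids(text, domain_sid):
    """Return {dn: [problem, ...]}; an empty dict means every SID is consistent."""
    problems = {}
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        for attr in SID_ATTRS:
            for value in entry.get(attr, []):
                if value.isdigit():  # bare RID, as in the thread
                    msg = f"{attr} holds bare RID {value}; expected {domain_sid}-{value}"
                elif not DOMAIN_FORM_SID.match(value):
                    msg = f"{attr} is not a well-formed domain SID: {value}"
                elif not value.startswith(domain_sid + "-"):
                    msg = f"{attr} belongs to a foreign domain: {value}"
                else:
                    continue
                problems.setdefault(dn, []).append(msg)
    return problems
```

Run it over an `ldapsearch -LLL` export taken with an administrative bind, since an unprivileged bind should not be able to read the Samba attributes in the first place.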