[Samba] smbldap_open: cannot access LDAP when not root..

Matt Anderson sokkerstud_11 at hotmail.com
Thu Aug 9 19:52:40 GMT 2007


Dear Help,

I currently have a Samba PDC along with multiple BDCs using an eDirectory LDAP
backend.  While trying to figure out how to get the bad password account lockout
feature to work, I managed to somehow mess up the Samba PDC.

If a user attempts to authenticate against the PDC with the correct password,
all is well and works as usual.  However, if I use an incorrect password, the
Windows login box just kind of hangs.  I've discovered that this is because (for
some reason now) Samba is unable to update the LDAP server from the PDC (at
least this is my theory based on the logs shown below).  The interesting part is
that if I authenticate against a BDC with an incorrect password, everything
functions as normal.  So, it is something I specifically did to the PDC (the only
steps I can remember doing since before this problem occurred are replicating the
account policies from the local tdb to LDAP (using pdbedit) and attempting to
rejoin the PDC to its own domain--which I had to delete and recreate the machine
trust account again in the process).

In any case, I'm currently getting the following error in my logs:
[2007/08/09 12:38:24, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testUser3
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/09 12:38:24, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/09 12:38:24, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:24, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/09 12:38:25, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:25, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!
[2007/08/09 12:38:26, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:26, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 3 try!
[2007/08/09 12:38:27, 0] lib/smbldap.c:smbldap_open(943)
...
[2007/08/09 12:38:39, 3] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3462)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=PHSDOMAIN,o=PHS, error: Time limit exceeded ()

I have seen posts regarding this error when joining the domain... and even tried
applying those solutions, but it doesn't seem to work.

Any insight or help would be greatly appreciated.
-Matt
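
A triage sketch for the log excerpt in the post above, added here as an example and not part of the original message: for each failed NT password check it counts the `smbldap_open` "not root" errors that follow, records the number pair logged by the last `pop_sec_ctx` before them, and measures how long the retries ran. The function names and report keys are hypothetical, the sample is a subset of the posted lines with mail wraps rejoined, and reading the `pop_sec_ctx` numbers as a uid/gid pair is an assumption.

```python
import re
from datetime import datetime

# Subset of the log excerpt posted above, with mail line wraps rejoined.
SAMPLE = """\
[2007/08/09 12:38:24, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testUser3
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/09 12:38:24, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:25, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:26, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:39, 3] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3462)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=PHSDOMAIN,o=PHS, error: Time limit exceeded ()
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")

def parse_entries(text):
    """Group log text into entries: one header line plus its indented message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                            "level": int(m.group(2)), "func": m.group(4), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def stalled_logons(entries):
    """Per failed NT password check: following 'not root' errors, prior sec ctx, elapsed time."""
    reports, ctx = [], None
    for e in entries:
        if e["func"] == "ntlm_password_check" and "failed for user" in e["msg"]:
            reports.append({"user": e["msg"].rsplit(" ", 1)[-1], "start": e["time"],
                            "not_root_errors": 0, "ctx_before_error": None, "stall_seconds": 0})
        elif e["func"] == "pop_sec_ctx":  # first two numbers taken as a (uid, gid) pair (assumption)
            ctx = tuple(int(n) for n in re.findall(r"\d+", e["msg"])[:2])
        elif reports and e["func"] == "smbldap_open" and "when not root" in e["msg"]:
            reports[-1]["not_root_errors"] += 1
            reports[-1]["ctx_before_error"] = reports[-1]["ctx_before_error"] or ctx
        if reports:
            reports[-1]["stall_seconds"] = int((e["time"] - reports[-1]["start"]).total_seconds())
    return reports

print(stalled_logons(parse_entries(SAMPLE)))
```

Run against a full smbd log at the same log level, a report with a non-zero `not_root_errors` count marks a logon attempt that stalled in the LDAP retry loop.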


