[Samba] Bad Password Count Problem -- LDAP connection failed

Matt Anderson sokkerstud_11 at hotmail.com
Tue Aug 14 18:22:39 GMT 2007


Dear Help,

Initially, I thought that I had solved this problem, but it turns out that I
haven't.  I currently have Samba set up as a PDC with an eDirectory/LDAP
backend.  There are also a few Samba BDCs in play as well.

If a user enters the correct password, there are no issues and everything
authenticates fine.  If I turn off the PDC and force a user to authenticate
against a BDC with the wrong password, the Bad Password Count updates properly
and locks them out after the defined number of attempts in pdbedit.  However, if
I turn off the BDCs and force the user to authenticate against the PDC with a
wrong password, it just hangs for a while and never increments the Bad Password
Count. (This is all from the Ctrl+Alt+Delete Windows login box to get on to the
domain).

Also worth noting: If I log in locally to the same Windows machine as
Administrator and try to connect to a share on the PDC using the same user as
before with the wrong password, everything works as expected--the bad count gets
incremented, and there is no delay.

When I search the log files, the error that is causing this "delay" is a failed
LDAP connection attempt:
"smbldap_open: cannot access LDAP when not root.."
Which it tries 15 times before giving up.

The rest of the log file context is added below.  If anyone could provide any
advice or assistance, it would be greatly appreciated!

Thanks,
Matt

[2007/08/14 11:07:36, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [DOMAIN]\[testUser2]@[COMPUTER] with the new password interface
[2007/08/14 11:07:36, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DOMAIN]\[testUser2]@[COMPUTER]
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: testUser2
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testUser2
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:36, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/14 11:07:37, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:37, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!
[2007/08/14 11:07:38, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:38, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 3 try!

...

[2007/08/14 11:07:50, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 15 try!
[2007/08/14 11:07:51, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:51, 3] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3462)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=DOMAIN,o=Organization, error: Time limit exceeded ()
[2007/08/14 11:07:51, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:51, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/14 11:07:52, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:52, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!

...

[2007/08/14 11:08:06, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 15 try!
[2007/08/14 11:08:07, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:08:07, 0] passdb/pdb_ldap.c:ldapsam_set_account_policy_in_ldap(3400)
  ldapsam_set_account_policy_in_ldap: Could not set account policy for sambaDomainName=DOMAIN,o=Organization, error: Timed out ()
[2007/08/14 11:08:07, 0] passdb/passdb.c:pdb_update_bad_password_count(2301)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2007/08/14 11:08:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/14 11:08:07, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/14 11:08:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/14 11:08:07, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1078)
  init_ldap_from_sam: Setting entry for user: testUser2
[2007/08/14 11:08:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/14 11:08:07, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [DOMAIN] was for this SAM.
[2007/08/14 11:08:07, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [testUser2] -> [testUser2] FAILED with error NT_STATUS_WRONG_PASSWORD
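
Added example, not part of the original post and not Samba code: a Python sketch that re-joins mail-wrapped log entries like the ones above and flags failed logons during which pdb_update_bad_password_count reported a failure, i.e. attempts that the lockout counter did not record. The sample log is constructed from the excerpt, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in Samba's log format, modelled on the excerpt above
# (retry burst shortened; two entries are wrapped the way the mail client did).
SAMPLE = """\
[2007/08/14 11:07:36, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[DOMAIN]\\[testUser2]@[COMPUTER] with the new password interface
[2007/08/14 11:07:36, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:51, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:08:07, 0] passdb/passdb.c:pdb_update_bad_password_count(2301)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2007/08/14 11:08:07, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [testUser2] -> [testUser2]
FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] ?(.*)$")
FAILED = re.compile(r"Authentication for user \[([^\]]+)\].*FAILED with error (\S+)")

def records(text):
    """Return (timestamp, body) per entry, re-joining wrapped lines."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new entry starts at every "[date time, level]" header
            out.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(3)])
        elif out:
            out[-1][1] += " " + line
    return [(ts, " ".join(body.split())) for ts, body in out]

def uncounted_failures(text):
    """Failed logons during which the bad-password counter update failed."""
    findings, start, ldap_errors, counter_failed = [], None, 0, False
    for ts, body in records(text):
        if "Checking password for unmapped user" in body:
            start, ldap_errors, counter_failed = ts, 0, False
        ldap_errors += "smbldap_open: cannot access LDAP" in body
        counter_failed |= "pdb_update_bad_password_count:" in body and "failed" in body
        m = FAILED.search(body)
        if m and counter_failed:
            stall = (ts - start).total_seconds() if start else None
            findings.append({"user": m.group(1), "status": m.group(2),
                             "ldap_errors": ldap_errors, "stall_seconds": stall})
            counter_failed = False
    return findings
```

Run over a log level 3 smbd log, each finding is a wrong-password attempt that did not count toward lockout, together with how long the LDAP retries stalled the logon.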


