[Samba] Errors logging in from Windows - LDAP + Samba PDC
Paul Traylor
patraylo at unity.ncsu.edu
Wed Mar 14 14:06:39 GMT 2007
Just to get these things out of the way
CentOS (2.6.9-42.0.10.ELsmp)
# yum list installed | grep openssl
openssl.i686 0.9.7a-43.14 installed
openssl-devel.i586 0.9.7a-43.14 installed
# yum list installed | grep samba
samba.i386 3.0.10-1.4E.11 installed
samba-client.i386 3.0.10-1.4E.11 installed
samba-common.i386 3.0.10-1.4E.11 installed
samba-swat.i386 3.0.10-1.4E.11 installed
# yum list installed | grep samba
nss_ldap.i386 226-17 installed
openldap.i386 2.2.13-6.4E installed
openldap-clients.i386 2.2.13-6.4E installed
openldap-devel.i386 2.2.13-6.4E installed
openldap-servers.i386 2.2.13-6.4E installed
smbldap-tools-0.9.2
I think that should cover most of what someone else would need to know.
The goal is to have a PDC that uses Samba and LDAP. I have used guides
like the guide from here
http://www.idealx.com/content/view/184/169/lang,en/ . I seem to have
LDAP and Samba working and the smbldap-tools working properly. I can
use the LDAP Account Manager ( http://lam.sourceforge.net/ ) to add
users to the domain and then use ssh and pam_ldap to connect with those
user names. I can add users to the domain, and use the domain usernames
and passwords to connect to shares off the server. I can also add
machines to the domain from Windows without any problems and they show
up in LDAP. The part that has me stumped is that I can't seem to log in
to the domain from one of the domain accounts. I can log in with the
local admin account, then use a domain login to log in to domain shares; I
just can't do the initial Windows login. Turning the samba debugging up
to 3 doesn't seem to help since I see log messages like
" check_ntlm_password: authentication for user [testuser] ->
[testuser] -> [testuser] succeeded"
which would make me think that things are working properly. I kinda
suspect that the problem could be with smbldap-tools somewhere since I
was able to switch samba to authing from the /etc/samba/smbpasswd file
and it was able to log in fine, though I have yet to figure out which
script is called on Windows logins. Any help would be appreciated.

smb.conf (I replaced the server address with 'server.address' but that's
the only change I made for posting to this list):
[global]
workgroup = TEMPDOMAIN
netbios name = SSC2
server string = Samba Server %v
security = user
allow trusted domains = yes
time server = no
log level = 3
log file = /var/log/samba/log.%m
max log size = 100000
domain logons = yes
os level = 35
local master = yes
domain master = yes
preferred master = yes
encrypt passwords = yes
lm announce = true
passwd program = /usr/local/sbin/smbldap-tools/smbldap-passwd %u
passwd chat debug = yes
ldap passwd sync = yes
passdb backend = ldapsam:ldap://server.address:389
ldap ssl = start_tls
ldap suffix = dc=soil,dc=ncsu,dc=edu
ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
ldap delete dn = no
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
admin users = administrator
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon home =
logon path =
logon script = logon.cmd
add user script = /usr/local/sbin/smbldap-tools/smbldap-useradd -a "%u"
add machine script = /usr/local/sbin/smbldap-tools/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-tools/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-tools/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-tools/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-tools/smbldap-usermod -g "%g" "%u"
dos charset = 850
hosts allow = 152.1.121.0/24
mangling method = hash2
obey pam restrictions = no
syslog = 0
unix charset = ISO8859-1
username map = /etc/samba/smbusers
wins support = no
template shell = /bin/false
winbind use default domain = no
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/netlogon
writeable = no
public = no
browsable = no