[Samba] Errors logging in from Windows - LDAP + Samba PDC

Paul Traylor patraylo at unity.ncsu.edu
Wed Mar 14 14:06:39 GMT 2007

Just to get these things out of the way

  CentOS (2.6.9-42.0.10.ELsmp)

  # yum list installed | grep openssl
  openssl.i686                             0.9.7a-43.14           installed
  openssl-devel.i586                       0.9.7a-43.14           installed

  # yum list installed | grep samba
  samba.i386                               3.0.10-1.4E.11         installed
  samba-client.i386                        3.0.10-1.4E.11         installed
  samba-common.i386                        3.0.10-1.4E.11         installed
  samba-swat.i386                          3.0.10-1.4E.11         installed

  # yum list installed | grep ldap
  nss_ldap.i386                            226-17                 installed
  openldap.i386                            2.2.13-6.4E            installed
  openldap-clients.i386                    2.2.13-6.4E            installed
  openldap-devel.i386                      2.2.13-6.4E            installed
  openldap-servers.i386                    2.2.13-6.4E            installed

  I think that should cover most of what someone else would need to know.
The goal is to have a PDC that uses Samba and LDAP.  I have used guides
like the one from here
http://www.idealx.com/content/view/184/169/lang,en/ .  I seem to have
LDAP and Samba working and the smbldap-tools working properly.  I can
use the LDAP Account Manager ( http://lam.sourceforge.net/ ) to add
users to the domain and then use ssh and pam_ldap to connect with those
user names.  I can add users to the domain, and use the domain usernames
and passwords to connect to shares off the server.  I can also add
machines to the domain from Windows without any problems and they show
up in LDAP.  The part that has me stumped is that I can't seem to log in
to the domain from one of the domain accounts.  I can log in with the
local admin account and then use a domain login to log in to domain
shares; I just can't do the initial Windows login.  Turning the samba
debugging up to 3 doesn't seem to help since I see log messages like

  "check_ntlm_password:  authentication for user [testuser] -> [testuser] -> [testuser] succeeded"

which would make me think that things are working properly.  I kinda
suspect that the problem could be with smbldap-tools somewhere since I
was able to switch samba to authing from the /etc/samba/smbpasswd file
and it was able to log in fine, though I have yet to figure out which
script is called on Windows logins.  Any help would be appreciated.

smb.conf (I replaced the server address with 'server.address', but that's
the only change I made for posting to this list.)

[global]
	workgroup = TEMPDOMAIN
	netbios name = SSC2
	server string = Samba Server %v
	security = user
	allow trusted domains = yes

	time server = no

	log level = 3
	log file = /var/log/samba/log.%m
	max log size = 100000

	domain logons = yes
	os level = 35
	local master = yes
	domain master = yes
	preferred master = yes
	encrypt passwords = yes
	lm announce = true
	passwd program = /usr/local/sbin/smbldap-tools/smbldap-passwd %u
	passwd chat debug = yes
	ldap passwd sync = yes
	passdb backend = ldapsam:ldap://server.address:389

	ldap ssl = start_tls
	ldap suffix = dc=soil,dc=ncsu,dc=edu
	ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
	ldap delete dn = no
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldap machine suffix = ou=Computers
	ldap idmap suffix = ou=Users
	admin users = administrator

	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

	logon home =
	logon path =
	logon script = logon.cmd

	add user script = /usr/local/sbin/smbldap-tools/smbldap-useradd -a "%u"
	add machine script = /usr/local/sbin/smbldap-tools/smbldap-useradd -w "%u"
	add group script = /usr/local/sbin/smbldap-tools/smbldap-groupadd -p "%g"
	add user to group script = /usr/local/sbin/smbldap-tools/smbldap-groupmod -m "%u" "%g"
	delete user from group script = /usr/local/sbin/smbldap-tools/smbldap-groupmod -x "%u" "%g"
	set primary group script = /usr/local/sbin/smbldap-tools/smbldap-usermod -g "%g" "%u"

	dos charset = 850
	hosts allow =
	mangling method = hash2
	obey pam restrictions = no
	syslog = 0
	unix charset = ISO8859-1
	username map = /etc/samba/smbusers
	wins support = no
	template shell = /bin/false
	winbind use default domain = no

[netlogon]
	comment = Network Logon Service
	path = /usr/local/samba/netlogon
	writeable = no
	public = no
	browsable = no

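When NTLM authentication succeeds in the log but the Windows domain logon still fails, one thing worth ruling out is an inconsistency in the sambaSamAccount entries themselves (a sambaSID or sambaPrimaryGroupSID that does not belong to the domain's own SID, a missing primary group SID, a disabled flag, or a missing NT hash). The following checker is an added example and is not code from the original post, from Samba, or from smbldap-tools. It parses an LDIF dump (the constructed sample below; the domain name and base DN are taken from the smb.conf above, the SIDs and the `stale` account are made up) and reports, per user, which of those conditions hold. In practice you would feed it the output of an ldapsearch over the sambaDomain and sambaSamAccount entries instead of the inline sample.

```python
"""Audit sambaSamAccount entries from an LDIF dump against the domain SID.

Added example (hypothetical checker, not part of Samba or smbldap-tools).
Base64 (':: ') LDIF values are not decoded; the sample does not use them.
"""
import re

# Constructed sample LDIF: the sambaDomain entry plus one consistent user
# and one user whose attributes would break a domain logon.
SAMPLE_LDIF = """\
dn: sambaDomainName=TEMPDOMAIN,dc=soil,dc=ncsu,dc=edu
objectClass: sambaDomain
sambaDomainName: TEMPDOMAIN
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=testuser,ou=Users,dc=soil,dc=ncsu,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testuser
uidNumber: 1000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=stale,ou=Users,dc=soil,dc=ncsu,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: stale
uidNumber: 1001
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3002
sambaAcctFlags: [UD         ]
"""

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.

    Entries are separated by blank lines; a line starting with a space
    continues the previous value; '#' lines are comments.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def domain_sid(entries, domain_name):
    """Return the domain SID from the sambaDomain entry for domain_name."""
    for entry in entries:
        if ("sambaDomain" in entry.get("objectClass", [])
                and entry.get("sambaDomainName") == [domain_name]):
            sid = entry.get("sambaSID", [""])[0]
            if not DOMAIN_SID_RE.match(sid):
                raise ValueError(f"malformed domain SID {sid!r}")
            return sid
    raise ValueError(f"no sambaDomain entry for {domain_name}")


def check_user(entry, dom_sid):
    """Return a list of problems for one sambaSamAccount entry."""
    problems = []
    sid = entry.get("sambaSID", [None])[0]
    if sid is None:
        problems.append("missing sambaSID")
    elif not sid.startswith(dom_sid + "-"):
        problems.append(f"sambaSID {sid} is not in domain {dom_sid}")
    pgsid = entry.get("sambaPrimaryGroupSID", [None])[0]
    if pgsid is None:
        problems.append("missing sambaPrimaryGroupSID")
    elif not pgsid.startswith(dom_sid + "-"):
        problems.append(f"sambaPrimaryGroupSID {pgsid} is not in domain {dom_sid}")
    flags = entry.get("sambaAcctFlags", ["[           ]"])[0]
    if "D" in flags:
        problems.append("account disabled (D in sambaAcctFlags)")
    if "U" not in flags:
        problems.append("not flagged as a user account (no U in sambaAcctFlags)")
    if "sambaNTPassword" not in entry:
        problems.append("missing sambaNTPassword (NTLM cannot succeed)")
    return problems


def audit(ldif_text, domain_name):
    """Map each sambaSamAccount uid to its list of problems (empty = clean)."""
    entries = parse_ldif(ldif_text)
    dom = domain_sid(entries, domain_name)
    return {e["uid"][0]: check_user(e, dom)
            for e in entries if "sambaSamAccount" in e.get("objectClass", [])}


if __name__ == "__main__":
    for uid, problems in audit(SAMPLE_LDIF, "TEMPDOMAIN").items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Running it on the sample reports `testuser` as clean and lists four problems for `stale`; on a real dump the domain name passed to `audit` must match the `workgroup` in smb.conf, because that is the sambaDomain entry whose SID every user and primary-group SID is checked against.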