[Samba] Samba unable to bind to LDAP server

Steve Brown sbrown25 at gmail.com
Thu Nov 15 15:55:01 GMT 2007

I've spent the last several days trying to get Samba to bind to our
OpenDirectory server for user authentication with no success.
Whenever I try start Samba, it complains that the connection to the
LDAP server failed with invalid credentials.  I am authenticating
other services against the LDAP server through NSS, so I am a bit at a
loss as to why Samba won't run.  I'm also a bit at a loss as to why I
can't just tell Samba to use the same PAM modules that the other
servers are using and just have authentication chug happily along
through existing mechanisms.  At any rate, here are the details right

Samba 3.0.26a built with ./configure --prefix=/usr/local --enable-fhs
--with-ldap --with-pam --with-configdir=/etc/samba

$ cat /etc/samba/smb.conf
	workgroup =	WORKGROUP
	netbios name =	Samuel
	security =	user
	passdb backend =	ldapsam:ldap://
	ldap suffix =		dc=vpn,dc=a3dauto,dc=com
	ldap admin dn =		dc=vpn,dc=a3dauto,dc=com
	ldap user suffix =	cn=users
	ldap group suffix =	cn=groups

	path =		/mnt/smb
	read only =	no
	guest ok =	no

$ sudo /usr/local/sbin/smbd -iS
smbd version 3.0.26a started.
Copyright Andrew Tridgell and the Samba Team 1992-2007
failed to bind to server ldap:// with
dn="dc=vpn,dc=a3dauto,dc=com" Error: Invalid credentials
Connection to LDAP server failed for the 1 try!
Connection to LDAP server failed for the 2 try!

I am able to query the LDAP server using ldapsearch -x just fine,
which tells me that my settings in /etc/openldap/ldap.conf are
correct.  I assumed that I could just duplicate the same settings in
smb.conf, add my admin password through smbpasswd -W  and everything
would Just Work (tm), but that is obviously not the case.  I did some
reviewing of network traffic comparing and it seems that the only
difference between successful binds and Samba's binds is that Samba is
sending the dn when trying to bind and others are just binding then
sending the dn later.  So my questions are as follows:

1) Is there anything that I am missing in the configuration that would
make everything roll over?

2) Is there a way to make Samba use the PAM / NSS mechanism that is
already working?


More information about the samba mailing list