[Samba] Samba unable to bind to LDAP server

Roel van Meer rolek at alt001.com
Fri Nov 16 08:05:00 GMT 2007

Steve Brown writes:

> I've spent the last several days trying to get Samba to bind to our
> OpenDirectory server for user authentication with no success.
> Whenever I try start Samba, it complains that the connection to the
> LDAP server failed with invalid credentials.  I am authenticating
> other services against the LDAP server through NSS, so I am a bit at a
> loss as to why Samba won't run.  I'm also a bit at a loss as to why I
> can't just tell Samba to use the same PAM modules that the other
> servers are using and just have authentication chug happily along
> through existing mechanisms.

My guess is that you can when you use pam - only you would need another 
passdb backend the (for example tdbsam).

> Samba 3.0.26a built with ./configure --prefix=/usr/local --enable-fhs
> --with-ldap --with-pam --with-configdir=/etc/samba
> --with-logfilebase=/var/log/samba

Looks good.
> $ cat /etc/samba/smb.conf
> [global]
> 	workgroup =	WORKGROUP
> 	netbios name =	Samuel
> 	security =	user
> 	passdb backend =	ldapsam:ldap://
> 	ldap suffix =		dc=vpn,dc=a3dauto,dc=com
> 	ldap admin dn =		dc=vpn,dc=a3dauto,dc=com
> 	ldap user suffix =	cn=users
> 	ldap group suffix =	cn=groups

It strikes me as strange that your ldap suffix and ldap admin dn are 

I'm not familiar with OpenDirectory, but do they have a 'root dn' like 
OpenLDAP does or are you authenticating against an entry in the database 
> I am able to query the LDAP server using ldapsearch -x just fine,
> which tells me that my settings in /etc/openldap/ldap.conf are
> correct.

Settings in /etc/openldap/ldap.conf are not used by samba, AFAIK. 

> I assumed that I could just duplicate the same settings in
> smb.conf, add my admin password through smbpasswd -W  and everything
> would Just Work (tm), but that is obviously not the case.

Well, it should be. :)
You say you can use ldapsearch; can you also do authenticated binds with it? 
E.g. does this work:
ldapsearch -h -D dc=vpn,dc=a3dauto,dc=com -w mypass 
-x objectClass=*

and this:
ldapsearch -h -D uid=diradmin,dc=vpn,dc=a3dauto,dc=com -w 
mypass -x objectClass=*

Is your nss config authenticated or not? (You can set the bindpw flag in 
/etc/ldap.conf, but you can also leave it out.) That might give you a clue 
to whether your authenticated setup is working.

> 1) Is there anything that I am missing in the configuration that would
> make everything roll over?

It looks good - apart from the fact that your admin dn might be incorrect - 
but that may also be caused by your testing, like you mention in another 
> 2) Is there a way to make Samba use the PAM / NSS mechanism that is
> already working?

Yes, but you would need another passdb backend then.

Additionally, you cannot configure it to do an anonymous bind. Samba needs 
access to private information in the ldap server (passwords and such) and to 
grant this access to anonymous users is not recommended.



More information about the samba mailing list