[Samba] Workstation joins domain but user cannot log in SMB-LDAP

Peter Van den Wildenbergh peter at srecengineering.com
Tue Nov 4 21:44:40 GMT 2008

Hi List,

I've done a little bit of SaMBa in the past, but new to LDAP, so bear 
with me please. (It is a lengthy post...)

I've (loosely) followed this guide here:

My server is a Ubuntu 8.04 LTS (up-to-date) running :
OpenLDAP: slapd 2.4.9 (Aug  1 2008 01:08:50)
buildd at terranova:/build/buildd/openldap2.3-2.4.9/debian/build/servers/slapd

Samba Version 3.0.28a

Kernel : 2.6.24-21-server #1 SMP Wed Oct 22 00:18:13 UTC 2008 i686 GNU/Linux

I got to the point where things should fall together but they don't...

What is working:
On the server:
Anonymous checking what is available works:
smbclient -L localhost
Password: <EMPTY>
Anonymous login successful
Domain=[SRECENGINEERING] OS=[Unix] Server=[Samba 3.0.28a]
... <snip>

I was also able to successfully join a laptop to the domain.
The system even shows up in LDAP
ldapsearch -x -b dc=srecengineering,dc=int | grep lpt
# lpt-00005$, Computers, SRECENGINEERING.INT
dn: uid=lpt-00005$,ou=Computers,dc=SRECENGINEERING,dc=INT
cn: lpt-00005$
uid: lpt-00005$

Then the trouble started.
I created a user using /usr/sbin/smbldap-useradd.
An ldapsearch returns the user.

BUT I cannot log in using that user on a Win XP SP3.
"The system could not log you on..."

Googling points to trouble between LDAP / Samba and groupmap.

net groupmap list
Domain Admins (S-1-5-21-415917906-1882792140-1713642741-512) -> Domain 
Domain Users (S-1-5-21-415917906-1882792140-1713642741-513) -> Domain Users
Domain Guests (S-1-5-21-415917906-1882792140-1713642741-514) -> Domain 
Domain Computers (S-1-5-21-415917906-1882792140-1713642741-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

In /var/log/samba/log.LPT-00005 I see:
[2008/11/04 14:19:04, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users

But it is NOT all bad, because using 'root' to log in on the WinXP laptop works
(there are still some error messages in the samba logs, but I see a Z:
drive on the laptop pointing to the SaMBa server).

What else?
I also see a lot of these:
Nov  4 11:53:13 SRV-00002 slapd[9261]: <= bdb_equality_candidates: (....) not indexed
(.... are different fields like gidNumber, sambaSID etc.)

My smb.conf

[global]
   workgroup = SRECENGINEERING
   server string = fileserver (%h)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = user
   encrypt passwords = true
   passdb backend = ldapsam:ldap://localhost/
   obey pam restrictions = no
   ldap admin dn = cn=admin,dc=srecengineering,dc=int
   ldap suffix = dc=srecengineering, dc=int
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n 
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   ldap delete dn = Yes
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   domain logons = yes
   unix password sync = yes
   # passwd program / passwd chat are set a second time here; Samba keeps the
   # last value it reads for a parameter, so the smbldap-passwd pair above is
   # overridden by the /usr/bin/passwd pair that follows
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   logon path =
   logon script = allusers.bat
   socket options = TCP_NODELAY

[homes]
   comment = Home directories
   path = /data/home
   browseable = yes
   read only = no
   create mask = 0700
   directory mask = 0700
   valid users = %S
   hide dot files = yes

[netlogon]
   comment = Network Logon Service
   path = /home/samba/netlogon
   guest ok = yes
   read only = yes
   share modes = no

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

I confirmed that the smbldap tools are in /usr/sbin

my slapd.conf in /etc/ldap/
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
logfile /var/log/slapd.log
loglevel 256
modulepath      /usr/lib/ldap
moduleload      back_bdb
sizelimit 500
tool-threads 1
backend         bdb
database        bdb
suffix          "dc=srecengineering,dc=int"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30
access to 
        by dn="cn=admin,dc=srecengineering,dc=int" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=srecengineering,dc=int" write
        by * read

ldap.conf in /etc/ldap
base dc=srecengineering,dc=int
uri ldap://
ldap_version 3
rootbinddn cn=admin,dc=srecengineering,dc=int
bind_policy soft
pam_password md5

I can provide other information if needed.

Your feedback/hints and even solutions are very appreciated.



PS. SaMBa-team keep up the good work!
And say hi to Ms. N. Kroess if you see her!
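Editor's note, with an added example that is not code from the post above or from the Samba project. Two things in the post are worth checking mechanically rather than by eye. First, a domain logon through ldapsam needs the user's sambaSamAccount entry to be consistent with the rest of the directory: its sambaSID must sit under the domain SID stored in the sambaDomain entry (the one `net groupmap list` shows as S-1-5-21-415917906-1882792140-1713642741), its sambaPrimaryGroupSID must have a sambaGroupMapping entry, and sambaAcctFlags must not carry D. Second, the first `access to` directive in the posted slapd.conf lost its attribute list in transit; slapd applies the first `access to` clause whose <what> matches, so if that rule does not name userPassword, sambaNTPassword and sambaLMPassword, the trailing `access to * ... by * read` hands the hashes to any anonymous bind, and the NT hash is password-equivalent. The script below parses the LDIF from an anonymous search and reports both kinds of problem. SAMPLE_LDIF is constructed test data: the DNs, RIDs and the NT hash are assumptions; only the domain SID is the one from the post.

```python
"""Check ldapsam entries for what Samba 3 needs before a domain logon can
succeed, and flag password hashes that an anonymous bind can read.
Added example, not code from the post or the Samba project; input is the
LDIF from an anonymous `ldapsearch -x -LLL -b <suffix>`; SAMPLE_LDIF is
constructed (DNs, RIDs and the NT hash are assumptions)."""
import base64
import re
from collections import defaultdict

SECRET_ATTRS = ("sambaNTPassword", "sambaLMPassword", "userPassword")


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]: unfolds continuation lines, skips
    '#' comments and dn-less trailer blocks, decodes 'attr:: base64'."""
    text = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            value = value.strip()
            if key == "dn":
                dn = value
            else:
                attrs[key].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def check_samba_entries(ldif_text):
    """Return [(CODE, message)]; an empty list means the dump looks sane."""
    entries = parse_ldif(ldif_text)
    findings, domain_sid, mapped = [], None, set()
    for dn, a in entries:                      # pass 1: domain SID, group maps
        oc = {v.lower() for v in a.get("objectClass", [])}
        if "sambadomain" in oc:
            domain_sid = a.get("sambaSID", [None])[0]
        if "sambagroupmapping" in oc:
            mapped.update(a.get("sambaSID", []))
    if domain_sid is None:
        findings.append(("NO_DOMAIN", "no sambaDomain entry: Samba will mint a "
                         "new domain SID that no stored sambaSID matches"))
    for dn, a in entries:                      # pass 2: per-entry checks
        oc = {v.lower() for v in a.get("objectClass", [])}
        for secret in SECRET_ATTRS:            # ACL check: these must be hidden
            if secret in a:
                findings.append(("HASH_READABLE", f"{dn}: {secret} returned to an "
                                 "anonymous bind; the NT hash is password-equivalent"))
        if "sambasamaccount" not in oc:
            continue                           # plain posixAccount, not a Samba user
        sid = a.get("sambaSID", [""])[0]
        if domain_sid and not sid.startswith(domain_sid + "-"):
            findings.append(("SID_MISMATCH", f"{dn}: sambaSID '{sid}' is not under "
                             f"domain SID {domain_sid}"))
        pgs = a.get("sambaPrimaryGroupSID", [""])[0]
        if pgs and pgs not in mapped:
            findings.append(("GROUP_UNMAPPED", f"{dn}: primary group {pgs} has no "
                             "sambaGroupMapping entry (see 'net groupmap list')"))
        flags = a.get("sambaAcctFlags", [""])[0]
        if "D" in flags:
            findings.append(("DISABLED", f"{dn}: sambaAcctFlags {flags} disables login"))
    return findings


# Constructed sample: user under a foreign domain SID, NT hash of "password" leaking
SAMPLE_LDIF = """
dn: sambaDomainName=SRECENGINEERING,dc=srecengineering,dc=int
objectClass: sambaDomain
sambaSID: S-1-5-21-415917906-1882792140-1713642741

dn: cn=Domain Users,ou=Groups,dc=srecengineering,dc=int
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-415917906-1882792140-1713642741-513

dn: uid=peter,ou=Users,dc=srecengineering,dc=int
objectClass: posixAccount
objectClass: sambaSamAccount
uid: peter
sambaSID: S-1-5-21-999999999-888888888-777777777-1000
sambaPrimaryGroupSID: S-1-5-21-415917906-1882792140-1713642741-513
sambaAcctFlags: [U          ]
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
"""

if __name__ == "__main__":
    for code, msg in check_samba_entries(SAMPLE_LDIF) or [("OK", "nothing to report")]:
        print(f"{code}: {msg}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of `ldapsearch -x -LLL -b dc=srecengineering,dc=int`, taken without binding, so that any HASH_READABLE finding reflects what an unauthenticated client on the network sees. A SID_MISMATCH on the user but not on the machine account would fit the symptom in the post (join succeeds, user logon fails), and is the usual result of smbldap.conf carrying a different SID than the sambaDomain entry Samba reads.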

