[Samba] openldap integration failed after power cut

Fergus Clarke fclarke at ixico.com
Mon Feb 13 09:12:02 MST 2012


Hi

We have a Samba server that authenticates with an openldap server.  Or it used to.
We had a power cut last week and after a bit of struggling everything came back, but not Samba.
Previously our smb.conf file included the line

passdb backend = ldapsam:ldap://server.domain.net/

With this line in place the connection to the LDAP server fails, and people's shares drop off every few minutes.  I changed this to point to our 2nd, backup ldap server and now shares and logon work again.  I need to get communication started again between our Samba and primary LDAP server.

Symptoms include the following (with the new config, i.e. pointing at the backup ldap server):

On the samba server:

servername:/etc/samba# smbclient '\\servername\data'
WARNING: The "printer admin" option is deprecated
Enter root's password: 
session setup failed: NT_STATUS_LOGON_FAILURE

but

servername:/etc/samba# smbclient -L localhost -U%
WARNING: The "printer admin" option is deprecated
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk      Network Logon Service
	print$          Disk      Printer Drivers

etc

also:

servername:/etc/samba# pdbedit -u username -c "[X]"
doing parameter syslog = 1
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = cups
doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
doing parameter logon script = logon.cmd
doing parameter logon path = \\server.domain.net\%U\profile
doing parameter logon home = \\server.domain.net\%U
doing parameter domain logons = Yes
doing parameter os level = 33
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = "uid=username,cn=admins,cn=thenameofthecn"
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=machines
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=ixico,dc=com
doing parameter ldap user suffix = ou=people
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
The LDAP server is successfully connected
init_sam_from_ldap: Entry found for user: username
ldapsam_update_sam_account: user username to be modified has dn: uid=username,ou=people,dc=domain,dc=com
init_ldap_from_sam: Setting entry for user: username
Unable to modify entry!


If I change the setting back to point at our original LDAP server I get the following errors, for example:


servername:/etc/samba# pdbedit -u username -c "[X]"
doing parameter syslog = 1
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter smb ports = 139
doing parameter name resolve order = wins bcast hosts
doing parameter printcap name = cups
doing parameter add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
doing parameter logon script = logon.cmd
doing parameter logon path = \\server.domain.net\%U\profile
doing parameter logon home = \\server.domain.net\%U
doing parameter domain logons = Yes
doing parameter os level = 33
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = "uid=user,cn=admins,cn=relevantcn"
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=machines
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=domain,dc=com
doing parameter ldap user suffix = ou=people
doing parameter panic action = /usr/share/samba/panic-action %d
pm_process() returned Yes
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
failed to bind to server ldap://ldap2.domain.net/ with dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP server
	(unknown)
Connection to LDAP server failed for the 1 try!
smbldap_open_connection: connection opened
failed to bind to server ldap://ldap2.domain.net/ with dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP server

etc

but I can ping the LDAP server with its hostname and the LDAP alias.

I have upped the log level to 10 and grepped for relevant hostnames and things, but I am somewhat at a loss as to what's gone wrong. Any help you can offer would be very gratefully received.  I would also be very happy to post any logs etc. to assist.

Thanks  

Fergus
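
The distinction behind the "Can't contact LDAP server" bind error while ping still works is ICMP reachability versus a TCP listener on the LDAP port. The following is an added illustration, not code from the original post, of a small check that parses the `passdb backend` URI form used above and reports whether the LDAP port accepts a TCP connection; the hostnames are the ones in the post and the functions are hypothetical helpers.

```python
import socket
from urllib.parse import urlsplit

# Hypothetical helper (not from the original post): tell "host answers ping"
# apart from "host accepts TCP on the LDAP port", which is what Samba needs.

def parse_ldap_uri(value: str):
    """Return (host, port, ldaps) for a value like 'ldapsam:ldap://host/'.

    Only an ldaps:// scheme selects port 636; 'ldap ssl = start tls' still
    uses the plain port 389, so the port is what matters for the TCP check.
    """
    uri = value.split("ldapsam:", 1)[-1].strip()
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URI: {uri}")
    ldaps = parts.scheme == "ldaps"
    port = parts.port or (636 if ldaps else 389)
    return parts.hostname, port, ldaps

def tcp_reachable(host: str, port: int, timeout: float = 3.0):
    """(True, 'connected') if a TCP connect completes, else (False, OS error text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except OSError as exc:
        return False, str(exc)

def check_passdb_backend(line: str, timeout: float = 3.0):
    """Parse an smb.conf 'passdb backend' line and test the LDAP port over TCP."""
    _, _, value = line.partition("=")
    host, port, ldaps = parse_ldap_uri(value)
    ok, detail = tcp_reachable(host, port, timeout)
    return {"host": host, "port": port, "ldaps": ldaps, "tcp_ok": ok, "detail": detail}

if __name__ == "__main__":
    # Constructed sample input: the smb.conf line from the post, for both hosts it mentions.
    for line in ("passdb backend = ldapsam:ldap://server.domain.net/",
                 "passdb backend = ldapsam:ldap://ldap2.domain.net/"):
        r = check_passdb_backend(line)
        print(f"{r['host']}:{r['port']} tcp_ok={r['tcp_ok']} ({r['detail']})")
        if r["tcp_ok"]:
            # Once TCP works, test the actual bind with the same DN Samba uses.
            print(f"  next: ldapsearch -x -H ldap://{r['host']}:{r['port']}/ "
                  "-D '<ldap admin dn>' -W -b '<ldap suffix>' -s base")
```

If the TCP connect is refused while ping succeeds, the problem is slapd not listening (or a host firewall) after the power cut rather than Samba's configuration.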