[Samba] pam_smbldap problem

John McMonagle johnm at advocap.org
Wed Feb 15 13:17:34 MST 2012

Have samba pdc using smbldap etc.
In my test setup the samba is a bdc as the pdc is a crucial service.
Running debian squeeze with samba  3.5.6
Working on getting PAM to keep the LDAP and Windows passwords in sync.
I have been using smbldap-passwd with some added password tests to change them.

smbldap-passwd works
smbpasswd works
In the auth part of PAM the migrate option works with pam_smbldap.
smbclient -L localhost authenticates OK.

If I use no SSL or TLS for the LDAP connections in smb.conf,
passwd changes the Windows password.
If the connection to the master LDAP server uses SSL or TLS, I get this error
in auth.log:

Feb 15 13:21:51 nfondy passwd[30090]: pam_smbpass(passwd:chauthtok): Cannot 
access samba password database, not running as root.

Again, it works without TLS or SSL.

# Quoted from the post; presumably the "password" section of the
# pam-auth-update generated common-password file.  Two entries below are
# mail-wrapped onto two physical lines (pam_unix and pam_smbpass) — each is
# a single PAM line in the real file.
# here are the per-package modules (the "Primary" block)
password        requisite                       pam_passwdqc.so
# pam_unix and pam_ldap are the "primary" changers; use_authtok / try_first_pass
# make the later modules reuse the token already collected by pam_passwdqc.
password        [success=2 default=ignore]      pam_unix.so obscure 
use_authtok try_first_pass sha512
password        [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# NOTE(review): 'optional' means a pam_smbpass failure never fails the passwd
# run, so a Samba password that silently stays unsynced is the only symptom;
# the "Cannot access samba password database, not running as root" line in
# auth.log is what pam_smbpass logs when it cannot open the passdb at all, and
# with an ldaps:// backend that is presumably the LDAP bind/TLS handshake
# failing (e.g. server certificate not trusted via the client ldap.conf
# TLS_CACERT) rather than a uid problem — confirm with the 'debug' output.
# NOTE(review): 'nullok' allows accounts with an empty Samba password — confirm
# that is intended for this domain.
password        optional                        pam_smbpass.so nullok 
use_authtok use_first_pass debug
# end of pam-auth-update config

# I clearly do not know what to put in for ldap debug
# NOTE(review): these two values are handed to the LDAP client library rather
# than to smbd's own logging ('log level', commented out further down, controls
# that) — verify the meaning of 280 against smb.conf(5) before relying on it.
 ldap debug level = 280
 ldap debug threshold = 280

# ldap ssl = start tls
# NOTE(review): 'ldap ssl' only governs StartTLS on ldap:// URIs; the ldaps://
# URI used for 'passdb backend' below negotiates TLS on connect regardless of
# this setting, so the backend connection is still encrypted — which matches
# the symptom that the failure only appears with TLS in use.
 ldap ssl = off
 ldap follow referral = auto
ldap ssl ads = no

# next to avoid nss
ldapsam:trusted = Yes
# NOTE(review): 'guest account' is set twice (here and a few lines below);
# presumably the later value wins, leaving this one dead.
guest account = winguest
#For Windows7
#client lanman auth = no
client ntlmv2 auth = yes
guest account = nobody

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = ADVOCAP
   netbios name = NFONDY
# server string is the equivalent of the NT Description field
   server string = Fondulac Server
# Normally the second line is used; just using one to debug.
# The bind for this backend uses 'ldap admin dn' below with the password
# stored in secrets.tdb; a TLS trust failure on this URI would make the
# passdb unreachable for pam_smbpass too.
        passdb backend = ldapsam:"ldaps://mstldap.advocap.org"
#        passdb backend = ldapsam:"ldap://fonldap.advocap.org 

        #log level = 9
        syslog = 0
# NOTE(review): 'log file' and 'max log size' are both set again further down;
# presumably the later values win.
        log file = /var/log/samba/log.%m
        max log size = 50
        # next changes 4/4/2011
        #smb ports = 139 445
        smb ports = 139
        time server = Yes

# block from examples
        show add printer wizard = No
# These scripts are run by smbd as root with names supplied by the client;
# the single quotes around %u / %g are what keep a crafted name from being
# interpreted by the shell — keep them on every script line.
        add user script = /usr/sbin/smbldap-useradd -a -m '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
# (next two physical lines are one mail-wrapped parameter)
        delete user from group script 
= /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
#       shutdown script = /var/lib/samba/scripts/shutdown.sh
#       abort shutdown script = /sbin/shutdown -c
        logon path = \\%L\profiles\%U
        logon drive = X:
# NOTE(review): 'preferred master' is also set (to the same value) near the end.
        preferred master = No
        wins support = Yes
        ldap suffix = dc=advocap,dc=org
        ldap machine suffix = ou=machines
        ldap user suffix = ou=People
        ldap group suffix = ou=Group
# not running winbind
#       ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=samba,ou=DSA,dc=advocap,dc=org
#       idmap backend = ldap://mstldap.advocap.org
#       idmap uid = 10000-20000
#       idmap gid = 10000-20000
        map acl inherit = Yes
        printing = cups

   load printers = yes
   log file = /var/log/samba/smbd.log

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = user

 encrypt passwords = yes

# Samba itself does not push password changes to the Unix side; the sync
# direction in this setup is Unix/LDAP -> Samba via pam_smbpass.
  unix password sync = No

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# NOTE(review): an empty 'interfaces' presumably means smbd listens on all
# interfaces — confirm that is intended on a domain controller.
  interfaces =

   domain master = no

   preferred master = no

   domain logons = yes

   logon script = %U.bat

        name resolve order = wins bcast hosts

   dns proxy = no
  preserve case = yes
...............shares etc...
smb.conf is a bit of a mess, as it has evolved over about 10 years :-(

I had been debugging by watching the LDAP traffic with Wireshark,
as it works without TLS and it's hard to debug with TLS on :-(

It does the same if I connect through the local LDAP server when it gets
referred to an ldaps connection.
To test, I changed the referral in slapd.conf to ldap:/./ and it worked.

Any suggestions on how to fix or debug?



