[Samba] Local account login failed when samba join to LDAP

Johnson Cheng Johnson.Cheng at QsanTechnology.com
Fri Mar 21 03:53:20 MDT 2014 

Dears,

My samba version is 3.6.4
I have a problem to co-work with open LDAP server. When samba join to open LDAP server, my local account can NOT login samba anymore, only LDAP account can login.
When my samba come back to standalone, the local account is OK. Did I miss something?

The following is my configuration files, I list the part of them,
smb.conf
server string = "Samba Server"
workgroup = WORKGROUP
security = user
obey pam restrictions = yes
passdb backend = ldapsam:ldap://192.168.8.143
ldap admin dn = cn=admin, dc=ff,dc=com
ldap suffix = dc=ff,dc=com
domain logons = yes
ldap ssl = off
ldap passwd sync = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
ldap delete dn = yes

nslcd.conf
uid admin
gid Administrator_Group
uri ldap://192.168.8.143
base dc=ff,dc=com

/etc/nssswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap

/etc/pam.d/samba
auth    sufficient      /usr/lib/security/pam_ldap.so
auth    sufficient      /usr/lib/security/pam_unix.so
account sufficient      /usr/lib/security/pam_ldap.so
account sufficient      /usr/lib/security/pam_unix.so
session sufficient      /usr/lib/security/pam_ldap.so
session sufficient      /usr/lib/security/pam_unix.so

I can use LDAP account to login samba via the below command,
smbclient -L 192.168.8.75 -U kevin2%123456123456

But when I use local account to login samba via smbclient, it reports "session setup failed: NT_STATUS_LOGON_FAILURE"
smbclient -L 192.168.8.75 -U qq%qq

One thing is interested that when I change "passdb backend = ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam", local account can login samba but LDAP account will fail to login.
The below is samba output debug message,
[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.781846,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/03/21 17:44:25.781931,  3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'qq' in passdb.
[2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.782213, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [qq]
[2014/03/21 17:44:25.782293,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


Any suggestion will be appreciated.

Regards,
Johnson

More information about the samba mailing list