[Samba] Local account login failed when samba join to LDAP

Johnson Cheng Johnson.Cheng at QsanTechnology.com
Wed Mar 26 01:10:45 MDT 2014


Dear All,

I have upgraded samba version to 3.6.22.
This issue still exists.

Any suggestion will be appreciated.


Regards,
Johnson

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Johnson Cheng
Sent: Friday, March 21, 2014 5:53 PM
To: samba at lists.samba.org
Subject: [Samba] Local account login failed when samba join to LDAP

Dears,

My samba version is 3.6.4
I have a problem getting it to work with an OpenLDAP server. When Samba is joined to the OpenLDAP server, my local account can NOT log in to Samba anymore; only the LDAP account can log in.
When my Samba goes back to standalone, the local account is OK. Did I miss something?

The following are my configuration files; I list part of them.

smb.conf
server string = "Samba Server"
workgroup = WORKGROUP
security = user
obey pam restrictions = yes
passdb backend = ldapsam:ldap://192.168.8.143
ldap admin dn = cn=admin, dc=ff,dc=com
ldap suffix = dc=ff,dc=com
domain logons = yes
ldap ssl = off
ldap passwd sync = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
ldap delete dn = yes

nslcd.conf
uid admin
gid Administrator_Group
uri ldap://192.168.8.143
base dc=ff,dc=com

/etc/nsswitch.conf
passwd: files ldap
group:  files ldap
shadow: files ldap

/etc/pam.d/samba
auth    sufficient      /usr/lib/security/pam_ldap.so
auth    sufficient      /usr/lib/security/pam_unix.so
account sufficient      /usr/lib/security/pam_ldap.so
account sufficient      /usr/lib/security/pam_unix.so
session sufficient      /usr/lib/security/pam_ldap.so
session sufficient      /usr/lib/security/pam_unix.so

I can use an LDAP account to log in to Samba via the command below:
smbclient -L 192.168.8.75 -U kevin2%123456123456

But when I use a local account to log in to Samba via smbclient, it reports "session setup failed: NT_STATUS_LOGON_FAILURE":
smbclient -L 192.168.8.75 -U qq%qq

One interesting thing is that when I change "passdb backend = ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam", the local account can log in to Samba but the LDAP account will fail to log in.
Below is the Samba debug output:
[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.781846,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/03/21 17:44:25.781931,  3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'qq' in passdb.
[2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.782213, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [qq]
[2014/03/21 17:44:25.782293,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE


Any suggestion will be appreciated.

Regards,
Johnson
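
Added example, not part of the original post and not Samba project code: a small Python parser for the smbd debug-log format quoted above. It pairs each header line with its message, then pulls out the LDAP filter smbd used for the passdb lookup and the per-user authentication failures. The function names are this example's own, and the sample input is four records copied from the log in this message.

```python
import re
from collections import defaultdict

# Header line, e.g. "[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")
USER = re.compile(r"user \[([^\]]+)\]")
STATUS = re.compile(r"\bNT_STATUS_\w+")
FILTER = re.compile(r"filter => \[(.*?)\], scope")

def parse_records(text):
    """Pair each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif line and records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def ldap_filters(records):
    """Search filters smbd sent to the directory (smbldap_search_ext records)."""
    hits = (FILTER.search(r["msg"]) for r in records if r["func"] == "smbldap_search_ext")
    return [m.group(1) for m in hits if m]

def auth_failures(records):
    """Map user -> [(function, NT status)] for every FAILED record naming a user."""
    out = defaultdict(list)
    for r in records:
        user, status = USER.search(r["msg"]), STATUS.search(r["msg"])
        if user and status and "FAILED" in r["msg"]:
            out[user.group(1)].append((r["func"], status.group(0)))
    return dict(out)

# Sample input: four records copied from the debug log quoted in this message.
SAMPLE_LOG = """\
[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    print(ldap_filters(parse_records(SAMPLE_LOG)), auth_failures(parse_records(SAMPLE_LOG)))
```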
