[Samba] Local account login failed when samba join to LDAP

Johnson Cheng Johnson.Cheng at QsanTechnology.com
Wed Mar 26 01:10:45 MDT 2014

Dear All,

I have upgraded samba version to 3.6.22.
This issue still exists.

Any suggestion will be appreciated.


-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Johnson Cheng
Sent: Friday, March 21, 2014 5:53 PM
To: samba at lists.samba.org
Subject: [Samba] Local account login failed when samba join to LDAP


My samba version is 3.6.4
I have a problem to co-work with open LDAP server. When samba join to open LDAP server, my local account can NOT login samba anymore, only LDAP account can login.
When my samba come back to standalone, the local account is OK. Did I miss something?

The following is my configuration files, I list the part of them, smb.conf server string = "Samba Server"
workgroup = WORKGROUP
security = user
obey pam restrictions = yes
passdb backend = ldapsam:ldap:// ldap admin dn = cn=admin, dc=ff,dc=com ldap suffix = dc=ff,dc=com domain logons = yes ldap ssl = off ldap passwd sync = yes ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Machines ldap delete dn = yes

uid admin
gid Administrator_Group
uri ldap://
base dc=ff,dc=com

passwd: files ldap
group:  files ldap
shadow: files ldap

auth    sufficient      /usr/lib/security/pam_ldap.so
auth    sufficient      /usr/lib/security/pam_unix.so
account sufficient      /usr/lib/security/pam_ldap.so
account sufficient      /usr/lib/security/pam_unix.so
session sufficient      /usr/lib/security/pam_ldap.so
session sufficient      /usr/lib/security/pam_unix.so

I can use LDAP account to login samba via the below command, smbclient -L -U kevin2%123456123456

But when I use local account to login samba via smbclient, it reports "session setup failed: NT_STATUS_LOGON_FAILURE"
smbclient -L -U qq%qq

One thing is interested that when I change "passdb backend = ldapsam:ldap://" to "passdb backend = tdbsam", local account can login samba but LDAP account will fail to login.
The below is samba output debug message,
[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.781846,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/03/21 17:44:25.781931,  3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'qq' in passdb.
[2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.782213, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [qq]
[2014/03/21 17:44:25.782293,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Any suggestion will be appreciated.


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list