[Samba] Local account login failed when samba join to LDAP
L.P.H. van Belle
belle at bazuin.nl
Wed Mar 26 02:41:26 MDT 2014
What does
getent passwd
getent group
wbinfo -u
wbinfo -g
tell you?
>-----Original Message-----
>From: Johnson.Cheng at QsanTechnology.com
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Johnson Cheng
>Sent: Wednesday 26 March 2014 8:11
>To: samba at lists.samba.org
>Subject: Re: [Samba] Local account login failed when samba
>join to LDAP
>
>Dear All,
>
>I have upgraded samba version to 3.6.22.
>This issue still exists.
>
>Any suggestion will be appreciated.
>
>
>Regards,
>Johnson
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Johnson Cheng
>Sent: Friday, March 21, 2014 5:53 PM
>To: samba at lists.samba.org
>Subject: [Samba] Local account login failed when samba join to LDAP
>
>Dears,
>
>My samba version is 3.6.4
>I have a problem co-working with an OpenLDAP server. When samba
>joins the OpenLDAP server, my local account can NOT log in to samba
>anymore; only the LDAP account can log in.
>When my samba comes back to standalone, the local account is
>OK. Did I miss something?
>
>The following is my configuration files, I list the part of
>them,
>
>smb.conf
>server string = "Samba Server"
>workgroup = WORKGROUP
>security = user
>obey pam restrictions = yes
>passdb backend = ldapsam:ldap://192.168.8.143
>ldap admin dn = cn=admin, dc=ff,dc=com
>ldap suffix = dc=ff,dc=com
>domain logons = yes
>ldap ssl = off
>ldap passwd sync = yes
>ldap group suffix = ou=Groups
>ldap user suffix = ou=Users
>ldap machine suffix = ou=Machines
>ldap delete dn = yes
>
>nslcd.conf
>uid admin
>gid Administrator_Group
>uri ldap://192.168.8.143
>base dc=ff,dc=com
>
>/etc/nssswitch.conf
>passwd: files ldap
>group: files ldap
>shadow: files ldap
>
>/etc/pam.d/samba
>auth sufficient /usr/lib/security/pam_ldap.so
>auth sufficient /usr/lib/security/pam_unix.so
>account sufficient /usr/lib/security/pam_ldap.so
>account sufficient /usr/lib/security/pam_unix.so
>session sufficient /usr/lib/security/pam_ldap.so
>session sufficient /usr/lib/security/pam_unix.so
>
>I can use LDAP account to login samba via the below command,
>smbclient -L 192.168.8.75 -U kevin2%123456123456
>
>But when I use local account to login samba via smbclient, it
>reports "session setup failed: NT_STATUS_LOGON_FAILURE"
>smbclient -L 192.168.8.75 -U qq%qq
>
>One interesting thing is that when I change "passdb backend =
>ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam",
>the local account can log in to samba but the LDAP account will fail to log in.
>Below is the samba debug output:
>[2014/03/21 17:44:25.780867, 5] lib/smbldap.c:1439(smbldap_search_ext)
> smbldap_search_ext: base => [dc=ff,dc=com], filter =>
>[(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
>[2014/03/21 17:44:25.781685, 4]
>passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
> ldapsam_getsampwnam: Unable to locate user [qq] count=0
>[2014/03/21 17:44:25.781846, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2014/03/21 17:44:25.781931, 3]
>auth/check_samsec.c:399(check_sam_security)
> check_sam_security: Couldn't find user 'qq' in passdb.
>[2014/03/21 17:44:25.782108, 5] auth/auth.c:271(check_ntlm_password)
> check_ntlm_password: sam authentication for user [qq] FAILED
>with error NT_STATUS_NO_SUCH_USER
>[2014/03/21 17:44:25.782213, 10]
>auth/auth_winbind.c:50(check_winbind_security)
> Check auth for: [qq]
>[2014/03/21 17:44:25.782293, 3]
>auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain
>[WORKGROUP] was for this SAM.
>[2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
> check_ntlm_password: winbind had nothing to say
>[2014/03/21 17:44:25.787728, 2] auth/auth.c:334(check_ntlm_password)
> check_ntlm_password: Authentication for user [qq] -> [qq]
>FAILED with error NT_STATUS_NO_SUCH_USER
>[2014/03/21 17:44:25.787936, 3] smbd/error.c:81(error_packet_set)
> error packet at smbd/sesssetup.c(124) cmd=115
>(SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
>
>Any suggestion will be appreciated.
>
>Regards,
>Johnson
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
>
>
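The debug output quoted above shows where the logon fails: with the `ldapsam` backend the account lookup is an LDAP search for a `sambaSamAccount` entry, and a miss there ends as NT_STATUS_NO_SUCH_USER. The following is an added example, not part of the original thread, that parses those log records (mail line-wrapping undone) and reports per user the final status and whether the LDAP passdb lookup missed; the function names are my own.

```python
import re
from collections import defaultdict

# Sample taken from the debug output quoted in the post, with the mail
# line-wrapping undone (header line, then indented message line).
SAMPLE_LOG = """\
[2014/03/21 17:44:25.780867, 5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685, 4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.781931, 3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'qq' in passdb.
[2014/03/21 17:44:25.787728, 2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password: Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)$")
LDAP_MISS = re.compile(r"Unable to locate user \[(?P<user>[^\]]+)\] count=0")
AUTH_FAIL = re.compile(r"Authentication for user \[(?P<user>[^\]]+)\] -> \[[^\]]*\] FAILED with error (?P<status>\S+)")

def parse_records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if current:
                yield tuple(current)
            current = [m["ts"], int(m["level"]), m["func"], ""]
        elif current is not None and line.strip():
            # Continuation lines belong to the most recent header.
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def failed_logons(text):
    """Map user -> {'status': ..., 'ldap_miss': bool} for failed logons."""
    result = defaultdict(lambda: {"status": None, "ldap_miss": False})
    for _ts, _level, func, msg in parse_records(text):
        if func == "ldapsam_getsampwnam" and (m := LDAP_MISS.search(msg)):
            result[m["user"]]["ldap_miss"] = True
        elif func == "check_ntlm_password" and (m := AUTH_FAIL.search(msg)):
            result[m["user"]]["status"] = m["status"]
    return dict(result)

if __name__ == "__main__":
    for user, info in failed_logons(SAMPLE_LOG).items():
        print(user, info)
```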