[Samba] Local account login failed when samba join to LDAP

Johnson Cheng Johnson.Cheng at QsanTechnology.com
Wed Mar 26 06:47:36 MDT 2014


Dear Belle,

Thanks for your reply.

These commands work, and I have listed part of the output below:
[getent passwd]
admin:x:0:0:root:/root:/bin/sh
guest:x:38:101:Operator:/var:/bin/sh
qq:x:1000:101:Linux User,,,:/var/tmp:/bin/sh
root:x:0:0:Netbios Domain Administrator,,,,:/home/root:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
senti:x:1002:513:senti:/home/senti:/bin/bash
felt:x:1003:513:felt-m-P:/home/felt:/bin/bash
qwer:x:1004:513:qwer:/home/qwer:/bin/bash
qaz:x:1005:513:qaz:/home/qaz:/bin/bash
qqq:x:1006:513:qqq:/home/qqq:/bin/bash
aaa:x:1007:513:a:/home/aaa:/bin/bash
kevin2:x:1008:513:zzz:/home/kevin2:/bin/bash
....

[getent group]
Administrator_Group:x:0:admin
User_Group:x:101:admin,guest,qq
Guest_Group:x:65534:
Domain Admins:*:512:root
Domain Users:*:513:
Domain Guests:*:514:
Domain Computers:*:515:
Administrators:*:544:
Account Operators:*:548:
Print Operators:*:550:
Backup Operators:*:551:
Replicators:*:552:
gggg:*:1074:
....

[wbinfo -u]
root
nobody
senti
felt
qwer
qaz
qqq
aaa
kevin2
....

[wbinfo -g]
domain admins
domain users
domain guests
domain computers
gggg
....


I find that wbinfo -u and wbinfo -g do NOT list local accounts and groups.


Regards,
Johnson



-----Original Message-----
From: L.P.H. van Belle [mailto:belle at bazuin.nl] 
Sent: Wednesday, March 26, 2014 4:41 PM
To: samba at lists.samba.org
Cc: Johnson Cheng
Subject: RE: [Samba] Local account login failed when samba join to LDAP

What does

getent passwd
getent group

wbinfo -u
wbinfo -g

tell you?

 

>-----Original Message-----
>From: Johnson.Cheng at QsanTechnology.com
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Johnson Cheng
>Sent: Wednesday, March 26, 2014 8:11
>To: samba at lists.samba.org
>Subject: Re: [Samba] Local account login failed when samba join to LDAP
>
>Dear All,
>
>I have upgraded samba version to 3.6.22.
>This issue still exists.
>
>Any suggestion will be appreciated.
>
>
>Regards,
>Johnson
>
>-----Original Message-----
>From: samba-bounces at lists.samba.org
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Johnson Cheng
>Sent: Friday, March 21, 2014 5:53 PM
>To: samba at lists.samba.org
>Subject: [Samba] Local account login failed when samba join to LDAP
>
>Dears,
>
>My samba version is 3.6.4
>I have a problem working with an open LDAP server. When samba joins the 
>open LDAP server, my local account can NOT log in to samba anymore; only 
>LDAP accounts can log in.
>When my samba goes back to standalone, the local account is OK. Did I 
>miss something?
>
>The following are my configuration files; I list part of them:
>
>smb.conf
>server string = "Samba Server"
>workgroup = WORKGROUP
>security = user
>obey pam restrictions = yes
>passdb backend = ldapsam:ldap://192.168.8.143
>ldap admin dn = cn=admin, dc=ff,dc=com
>ldap suffix = dc=ff,dc=com
>domain logons = yes
>ldap ssl = off
>ldap passwd sync = yes
>ldap group suffix = ou=Groups
>ldap user suffix = ou=Users
>ldap machine suffix = ou=Machines
>ldap delete dn = yes
>
>nslcd.conf
>uid admin
>gid Administrator_Group
>uri ldap://192.168.8.143
>base dc=ff,dc=com
>
>/etc/nsswitch.conf
>passwd: files ldap
>group:  files ldap
>shadow: files ldap
>
>/etc/pam.d/samba
>auth    sufficient      /usr/lib/security/pam_ldap.so
>auth    sufficient      /usr/lib/security/pam_unix.so
>account sufficient      /usr/lib/security/pam_ldap.so
>account sufficient      /usr/lib/security/pam_unix.so
>session sufficient      /usr/lib/security/pam_ldap.so
>session sufficient      /usr/lib/security/pam_unix.so
>
>I can use an LDAP account to log in to samba via the command below:
>smbclient -L 192.168.8.75 -U kevin2%123456123456
>
>But when I use a local account to log in to samba via smbclient, it reports 
>"session setup failed: NT_STATUS_LOGON_FAILURE"
>smbclient -L 192.168.8.75 -U qq%qq
>
>One interesting thing is that when I change "passdb backend = 
>ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam", the local 
>account can log in to samba but the LDAP account fails to log in.
>The samba debug output is below:
>[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
>  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
>[2014/03/21 17:44:25.781685,  4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
>  ldapsam_getsampwnam: Unable to locate user [qq] count=0
>[2014/03/21 17:44:25.781846,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2014/03/21 17:44:25.781931,  3] auth/check_samsec.c:399(check_sam_security)
>  check_sam_security: Couldn't find user 'qq' in passdb.
>[2014/03/21 17:44:25.782108,  5] auth/auth.c:271(check_ntlm_password)
>  check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
>[2014/03/21 17:44:25.782213, 10] auth/auth_winbind.c:50(check_winbind_security)
>  Check auth for: [qq]
>[2014/03/21 17:44:25.782293,  3] auth/auth_winbind.c:60(check_winbind_security)
>  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
>[2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
>  check_ntlm_password: winbind had nothing to say
>[2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
>  check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
>[2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
>  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
>
>Any suggestion will be appreciated.
>
>Regards,
>Johnson
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>
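
The smbd debug log quoted in the original post can be read mechanically. The following Python sketch is an added example, not part of the thread or of Samba: it rejoins the mail-wrapped log lines and reports, per user, the LDAP filter that was searched, the passdb hit count, and the internal versus client-visible status. The names parse_records and explain_failures are hypothetical.

```python
import re
# Excerpt of the smbd debug log quoted in the thread, with the mail line-wrapping kept.
SAMPLE_LOG = """\
[2014/03/21 17:44:25.780867,  5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter =>
[(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685,  4]
passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.787728,  2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password:  Authentication for user [qq] -> [qq] FAILED
with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787936,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115
(SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)\s*(.*)$")

def parse_records(text):
    """Rejoin wrapped lines into one record per '[timestamp, level]' header."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # a new record starts; anything after ']' is kept for LOCATION
            records.append({"ts": m.group(1), "level": int(m.group(2)), "msg": m.group(3)})
        elif records and line.strip():  # continuation of the previous record
            records[-1]["msg"] += " " + line.strip()
    for r in records:  # split 'file:line(function)' from the message text
        loc = LOCATION.match(r["msg"].strip())
        r["func"], r["msg"] = (loc.group(3), loc.group(4)) if loc else (None, r["msg"].strip())
    return records

def explain_failures(records):
    """Per user: LDAP filter searched, passdb hits, internal and client-visible status."""
    out, ldap_filter, user = {}, None, None
    for r in records:
        if m := re.search(r"filter => \[(.+?)\], scope", r["msg"]):
            ldap_filter = m.group(1)
        elif m := re.search(r"Unable to locate user \[(.+?)\] count=(\d+)", r["msg"]):
            user = m.group(1)
            out.setdefault(user, {}).update(filter=ldap_filter, passdb_hits=int(m.group(2)))
        elif m := re.search(r"Authentication for user \[(.+?)\] -> \[.+?\] FAILED with error (\w+)", r["msg"]):
            user = m.group(1)
            out.setdefault(user, {})["internal_status"] = m.group(2)
        elif r["func"] == "error_packet_set" and user and (m := re.search(r"NT_STATUS_\w+", r["msg"])):
            out[user]["client_status"] = m.group(0)
    return out
```

Calling explain_failures(parse_records(SAMPLE_LOG)) shows that the lookup for qq used the sambaSamAccount filter and returned zero entries, and that the log records NT_STATUS_NO_SUCH_USER while the client is sent NT_STATUS_LOGON_FAILURE.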


