[Samba] user authentication issue

Rowland Penny rowlandpenny at googlemail.com
Sat Apr 18 11:00:28 MDT 2015

On 18/04/15 17:17, Itamar Gal wrote:
> Hey Rowland,
> Thank you so much for your help and patience.
>     OK, just a few questions based on what is in your smb.conf, which
>     seems to show that it is running as an NT-4 style PDC.
> That's consistent with my understanding.
>     passdb backend = ldapsam:"ldap://hosturl"
>     I take it that 'hosturl' is the fqdn of the machine that samba is
>     running on.
> Yeah, sorry. I anonymized some of the parameters in order to 
> (hopefully) comply with policy. I'll take this opportunity to 
> apologize for all past and future clumsiness.

No, it is not a problem, I was just checking that ldap was running on 
the same machine as samba, so there is no apology needed.

>     ldap suffix = o=org
>     Is this correct ?? I would expect something like 'dc=example,dc=com'
> Actually, yes. Moreover, there is no line of the form 
> 'dc=example,dc=com' anywhere in the file.
>     unix password sync = no
>     This means that there is no sync between samba and local unix
>     users i.e. they can have different passwords!
> Yeah, that directive is brutally intuitive; it's funny what total 
> intellectual disorientation causes me to view with suspicion. I was 
> thinking that it was possible that some other directive might have a 
> side effect that overrides the 'unix password sync' directive.

Got to be honest here, I have never seen an ldap with a root of 'o=org', 
but if that is what is in ldap, you will just have to work with it.

>     logon home = \\%N\%U
>     %N means 'replace this with the name of your NIS home directory
>     server'
>     Do you have a NIS home directory server ?
>     If not (and samba has been compiled in the right way) this could
>     also mean the NetBIOS name of the server, in which case it may be
>     better to just set this to NetBIOS name.
> I don't believe that there is a NIS home directory server running. 
> I've replaced "logon home = \\%N\%U" with "logon home = \\%L\%U"; 
> thanks for the pointer.
>     map to guest = bad user
>     There doesn't seem to be much point to this because all the shares
>     have this: 'guest ok = no'
> Got it.
>     As is, your users need to exist, but if they don't, they get
>     mapped to nobody and can see the shares, but because 'guest ok =
>     no' is set on the shares, they cannot do anything.
> Ah. Ok, I think I understand, sort of. However I'm still required to 
> authenticate using the user's Samba password (set via smbpasswd) in 
> order to view the shares. Is that consistent with the user being 
> mapped to nobody?

No, change the line 'unix password sync = no' to 'unix password sync = 
yes', restart samba, then as root run 'smbpasswd -a <username>'. This 
should set the user's password for both the samba and the local unix user; 
this user should then be able to connect to the shares.

> I'm also still unclear on why Samba doesn't see the user; the user 
> appears in the list generated by 'pdbedit -L', for instance. What gives?
> Thanks again for your help!
> Cheers,
> Itamar

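As an added example, not code from this thread or from the Samba project: a small Python parser for the subset of smb.conf syntax shown above, with checks for the three points Rowland raised (`unix password sync`, `%N` in `logon home`, and `map to guest` measured against the shares' `guest ok`). The sample configuration, its host name and its share path are constructed, and the checks assume Samba's documented defaults (`unix password sync = no`, `map to guest = never`, `guest ok = no`).

```python
# Added example, not from the thread: parse an smb.conf and flag the directives
# discussed above. Host names and share paths below are constructed.
import re
SAMPLE_SMB_CONF = r"""
[global]
   passdb backend = ldapsam:"ldap://ldap.example.invalid"
   ldap suffix = o=org
   unix password sync = no
   logon home = \\%N\%U
   map to guest = bad user

[shared]
   path = /srv/shared
   guest ok = no
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with names lower-cased and spaces collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # only a leading ';' or '#' is a comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(sections):
    """Return (severity, message) findings for the points raised in the thread."""
    g, findings = sections.get("global", {}), []
    if not is_yes(g.get("unix password sync", "no")):      # Samba default is "no"
        findings.append(("warn", "unix password sync = no: samba and unix passwords can differ"))
    if "%N" in g.get("logon home", ""):
        findings.append(("info", "logon home uses %N (NIS home server); use %L if there is no NIS"))
    if g.get("map to guest", "never").lower() != "never":  # Samba default is "Never"
        guests = [n for n, p in sections.items() if n != "global" and is_yes(p.get("guest ok", "no"))]
        if guests:
            findings.append(("warn", "unknown users are mapped to guest and can reach: " + ", ".join(guests)))
        else:
            findings.append(("info", "map to guest is set but no share has guest ok = yes; harmless until one does"))
    return findings
```

The last check is the defender's view of Rowland's remark: `map to guest = bad user` does nothing today, but it silently turns into anonymous access the moment someone sets `guest ok = yes` on a share.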