[Samba] Auth fail on Samba standalone server with LDAP backend

Rowland Penny rowlandpenny at googlemail.com
Tue Feb 17 07:34:27 MST 2015 

On 17/02/15 14:09, R. Jeremy wrote:
> Hello,
> My apologies for my bad english, this is not my birth langage and I'm still learning it.
> I'm trying to configure a Samba server to simply use LDAP backend for authenticate users. Just that, I don't care of PDC/BDC, etc.The samba schema is present in the LDAP, and in the users profile.
> The samba server have the same SID as the domain.
> I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs are good.
> The thing is that when I try this command:smbclient -d 2  //sandbox-samba.mydomain.com/MyShare  -U user.ldap
> I get this:rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE
> And on the samba server site, I have this in the logs:[2015/02/17 14:55:19.913036,  2] lib/smbldap.c:1018(smbldap_open_connection)  smbldap_open_connection: connection opened[2015/02/17 14:55:19.916244,  3] lib/smbldap.c:1240(smbldap_connect_system)  ldap_connect_system: successful connection to the LDAP server[2015/02/17 14:55:19.918237,  3] auth/auth.c:219(check_ntlm_password)  check_ntlm_password:  Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface[2015/02/17 14:55:19.918387,  3] auth/auth.c:222(check_ntlm_password)  check_ntlm_password:  mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS][2015/02/17 14:55:19.939873,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)  init_sam_from_ldap: Entry found for user: user.ldap[2015/02/17 14:55:20.025999,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)  init_group_from_ldap: Entry found for group: 1100[2015/02/17 14:55:20.029060,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)  init_gr
>   oup_from_ldap: Entry found for group: 1100[2015/02/17 14:55:20.029424,  3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)  ntlm_password_check: NO NT password stored for user user.ldap.[2015/02/17 14:55:20.029667,  3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)  ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap[2015/02/17 14:55:20.030792,  2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)  init_ldap_from_sam: Setting entry for user: user.ldap[2015/02/17 14:55:20.030989,  3] auth/auth_winbind.c:60(check_winbind_security)  check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.[2015/02/17 14:55:20.031126,  2] auth/auth.c:330(check_ntlm_password)  check_ntlm_password:  Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD[2015/02/17 14:55:20.031307,  3] smbd/error.c:81(error_packet_set)  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE[20
>   15/02/17 14:55:20.031968,  3] smbd/server_exit.c:181(exit_server_common)  Server exit (failed to receive smb request)    I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going ?Is it simply possible to just have a samba standalone which just use LDAP for authentication ?
> I got the same result with a Windows 7 client using GUI interface.
> Here is my smb.conf, if it could  help:[global]
>          workgroup = MYDOMAIN        server string = TEST Samba Server Version %v        domain logons = yes        domain master = no
>          # logs split per machine        log file = /var/log/samba/log.%m        # max 50KB per log file, then rotate        max log size = 50
>          # Audit        vfs object = full_audit        full_audit:prefix = %u|%I|%m|%S        full_audit:success = all        full_audit:failure = connect        full_audit:facility = local7        full_audit:priority = notice
>
>
>          encrypt passwords = yes        security = user        passdb backend = ldapsam:ldap://ldap.mydomain.com        ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"        ldap suffix = o=mydomain, c=com        ldap user suffix = ou=Users        ldap machine suffix = ou=Computers        ldap group suffix = ou=Groups        ldap ssl = no        ldap passwd sync = no        log level = 3
>
> 		load printers = no		printing = bsd		printcap name = /dev/null		disable spoolss = yes
>
>          [MyShare]        comment = MyShare Stuff        path = /srv/share        public = yes        writable = yes        printable = no        Thanks for any help you could give me!  Best Regards   		 	   		

Hi, your English isn't that bad, the same cannot be said for your email 
client :-)

Once I deciphered your email, it seems that you are trying to run a 
standalone server, if this is correct, why have you got this line in 
smb.conf:

  domain logons = yes

You also say that your standalone server has the same SID as the domain, 
what domain ?

There is also this:

Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE

Have you run 'smbpasswd -w PASSWORD'

Rowland

More information about the samba mailing list