[Samba] Auth fail on Samba standalone server with LDAP backend
Rowland Penny
rowlandpenny at googlemail.com
Tue Feb 17 07:34:27 MST 2015
On 17/02/15 14:09, R. Jeremy wrote:
> Hello,
> My apologies for my bad english, this is not my birth langage and I'm still learning it.
> I'm trying to configure a Samba server to simply use LDAP backend for authenticate users. Just that, I don't care of PDC/BDC, etc.The samba schema is present in the LDAP, and in the users profile.
> The samba server have the same SID as the domain.
> I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs are good.
> The thing is that when I try this command:smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap
> I get this:rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE
> And on the samba server site, I have this in the logs:[2015/02/17 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection) smbldap_open_connection: connection opened[2015/02/17 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server[2015/02/17 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface[2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS][2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: user.ldap[2015/02/17 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1100[2015/02/17 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_gr
> oup_from_ldap: Entry found for group: 1100[2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check) ntlm_password_check: NO NT password stored for user user.ldap.[2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check) ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap[2015/02/17 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam) init_ldap_from_sam: Setting entry for user: user.ldap[2015/02/17 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security) check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.[2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password) check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD[2015/02/17 14:55:20.031307, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE[20
> 15/02/17 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request) I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going ?Is it simply possible to just have a samba standalone which just use LDAP for authentication ?
> I got the same result with a Windows 7 client using GUI interface.
> Here is my smb.conf, if it could help:[global]
> workgroup = MYDOMAIN server string = TEST Samba Server Version %v domain logons = yes domain master = no
> # logs split per machine log file = /var/log/samba/log.%m # max 50KB per log file, then rotate max log size = 50
> # Audit vfs object = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = all full_audit:failure = connect full_audit:facility = local7 full_audit:priority = notice
>
>
> encrypt passwords = yes security = user passdb backend = ldapsam:ldap://ldap.mydomain.com ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com" ldap suffix = o=mydomain, c=com ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap group suffix = ou=Groups ldap ssl = no ldap passwd sync = no log level = 3
>
> load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes
>
> [MyShare] comment = MyShare Stuff path = /srv/share public = yes writable = yes printable = no Thanks for any help you could give me! Best Regards
Hi, your English isn't that bad, the same cannot be said for your email
client :-)
Once I deciphered your email, it seems that you are trying to run a
standalone server, if this is correct, why have you got this line in
smb.conf:
domain logons = yes
You also say that your standalone server has the same SID as the domain,
what domain ?
There is also this:
Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE
Have you run 'smbpasswd -w PASSWORD'
Rowland
More information about the samba
mailing list