[Samba] Auth fail on Samba standalone server with LDAP backend
Sgrunt _
sgrunt91 at hotmail.com
Tue Feb 17 08:12:06 MST 2015
This is a repost of my first mail:

Hello,

I'm trying to configure a Samba server to simply use an LDAP
backend to authenticate users. Just that, I don't care about PDC/BDC, etc.

The samba schema is present in the LDAP, and in the users'
profile.
The samba server has the same SID as the domain.
I can log in to my samba server using an LDAP account, so I think
that the NSS/PAM stuff is good.

The thing is that when I try this command:

    smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap

I get this:

    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0
    Enter user.ldap's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

And on the samba server side, I have this in the logs:

[2015/02/17 14:55:19.913036,  2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2015/02/17 14:55:19.916244,  3] lib/smbldap.c:1240(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2015/02/17 14:55:19.918237,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface
[2015/02/17 14:55:19.918387,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS]
[2015/02/17 14:55:19.939873,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: user.ldap
[2015/02/17 14:55:20.025999,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1100
[2015/02/17 14:55:20.029060,  2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1100
[2015/02/17 14:55:20.029424,  3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
  ntlm_password_check: NO NT password stored for user user.ldap.
[2015/02/17 14:55:20.029667,  3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
[2015/02/17 14:55:20.030792,  2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: user.ldap
[2015/02/17 14:55:20.030989,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
[2015/02/17 14:55:20.031126,  2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/17 14:55:20.031307,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2015/02/17 14:55:20.031968,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

I don't understand the NT_STATUS_WRONG_PASSWORD thing...
Where can I look to understand what is going on?
Is it simply possible to just have a samba standalone that
just uses LDAP for authentication?

I got the same result with a Windows 7 client using the GUI
interface.

Here is my smb.conf, if it could help:

[global]
    workgroup = MYDOMAIN
    server string = TEST Samba Server Version %v
    domain logons = yes
    domain master = no

    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50

    # Audit
    vfs object = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = all
    full_audit:failure = connect
    full_audit:facility = local7
    full_audit:priority = notice

    encrypt passwords = yes
    security = user
    passdb backend = ldapsam:ldap://ldap.mydomain.com
    ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"
    ldap suffix = o=mydomain, c=com
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = no
    ldap passwd sync = no

    log level = 3

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[MyShare]
    comment = MyShare Stuff
    path = /srv/share
    public = yes
    writable = yes
    printable = no

Thanks for any help you could give me!

Best Regards

> Date: Tue, 17 Feb 2015 15:34:13 +0100
> From: mmuehlfeld at samba.org
> To: sgrunt91 at hotmail.com; samba at lists.samba.org
> Subject: Re: [Samba] Auth fail on Samba standalone server with LDAP backend
>
> Hello Jeremy,
>
> please re-post. Your mail lost all newlines in your log snippet and
> config and whatever else was in there. It's almost unreadable without
> newlines. Or put it on a paste service like https://cpaste.org/ please.
>
> Regards,
> Marc
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
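
Added example, not part of the original thread: a small Python parser for smbd log entries like those in the post, which pairs each FAILED authentication with the ntlm_password_check messages logged just before it. The sample log is constructed from lines in the post, and the function names are this example's own.

```python
import re

# Constructed sample in smbd's log layout (taken from the lines in the post):
# a "[timestamp, level] file:line(function)" header, then indented message lines.
SAMPLE_LOG = """\
[2015/02/17 14:55:19.918237,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYGROUP]\\[user.ldap]@[CLIENT_WS] with the new password interface
[2015/02/17 14:55:20.029424,  3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
  ntlm_password_check: NO NT password stored for user user.ldap.
[2015/02/17 14:55:20.029667,  3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
[2015/02/17 14:55:20.031126,  2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$")
FAILED = re.compile(r"Authentication for user \[(?P<user>[^\]]+)\] -> \[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Join each header with its continuation lines into one entry dict."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def explain_failures(text):
    """For every FAILED authentication, collect the ntlm_password_check
    messages logged since that authentication attempt began."""
    reasons, results = [], []
    for e in parse_entries(text):
        if e["func"] == "ntlm_password_check":
            reasons.append(e["msg"].split(": ", 1)[-1])
        elif e["func"] == "check_ntlm_password":
            m = FAILED.search(e["msg"])
            if m:
                results.append({"ts": e["ts"], **m.groupdict(), "reasons": reasons})
                reasons = []
            elif "Checking password" in e["msg"]:
                reasons = []  # a new attempt starts; drop stale reasons
    return results

if __name__ == "__main__":
    for r in explain_failures(SAMPLE_LOG):
        print(r["ts"], r["user"], r["status"], "<-", "; ".join(r["reasons"]))
```

For the log in the post this surfaces "NO NT password stored" as the first reason; with the ldapsam backend the NT hash is read from the account's sambaNTPassword attribute, so that LDAP entry is the place to check.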