[Samba] Auth fail on Samba standalone server with LDAP backend

Sgrunt _ sgrunt91 at hotmail.com
Tue Feb 17 08:12:06 MST 2015

This is a repost of my first mail:



I'm trying to configure a Samba server to simply use LDAP
backend for authenticate users. Just that, I don't care of PDC/BDC, etc.

The samba schema is present in the LDAP, and in the users


The samba server have the same SID as the domain.


I can log to my samba server using LDAP account, so I think
that NSS/PAM stuffs are good.


The thing is that when I try this command:

smbclient -d 2 
-U user.ldap


I get this:

rlimit_max: increasing rlimit_max (1024) to minimum Windows
limit (16384)

added interface eth0 ip=10.X.X.19 bcast=10.X.X.255

Enter user.ldap's password:

session setup failed: NT_STATUS_LOGON_FAILURE


And on the samba server site, I have this in the logs:

[2015/02/17 14:55:19.913036, 
2] lib/smbldap.c:1018(smbldap_open_connection)

smbldap_open_connection: connection opened

[2015/02/17 14:55:19.916244, 
3] lib/smbldap.c:1240(smbldap_connect_system)

successful connection to the LDAP server

[2015/02/17 14:55:19.918237, 
3] auth/auth.c:219(check_ntlm_password)

check_ntlm_password:  Checking
password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new
password interface

[2015/02/17 14:55:19.918387, 
3] auth/auth.c:222(check_ntlm_password)

check_ntlm_password:  mapped user
is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS]

[2015/02/17 14:55:19.939873, 
2] passdb/pdb_ldap.c:553(init_sam_from_ldap)

Entry found for user: user.ldap

[2015/02/17 14:55:20.025999, 
2] passdb/pdb_ldap.c:2427(init_group_from_ldap)

init_group_from_ldap: Entry found for group: 1100

[2015/02/17 14:55:20.029060, 
2] passdb/pdb_ldap.c:2427(init_group_from_ldap)

init_group_from_ldap: Entry found for group: 1100

[2015/02/17 14:55:20.029424, 
3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)

NO NT password stored for user user.ldap.

[2015/02/17 14:55:20.029667, 
3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)

Lanman passwords NOT PERMITTED for user user.ldap

[2015/02/17 14:55:20.030792, 
2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)

Setting entry for user: user.ldap

[2015/02/17 14:55:20.030989, 
3] auth/auth_winbind.c:60(check_winbind_security)

check_winbind_security: Not using winbind, requested domain [MYDOMAIN]
was for this SAM.

[2015/02/17 14:55:20.031126, 
2] auth/auth.c:330(check_ntlm_password)

Authentication for user [user.ldap] -> [user.ldap] FAILED with error

[2015/02/17 14:55:20.031307, 
3] smbd/error.c:81(error_packet_set)

  error packet at
smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

[2015/02/17 14:55:20.031968, 
3] smbd/server_exit.c:181(exit_server_common)

  Server exit (failed
to receive smb request)



I don't understand the NT_STATUS_WRONG_PASSWORD thing...
Where can I look to understand what is going ?

Is it simply possible to just have a samba standalone which
just use LDAP for authentication ?


I got the same result with a Windows 7 client using GUI


Here is my smb.conf, if it could  help:



        workgroup =

        server string
= TEST Samba Server Version %v

        domain logons
= yes

        domain master
= no


        # logs split
per machine

        log file =

        # max 50KB per
log file, then rotate

        max log size =


        # Audit

        vfs object =

full_audit:prefix = %u|%I|%m|%S

full_audit:success = all

full_audit:failure = connect

full_audit:facility = local7

full_audit:priority = notice




passwords = yes

        security =

        passdb backend
= ldapsam:ldap://ldap.mydomain.com

        ldap admin dn
= "uid=administrator,ou=Users,o=mydomain,c=com"

        ldap suffix =
o=mydomain, c=com

        ldap user
suffix = ou=Users

        ldap machine
suffix = ou=Computers

        ldap group
suffix = ou=Groups

        ldap ssl = no

        ldap passwd
sync = no

        log level = 3



printers = no

= bsd

name = /dev/null

spoolss = yes




        comment =
MyShare Stuff

        path =

        public = yes

        writable = yes

        printable =



  Thanks for any help
you could give me!

  Best Regards


> Date: Tue, 17 Feb 2015 15:34:13 +0100
> From: mmuehlfeld at samba.org
> To: sgrunt91 at hotmail.com; samba at lists.samba.org
> Subject: Re: [Samba] Auth fail on Samba standalone server with LDAP backend
> Hello Jeremy,
> please re-post. Your mail lost all newlines in your log snippet and
> config and what ever else was in there. Its almost unreadable without
> newlines. Or put it on a paste service like https://cpaste.org/ please.
> Regards,
> Marc
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list