Samba on HP-UX 11i, MC ServiceGuard, Network aliases, LDAP issue - Samba does not seem to see lmPassword or ntPassword for *some* accounts.
ulairi
ulairi at ulairi.org
Mon Sep 22 16:16:15 GMT 2003
Figured it out - you were right, but with a twist (HP-UX, grin).
We use LDAP-UX at the backend, and it seems that unless LDAP-UX finds a
host: <localhostname> attribute in the user's object, the getpwnam()
function call will return a null. Since LDAP-UX is based on PADL
software, there should be a way to override that (I hope) - but that is
for a different list. :)
On Fri, 2003-09-12 at 11:47, Don McCall wrote:
> the failure you are seeing comes when samba is using getpwnam() with
> the username; this should work with ldap, but it's going to be getting
> THIS information NOT from the 'sambaAccount' object, but from the
> posix account object, the one that has the uid and gid, etc for the
> user. Look at ALL attributes for the broken and working user, and I
> think you will find that on the broken one, you may ONLY have the
> sambaAccount object, which won't be sufficient.
> I think.
> I haven't played with the ldap stuff enough to be sure.
> Don
>
> ulairi <ulairi at ulairi.org> wrote:
> Hi all. Trying to troubleshoot an odd problem.
>
> OS: HP-UX 11i
> Samba: 2.2.8a with --ldap-sam, linked against an OpenLDAP SDK.
>
> Issue: *some* people cannot login - error is:
> NT_STATUS_LOGON_FAILURE
>
> Both a working account and a "broken" account have ObjectClass:
> sambaAccount and both objects have lmPassword and ntPassword attributes
> set. Here's the debug dump snippet from a 'broken' account login
> attempt:
> (XXXXXXXXXXXX's represent information I do not feel like sharing at the
> moment) :)
>
> ldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server as
> "XXXXXXXXXXXXXXXXXXXXXXX"
> ldap_connect_system: succesful connection to the LDAP server
> ldap_search_one_user: searching
> for:[(&(uid=atellez)(objectclass=sambaAccount))]
> get_single_attribute: [uid] = [atellez]
> Entry found for user: atellez
> get_single_attribute: [pwdLastSet] = [1063319146]
> get_single_attribute: [logonTime] = []
> get_single_attribute: [logoffTime] = []
> get_single_attribute: [kickoffTime] = []
> get_single_attribute: [pwdCanChange] = []
> get_single_attribute: [pwdMustChange] = []
> get_single_attribute: [cn] = [Armando Tellez]
> get_single_attribute: [homeDrive] = []
> get_single_attribute: [smbHome] = []
> get_single_attribute: [scriptPath] = []
> get_single_attribute: [profilePath] = []
> get_single_attribute: [description] = []
> get_single_attribute: [userWorkstations] = []
> get_single_attribute: [rid] = [100416]
> get_single_attribute: [primaryGroupID] = []
> init_sam_from_ldap: User [atellez] does not ave a uid!
> pass_check_smb failed - invalid password for user [atellez]
> NT Password did not match for user 'atellez'!
> Defaulting to Lanman password for atellez
> ldap_open_connection: connection opened
> ldap_connect_system: Binding to ldap server as
> "XXXXXXXXXXXXXXXXXXXXXXX"
> ldap_connect_system: succesful connection to the LDAP server
> ldap_search_one_user: searching
> for:[(&(uid=atellez)(objectclass=sambaAccount))]
> get_single_attribute: [uid] = [atellez]
> Entry found for user: atellez
> get_single_attribute: [pwdLastSet] = [1063319146]
> get_single_attribute: [logonTime] = []
> get_single_attribute: [logoffTime] = []
> get_single_attribute: [kickoffTime] = []
> get_single_attribute: [pwdCanChange] = []
> get_single_attribute: [pwdMustChange] = []
> get_single_attribute: [cn] = [Armando Tellez]
> get_single_attribute: [homeDrive] = []
> get_single_attribute: [smbHome] = []
> get_single_attribute: [scriptPath] = []
> get_single_attribute: [profilePath] = []
> get_single_attribute: [description] = []
> get_single_attribute: [userWorkstations] = []
> get_single_attribute: [rid] = [100416]
> get_single_attribute: [primaryGroupID] = []
> init_sam_from_ldap: User [atellez] does not ave a uid!
> pass_check_smb failed - invalid password for user [atellez]
> Rejecting user 'atellez': authentication failed
> error packet at smbd/reply.c(1025) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
>
>
> Here's the same snippet for an account which works:
>
> ldap_connect_system: succesful connection to the LDAP server
> ldap_search_one_user: searching
> for:[(&(uid=ulairi)(objectclass=sambaAccount))]
> get_single_attribute: [uid] = [ulairi]
> Entry found for user: ulairi
> get_single_attribute: [pwdLastSet] = [1062707545]
> get_single_attribute: [logonTime] = [0]
> get_single_attribute: [logoffTime] = [2147483647]
> get_single_attribute: [kickoffTime] = [2147483647]
> get_single_attribute: [pwdCanChange] = [0]
> get_single_attribute: [pwdMustChange] = [2147483647]
> get_single_attribute: [cn] = [Me]
> get_single_attribute: [homeDrive] = []
> get_single_attribute: [smbHome] = [\\%N\]
> get_single_attribute: [scriptPath] = []
> get_single_attribute: [profilePath] = [\\%N\\profile]
> get_single_attribute: [description] = [Ulairi's account.
> Whatcha want?]
> get_single_attribute: [userWorkstations] = []
> get_single_attribute: [rid] = [161010]
> get_single_attribute: [primaryGroupID] = [11007]
> get_single_attribute: [lmPassword] =
> [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
> get_single_attribute: [ntPassword] =
> [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
> get_single_attribute: [acctFlags] = [[UX ]]
> adding home directory ulairi at /home/users0/ccs/ulairi
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> get_current_groups: user is in 8 groups: 5003, 59000, 301,
> 5250, 1003,
> 59005, 10058, 5033
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> get_current_groups: user is in 8 groups: 5003, 59000, 301,
> 5250, 1003,
> 59005, 10058, 5033
> uid 161010 registered to name ulairi
> Clearing default real name
>
>
> TCPDump shows that in both cases the lmPassword and ntPassword
> attributes actually make it onto the box's NIC and up the stack, but in
> the first instance (the 'broken account', the debug output does not show
> those).
>
> What would cause this behavior - samba, for all intents and purposes,
> ignoring the lmPassword and ntPassword LDAP attributes for one uid but
> not for another? I've tried debug levels all the way up to 20, but
> cannot seem to determine what causes this (quite possibly because I have
> no clue what I'm looking for).
>
> Help, pointers to RTFM with hints as to for what to look are all
> appreciated.
>
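
A log triage sketch for the failure pattern in this thread, added here as an example and not code from the posters or the Samba project: it flags users whose sambaAccount entry was found but whose lookup hit the "does not ave a uid" message without lmPassword/ntPassword ever being read. The sample log and user names are constructed, the function name `triage` and its verdict strings are hypothetical, and it assumes an smbd debug log whose lines are not wrapped by a mail client.

```python
import re

# Constructed sample modelled on the smbd debug lines quoted in this thread
# (user names are made up; hashes are redacted as in the original post).
SAMPLE_LOG = """\
ldap_search_one_user: searching for:[(&(uid=alice)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [alice]
get_single_attribute: [rid] = [100416]
init_sam_from_ldap: User [alice] does not ave a uid!
pass_check_smb failed - invalid password for user [alice]
ldap_search_one_user: searching for:[(&(uid=bob)(objectclass=sambaAccount))]
get_single_attribute: [uid] = [bob]
get_single_attribute: [rid] = [161010]
get_single_attribute: [lmPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
get_single_attribute: [ntPassword] = [XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX]
uid 161010 registered to name bob
"""

SEARCH = re.compile(r"ldap_search_one_user: searching for:\[\(&\(uid=([^)]+)\)")
ATTR = re.compile(r"get_single_attribute: \[(\w+)\] = \[(.*)\]$")
# The message is spelled "ave" in the log quoted on this page; accept both.
NO_UID = re.compile(r"init_sam_from_ldap: User \[([^\]]+)\] does not h?ave a uid")

def triage(log_text):
    """Return {user: verdict} for every LDAP SAM lookup seen in the log."""
    users, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        m = SEARCH.search(line)
        if m:  # a new lookup starts; repeated lookups for a user are merged
            current = users.setdefault(m.group(1), {"attrs": set(), "no_uid": False})
            continue
        if current is None:
            continue
        m = ATTR.search(line)
        if m:
            current["attrs"].add(m.group(1))
        elif NO_UID.search(line):
            current["no_uid"] = True
    verdicts = {}
    for name, state in users.items():
        hashes_read = {"lmPassword", "ntPassword"} <= state["attrs"]
        if state["no_uid"] and not hashes_read:
            # LDAP entry exists, but no Unix uid was resolved for the name
            verdicts[name] = "unix-lookup-failed"
        else:
            verdicts[name] = "hashes-read" if hashes_read else "incomplete"
    return verdicts

print(triage(SAMPLE_LOG))
```

Accounts reported as `unix-lookup-failed` are the ones to check on the name-service side (posix account attributes, and on LDAP-UX the host attribute described in the reply) rather than in the sambaAccount password attributes.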