Joost van der Locht
2004-Mar-13 18:04 UTC
[Samba] Weird: Samba 3.0.2a (PDC) and OpenLDAP = Windows can't logon to PDC
Hello,

I have a weird problem. I have installed on a Fedora Core 1 server the following:
Samba 3.0.2a
Openldap 2.1.22
Smbldaptools 0.8.4

Everything works for this setup until I try to logon to the domain from a Windows XP Pro workstation.

I can:
- join the domain
- create users with the smbldap tools
- Logon to Linux locally
- use smbclient tools
- Access shares from my Windows XP (when logged on locally)
- See my personal home directory, mapped to a personal share

I Can't
- Logon to the domain.

When I try to do that Windows gives the error:
The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case.

I tried it with a non-ldap setup and then it seemed to work.

Now with ldap it doesn't.
As far as I could monitor the log files I see a SUCCEED coming up when it checks the ldap directory. But still no luck logging in.

What is wrong? I followed every instruction I could find online regarding ldap...

Greetings
Joost
Craig White
2004-Mar-14 02:03 UTC
[Samba] Weird: Samba 3.0.2a (PDC) and OpenLDAP = Windows can't logon to PDC
On Sat, 2004-03-13 at 11:04, Joost van der Locht wrote:
> Hello
>
> I have a weird problem. I have installed on a Fedora Core 1 server the
> following:
> Samba 3.0.2a
> Openldap 2.1.22
> Smbldaptools 0.8.4
>
> Everything works for this setup until I try to logon to the domain from
> a Windows XP Pro workstation.
>
> I can:
> - join the domain
> - create users with the smbldap tools
> - Logon to Linux locally
> - use smbclient tools
> - Access shares from my Windows XP (when logged on locally)
> - See my personal home directory, mapped to a personal share
>
> I Can't
> - Logon to the domain.
>
> When I try to do that Windows gives the error:
> The system could not log you on. Make sure your User name and domain are
> correct, then type your password again. Letters in passwords must be
> typed using the correct case.
>
> I tried it with a non-ldap setup and then it seemed to work.
>
> Now with ldap it doesn't.
> As far as I could monitor the log files I see a SUCCEED coming up when
> it checks the ldap directory. But still no luck logging in.
>
> What is wrong? I followed every instruction I could find online
> regarding ldap...
----
Not enough info to be certain, but usually when users post this problem, their problem is either failure to access ldap with the rootdn as specified in smb.conf (you must smbpasswd -w PASSWD_FOR_ROOTDN_AS_SPECIFIED_IN_SMB.CONF) or the SIDs don't match up.
net getlocalsid
ldapsearch -x -h localhost -D 'rootdn_in_full' -W '(sambaDomainName=*)'|grep sambaSID
# the sambaSID for the domain needs to match the above
ldapsearch -x -h localhost -D 'rootdn_in_full' -W '(uid=*)'|grep SID
# for users, the sambaSID and the sambaPrimaryGroupSID need to match as well (up to the RID)
ldapsearch -x -h localhost -D 'rootdn_in_full' -W '(cn=*)'|grep SID
# for groups, the sambaSID (up to the RID) needs to match too

To be certain, the logs - typically /var/log/samba/smbd.log and /var/log/samba/log.ip_address_of_machine_failing_to_log_in - should tell you what is breaking.

Craig
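Craig's SID comparison turned into a script, as an added example (this is not code from the thread): it takes the domain SID printed by 'net getlocalsid' and the LDIF produced by the ldapsearch commands above, and reports every sambaSID or sambaPrimaryGroupSID whose prefix (everything before the RID) differs from the domain SID. The directory entries embedded below are constructed sample data, not from Joost's server.

```shell
#!/bin/sh
# Added example, not code from this thread. Checks that every sambaSID and
# sambaPrimaryGroupSID in an ldapsearch dump belongs to the domain SID printed
# by `net getlocalsid`, i.e. equals it once the trailing RID is removed.
# Assumes plain LDIF (no folded or base64 ":: " attribute lines).

# Usage: ldapsearch -x -LLL -h localhost -D 'rootdn_in_full' -W \
#          '(|(sambaDomainName=*)(uid=*)(cn=*))' sambaSID sambaPrimaryGroupSID \
#        | check_sids S-1-5-21-DOMAIN-SID-HERE
# Prints one line per mismatching attribute; exit 0 if all match, 1 otherwise.
check_sids() {
    awk -v dom="$1" '
        /^dn: / { dn = substr($0, 5) }
        /^(sambaSID|sambaPrimaryGroupSID): / {
            attr = $1; sub(/:$/, "", attr)
            sid = $2
            # The domain object carries the bare domain SID; users and groups
            # carry domainSID-RID, so strip one trailing component and compare.
            prefix = sid; sub(/-[0-9]+$/, "", prefix)
            if (sid != dom && prefix != dom) {
                printf "MISMATCH %s %s=%s (expected prefix %s)\n", dn, attr, sid, dom
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample standing in for a live directory: the group was created
# under a different domain SID, the second of the two causes named above.
SAMPLE_LDIF='dn: sambaDomainName=EXAMPLE,dc=example,dc=com
sambaSID: S-1-5-21-111-222-333

dn: uid=joost,ou=Users,dc=example,dc=com
sambaSID: S-1-5-21-111-222-333-3000
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-21-999-888-777-513
'

# Demo run against the constructed sample.
if printf '%s' "$SAMPLE_LDIF" | check_sids "S-1-5-21-111-222-333"; then
    echo "all SIDs belong to the domain"
else
    echo "repair the entries listed above, then retry the domain logon"
fi
```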