John H.
2004-Mar-15 22:17 UTC
[Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?
Ok, I had ldap with samba working perfectly a few weeks ago. However, I had no
root account, since I was told not to have a root account on ldap server, so
someone recommended I do this in smb.conf...

    passdb backend = smbpasswd

adding root user to samba with smbpasswd -a

then changing smb.conf to this

    passdb backend = ldapsam:ldap://127.0.0.1 smbpasswd

so it could use both, right?

So a while later I let fedora up2date upgrade samba 3.0.0 rpms to 3.0.2.
Everything seemed to work fine afterward.

I looked in smbpasswd today, and I noticed all the ldap accounts, including the
machine accounts, are in there, as well as the root account. I thought this odd,
so I removed smbpasswd from the aforementioned line, and oddly enough, none of
the ldap accounts could use samba anymore, getting nt_login_failure or whatever!

However, in a command line, I can still id username and it shows their username,
through ldap, and I can log in to unix with them (ssh and everything), but samba
no longer recognizes them. Can someone tell me what I did wrong, or if this is
a bug or something? Below I paste relevant parts of smb.conf
[global]
workgroup = DOMAINNAME
netbios name = NETBIOSNAME
netbios aliases = INTRANET
logon script = logon.cmd
logon home =
#\\homeserver\%u\winprofile
logon path =
domain logons = Yes
os level = 64
preferred master = Yes
encrypt passwords = Yes
domain master = Yes
wins support = Yes
encrypt passwords = Yes
update encrypted = Yes
auth methods = sam guest
security = USER
#ldap
passdb backend = ldapsam:ldap://127.0.0.1 smbpasswd
ldap suffix = dc=INTRANET
ldap machine suffix = ou=People
ldap passwd sync = yes
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = "cn=Manager,dc=INTRANET"
ldap ssl = no
idmap backend = ldapsam:ldapsam://127.0.0.1
passwd chat debug = Yes
passwd program =/usr/local/sbin/smbldap-passwd -o %u
passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add machine script = /usr/local/sbin/smbldap-useradd -w %m
add user script = /usr/local/sbin/smbldap-useradd -a -n -m %u
delete user script = /usr/local/sbin/smbldap-userdel %u
add group script = /usr/local/sbin/smbldap-groupadd %g
delete group script = /usr/local/sbin/smbldap-groupdel %g
add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod -G %g %u
John H.
2004-Mar-15 22:47 UTC
[Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?
k, it seems only certain accounts do work on samba with ldap, others do not.

the first one does not, the second one does.
any ideas?
<?php
# safety, People, INTRANET
dn: uid=safety,ou=People,dc=INTRANET
shadowLastChange: 12418
shadowMax: 99999
shadowWarning: 7
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2000
sambaPwdCanChange: 1075750753
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1075750753
sambaNTPassword: B34EY5E59X50620EACZ9FF5B4C3C359A
gecos: Mikey
sambaLMPassword: D2B5A9E561CABAB5AAD3B435B51404EE
loginShell: /bin/bash
uid: safety
uidNumber: 500
gidNumber: 504
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: phpgwAccount
objectClass: sambaSamAccount
homeDirectory: /home/safety
cn: user pass
userPassword:: e1NNRDV2V9VqNVEwYxh2anZUcTAra2pqYWVzSjg3RWI0PQ=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

WORKING
dn: uid=david,ou=People,dc=INTRANET
shadowLastChange: 12418
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2002
sambaPrimaryGroupSID: S-1-5-21-4070452498-3149834983-2923667569-1201
displayName: David
sambaPwdCanChange: 1075763078
sambaPwdLastSet: 1075763078
sambaAcctFlags: [U ]
sambaPwdMustChange: 2147483647
homeDirectory: /home/david
sambaLMPassword: F3289011E7FBB7D1AAD3B435B51404EE
uidNumber: 501
loginShell: /bin/bash
cn: David
uid: david
gidNumber: 100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: phpgwAccount
gecos: David
sambaNTPassword: 22GFDXE1C98968F33C19F452A46875A3
userPassword:: e2NxeXB0zTZScTMwbGFhdlBxZS4

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
?>
Craig White
2004-Mar-16 02:37 UTC
[Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?
No sambaPrimaryGroupSID on first one (non-working) - next issue? You
have taken some marginal advice.

Craig
John H.
2004-Mar-16 03:33 UTC
[Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?
But the following account has the same problem, they cannot log in either, yet
look at their ldap entry...
dn: uid=mkt1,ou=People,dc=INTRANET
shadowLastChange: 12418
sambaSID: S-1-5-21-4070452498-3149834983-2923667569-2010
sambaPrimaryGroupSID: S-1-5-21-4070452498-3149834983-2923667569-1201
displayName: display name
sambaPwdCanChange: 1075505065
sambaPwdLastSet: 1075505065
sambaAcctFlags: [U ]
sambaNTPassword: E886B7AADD4D342F9F2AFA2C8A06E901
gecos: Larry Fannaly
sambaLMPassword: FEDE57F19EE96EDEAAD4B435B51404EE
loginShell: /bin/bash
uid: mkt1
uidNumber: 505
gidNumber: 100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: phpgwAccount
objectClass: sambaSamAccount
homeDirectory: /home/mkt1
cn: first last
sambaPwdMustChange: 2147483647
userPassword:: e1NNRDV9dVzSZnl4UlZrYnRSampvOEtqZ3FXeFhJOHE4PQ=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
John H.
2004-Mar-16 03:38 UTC
[Samba] ldap auth no longer works with upgrade from 3.0-3.0.2?
Ah, the problem was the users still had the phpgw object, despite me
uninstalling phpgw/egw. I removed the object from the user, and it works fine.
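A way to check ldapsearch output for the two differences raised in this thread (a missing sambaPrimaryGroupSID and a leftover phpgwAccount object class), added here as an example and not part of any post above. The expected-class list, the required-attribute list, the function names and the sample entries are assumptions made for the illustration.

```python
# Assumed policy for this example; it is not a rule taken from Samba itself.
EXPECTED = {"top", "account", "posixAccount", "shadowAccount", "sambaSamAccount"}
REQUIRED = ("sambaSID", "sambaPrimaryGroupSID")
# Constructed sample in ldapsearch output form (not entries from the thread).
SAMPLE = """\
dn: uid=alice,ou=People,dc=example
objectClass: posixAccount
objectClass: phpgwAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-2000

dn: uid=bob,ou=People,dc=example
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-2002
sambaPrimaryGroupSID: S-1-5-21-1-2-3-1201

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Split ldapsearch output into {attr: [values]} dicts, one per dn."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue  # ldapsearch comment lines
        if not line.strip():
            if "dn" in cur:  # skips the trailing search/result block
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]  # folded continuation line
        else:
            last, _, value = line.partition(":")
            cur.setdefault(last, []).append(value.lstrip(":").strip())
    return entries

def audit(text):
    """Map each Samba account dn to its findings (empty list = none)."""
    report = {}
    for e in parse_ldif(text):
        classes = set(e.get("objectClass", []))
        if "sambaSamAccount" in classes:
            found = [f"unexpected objectClass {c}" for c in sorted(classes - EXPECTED)]
            found += [f"missing {a}" for a in REQUIRED if a not in e]
            report[e["dn"][0]] = found
    return report
```

Values after a double colon (base64, as in userPassword) are kept undecoded, since only attribute presence and object classes are inspected.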