Hi,

I'm configuring samba-3.0.2a-Debian. I have it configured with LDAP. Samba declines access for a W98 client when using user authentication (NT domain), and the following entries get into /var/log/smb/machine.log:

--------------------------------------------------------------------
[2004/05/07 13:46:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X(772)
  Domain=[WORKGROUP] NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0] PrimaryDomain=[null]
[2004/05/07 13:46:07, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/05/07 13:46:07, 3] smbd/sesssetup.c:reply_sesssetup_and_X(787)
  sesssetupX:name=[WORKGROUP]\[LENEC]@[protel]
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[LENEC]@[protel] with the new password interface
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [MORIA]\[LENEC]@[protel]
.....
[2004/05/07 13:46:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: lenec
.....
[2004/05/07 13:46:07, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(235)
  fetch sid from gid cache 513 -> S-1-5-21-3658755377-320826499-3197562212-2027
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [LENEC] succeeded
[2004/05/07 13:46:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/05/07 13:46:07, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/05/07 13:46:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/05/07 13:46:07, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: lenec
[2004/05/07 13:46:07, 2] auth/pampass.c:smb_pam_error_handler(73)
  smb_pam_error_handler: PAM: Account Check Failed : Authentication service cannot retrieve authentication info.
[2004/05/07 13:46:07, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User lenec!
[2004/05/07 13:46:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(295)
  check_ntlm_password: PAM Account for user [lenec] FAILED with error NT_STATUS_LOGON_FAILURE
[2004/05/07 13:46:07, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [LENEC] -> [LENEC] FAILED with error NT_STATUS_LOGON_FAILURE
------------------------------------------------------------------------

What looks strange is that initially there is a success with check_ntlm_password(), but subsequently the process fails.... attempting a sort of 'second stage authentication'? Why?

There is a certain tweak to my configuration. This server will provide authentication/file/printing services for a wider audience, but will allow local /bin/sh access only to local admins. I try to achieve this using the following nsswitch configuration:

---------------------------------------
passwd: compat ldap
shadow: compat
---------------------------------------

(Note the missing ldap in the shadow configuration above.)

So:

model$ getent passwd lenec
lenec:x:1081:513:User Lenec:/root:/bin/false

is quite correct (the entry comes from LDAP), while:

model# passwd lenec
passwd: Authentication service cannot retrieve authentication info.

fails as expected (/etc/shadow does not contain it).

Does anyone have any idea why w98 in such a situation does not get access granted? I don't have any other client (apart from local smbclient) to test the setup on.

Or maybe my attempt to have ldap serve passwd and NOT serve shadow is inappropriate and there is a simpler and *working* other setup to achieve the same target?

Thanks,

-R
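
The log in the post records two separate stages: check_ntlm_password reports that SAM authentication succeeded, and the PAM account check then rejects the user with the same message that `passwd` prints. The following is an added example (not part of the original post and not Samba code) that tells the two kinds of rejection apart in a log of this shape; the function names and the `bob` entry are constructed for illustration.

```python
import re

# Constructed sample: entries taken from the log in the post, in a
# header-plus-indented-message layout; the "bob" entry is invented for contrast.
SAMPLE_LOG = """\
[2004/05/07 13:46:07, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [LENEC] succeeded
[2004/05/07 13:46:07, 0] auth/pampass.c:smb_pam_account(573)
  smb_pam_account: PAM: UNKNOWN PAM ERROR (9) during Account Management for User: lenec
[2004/05/07 13:46:07, 0] auth/pampass.c:smb_pam_accountcheck(781)
  smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User lenec!
[2004/05/07 13:46:07, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [LENEC] -> [LENEC] FAILED with error NT_STATUS_LOGON_FAILURE
[2004/05/07 13:47:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"\[\d{4}/\d\d/\d\d [\d:]+,\s*\d+\]\s+\S+:\w+\(\d+\)")
SAM_OK = re.compile(r"sam authentication for user \[([^\]]+)\] succeeded")
PAM_ACCT = re.compile(r"PAM ERROR \((\d+)\) during Account Management for User: (\S+)")
FAILED = re.compile(r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (\w+)")

def entries(text):
    """Yield one message per entry; splitting on headers also handles flattened logs."""
    for chunk in HEADER.split(text)[1:]:
        yield " ".join(chunk.split())

def classify(text):
    """Map each user to the stage that rejected them: PAM account check or password."""
    seen = {}
    for msg in entries(text):
        if m := SAM_OK.search(msg):
            seen.setdefault(m[1].lower(), {})["sam_ok"] = True
        elif m := PAM_ACCT.search(msg):
            seen.setdefault(m[2].lower(), {})["pam_error"] = int(m[1])
        elif m := FAILED.search(msg):
            seen.setdefault(m[1].lower(), {})["status"] = m[2]
    verdicts = {}
    for user, s in seen.items():
        if s.get("sam_ok") and "pam_error" in s:
            verdicts[user] = ("pam_account", s["pam_error"])  # password was accepted
        elif "status" in s:
            verdicts[user] = ("password", s["status"])
    return verdicts

if __name__ == "__main__":
    for user, verdict in classify(SAMPLE_LOG).items():
        print(user, verdict)
```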