Hi folks,

We are using Samba 3.0.10 and are using OpenLDAP to manage users. We
are also using PAM to track the users on the computer.

The problem that we are having is when Samba has the "encrypt
passwords" option enabled, we receive a "session setup failed:
NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
the login is successful.

When we left work Friday we thought that there was a different
encryption method being used between Samba and LDAP. However, that
doesn't seem to be the case now, but we are not certain of that.

We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing function.

This is the setup of our smb.conf global section:
[global]
ldap ssl = no
name resolve order = wins lmhosts hosts bcast
passwd chat = *new*password %n\n *new*password %n\n *successfully*
idmap gid = 16777216-33554431
passwd program = /usr/local/sbin/smbldap-passwd -o %u
allow hosts = 192.168.5.0/24 192.168.10.0/24 192.168.14.0/24 127.0.0.0/8
dns proxy = no
netbios name = *
idmap uid = 16777216-33554431
local master = yes
workgroup = *
os level = 65
security = user
max log size = 50
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#Make sure that passwords are not empty, & do not encrypt until we
#figure out what is going on with the encryption
null passwords = no
encrypt passwords = yes
#encrypt passwords = no
#SET TO update unix passwd
unix password sync = yes
update encrypted = yes
#Set as master Samba server
domain master = yes
winbind use default domain = no
passdb backend = ldapsam:ldap://127.0.0.1/
template shell = /bin/false
wins support = yes
server string = * Samba Server
ldap admin dn = "cn=Manager,dc=*,dc=*"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
path = /home
ldap suffix = dc=*,dc=*
add user script = /usr/local/sbin/smbldap-useradd -w %u
valid users = @"Domain Admins",@"Domain Users"
preferred master = yes
domain logons = yes
logon script = STARTUP.BAT
logon path = \\%N\Profiles\%U
#ldap passwd sync = only
smb passwd file = /etc/samba/smbpasswd
Andy Kesterson wrote:
> The problem that we are having is when Samba has the "encrypt
> passwords" option enabled, we receive a "session setup failed:
> NT_STATUS_LOGON_FAILURE" message. When "encrypt passwords" is disabled
> the login is successful.
...
> We have set up Samba, OpenLDAP, and PAM to use MD5 as their hashing function.

When "encrypt passwords" is disabled, and the client is appropriately configured, the client will establish a session by sending its username and password, both in plain text. With the plain text password from the client, the server can use PAM to authenticate the user.

However, if you don't want to reconfigure all of your Windows desktops, and you don't want your passwords sent across the network in plain text for each connection, you should have "encrypt passwords" turned on. In this configuration, the client and server engage in a challenge-response conversation to authenticate the users. To do that, the server needs to have the plain-text equivalent of the user's password.

If you had a smbpasswd file before converting to LDAP, you can use that to get the values that you need. If not, then you'll need all of your users to set their password. However you choose to solve that problem, you need to make sure that in addition to the "userPassword" attribute, each user has a "sambaLMPassword" and a "sambaNTPassword" attribute. The values for those two attributes can be formed using the "mkntpwd" program, if you want to script the password changes.

Be careful to configure your LDAP server such that users can not read the sambaLMPassword and sambaNTPassword attributes from the server. Those values are plain-text equivalents, and could be used to log in as the user to whom they belong.
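The following is an added example illustrating the reply above; it is not code from this thread, from Samba or from OpenLDAP. It shows what a sambaNTPassword value actually is (an unsalted MD4 over the UTF-16LE password, which is why the reply calls it a plain-text equivalent), how to spot an LDAP account that only carries userPassword and will therefore fail under "encrypt passwords = yes", how to emit an LDIF record that adds the NT hash, and the shape of the slapd.conf access rule that keeps the hash attributes unreadable. MD4 is implemented inline from RFC 1320 so the script runs without OpenSSL's legacy provider. The user entry, the DN "uid=jdoe,ou=Users,dc=example,dc=com", the admin DN "cn=Manager,dc=example,dc=com" and the sample password are constructed placeholders (the thread redacts its own DNs); sambaLMPassword is deliberately not computed here because it needs DES, and the mkntpwd tool named in the reply produces both values.

```python
"""Why Samba's LDAP backend needs sambaNTPassword, and why it must be protected.

Added example for the mailing-list reply; not code from the thread, Samba or
OpenLDAP. DNs, the sample entry and the password are constructed placeholders.
"""
import struct

MASK32 = 0xFFFFFFFF
SAMBA_HASH_ATTRS = ("sambaLMPassword", "sambaNTPassword")


def _rol(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest as specified in RFC 1320 (no salt, no key)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian u64.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = [a, b, c, d]
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # register updated this step cycles a, d, c, b
                u, v, w = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = _rol((r[t] + func(u, v, w) + x[k] + const) & MASK32, shifts[i % 4])
        a, b, c, d = ((old + new) & MASK32 for old, new in zip((a, b, c, d), r))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """The sambaNTPassword value: MD4 over the UTF-16LE password, upper-case hex.

    Nothing is salted or keyed, so whoever holds this value can complete the
    NTLM challenge-response exactly as the password holder would. That is what
    the reply means by "plain-text equivalent", and why read access matters.
    """
    return md4(password.encode("utf-16le")).hex().upper()


def missing_samba_hashes(entry: dict) -> list:
    """Return which Samba hash attributes an LDAP entry lacks.

    `entry` maps attribute name -> list of values, as an LDAP search result
    would; names are compared case-insensitively. An account that has only
    userPassword is exactly the kind that PAM can verify in plain-text mode but
    that fails with NT_STATUS_LOGON_FAILURE once "encrypt passwords = yes".
    """
    present = {name.lower() for name, values in entry.items() if values}
    return [attr for attr in SAMBA_HASH_ATTRS if attr.lower() not in present]


def samba_password_ldif(dn: str, password: str) -> str:
    """LDIF 'modify' record that stores the NT hash for one account.

    Only sambaNTPassword is produced; sambaLMPassword is a DES-based hash of the
    upper-cased, 14-byte-padded password and is left to mkntpwd/smbldap-passwd.
    The entry must carry the sambaSamAccount objectClass for these attributes.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: sambaNTPassword",
        f"sambaNTPassword: {nt_hash(password)}",
        "",
    ])


# slapd.conf rule of the kind the reply asks for (illustrative; the admin DN is a
# placeholder). Samba writes the hashes via its "ldap admin dn"; everyone else,
# including the user, gets no access, so the values cannot be read out. slapd uses
# the first "access to" directive that matches, so keep this above broader rules.
SLAPD_HASH_ACL = (
    "access to attrs=sambaLMPassword,sambaNTPassword\n"
    '    by dn="cn=Manager,dc=example,dc=com" write\n'
    "    by * none\n"
)


if __name__ == "__main__":
    # Constructed sample: a user migrated to LDAP with only a userPassword.
    sample_entry = {"uid": ["jdoe"], "userPassword": ["{MD5}X03MO1qnZdYdgyfeuILPmQ=="]}
    print("missing:", missing_samba_hashes(sample_entry))
    print(samba_password_ldif("uid=jdoe,ou=Users,dc=example,dc=com", "password"))
    print(SLAPD_HASH_ACL)
```

Running the script reports that the constructed entry lacks both sambaLMPassword and sambaNTPassword, then prints the LDIF that adds the NT hash; feeding such records to ldapmodify as the admin DN (or letting smbldap-passwd do it) is what turns a userPassword-only directory into one the challenge-response path can use.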