Gordon Pritchard
2003-May-13 21:10 UTC
[Samba] 3.0alpha23 not authenticating with LDAP (RedHat 9) - Help needed!
Hi!

I am trying to migrate to a new server, with a shiny-new installation of RedHat 9. I have downloaded the 3.0alpha23 rpm intended for RedHat 8.0... I am also using the stock RedHat 9 version of OpenLDAP. By itself, LDAP is working fine: this is how I log onto my Linux boxes. I am including one sample user (me) below, which I extracted using "ldapsearch -x". Great - this is 1/2 of what I am trying to reproduce (from my prior server)!

====

Now for the Samba bit: I take it for a test-drive, firstly by using 'testparm'. Everything looks great; initially I got a warning that may be relevant:

  Unknown parameter encountered: "ldap port"
  Ignoring unknown parameter "ldap port"
  Unknown parameter encountered: "ldap server"
  Ignoring unknown parameter "ldap server"

I have commented out these smb.conf entries; essentially crossing my fingers that Samba knows I am using Port 389 and the server is localhost... IS THIS A SERIOUSLY WRONG ASSUMPTION??? Now, testparm is clean.

Moving onto 'smbclient'... I have my super-duper-domain-joining-pseudo-user entered into smbpasswd (chosen to be 'root'). If I run smbclient as 'root' (either supplied on the command-line with '-U root', or invoking smbclient while I am the system root user), then it behaves as it should - I get a listing of available shares. A typical log.SERVERNAME is:

  [2003/05/13 13:57:51, 2] auth/auth.c:check_ntlm_password(268)
    check_ntlm_password: authentication for user [root] -> [root] -> [root] suceeded

So far, so good.

Now, same thing, but as any old user but supplying no password. This also allows me to see the available shares, as an anonymous user, but logs this:

  [2003/05/13 13:59:41, 2] auth/auth.c:check_ntlm_password(275)
    check_ntlm_password: Authentication for user [gordonp] -> [gordonp] FAILED with error NT_STATUS_NO_SUCH_USER

Hmmm... there is no smbpasswd user 'gordonp', nor an /etc/passwd user 'gordonp', but there certainly *is* an LDAP user 'gordonp'.
Further, if I now supply a password for 'gordonp', smbclient responds thusly:

  Doing spnego session setup (blob length=58)
  session setup failed: NT_STATUS_LOGON_FAILURE

and the following is logged:

  [2003/05/13 14:01:29, 2] auth/auth.c:check_ntlm_password(275)
    check_ntlm_password: Authentication for user [gordonp] -> [gordonp] FAILED with error NT_STATUS_NO_SUCH_USER

For the purposes of this note, log level was set to '2'.

====
QUESTION: Can anyone direct me how to get my Samba to use LDAP for authentication?
====

Reference Information
====================

===== Relevant smb.conf

  hosts allow = 192.168.0. 127.
  security = user
  encrypt passwords = yes
  smb passwd file = /etc/samba/smbpasswd

  # SAMBA - LDAP declarations
  ldap suffix = dc=WHITEROCK
  ldap admin dn = cn=Manager,dc=WHITEROCK
  ##### ldap port = 389
  ##### ldap server = 127.0.0.1
  ldap ssl = no

===== Example (partial) LDAP extraction, which works for Linux login:

  # Domain Admins, Groups, WHITEROCK
  dn: cn=Domain Admins,ou=Groups,dc=WHITEROCK
  objectClass: posixGroup
  gidNumber: 200
  cn: Domain Admins
  description: Windows Domain Users
  memberUid: administrator
  memberUid: gordonp
  memberUid: margaret
  memberUid: chris
  memberUid: root

  # gordonp, Users, WHITEROCK
  dn: uid=gordonp,ou=Users,dc=WHITEROCK
  cn: gordonp
  sn: gordonp
  uid: gordonp
  uidNumber: 1001
  gidNumber: 200
  homeDirectory: /home/gordonp
  loginShell: /bin/bash
  gecos: System User
  description: System User
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: sambaAccount
  pwdLastSet: 0
  logonTime: 0
  logoffTime: 2147483647
  kickoffTime: 2147483647
  pwdCanChange: 0
  pwdMustChange: 2147483647
  displayName: System User
  acctFlags: [UX]
  rid: 3002
  primaryGroupID: 1401
  homeDrive: H:
  smbHome: \\PDC-SRV\homes
  profilePath: \\PDC-SRV\profiles\gordonp
  scriptPath: gordonp.cmd
  lmPassword: 6224B0199F8273C3AAD3B435B51404EE
  ntPassword: 8747D6F1DF9E9C1034D3754CC0350D6B
  userPassword:: e1NTSEF9cmxIUkRJWVJCdWVQaW15QmNTSGwxbVh4bUE1UENqSXU

Thanks for any/all tips or pointers!
-Gord

--
Gordon Pritchard, P.Eng.         | Institute of Electrical and
Research Labs Manager            | Electronics Engineers
Simon Fraser University, Surrey  | Quarter Century Wireless Ass'n
gordonp@sfu.ca                   | Telephone Pioneers of America
phone: 604.268.7509              | Amateur Radio: VA7SFU, VA7GP
Gordon Pritchard
2003-May-13 23:12 UTC
[Samba] Re: 3.0alpha23 not authenticating with LDAP (RedHat 9) - Now Working!!
<<in answer to my own earlier posting>>:

On Tue, 2003-05-13 at 14:10, Gordon Pritchard wrote:
> I am also using the stock RedHat 9 version of OpenLDAP. By itself,
> LDAP is working fine: this is how I log onto my Linux boxes.
>
> Moving onto 'smbclient'... I have my super-duper-domain-joining-
> pseudo-user entered into smbpasswd (chosen to be 'root'). If I run
> smbclient as 'root' (either supplied on the command-line with '-U root',
> or invoking smbclient while I am the system root user), then it behaves
> as it should - I get a listing of available shares.
>
> So far, so good.
> Now, same thing, but as any old user but supplying no password. This
> also allows me to see the available shares, as an anonymous user,
> Further, if
> I now supply a password for 'gordonp', smbclient responds thusly:
>
> Doing spnego session setup (blob length=58)
> session setup failed: NT_STATUS_LOGON_FAILURE

OK - as some of you astute, long-time readers will have guessed, the answer seems to lie in the smb.conf file. Specifically, I didn't have enough LDAP in there. Some surfing revealed more parameters, which worked (thanks to http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html and Ignacio Coupeau). Here are now the relevant LDAP parameters in my smb.conf:

==================== Begin Included Text ===================
# SAMBA - LDAP declarations
passdb backend = ldapsam:ldap://trainwreck/
ldap suffix = dc=WHITEROCK
ldap user suffix = ou=Users
ldap admin dn = cn=Manager,dc=WHITEROCK
ldap machine suffix = ou=Computers
ldap ssl = no
==================== End Included Text ===================

Now, I am able to perform authenticated browsing with my LDAP users! Further testing will have to wait until I'm physically at the (WinXP Pro) computer, but the Linux components are looking good!

Thanks for the moral support (and virtual beers :-) ),

-Gord
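As an added example (not the poster's or the Samba project's code), here is a small Python checker that parses smb.conf text and reports the two gaps this thread turned on: the "ldap server"/"ldap port" names that 3.0alpha23 rejected as unknown, and the missing ldapsam "passdb backend" that left smbd consulting only smbpasswd (hence NT_STATUS_NO_SUCH_USER for LDAP-only users). The [global] header and the trimmed BEFORE/AFTER samples are constructed from the two excerpts in the thread.

```python
import re

# 3.0alpha23 reported these as "Unknown parameter" in the thread; the
# server now lives in the passdb backend URL instead.
DROPPED_IN_3_0 = {"ldap server", "ldap port"}
NEEDED_FOR_LDAPSAM = {"ldap suffix", "ldap admin dn"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; comments (# or ;) are skipped and
    names are lower-cased with whitespace collapsed, as Samba matches them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][" ".join(name.split()).lower()] = value.strip()
    return sections

def check_ldap_setup(text):
    """List the reasons LDAP-only users would fail with this config."""
    g = parse_smb_conf(text).get("global", {})
    findings = [f"'{p}' is not a Samba 3.0 parameter" for p in sorted(DROPPED_IN_3_0 & set(g))]
    if "ldapsam" not in g.get("passdb backend", ""):
        findings.append("no 'passdb backend = ldapsam:ldap://host/': only smbpasswd is "
                        "consulted, so LDAP-only users get NT_STATUS_NO_SUCH_USER")
    findings += [f"missing '{p}'" for p in sorted(NEEDED_FOR_LDAPSAM - set(g))]
    return findings

# Constructed samples modelled on the two smb.conf excerpts in the thread.
BEFORE = """[global]
  smb passwd file = /etc/samba/smbpasswd
  ldap suffix = dc=WHITEROCK
  ldap admin dn = cn=Manager,dc=WHITEROCK
  ldap port = 389
  ldap server = 127.0.0.1
"""
AFTER = """[global]
  passdb backend = ldapsam:ldap://trainwreck/
  ldap suffix = dc=WHITEROCK
  ldap user suffix = ou=Users
  ldap admin dn = cn=Manager,dc=WHITEROCK
  ldap machine suffix = ou=Computers
"""
```

Running check_ldap_setup(BEFORE) yields three findings (both dropped names plus the missing backend); check_ldap_setup(AFTER) yields none.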