Bradley W. Langhorst
2004-Mar-18 18:16 UTC
[Samba] samba 3.0.2a-Debian +ldapsam +smbldap-tools 3.0rc4-1= newly created users can't log in
There is something very strange going on with new users...

i've created a new user using the smbldap-tools
creation goes fine...
smbldap-useradd -a -g labusers -G power_users -n -c 'test user' -m -P testuser

I've set the password and i see this in my ldap dir:
ldapsearch -x -D cn=ldapadmin,dc=bitc,dc=unh,dc=edu -W '(&(uid=testuser)(objectclass=SambaSamAccount))'

# testuser, People, bitc.unh.edu
dn: uid=testuser,ou=People,dc=bitc,dc=unh,dc=edu
cn: testuser
sn: testuser
uid: testuser
uidNumber: 2014
gidNumber: 100
loginShell: /bin/bash
gecos: test user
description: test user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: test user
sambaSID: S-1-5-21-3603135777-1134410093-4029533982-5028
sambaPrimaryGroupSID: S-1-5-21-3603135777-1134410093-4029533982-1201
sambaHomeDrive: H:
sambaHomePath: \\BITC\homes
sambaProfilePath: \\BITC\profiles\testuser
sambaLogonScript: mcmahon.cmd
sambaLMPassword: changed here
sambaNTPassword: changed here
userPassword:: changed
homeDirectory: /home/testuser
sambaAcctFlags: [U ]

This user can't log in on any workstation in the domain.
It is able to log in via ssh to the samba server (so libnss-ldap is able to parse it fine)

I cranked up the log to 100 and watched what's going on during login...
It finds the user using the same filter as i did above.
It finds all the attributes except the NT and LM passwords.
But then i find this:

2004/03/18 11:58:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (2007, 100) - sec_ctx_stack_ndx = 0
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(182)
  ntlm_password_check: NO NT password stored for user mcmahon.
[2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(309)
  ntlm_password_check: NO LanMan password set for user mcmahon (and no NT password supplied)
[2004/03/18 11:58:52, 4] libsmb/ntlm_check.c:ntlm_password_check(325)
  ntlm_password_check: LM password check failed for user, no NT password mcmahon
[2004/03/18 11:58:52, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [mcmahon] FAILED with error NT_STATUS_WRONG_PASSWORD

These missing attribs are serious errors - i think they should be at level 2 at least...

So the first thing to occur to me is that there is a directory security problem on the password attribs.
Samba is accessing the ldap store as the admin user so it shouldn't matter, but i tried removing the security permissions anyway to no avail.

Looks like the smbldap tools switched to inetorgperson from account, that's the only thing that i can tell is different between old users and new users.

But samba is able to find the account... could it be that there is a "sniffing" of the store to see which objectclasses are in use and my mix of

I'm stumped - about to dump and re-init my ldap store (urg)

thanks for any suggestion!

brad
--
Bradley W. Langhorst <brad@langhorst.com>
Bradley W. Langhorst
2004-Mar-18 19:34 UTC
[Samba] samba 3.0.2a-Debian +ldapsam +smbldap-tools 3.0rc4-1= newly created users can't log in
On Thu, 2004-03-18 at 13:15, Bradley W. Langhorst wrote:
> sambaPwdLastSet: 0

here's the problem!
if i manually change this to "1" in the ldap store the login works fine
0 should be an okay value i think - though smbldap-passwd should set it to the current time...

> I cranked up the log to 100 and watched what's going on during login...
> It finds the user using the same filter as i did above.
> It finds all the attributes except the NT and LM passwords.
> But then i find this:
> 2004/03/18 11:58:52, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (2007, 100) - sec_ctx_stack_ndx = 0
> [2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(182)
> ntlm_password_check: NO NT password stored for user mcmahon.
> [2004/03/18 11:58:52, 3] libsmb/ntlm_check.c:ntlm_password_check(309)
> ntlm_password_check: NO LanMan password set for user mcmahon (and no
> NT password supplied)

I believe these false reports to be a bug
i just looked in the code to see if i could find something obvious but it would take me a while to trace out what's going on...
maybe one of the developers just knows where to fix this.

brad

PS - cross posting because this is now a potential bug report - i'll file it if someone agrees that this behaviour is wrong.

--
Bradley W. Langhorst <brad@langhorst.com>
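
Added example, not part of the original posts and not code from Samba or smbldap-tools: a Python check over an LDIF export that flags sambaSamAccount entries in the state reported in this thread (password hashes stored, sambaPwdLastSet: 0). The sample entries, the dc=example,dc=org suffix, the timestamp and the function names are constructed for illustration.

```python
# Constructed sample LDIF export; hash values are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
uid: testuser
sambaPwdLastSet: 0
sambaNTPassword: PLACEHOLDER

dn: uid=olduser,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: olduser
sambaPwdLastSet: 1079633932
sambaNTPassword: PLACEHOLDER
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: ..." is base64; kept encoded
                value = value[1:]
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def stale_pwdlastset(entries):
    """Return uids of Samba accounts that store a hash but have sambaPwdLastSet 0."""
    flagged = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        has_hash = any(e.get("sambantpassword", []) + e.get("sambalmpassword", []))
        last_set = e.get("sambapwdlastset", [""])[0]
        if "sambasamaccount" in classes and has_hash and last_set == "0":
            flagged.append(e.get("uid", ["?"])[0])
    return flagged

if __name__ == "__main__":
    print(stale_pwdlastset(parse_ldif(SAMPLE_LDIF)))
```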