Chris Snider
2004-Apr-16 20:07 UTC
[Samba] Problems with NT passwords using Samba3 and LDAP
I'm at my wits' end here, so hopefully someone can help me.

Currently I have a Redhat 9.0 box running Samba 2.2.7 with openldap 2.0.27 as a PDC. Domain logins work great with this setup. I can add, remove, and modify computers and users all day long without a glitch. I do not store usernames in the local smbpasswd or passwd files.

User information is stored in ou=Users,dc=mydomain,dc=com
Group information is stored in ou=Groups,dc=mydomain,dc=com
Computer information is stored in ou=Computers,dc=mydomain,dc=com

My problem appeared when I attempted to create the same setup using Samba 3.0.2a. Here is what I did.

1. I created a working PDC using Samba 2.2.7 and openldap 2.0.27 on RH9. I was able to log in as user bsmith from a W2k machine called bob-smith.
2. I then compiled Samba 3.0.2a from source, making sure I added the "--with-ldapsam" flag.
3. configure --with-acl-support --with-ldapsam --prefix=/usr --localstatedir=/var --with-configdir=/etc/samba --with-privatedir=/etc/samba/private --with-lockdir=/var/lock --with-piddir=/var/run --with-logfilebase=/var/log --with-smbmount --with-utmp --with-syslog
4. make
5. make install
   No errors were generated during the compile.
6. Made the changes to my smb.conf file to allow for the ldapsam_compat mode (see smb.conf at the end of this message).
7. Edited the samba.schema file to use the Version 2 schema and copied it to /etc/openldap/schema/
8. Installed the new version of the smbldap tools which came bundled with Samba 3.0.2a.
9. Ran smbpasswd -w password to store my Manager password in the secrets.tdb file.
10. Started smbd -D and nmbd -D.

Everything to this point seems to work fine. When I attempt to log in as user bsmith from a computer (bob-smith) I get a "bad username or password" message. I checked /var/logs/samba/bob-smith.log and this is what I see:

[2004/04/16 12:27:01, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/04/16 12:27:01, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/04/16 12:27:01, 2] lib/smbldap.c:smbldap_open_connection(626)
  smbldap_open_connection: connection opened
[2004/04/16 12:27:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: nobody
[2004/04/16 12:27:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1668)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No such object)
[2004/04/16 12:27:10, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1668)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: (No such object)
[2004/04/16 12:27:10, 2] rpc_parse/parse_prs.c:netsec_decode(1575)
  netsec_decode: FAILED: packet sequence number:
[2004/04/16 12:27:10, 2] lib/util.c:dump_data(1830)
  [000] 87 F0 07 93 7D 17 F1 80   ....}...
[2004/04/16 12:27:10, 2] rpc_parse/parse_prs.c:netsec_decode(1577)
  should be:
[2004/04/16 12:27:10, 2] lib/util.c:dump_data(1830)
  [000] 00 00 00 00 80 00 00 00   ........
[2004/04/16 12:27:10, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1371)
  failed to decode PDU
[2004/04/16 12:27:10, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
[2004/04/16 12:27:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: bob-smith$
[2004/04/16 12:27:17, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: nobody
[2004/04/16 12:27:18, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: bsmith
[2004/04/16 12:27:18, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [bsmith] -> [bsmith] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/04/16 12:29:43, 2] smbd/server.c:exit_server(558)
  Closing connections

I know this password is valid since it was working fine with Samba 2.2.7/LDAP. It's like Samba3 doesn't understand the password encryption or something.

I've tried changing bsmith's password using smbldap-passwd.pl bsmith and, again, there are no error messages and it appears to have changed his password. When I attempt to log in again I get the same error. The only way I can get Samba to accept the password is if I set it using smbpasswd bsmith. Then it will accept my password, but another error message pops up saying "The name or security ID (SID) of the domain specified is inconsistent with the trust information for that domain". I have no idea what that means, but it doesn't sound good. I'm sure I'll be making another post to fix that.

I would appreciate any help you can provide.

Here is my smb.conf file:

# Global parameters
[global]
        workgroup = MYDOMAIN
        netbios name = TESTPDC
        server string = My Test Ldap Aware Samba Server
        passdb backend = ldapsam_compat:ldap://127.0.0.1
        passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
        passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
        username level = 8
        unix password sync = Yes
        log level = 2
        log file = /var/log/samba/%m.log
        socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
        add user script = /usr/local/sbin/smbldap-useradd.pl -m -d /dev/null -g 1000 -s /bin/false
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap server = 127.0.0.1
        ldap port = 389
        ldap suffix = dc=mydomain,dc=com
        ldap machine suffix = ou=Computers,dc=mydomain,dc=com
        ldap user suffix = ou=Users,dc=mydomain,dc=com
        ldap group suffix = ou=Groups,dc=mydomain,dc=com
        ldap admin dn = cn=Manager,dc=mydomain,dc=com
        ldap ssl = no
        utmp = Yes
        remote announce = 192.168.0.0

[homes]
        comment = Home Directories
        valid users = %U
        read only = No
        create mask = 0640
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /samba/netlogon
        guest ok = Yes

Thanks,
Chris Snider
Chris Snider
2004-Apr-20 14:47 UTC
[Samba] Problems with NT passwords using Samba3 and LDAP
Jose,

I finally figured out my problem yesterday and it ended up being the value set in the pwdLastSet field in the LDAP database. If this entry was set to 0 then that user would be unable to log in.

If you are able to get your users to log in by rejoining their workstation to the domain then that may not be the issue. Try running

  smbclient -L localhost -U brokenuser

on the server and see if it authenticates them. If it doesn't, then check the pwdLastSet field and make sure it's not set to 0. I found this to only be an issue with Samba 3.

Another thing to try is to open up two LDAP records, one that works and one that doesn't, and simply look at what's different between the two. That's how I was able to find my problem.

Hope this helps.

Thanks,
Chris

-----Original Message-----
From: Jose Martinez [mailto:jvm_vi@bellsouth.net]
Sent: Tuesday, April 20, 2004 9:17 AM
To: Chris.Snider@Tagtmi.com
Subject: Re: [Samba] Problems with NT passwords using Samba3 and LDAP

Chris,

Have you been able to find a fix to your problem? I have a similar situation where I can have one user be able to log in fine from multiple workstations but can't from, say, one or two others. However, I know those couple of problematic workstations are OK because other users can log in with no problem to those "problematic" machines. My fix has been to remove the workstation from the domain and re-add it. This is a horrible fix because of the amount of boxes we have. Also, I am realizing that even though it fixes the problem temporarily, it does not fix it forever, because another user might experience the same problem. Very confusing. Please let me know if you have found a fix.

Jose
jmartinez@bellsouth.net

"Chris Snider" <Chris.Snider@Tagtmi.com> wrote in message news:<1LHP5-49U-25@gated-at.bofh.it>...
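The two checks Chris describes, finding records whose pwdLastSet is 0 and diffing a working record against a broken one, as an added example that is not part of this thread; it parses an LDIF dump (sample data constructed here, using the Samba 2.2-style sambaAccount schema that ldapsam_compat reads) instead of querying the directory, so it runs offline.

```python
# Added example, not from the thread: parse an LDIF dump, flag accounts whose
# pwdLastSet is 0 (the state that blocked Chris's Samba 3 logins) and show how
# a working record differs from a broken one. All sample data is constructed.

# Constructed sample: two sambaAccount entries as ldapsearch would print them
# (Samba 2.2-style schema, which is what ldapsam_compat reads).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=Users,dc=mydomain,dc=com
objectClass: sambaAccount
uid: jdoe
rid: 3002
pwdLastSet: 1082130437
acctFlags: [U          ]

dn: uid=bsmith,ou=Users,dc=mydomain,dc=com
objectClass: sambaAccount
uid: bsmith
rid: 3000
pwdLastSet: 0
acctFlags: [U          ]
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles folded lines, not base64 (::) values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:                   # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def accounts_with_zero_pwdlastset(entries):
    """DNs whose pwdLastSet is 0 or missing: the records Samba 3 rejected at login."""
    return sorted(dn for dn, e in entries.items()
                  if e.get("pwdLastSet", ["0"])[0] == "0")

def diff_entries(good, bad):
    """Attributes whose values differ between a working and a broken record."""
    return {a: (good.get(a), bad.get(a)) for a in sorted(set(good) | set(bad))
            if good.get(a) != bad.get(a)}
```

To run it against a real directory, feed it the output of `ldapsearch -x -b ou=Users,dc=mydomain,dc=com objectClass=sambaAccount` in place of SAMPLE_LDIF.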