samba - Jun 2004 - Password trouble with LDAP (eDirectory)

Hi All,

I have a strange problem with passwords, stored in LDAP.

When i try to logon as a user with the correct password, access is 
denied and the log says
    check_ntlm_password:  Authentication for user [administrator] -> 
[administrator] FAILED with error NT_STATUS_NO_SUCH_USER

When i try to logon a user with incorrect password, access is (of 
course) denied, but the log now says
    check_ntlm_password:  Authentication for user [administrator] -> 
[administrator] FAILED with error NT_STATUS_WRONG_PASSWORD

I have now tried for several hours to solve the problem,  but can't find 
out what is wrong and need some new input for solvin this.

Below are some snippets from the log, maybe this is useful for you and 
the smb.conf too.

Best regards
Erik Holst Trans

With correct password:
  
[2004/06/07 02:20:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X(783)
  Domain=[]  NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0] 
PrimaryDomain=[null]
[2004/06/07 02:20:15, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2004/06/07 02:20:15, 3] smbd/sesssetup.c:reply_sesssetup_and_X(798)
  sesssetupX:name=[]\[ADMINISTRATOR]@[notebook]
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user 
[]\[ADMINISTRATOR]@[notebook] with the new password interface
[2004/06/07 02:20:15, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EDIR]\[ADMINISTRATOR]@[notebook]
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/06/07 02:20:15, 4] lib/substitute.c:automount_server(323)
  Home server: slss
[2004/06/07 02:20:15, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:15, 4] libsmb/ntlm_check.c:ntlm_password_check(369)
  ntlm_password_check: Checking LM password
[2004/06/07 02:20:15, 4] auth/auth_sam.c:sam_account_ok(82)
  sam_account_ok: Checking SMB password for user Administrator
[2004/06/07 02:20:15, 1] auth/auth_util.c:make_server_info_sam(822)
  User Administrator in passdb, but getpwnam() fails!
[2004/06/07 02:20:15, 0] auth/auth_sam.c:check_sam_security(260)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_NO_SUCH_USER'
[2004/06/07 02:20:15, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [EDIR] was 
for this SAM.
[2004/06/07 02:20:15, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [ADMINISTRATOR] -> 
[ADMINISTRATOR] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/06/07 02:20:15, 3] smbd/error.c:error_packet(94)
  error string = No such file or directory
[2004/06/07 02:20:15, 3] smbd/error.c:error_packet(134)
  error packet at smbd/sesssetup.c(881) cmd=115 (SMBsesssetupX) eclass=1 
ecode=5
[2004/06/07 02:20:16, 3] smbd/process.c:timeout_processing(1121)
  timeout_processing: End of file from client (client has disconnected).
[2004/06/07 02:20:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:16, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/06/07 02:20:16, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
Server exit (normal exit)



With incorrect password:

[2004/06/07 02:20:32, 3] smbd/sesssetup.c:reply_sesssetup_and_X(783)
  Domain=[]  NativeOS=[Windows 4.0] NativeLanMan=[Windows 4.0] 
PrimaryDomain=[null]
[2004/06/07 02:20:32, 2] smbd/sesssetup.c:setup_new_vc_session(602)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
all old resources.
[2004/06/07 02:20:32, 3] smbd/sesssetup.c:reply_sesssetup_and_X(798)
  sesssetupX:name=[]\[ADMINISTRATOR]@[notebook]
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user 
[]\[ADMINISTRATOR]@[notebook] with the new password interface
[2004/06/07 02:20:32, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EDIR]\[ADMINISTRATOR]@[notebook]
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/06/07 02:20:32, 4] lib/substitute.c:automount_server(323)
  Home server: slss
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 4] libsmb/ntlm_check.c:ntlm_password_check(369)
  ntlm_password_check: Checking LM password
[2004/06/07 02:20:32, 4] libsmb/ntlm_check.c:ntlm_password_check(395)
  ntlm_password_check: Checking LMv2 password with domain
[2004/06/07 02:20:32, 4] libsmb/ntlm_check.c:ntlm_password_check(405)
  ntlm_password_check: Checking LMv2 password with upper-cased version 
of domain
[2004/06/07 02:20:32, 4] libsmb/ntlm_check.c:ntlm_password_check(415)
  ntlm_password_check: Checking LMv2 password without a domain
[2004/06/07 02:20:32, 4] libsmb/ntlm_check.c:ntlm_password_check(428)
  ntlm_password_check: Checking NT MD4 password in LM field
[2004/06/07 02:20:32, 3] libsmb/ntlm_check.c:ntlm_password_check(451)
  ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 
failed for user Administrator
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 3] smbd/uid.c:push_conn_ctx(351)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/06/07 02:20:32, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1485)
  ldapsam_update_sam_account: user Administrator to be modified has dn: 
uid=Administrator,o=it-trans
[2004/06/07 02:20:32, 2] passdb/pdb_ldap.c:init_ldap_from_sam(812)
  init_ldap_from_sam: Setting entry for user: Administrator
[2004/06/07 02:20:32, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1498)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: 
Administrator
[2004/06/07 02:20:32, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:32, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [EDIR] was 
for this SAM.
[2004/06/07 02:20:32, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [ADMINISTRATOR] -> 
[ADMINISTRATOR] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/06/07 02:20:32, 3] smbd/error.c:error_packet(134)
  error packet at smbd/sesssetup.c(881) cmd=115 (SMBsesssetupX) eclass=1 
ecode=5
[2004/06/07 02:20:33, 3] smbd/process.c:timeout_processing(1121)
  timeout_processing: End of file from client (client has disconnected).
[2004/06/07 02:20:33, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/06/07 02:20:33, 2] smbd/server.c:exit_server(568)
  Closing connections
[2004/06/07 02:20:33, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2004/06/07 02:20:33, 3] smbd/server.c:exit_server(611)
  Server exit (normal exit)


SMB.CONF

[global]
        workgroup = edir
        netbios name = SLSS
        server string = Samba Server %v, Powered by Linux
        security = user
        domain master = Yes
        encrypt passwords = No
        passwd program = /usr/local/sbin/smbldap-passwd %u
        os level = 2
        log level = 4
        syslog = 0
        time server = Yes
        #unix extensions = Yes
        encrypt passwords = Yes
#       map to guest = Bad User
        map to guest = Never
        mangling method = hash2
        printing = CUPS
        printcap name = CUPS
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        wins support = No
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
        domain logons = Yes
        ldap passwd sync = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap suffix = o=it-trans
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,o=it-trans
        #ldap port = 389
        #ldap server = 127.0.0.1
        ldap ssl = no
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

Hi,

I just tied to lower the sambaPwdMustChange value, and then the windows 
   client correctly says the password is expired, and prompts for a new one.

But the update fails because the server still does't accept the password 
  (the old one)
So the sambaPwdMustChange shold be fine.

Below is the Administrator LDAP entry.
I am know that the home path's are wrong, but that shold not have 
anything to do with my problem.

BTW. the Samba version is 3.0.4

Best regards
Erik Holst Trans



version: 1

# LDIF Export for: uid=Administrator,o=it-trans
# Generated by phpLDAPadmin on June 7, 2004 11:17 am
# Server: SLSS (ldap://127.0.0.1)
# Search Scope: base
# Total Entries: 1

# Entry 1: uid=Administrator,o=it-trans
dn:uid=Administrator,o=it-trans
sambaPrimaryGroupSID: S-1-5-21-511030576-2330128811-1600862552-512
sambaSID: S-1-5-21-511030576-2330128811-1600862552-2996
sambaHomePath: \\SLSS\homes
sambaHomeDrive: H:
sambaKickoffTime: 2147483647
sambaLogoffTime: 2147483647
sambaLogonTime: 0
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1086598595
sambaPwdLastSet: 1086598595
sambaAcctFlags: [U]
sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
sambaLMPassword: 598DDCE2660D3193AAD3B435B51404EE
loginShell: /bin/bash
homeDirectory: /home/
gecos: Netbios Domain Administrator
gidNumber: 512
uidNumber: 0
uid: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
cn: Administrator
ACL: 2#entry#[Public]#messageServer
ACL: 2#entry#[Root]#groupMembership
ACL: 2#entry#[Root]#networkAddress
ACL: 2#subtree#uid=Administrator,o=it-trans#[All Attributes Rights]
ACL: 6#entry#uid=Administrator,o=it-trans#loginScript
ACL: 6#entry#uid=Administrator,o=it-trans#printJobConfiguration




brucehohl@access-4-free.com wrote:
> From: Erik Holst Trans <eht@it-trans.dk>
> To: samba@lists.samba.org
> Subject: [Samba] Password trouble with LDAP (eDirectory)
> Date: Mon, 07 Jun 2004 02:25:03 +0200
> 
> 
>>When i try to logon as a user with the correct password,
>>access is  denied and the log says
>>    check_ntlm_password:  Authentication for user
>>[administrator] ->  [administrator] FAILED with error
>>NT_STATUS_NO_SUCH_USER
>>
> 
> Just a quick thought ... has the password expired?
> Check ldap attribute sambaPwdMustChange.
> 
>

Hi Bruce,

Thanks for your replys.

I got i working.. allmost
Think i forgot a few things such as a "root" account in LDAP and 
"adminstrator" account in /etc/passwd.

There is a little thing with join'ed workstations.
I can only login as root, login's on other accounts get a WRONG PASSWORD 
message in the log ?

Windows 9x works great on all accounts.

//Erik

brucehohl@access-4-free.com wrote:
> Sorry, I have no idea what is causing this problem.  I wish
> you luck in resolving the problem.
> Bruce
> 
> From: Erik Holst Trans <eht@it-trans.dk>
> To: brucehohl@access-4-free.com, samba@lists.samba.org
> Subject: Re: [Samba] Password trouble with LDAP (eDirectory)
> Date: Mon, 07 Jun 2004 11:28:02 +0200
> 
> ----- Original Message Follows -----
> 
>>Hi,
>>
>>I just tied to lower the sambaPwdMustChange value, and
>>then the windows
>>   client correctly says the password is expired, and
>>prompts for a new one.
>>
>>But the update fails because the server still does't
>>accept the password
>>  (the old one)
>>So the sambaPwdMustChange shold be fine.
>>
>>Below is the Administrator LDAP entry.
>>I am know that the home path's are wrong, but that shold
>>not have  anything to do with my problem.
>>
>>BTW. the Samba version is 3.0.4
>>
>>Best regards
>>Erik Holst Trans
>>
>>
>>
>>version: 1
>>
>># LDIF Export for: uid=Administrator,o=it-trans
>># Generated by phpLDAPadmin on June 7, 2004 11:17 am
>># Server: SLSS (ldap://127.0.0.1)
>># Search Scope: base
>># Total Entries: 1
>>
>># Entry 1: uid=Administrator,o=it-trans
>>dn:uid=Administrator,o=it-trans
>>sambaPrimaryGroupSID:
>>S-1-5-21-511030576-2330128811-1600862552-512 sambaSID:
>>S-1-5-21-511030576-2330128811-1600862552-2996
>>sambaHomePath: \\SLSS\homes sambaHomeDrive: H:
>>sambaKickoffTime: 2147483647
>>sambaLogoffTime: 2147483647
>>sambaLogonTime: 0
>>sambaPwdMustChange: 2147483647
>>sambaPwdCanChange: 1086598595
>>sambaPwdLastSet: 1086598595
>>sambaAcctFlags: [U]
>>sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
>>sambaLMPassword: 598DDCE2660D3193AAD3B435B51404EE
>>loginShell: /bin/bash
>>homeDirectory: /home/
>>gecos: Netbios Domain Administrator
>>gidNumber: 512
>>uidNumber: 0
>>uid: Administrator
>>sn: Administrator
>>objectClass: inetOrgPerson
>>objectClass: sambaSamAccount
>>objectClass: posixAccount
>>objectClass: shadowAccount
>>objectClass: organizationalPerson
>>objectClass: Person
>>objectClass: ndsLoginProperties
>>objectClass: Top
>>cn: Administrator
>>ACL: 2#entry#[Public]#messageServer
>>ACL: 2#entry#[Root]#groupMembership
>>ACL: 2#entry#[Root]#networkAddress
>>ACL: 2#subtree#uid=Administrator,o=it-trans#[All
>>Attributes Rights] ACL: 6#entry#uid=Administrator
>>,o=it-trans#loginScript ACL: 6#entry#uid=Administrator
>>,o=it-trans#printJobConfiguration
>>
>>
>>
>>
>>brucehohl@access-4-free.com wrote:
>>
>>>From: Erik Holst Trans <eht@it-trans.dk>
>>>To: samba@lists.samba.org
>>>Subject: [Samba] Password trouble with LDAP (eDirectory)
>>>Date: Mon, 07 Jun 2004 02:25:03 +0200
>>>
>>>
>>>
>>>>When i try to logon as a user with the correct password,
>>>>access is  denied and the log says
>>>>   check_ntlm_password:  Authentication for user
>>>>[administrator] ->  [administrator] FAILED with error
>>>>NT_STATUS_NO_SUCH_USER
>>>>
>>>
>>>Just a quick thought ... has the password expired?
>>>Check ldap attribute sambaPwdMustChange.
>>>
>>>
>>
>>--
>>To unsubscribe from this list go to the following URL and
>>read the instructions:
>>http://lists.samba.org/mailman/listinfo/samba
> 
> 
>