khalid.m.alvi@census.gov
2004-Dec-08 19:41 UTC
[Samba] SAMBA 3.0.8 Authentication/Configuration problems with LDAP (SunOne Directory Server 5.2)
Q#1. What SAMBA related object classes and attributes must I add to a POSIX user in LDAP (SunOne DS 5.2) before it can be used by SAMBA for authentication?

Q#2. Why does the SAMBA log for the user show the error "FAILED with error NT_STATUS_WRONG_PASSWORD" even before the user is prompted for username and password on the SAMBA client? Also in this log, I saw another error "NT MD4 password check failed for <username>". I know that my LDAP uses CRYPT as the password storage scheme. Other options available are CLEAR, SHA, and SSHA but we must use CRYPT because other apps require it. When I do put the valid POSIX username and password in the SAMBA client's dialog box, I get an error "Incorrect password or unknown username."

I am using Samba version 3.0.8 which I compiled with the --with-ldapsam and --with-pam_smbpass options and also used OpenLDAP libraries. It is running on Solaris 9 as a stand-alone server. My goal is to simply allow Win2K users to map UNIX directories on their PCs. In the past, we used the smbpasswd file but on a new system, we want to use LDAP (SunOne DS 5.2). I already have a POSIX account in LDAP that works just fine for UNIX logins.

Based on the netscape-5.x schema from the examples/LDAP directory, I added 6 object classes (sambaSamAccount, sambaGroupMapping, sambaDomain, sambaUnixIdPool, sambaIdmapEntry, and sambaSidEntry) and several attributes including sambaLMPassword, sambaAcctFlags, sambaDomainName, sambaSID, and sambaNTPassword to my LDAP server's schema. An account has been added to LDAP (under ou=people) for the Solaris host where Samba is running. Both SAMBA stand-alone server and LDAP server are running on the same Solaris server. The Samba users log on to their Win2K PCs after being authenticated from their own network service. My SAMBA server is just a stand-alone server and not a PDC or BDC.

From my LDAP server logs, I can see that samba binds to the LDAP server successfully. It searched for the user but it used a filter that put sambaSID=S-1-5-21-43403935-1067099457-3807174611-501 in it which resulted in the user not being found. Next, I added the sambaSID attribute to the user and assigned this value. Now I don't get the error but am still unable to map a drive as this user. Samba starts up fine and I am able to do smbclient -L localhost -U% to list the shares etc.

Here are the contents of my smb.conf file:

[global]
        workgroup = MYGROUP
        netbios name = DEVWS2
        server string = Samba Server DEVWS2
        encrypt passwords = Yes
        update encrypted = Yes
        password level = 8
        obey pam restrictions = Yes
        pam password change = No
        restrict anonymous = Yes
        debug uid = Yes
        preferred master = No
        domain master = No
        security = user
        hosts allow = 148. 127.
        log file = /usr/local/samba/var/log.%m
        log level = 5
        max log size = 500
        passdb backend = ldapsam:ldap://localhost:389
        dns proxy = no
        ldap admin dn="cn=Directory Manager"
        ldap server = DEVws2.DEV.xxxxxx.com
        ldap ssl = off
        ldap port = 389
        ldap suffix = "ou=people,dc=DEV,dc=xxxxxx,dc=com"

[homes]
        comment = Users' Home Directories
        path = /export/home
        public = no
        writable = yes
        printable = no
        create mask = 0765

[tmp]
        comment = temp
        path = /tmp
        read only = No

Logs of the user from the /usr/local/samba/var directory:

smbldap_search: base => [ou=people,dc=xxxx,dc=xxxxxx,dc=com], filter => [(&(uid=userxxxx)(objectclass=sambaSamAccount))], scope => [2]
[2004/12/08 12:53:47, 2, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:init_sam_from_ldap(511)
  init_sam_from_ldap: Entry found for user: userxxxx
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)] lib/substitute.c:automount_server(323)
  Home server: devws2
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)] lib/substitute.c:automount_server(323)
  Home server: devws2
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)] libsmb/ntlm_check.c:ntlm_password_check(326)
  ntlm_password_check: Checking NT MD4 password
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)] libsmb/ntlm_check.c:ntlm_password_check(344)
  ntlm_password_check: NT MD4 password check failed for user userxxxx
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:ldapsam_update_sam_account(1704)
  ldapsam_update_sam_account: user userxxxx to be modified has dn: uid=userxxxx,ou=People, dc=dev,dc=xxxxxx,dc=com
[2004/12/08 12:53:47, 2, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:init_ldap_from_sam(893)
  init_ldap_from_sam: Setting entry for user: userxxxx
[2004/12/08 12:53:47, 4, effective(0, 0), real(0, 0)] passdb/pdb_ldap.c:ldapsam_update_sam_account(1717)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: userxxxx
[2004/12/08 12:53:47, 3, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: sam authentication for user [userxxxx] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/12/08 12:53:47, 2, effective(0, 0), real(0, 0)] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [userxxxx] -> [userxxxx] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/12/08 12:53:47, 5, effective(0, 0), real(0, 0)] auth/auth_util.c:free_user_info(1318)
  attempting to free (and zero) a user_info structure

I have spent weeks reading the available documentation to try to find the answer to these problems. I am now hoping that SAMBA experts out there can help me resolve these problems. Any help would be greatly appreciated.