Chris St. Pierre
2005-Jun-02 21:51 UTC
[Samba] Windows logon doesn't work, Samba says it's fine
This is an immensely frustrating problem. I try to logon to my Samba 3.0.11 PDC running on SuSE, and the Samba logs report that it all went swimmingly:

[2005/06/02 16:34:45, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [stpierre] -> [stpierre] -> [stpierre] succeeded

So w00t, right. But no! Windows rejects my login with a "bad password" error. The strange thing is that I can mount volumes from that server without a problem -- it's only domain logons that are broken.

Googling didn't turn up much, but it seemed in general to be a problem with mismatched SIDs. Here are mine:

From the server:

# net getlocalsid
SID for domain FLUFFY is: S-1-5-21-2946021175-1172358965-46922411

In my LDAP backend (all of these were copied directly from the results of ldapsearch):

The machine account:
sambaSID=S-1-5-21-2946021175-1172358965-46922411-3048

The user account:
sambaSID=S-1-5-21-2946021175-1172358965-46922411-5546

The domain account:
sambaSID=S-1-5-21-2946021175-1172358965-46922411

As you can see, they're all identical. I dearly wish the problem could be mismatched SIDs, but it doesn't appear to be.

My full smb.conf is below. Any ideas?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

-------------------------------
smb.conf:
-------------------------------
[global]
    server string = Fluffy
    workgroup = NWU_FLUFFY
    netbios name = FLUFFY
    log level = 2
    encrypt passwords = yes
    max smbd processes = 0
    socket options = TCP_NODELAY
    use sendfile = no
    add machine script = /usr/local/samba/scripts/trust-acct.pl '%u'
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    domain logons = yes
    domain master = yes
    local master = yes
    preferred master = yes
    wins server = 10.9.1.12
    security = user
    admin users = stpierre
    os level = 33
    passdb backend = ldapsam:ldap://ldap.nebrwesleyan.edu
    ldap suffix = o=nebrwesleyan.edu,o=isp
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap filter = (uid=%u)
    ldap admin dn = cn=manager
    ldap ssl = no
    #idmap backend = ldap:ldap://newman.nebrwesleyan.edu
    idmap uid = 10000-20000
    idmap gid = 10000-20000

[netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/var/netlogon
    guest ok = yes
    locking = No

[profiles]
[profiles]
    comment = Profile Share
    path = /usr/local/samba/var/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    nt acl support = Yes
    csc policy = disable
    share modes = no
    profile acls = yes

[tmp]
    comment = temporary files
    path = /tmp
    read only = yes
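
Added example, not part of the original post: a Python check that automates the SID comparison the message does by eye, taking `net getlocalsid` output and ldapsearch LDIF text and listing every entry whose sambaSID does not fall under the server's domain SID. The function names and the DNs in the sample LDIF are constructed for illustration; the SIDs are the ones quoted in the message, and the parser assumes plain, unfolded `sambaSID:` values.

```python
import re

def parse_sid(sid):
    """Split a domain-relative SID into (domain_sid, rid); rid is None for a bare domain SID."""
    parts = sid.strip().split("-")
    if (parts[:4] != ["S", "1", "5", "21"] or len(parts) not in (7, 8)
            or not all(p.isdigit() for p in parts[4:])):
        raise ValueError(f"not a domain SID: {sid!r}")
    return "-".join(parts[:7]), (int(parts[7]) if len(parts) == 8 else None)

def local_domain_sid(net_output):
    """Extract the domain SID from `net getlocalsid` output."""
    m = re.search(r"SID for domain \S+ is: (\S+)", net_output)
    if not m:
        raise ValueError("no SID line found")
    return parse_sid(m.group(1))[0]

def ldap_sids(ldif):
    """Return [(dn, sambaSID)] from ldapsearch LDIF text (plain, unfolded values only)."""
    found, dn = [], None
    for line in ldif.splitlines():
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            dn = value.strip()
        elif name.lower() == "sambasid":
            found.append((dn, value.strip()))
    return found

def mismatched(net_output, ldif):
    """Entries whose sambaSID does not sit under the server's domain SID."""
    domain = local_domain_sid(net_output)
    return [(dn, sid) for dn, sid in ldap_sids(ldif) if parse_sid(sid)[0] != domain]

# SIDs are the ones quoted in the post; the DNs are constructed for illustration.
NET = "SID for domain FLUFFY is: S-1-5-21-2946021175-1172358965-46922411\n"
LDIF = """\
dn: uid=examplepc$,ou=People,o=nebrwesleyan.edu,o=isp
sambaSID: S-1-5-21-2946021175-1172358965-46922411-3048

dn: uid=stpierre,ou=People,o=nebrwesleyan.edu,o=isp
sambaSID: S-1-5-21-2946021175-1172358965-46922411-5546

dn: sambaDomainName=FLUFFY,o=nebrwesleyan.edu,o=isp
sambaSID: S-1-5-21-2946021175-1172358965-46922411
"""
# Constructed entry with a different domain SID, to show what a mismatch looks like.
BAD = LDIF + "\ndn: uid=constructed,ou=People,o=nebrwesleyan.edu,o=isp\nsambaSID: S-1-5-21-1111-2222-3333-1001\n"

if __name__ == "__main__":
    print(mismatched(NET, LDIF))
    print(mismatched(NET, BAD))
```
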