Hi!
I'm a bit new to Samba+LDAP integration, and most likely because of that
I experienced this morning something I can't fully understand. I would
appreciate if someone could explain to me what was really wrong.
So, our name server was unavailable this morning due to an OS update.
Division's Samba and LDAP services are running on the same server, and Samba
is using TLS in connecting to LDAP service. Because some of the network
names were not resolvable, I changed "passdb backend =
ldapsam:ldap://ldap.server.name/" to "passdb backend =
ldapsam:ldap://127.0.0.1/" in smb.conf, although I have ldap.server.name
also in /etc/hosts, just in case. In file /etc/nsswitch.conf I have
line "hosts: files dns". After I restarted Samba, I just couldn't log in
to the domain anymore, either with machine or domain user accounts.
Samba gave me errors like
smbd[1956]: [2005/10/24 11:03:17, 0]
lib/smbldap.c:smbldap_open_connection(677)
smbd[1956]: Failed to issue the StartTLS instruction: Connect error
smbd[1956]: [2005/10/24 11:03:17, 1] lib/smbldap.c:another_ldap_try(1011)
smbd[1956]: Connection to LDAP server failed for the 1 try!
smbd[1956]: [2005/10/24 11:03:18, 2]
passdb/pdb_ldap.c:init_sam_from_ldap(499)
smbd[1956]: init_sam_from_ldap: Entry found for user: myusr
smbd[1956]: [2005/10/24 11:03:18, 1]
passdb/pdb_ldap.c:init_sam_from_ldap(553)
smbd[1956]: init_sam_from_ldap: no sambaSID or sambaSID attribute
found for this user myusr
smbd[1956]: [2005/10/24 11:03:18, 1]
passdb/pdb_ldap.c:ldapsam_getsampwnam(1346)
smbd[1956]: ldapsam_getsampwnam: init_sam_from_ldap failed for user
'myusr'!
smbd[1956]: [2005/10/24 11:03:18, 2] auth/auth.c:check_ntlm_password(312)
smbd[1956]: check_ntlm_password: Authentication for user [myusr] ->
[myusr] FAILED with error NT_STATUS_NO_SUCH_USER
so I assume that this issue was somehow related to changes I made in
smb.conf file. At the same time I could login to server using ssh, and
also e.g. the command "smbclient -L ldap.server.name -U myusr" gave me a list
of all available services. Also I could authenticate myself through
Apache, which also uses TLS to connect to LDAP server.
My question is, how can changing "passdb backend" from ldap.server.name to
127.0.0.1 have this effect, since the server name should have been
resolvable via the /etc/hosts file? Does it have something to do with my
certificate files, which are generated using ldap.server.name? However,
I was able to login with TLS and Apache, so I don't think that's the
case.
Thanks in advance,
Jukka Hienola
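Added example (not part of the original message, and not libldap's or Samba's own code): a small model of what a TLS client checks when Samba opens the StartTLS connection. Verification compares the host written in the ldap:// URI against the certificate's SAN/CN entries, so an IP literal such as 127.0.0.1 is judged on its own and an /etc/hosts entry for ldap.server.name plays no part. The SAMPLE_CERT dict and the smb.conf line parsing are constructed for this example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample (not from the thread): the identity a server certificate
# carries when it was issued for "ldap.server.name".
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.server.name"),),),
    "subjectAltName": (("DNS", "ldap.server.name"),),
}

def uri_host(ldap_uri):
    """Host part of an ldap:// or ldaps:// URI; this is the name TLS verifies."""
    parsed = urlparse(ldap_uri)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError("not an LDAP URI: %r" % ldap_uri)
    return parsed.hostname

def _dns_match(pattern, host):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False

def cert_matches_host(cert, host):
    """Model of a TLS client's name check: an IP literal only matches an 'IP Address'
    SAN; a DNS name matches a DNS SAN, or the CN when there is no DNS SAN at all."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(_dns_match(p, host) for p in dns_sans)
    return any(key == "commonName" and _dns_match(value, host)
               for rdn in cert.get("subject", ()) for key, value in rdn)

def passdb_backend_tls_ok(smb_conf_line, cert):
    """Check a 'passdb backend = ldapsam:<uri>' smb.conf line against `cert`."""
    host = uri_host(smb_conf_line.partition("=")[2].strip().partition(":")[2])
    ok = cert_matches_host(cert, host)
    return ok, "%s: %s" % (host, "matches" if ok else "not in certificate SAN/CN")
```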