Paul Traylor
2007-Mar-14 14:06 UTC
[Samba] Errors logging in from Windows - LDAP + Samba PDC
Just to get these things out of the way:

CentOS (2.6.9-42.0.10.ELsmp)

    # yum list installed | grep openssl
    openssl.i686            0.9.7a-43.14     installed
    openssl-devel.i586      0.9.7a-43.14     installed

    # yum list installed | grep samba
    samba.i386              3.0.10-1.4E.11   installed
    samba-client.i386       3.0.10-1.4E.11   installed
    samba-common.i386       3.0.10-1.4E.11   installed
    samba-swat.i386         3.0.10-1.4E.11   installed

    # yum list installed | grep samba
    nss_ldap.i386           226-17           installed
    openldap.i386           2.2.13-6.4E      installed
    openldap-clients.i386   2.2.13-6.4E      installed
    openldap-devel.i386     2.2.13-6.4E      installed
    openldap-servers.i386   2.2.13-6.4E      installed

    smbldap-tools-0.9.2

I think that should cover most of what someone else would need to know.

The goal is to have a PDC that uses Samba and LDAP. I have used guides like the guide from here: http://www.idealx.com/content/view/184/169/lang,en/ . I seem to have LDAP and Samba working and the smbldap-tools working properly. I can use the LDAP Account Manager ( http://lam.sourceforge.net/ ) to add users to the domain and then use ssh and pam_ldap to connect with those user names. I can add users to the domain, and use the domain usernames and passwords to connect to shares off the server. I can also add machines to the domain from Windows without any problems and they show up in LDAP.

The part that has me stumped is that I can't seem to log in to the domain from one of the domain accounts. I can log in with the local admin account and then use a domain login to log in to domain shares; I just can't do the initial Windows login. Turning the samba debugging up to 3 doesn't seem to help, since I see log messages like

    check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded

which would make me think that things are working properly.

I kinda suspect that the problem could be with smbldap-tools somewhere, since I was able to switch samba to authing from the /etc/samba/smbpasswd file and it was able to log in fine, though I have yet to figure out which script is called on Windows logins.

Any help would be appreciated.

smb.conf (I replaced the server address with 'server.address', but that's the only change I made for posting to this list.)

    [global]
    workgroup = TEMPDOMAIN
    netbios name = SSC2
    server string = Samba Server %v
    security = user
    allow trusted domains = yes
    time server = no
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 100000
    domain logons = yes
    os level = 35
    local master = yes
    domain master = yes
    preferred master = yes
    encrypt passwords = yes
    lm announce = true
    passwd program = /usr/local/sbin/smbldap-tools/smbldap-passwd %u
    passwd chat debug = yes
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://server.address:389
    ldap ssl = start_tls
    ldap suffix = dc=soil,dc=ncsu,dc=edu
    ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
    ldap delete dn =no
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    admin users = administrator
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    logon home
    logon path
    logon script = logon.cmd
    add user script = /usr/local/sbin/smbldap-tools/smbldap-useradd -a "%u"
    add machine script = /usr/local/sbin/smbldap-tools/smbldap-useradd -w "%u"
    add group script = /usr/local/sbin/smbldap-tools/smbldap-groupadd -p "%g"
    add user to group script /usr/local/sbin/smbldap-tools/smbldap-groupmod -m "%u" "%g"
    delete user from group script /usr/local/sbin/smbldap-tools/smbldap-groupmod -x "%u" "%g"
    set primary group script /usr/local/sbin/smbldap-tools/smbldap-usermod -g "%g" "%u"
    dos charset = 850
    hosts allow = 152.1.121.0/24
    mangling method = hash2
    obey pam restrictions = no
    syslog = 0
    unix charset = ISO8859-1
    username map = /etc/samba/smbusers
    wins support = no
    template shell = /bin/false
    winbind use default domain = no

    [netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/netlogon
    writeable = no
    public = no
    browsable = no
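Added example, not part of the original post: a small smb.conf lint that flags lines inside a section that carry no "=" and therefore cannot be read as parameter assignments; several lines of the configuration as it appears in this archive copy have that shape. The function name and the constructed sample (a few lines taken from the message above) are assumptions of this example, and the archive copy may not match the file on the server.

```python
import re

# Constructed sample: lines copied from the smb.conf as it appears in the
# message above (the archive copy may differ from the file on disk).
SAMPLE = '''\
[global]
workgroup = TEMPDOMAIN
domain logons = yes
ldap delete dn =no
logon home
logon path
logon script = logon.cmd
add group script = /usr/local/sbin/smbldap-tools/smbldap-groupadd -p "%g"
add user to group script /usr/local/sbin/smbldap-tools/smbldap-groupmod -m "%u" "%g"
[netlogon]
path = /usr/local/samba/netlogon
'''

SECTION = re.compile(r'^\[(.+)\]$')

def lint_smb_conf(text):
    """Return (params, malformed). params maps section -> {name: value};
    malformed lists (line_no, section, line) for lines that have no '='."""
    params, malformed, section, pending = {}, [], None, ''
    for no, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):          # trailing backslash: continued line
            pending = line[:-1].rstrip() + ' '
            continue
        if not line or line[0] in '#;':  # blank line or comment
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            params.setdefault(section, {})
            continue
        name, sep, value = line.partition('=')
        if not sep or not name.strip():
            malformed.append((no, section, line))
            continue
        # Lower-case the name and collapse whitespace so keys compare stably
        key = re.sub(r'\s+', ' ', name.strip().lower())
        params.setdefault(section, {})[key] = value.strip()
    return params, malformed

if __name__ == '__main__':
    for no, sec, line in lint_smb_conf(SAMPLE)[1]:
        print(f'line {no} [{sec}]: no "=" found: {line}')
```

On the server itself, `testparm` remains the authoritative check of how Samba reads the file.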
Felipe Augusto van de Wiel
2007-Mar-15 13:34 UTC
[Samba] Errors logging in from Windows - LDAP + Samba PDC
On 03/14/2007 11:06 AM, Paul Traylor wrote:
[...]
> os level = 35
[...]

Any chance that you have a Windows machine around (like a 2000 server or a 2003) that could win the election and answer the domain requests instead of your samba server?

Kind regards,

--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Paul Traylor
2007-Mar-16 13:55 UTC
[Samba] Errors logging in from Windows - LDAP + Samba PDC
There are not any 2000 or 2003 servers on the network, but I bumped the os level up to 100 anyways and restarted samba, though it still gives me the same login error.

"The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case"

Felipe Augusto van de Wiel wrote:
> On 03/14/2007 11:06 AM, Paul Traylor wrote:
> [...]
>> os level = 35
> [...]
>
> Any chance that you have a Windows machine around (like
> a 2000 server or a 2003) that could win the election and answer
> the domain requests instead of your samba server?
>
> Kind regards,
>
> --
> Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
Felipe Augusto van de Wiel
2007-Mar-16 14:20 UTC
[Samba] Errors logging in from Windows - LDAP + Samba PDC
On 03/16/2007 10:54 AM, Paul Traylor wrote:
> There are not any 2000 or 2003 servers on the network,
> but I bumped the os level up to 100 anyways and restarted
> samba though it still gives me the same login error.
> "The system could not log you on. Make sure your User name
> and domain are correct, then type your password again.
> Letters in passwords must be typed using the correct case"

It still sounds like the client is not finding your samba server. Try to increase the log level and see what happens on the server side with more detail.

Kind regards,

--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)