Matt Anderson
2007-Aug-09 19:53 UTC
[Samba] smbldap_open: cannot access LDAP when not root..
Dear Help,

I currently have a Samba PDC along with multiple BDCs using an eDirectory LDAP backend. While trying to figure out how to get the bad password account lockout feature to work, I managed to somehow mess up the samba PDC.

If a user attempts to authenticate against the PDC with the correct password, all is well and works as usual. However, if I use an incorrect password, the Windows login box just kind of hangs. I've discovered that this is because (for some reason now) Samba is unable to update the LDAP server from the PDC (at least this is my theory based on the logs shown below).

The interesting part is that if I authenticate against a BDC with an incorrect password, everything functions as normal. So, something I specifically did to the PDC (The only steps I can remember doing since before this problem occurred is replicating the account policies from the local tdb to ldap (using pdbedit) and attempting to rejoin the PDC to its own domain--which I had to delete and recreate the machine trust account again in the process).

In any case, I'm currently getting the following error in my logs:

[2007/08/09 12:38:24, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testUser3
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/09 12:38:24, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/09 12:38:24, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/09 12:38:24, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:24, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/09 12:38:25, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:25, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!
[2007/08/09 12:38:26, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:26, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 3 try!
[2007/08/09 12:38:27, 0] lib/smbldap.c:smbldap_open(943)
...
[2007/08/09 12:38:39, 3] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3462)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=PHSDOMAIN,o=PHS, error: Time limit exceeded ()

I have seen posts regarding this error when joining the domain... and even tried applying those solutions, but it doesn't seem to work. Any insight or help would be greatly appreciated.

-Matt
Matt Anderson
2007-Aug-10 14:56 UTC
[Samba] Re: smbldap_open: cannot access LDAP when not root..
Matt Anderson <sokkerstud_11 <at> hotmail.com> writes:

> I currently have a Samba PDC along with multiple BDCs using an eDirectory LDAP
> backend. While trying to figure out how to get the bad password account
> lockout feature to work, I managed to somehow mess up the samba PDC.

For anyone who runs into the same issue, I believe that I must have corrupted one of the user or policy-related local databases on the PDC. I was only able to resolve this issue by removing Samba from the system (and deleting the contents of /etc/samba) and then re-installing it again as the PDC. The fresh install seemed to fix whatever the underlying problem was.

Best of luck,
Matt
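
An added example, not part of either post and not Samba code: a small Python check that reads smbd log text and counts, per user, the "cannot access LDAP when not root" failures that follow a failed password check, which is the sequence reported in this thread. It assumes the two-line entry layout (header line, then indented message) and attributes failures by order in a single log; the sample log is constructed from the entries quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample in the assumed two-line smbd layout (header, then indented
# message), modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
[2007/08/09 12:38:24, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testUser3
[2007/08/09 12:38:24, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:24, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/09 12:38:25, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/09 12:38:25, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!
[2007/08/09 12:38:39, 3] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3462)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=PHSDOMAIN,o=PHS, error: Time limit exceeded ()
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] (?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$")
FAILED_USER = re.compile(r"NT password check failed for user (\S+)")

def parse_entries(text):
    """Return (timestamp, function, message) tuples, joining each header with its body lines."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            current = [m["ts"], m["func"], ""]
            entries.append(current)
        elif current is not None:
            current[2] = (current[2] + " " + raw.strip()).strip()
    return [tuple(e) for e in entries]

def ldap_failures_after_bad_password(text):
    """Map each user with a failed password check to the non-root LDAP open failures logged after it."""
    result, user = {}, None
    for _ts, func, msg in parse_entries(text):
        hit = FAILED_USER.search(msg)
        if hit:
            user = hit.group(1)
            result.setdefault(user, 0)
        elif user and func == "smbldap_open" and "cannot access LDAP when not root" in msg:
            result[user] += 1
    return result

if __name__ == "__main__":
    print(ldap_failures_after_bad_password(SAMPLE_LOG))
```

A non-zero count for a user means the LDAP access that followed the failed logon did not succeed, so lockout behaviour on that server should be verified separately.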