Matt Anderson
2007-Aug-14 18:23 UTC
[Samba] Bad Password Count Problem -- LDAP connection failed
Dear Help,

Initially, I thought that I had solved this problem, but it turns out that I haven't. I currently have Samba set up as a PDC with an eDirectory/LDAP backend. There are also a few Samba BDCs in play as well.

If a user enters the correct password, there are no issues and everything authenticates fine. If I turn off the PDC and force a user to authenticate against a BDC with the wrong password, the Bad Password Count updates properly and locks them out after the defined number of attempts in pdbedit. However, if I turn off the BDCs and force the user to authenticate against the PDC with a wrong password, it just hangs for a while and never increments the Bad Password Count. (This is all from the Ctrl+Alt+Delete Windows login box to get on to the domain.)

Also worth noting: if I log in locally to the same Windows machine as Administrator and try to connect to a share on the PDC using the same user as before with the wrong password, everything works as expected: the bad count gets incremented, and there is no delay.

When I search the log files, the error that is causing this "delay" is a failed LDAP connection attempt: "smbldap_open: cannot access LDAP when not root..", which it tries 15 times before giving up. The rest of the log file context is added below.

If anyone could provide any advice or assistance, it would be greatly appreciated!

Thanks,
Matt

[2007/08/14 11:07:36, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[testUser2]@[COMPUTER] with the new password interface
[2007/08/14 11:07:36, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [DOMAIN]\[testUser2]@[COMPUTER]
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: testUser2
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testUser2
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/14 11:07:36, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/14 11:07:36, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:36, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/14 11:07:37, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:37, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!
[2007/08/14 11:07:38, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:38, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 3 try!
...
[2007/08/14 11:07:50, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 15 try!
[2007/08/14 11:07:51, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:51, 3] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3462)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=DOMAIN,o=Organization, error: Time limit exceeded ()
[2007/08/14 11:07:51, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:51, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 1 try!
[2007/08/14 11:07:52, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:52, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 2 try!
...
[2007/08/14 11:08:06, 1] lib/smbldap.c:another_ldap_try(1072)
  Connection to LDAP server failed for the 15 try!
[2007/08/14 11:08:07, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:08:07, 0] passdb/pdb_ldap.c: ldapsam_set_account_policy_in_ldap(3400)
  ldapsam_set_account_policy_in_ldap: Could not set account policy for sambaDomainName=DOMAIN,o=Organization, error: Timed out ()
[2007/08/14 11:08:07, 0] passdb/passdb.c:pdb_update_bad_password_count(2301)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2007/08/14 11:08:07, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(65534, 65533) : sec_ctx_stack_ndx = 1
[2007/08/14 11:08:07, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2007/08/14 11:08:07, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/14 11:08:07, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1078)
  init_ldap_from_sam: Setting entry for user: testUser2
[2007/08/14 11:08:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2007/08/14 11:08:07, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [DOMAIN] was for this SAM.
[2007/08/14 11:08:07, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [testUser2] -> [testUser2] FAILED with error NT_STATUS_WRONG_PASSWORD
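
An added example, not part of the original post and not Samba project code: a log check that finds failed logons where the bad password count update also failed, which is the condition in the log above that leaves account lockout unenforced. The function names and the sample users alice and bob are constructed for illustration; it assumes one smbd process per log file, so entries for a logon are contiguous.

```python
import re

# Samba entry header, e.g. "[2007/08/14 11:07:36, 3] auth/auth.c:check_ntlm_password(219)"
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):\s*(\w+)\((\d+)\)")

# Constructed sample in the same format as the post: alice's counter update fails, bob's does not.
SAMPLE = """\
[2007/08/14 11:07:36, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user alice
[2007/08/14 11:07:36, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:07:37, 0] lib/smbldap.c:smbldap_open(943)
  smbldap_open: cannot access LDAP when not root..
[2007/08/14 11:08:07, 0] passdb/passdb.c:pdb_update_bad_password_count(2301)
  pdb_update_bad_password_count: pdb_get_account_policy failed.
[2007/08/14 11:08:07, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
[2007/08/14 11:09:00, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user bob
[2007/08/14 11:09:00, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def entries(text):
    """Yield (timestamp, function, message); works on two-line or flattened logs."""
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield m.group(1), m.group(4), " ".join(text[m.end():end].split())

def unenforced_lockouts(text):
    """Return one finding per failed logon whose bad-password update failed."""
    findings, user, ldap_errors, update_failed = [], None, 0, False
    for ts, func, msg in entries(text):
        if func == "ntlm_password_check" and "password check failed for user" in msg:
            user, ldap_errors, update_failed = msg.rsplit(" ", 1)[-1], 0, False
        elif func == "smbldap_open" and "cannot access LDAP when not root" in msg:
            ldap_errors += 1
        elif func == "pdb_update_bad_password_count" and "failed" in msg:
            update_failed = True
        elif func == "check_ntlm_password" and "FAILED with error" in msg and user:
            if update_failed:  # wrong password seen, but the counter was not written
                findings.append({"time": ts, "user": user, "ldap_open_errors": ldap_errors})
            user = None
    return findings

if __name__ == "__main__":
    print(unenforced_lockouts(SAMPLE))
```

Each finding is a wrong-password attempt that did not count toward lockout, so repeated findings for one user mean the lockout policy is not being applied on that server.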