Whoops! I forgot the -a flag when using smbldap-tools' smbldap-useradd
script. Updating all accounts has fixed the problem and I can log the
Vista machine into Samba without issue.
One thing I noticed was that there is a difference in case between
sambaSAMAccount in the smbldap-tools and the openldap samba.schema's
sambaSamAccount, but I'm not sure if it affects the overall outcome.
Anyway, I changed all instances of sambaSAMAccount to sambaSamAccount in
the smbldap-tools scripts just in case.
Mr Havercamp wrote:
> I have a Samba server set up to share files within a small network
> (with 2 clients) and I use OpenLDAP to store user accounts.
>
> I have pretty much got everything working (smbclient prints the
> correct information and I can browse and log into Samba via Nautilus)
> except I can't get the Vista client to connect to Samba, as it won't
> even prompt for a username and password; it simply pops up the error
> "The account is not authorized to log in from this station".
>
> If I set encrypt passwords = yes in smb.conf then Vista client begins
> to be prompted for a username/password but the login always fails and
> I get re-prompted for the combination. Looking in the smb logs I see:
>
> "check_ntlm_password: Authentication for user [testuser] ->
> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER"
>
> I have included my testparm output, slapd.conf and ldap.conf files for
> review as I'm sure I have something in slapd.conf incorrectly
> configured. Additionally, I've attached all logging for the specific
> session.
>
> testparm
> *********
>
> [global]
> workgroup = BUSHWOOD.LOCAL
> server string = Samba Server
> passdb backend = ldapsam:ldap://127.0.0.1
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password %n\n
> *all*authentication*tokens*updated*
> client NTLMv2 auth = Yes
> client lanman auth = No
> client plaintext auth = No
> log level = 3
> log file = /var/log/samba/smbd.log
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> dns proxy = No
> ldap admin dn = cn=Manager,dc=bushwood,dc=local
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Hosts
> ldap passwd sync = Yes
> ldap suffix = dc=bushwood,dc=local
> ldap ssl = no
> ldap user suffix = ou=People
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> hosts allow = 192.168.5., 127.
> cups options = raw
>
> [homes]
> comment = Home Directories
> read only = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> [shared]
> comment = Users share
> path = /home/shared
> valid users = S-1-5-21-2252255531-4061614174-2474224977-513
> read only = No
> create mask = 0770
>
> slapd.conf
> ***********
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> allow bind_v2
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> by self write
> by anonymous auth
> by * none
> access to *
> by * read
>
> #######################################################################
> # ldbm and/or bdb database definitions
> #######################################################################
>
> database bdb
> suffix "dc=bushwood,dc=local"
> rootdn "cn=Manager,dc=bushwood,dc=local"
> rootpw {SSHA}wflS3RmzdjXVxYDF1zX9kRh3IHT8nza9
>
> hash_encrypt="SSHA"
>
> directory /var/lib/ldap/bushwood.local
>
> index objectClass eq,pres
> index ou,cn,mail,surname,givenname eq,pres,sub
> index uidNumber,gidNumber,loginShell eq,pres
> index uid,memberUid eq,pres,sub
> index nisMapName,nisMapEntry eq,pres,sub
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
>
> ldap.conf
> **********
>
> HOST 192.168.5.1
> BASE dc=bushwood,dc=local
>
> TLS_CACERTDIR /etc/openldap/cacerts
>
> smbd.log
> *********
>
> [2007/09/26 23:20:23, 3] smbd/oplock.c:init_oplocks(863)
> init_oplocks: initializing messages.
> [2007/09/26 23:20:23, 3]
> smbd/oplock_linux.c:linux_init_kernel_oplocks(276)
> Linux kernel oplocks enabled
> [2007/09/26 23:20:23, 3] lib/access.c:check_access(312)
> check_access: no hostnames in host allow/deny list.
> [2007/09/26 23:20:23, 2] lib/access.c:check_access(323)
> Allowed connection from (192.168.5.21)
> [2007/09/26 23:20:23, 3] smbd/process.c:process_smb(1068)
> Transaction 0 of length 183
> [2007/09/26 23:20:23, 3] smbd/process.c:switch_message(926)
> switch message SMBnegprot (pid 14514) conn 0x0
> [2007/09/26 23:20:23, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [MICROSOFT NETWORKS 1.03]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [MICROSOFT NETWORKS 3.0]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [LANMAN1.0]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [LM1.2X002]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [DOS LANMAN2.1]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(505)
> Requested protocol [Samba]
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_nt1(364)
> using SPNEGO
> [2007/09/26 23:20:23, 3] smbd/negprot.c:reply_negprot(606)
> Selected protocol NT LANMAN 1.0
> [2007/09/26 23:20:25, 3] smbd/process.c:process_smb(1068)
> Transaction 1 of length 176
> [2007/09/26 23:20:25, 3] smbd/process.c:switch_message(926)
> switch message SMBsesssetupX (pid 14514) conn 0x0
> [2007/09/26 23:20:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2007/09/26 23:20:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
> wct=12 flg2=0xc801
> [2007/09/26 23:20:25, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
> Doing spnego session setup
> [2007/09/26 23:20:25, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
> NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2007/09/26 23:20:25, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
> reply_spnego_negotiate: Got secblob of size 56
> [2007/09/26 23:20:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
> Got NTLMSSP neg_flags=0x60080215
> [2007/09/26 23:20:25, 3] smbd/process.c:process_smb(1068)
> Transaction 2 of length 288
> [2007/09/26 23:20:25, 3] smbd/process.c:switch_message(926)
> switch message SMBsesssetupX (pid 14514) conn 0x0
> [2007/09/26 23:20:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2007/09/26 23:20:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
> wct=12 flg2=0xc801
> [2007/09/26 23:20:25, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
> Doing spnego session setup
> [2007/09/26 23:20:25, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
> NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
> [2007/09/26 23:20:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
> Got user=[testuser] domain=[BUSHWOOD.LOCAL] workstation=[BILLYBAROO]
> len1=24 len2=24
> [2007/09/26 23:20:25, 3] auth/auth.c:check_ntlm_password(221)
> check_ntlm_password: Checking password for unmapped user
> [BUSHWOOD.LOCAL]\[testuser]@[BILLYBAROO] with the new password interface
> [2007/09/26 23:20:25, 3] auth/auth.c:check_ntlm_password(224)
> check_ntlm_password: mapped user is: [CZERVIK]\[testuser]@[BILLYBAROO]
> [2007/09/26 23:20:25, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2007/09/26 23:20:25, 3] smbd/uid.c:push_conn_ctx(358)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2007/09/26 23:20:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2007/09/26 23:20:25, 2] lib/smbldap.c:smbldap_open_connection(786)
> smbldap_open_connection: connection opened
> [2007/09/26 23:20:25, 3] lib/smbldap.c:smbldap_connect_system(997)
> ldap_connect_system: succesful connection to the LDAP server
> [2007/09/26 23:20:25, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2007/09/26 23:20:25, 3] auth/auth_sam.c:check_sam_security(281)
> check_sam_security: Couldn't find user 'testuser' in passdb.
> [2007/09/26 23:20:25, 2] auth/auth.c:check_ntlm_password(319)
> check_ntlm_password: Authentication for user [testuser] ->
> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER
> [2007/09/26 23:20:25, 3] smbd/error.c:error_packet_set(106)
> error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2007/09/26 23:20:25, 3] smbd/process.c:timeout_processing(1328)
> timeout_processing: End of file from client (client has disconnected).
> [2007/09/26 23:20:25, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2007/09/26 23:20:25, 3] smbd/connection.c:yield_connection(69)
> Yielding connection to
> [2007/09/26 23:20:25, 3] smbd/server.c:exit_server_common(768)
> Server exit (normal exit)
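The failure in the quoted log ("Couldn't find user 'testuser' in passdb" followed by NT_STATUS_NO_SUCH_USER) is what ldapsam reports when the LDAP entry exists as a posixAccount but was never given the sambaSamAccount objectClass, which is exactly what the missing `-a` flag in the reply above caused. The following is an added example, not code from the thread or from smbldap-tools: it parses a constructed LDIF export of the People OU, flags POSIX accounts that Samba cannot authenticate (no sambaSamAccount class, no sambaSID, a SID outside the domain, or no NT hash set), and extracts the usernames smbd reported as absent from the passdb so the two can be compared. The domain SID prefix is taken from the `valid users` line in the quoted smb.conf; the LDIF entries, the placeholder hash value and the log excerpt are constructed. Object class and attribute names are matched case-insensitively, since LDAP treats them that way, so the sambaSAMAccount/sambaSamAccount spelling difference mentioned in the reply does not affect the check.

```python
"""Audit LDAP user entries for the conditions that make ldapsam reject a logon.

Added example (not from the thread or smbldap-tools). Sample data is constructed.
"""
import base64
import re

# Domain SID prefix, taken from the Domain Users SID in the quoted smb.conf.
DOMAIN_SID = "S-1-5-21-2252255531-4061614174-2474224977"

# Constructed sample export, in the shape `slapcat` / `ldapsearch -LLL` would print.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=bushwood,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testuser
uidNumber: 1001
gidNumber: 513

dn: uid=alice,ou=People,dc=bushwood,dc=local
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: alice
uidNumber: 1002
gidNumber: 513
sambaSID: S-1-5-21-2252255531-4061614174-2474224977-3004
sambaNTPassword: PLACEHOLDER_NT_HASH_NOT_A_REAL_VALUE

dn: uid=bob,ou=People,dc=bushwood,dc=local
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 1003
gidNumber: 513
"""

# Constructed smbd.log excerpt modelled on the line quoted in the post.
SAMPLE_LOG = """\
[2007/09/26 23:20:25, 3] auth/auth_sam.c:check_sam_security(281)
  check_sam_security: Couldn't find user 'testuser' in passdb.
[2007/09/26 23:20:25, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER
"""

LOG_RE = re.compile(r"check_sam_security: Couldn't find user '([^']+)' in passdb")


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr_lower: [values]} dicts.

    Folded continuation lines (leading space) are unfolded and '::' base64
    values are decoded; attribute names are lowercased because LDAP compares
    them case-insensitively.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_samba_accounts(entries, domain_sid=DOMAIN_SID):
    """Return (dn, problem) pairs for posixAccount entries ldapsam would not log on."""
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        dn = e["dn"][0]
        if "sambasamaccount" not in classes:
            # This is the state the reply describes: account created without -a.
            findings.append((dn, "missing sambaSamAccount objectClass"))
            continue
        sids = e.get("sambasid", [])
        if not sids:
            findings.append((dn, "sambaSamAccount without sambaSID"))
        elif not sids[0].startswith(domain_sid + "-"):
            findings.append((dn, f"sambaSID {sids[0]} is not under domain SID {domain_sid}"))
        if "sambantpassword" not in e:
            findings.append((dn, "no sambaNTPassword set; NTLM logon cannot succeed"))
    return findings


def users_missing_from_passdb(log_text):
    """Usernames smbd reported as absent from the passdb, deduplicated."""
    return sorted(set(LOG_RE.findall(log_text)))


if __name__ == "__main__":
    for dn, problem in audit_samba_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {problem}")
    print("reported by smbd:", users_missing_from_passdb(SAMPLE_LOG))
```

Run against a real export by replacing `SAMPLE_LDIF` with the output of `slapcat` (or an `ldapsearch` bound as a DN permitted to read the hash attributes, given the slapd.conf ACL above) and `SAMPLE_LOG` with the smbd log; any username that appears in the log but not in the audit findings points at a problem other than the directory entry, such as the passdb backend URL or admin DN.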