samba - Oct 2011 - Weird issue with samba 3.4.7

Hello All,


I have samba version 3.3.2 installed on a system running Ubuntu Server 9.04
(32-bit).  The users trying to mount the samba shares authenticate over the LDAP
server.
Here is how my configuration files look like, 

1. /etc/samba/smb.conf

[global]
	server string = %h server (Samba, Ubuntu)
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n
*password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	passdb backend = ldapsam:ldaps://ldap1.xetus.com
	ldap suffix = dc=xetus,dc=com


2. /etc/nsswitch.conf

passwd:      files ldap
group:         files ldap
shadow:      files ldap

hosts:          files dns
networks:    files

protocols:    db files
services:     db files
ethers:        db files
rpc:             db files

netgroup: nis


3. /etc/pam.d/common-auth

auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_ldap.so use_first_pass
auth	requisite			pam_deny.so
auth	required			pam_permit.so


4. /etc/pam.d/common-account

account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so 
account	[success=1 default=ignore]	pam_ldap.so 
account	requisite			pam_deny.so
account	required			pam_permit.so


5. /etc/pam.d/common-password

password	requisite			pam_cracklib.so retry=3 minlen=8 difok=3
password	[success=2 default=ignore]	pam_unix.so obscure use_authtok
try_first_pass sha512
password	[success=1 user_unknown=ignore default=die]	pam_ldap.so use_authtok
try_first_pass
password	requisite			pam_deny.so
password	required			pam_permit.so
password	optional			pam_smbpass.so nullok use_authtok 						use_first_pass
6. /etc.pam.d/common-session

session	[default=1]			pam_permit.so
session	requisite			pam_deny.so
session	required			pam_permit.so
session	required	                pam_unix.so 
session	optional			pam_ldap.so 
session	optional			pam_ck_connector.so nox11
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel



I have another system running Ubuntu Server 10.04 (64-bit) where samba version
3.4.7 is installed (using apt-get). The /etc/nsswitch.conf and all the
/etc/pam.d/common-{auth, ccount,password,session} match the respective files
from Ubuntu Server 9.04 system (described earlier).
Other  relevant packages installed on both the systems are winbind,
libpam-smbpass and smbldap-tools.  My question is, why does ldap authentication
works with samba version 3.3.2 and not with samba version 3.4.7 even though the
directives in the configuration files are the same?  Am i missing a step here.
Can anyone point me in the right direction on this issue. I would  appreciate
all your time and help.
Thanks in advance.

- Amit

On Wed, Oct 26, 2011 at 2:59 PM, Amit More <amore at xetus.com> wrote:
> Hello All,
>
>
> I have samba version 3.3.2 installed on a system running Ubuntu Server 9.04
> (32-bit).  The users trying to mount the samba shares authenticate over the
> LDAP server.
> Here is how my configuration files look like,
>
Your /etc/nsswitch.conf and pam.d configurations look identical to my 10.04
64bit config, other than the fact that I don't have the pam_smbpass.so in
password or pam_mkhomerdir.so in session, so I don't think your problem lies
there.

I would check your ldap configuration to make sure that works properly
before investigating the samba config.
In that regard a few questions come to mind:

Are you using a custom cert for your ldap server?
If so, do you have the root cert installed and do your ldap configuration
files have the right tls_cacertfile entries?
Is your ldap password password properly configured on the 10.04 host?

-Chris