Can you use "ldapsearch" or a GUI LDAP browser/editor (e.g. Apache
Directory Studio) to make sure that your primary LDAP server really is
working. Verify that the credentials are good.
You may need to re-enter the LDAP password in Samba if your password store
got corrupted:
# smbpasswd -w LDAPBINDPW
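As an added example (not part of the reply above), this script does the check the reply recommends from the command line: it binds to the primary server with the same "ldap admin dn" Samba uses, runs the sambaDomain search seen in the pdbedit log, and turns the ldapsearch exit status into a diagnosis. The URL, bind DN, suffix and domain name are assumed placeholders modelled on the quoted smb.conf.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Reproduce Samba's LDAP bind and domain lookup with OpenLDAP's ldapsearch and
# explain the exit status. The URL/DN/suffix/domain are placeholders.

# OpenLDAP's ldapsearch exits with the LDAP result code (255 when the server
# cannot be contacted at all), so the status tells us which layer failed.
diagnose_ldap_exit() {
    case "$1" in
        0)   echo "OK: bind and search succeeded; the ldapsam backend should work against this server" ;;
        32)  echo "NO SUCH OBJECT: bind worked but no sambaDomain entry under the suffix; check 'ldap suffix' and the domain name" ;;
        49)  echo "INVALID CREDENTIALS: bind DN or password rejected; re-store the password with smbpasswd -w" ;;
        255) echo "CANNOT CONTACT SERVER: no LDAP connection; check the URL, port 389/636, firewall and that slapd is running" ;;
        *)   echo "ldapsearch failed with LDAP result code $1" ;;
    esac
}

# The filter smbldap_search_domain_info uses, as seen in the pdbedit output.
samba_domain_filter() {
    echo "(&(objectClass=sambaDomain)(sambaDomainName=$1))"
}

# Simple bind (-x) as the admin DN; -W prompts for the password so it never
# lands on the command line or in shell history. Only stdout is discarded so
# the server's own error text stays visible before the diagnosis.
check_primary_ldap() {
    url="$1"; binddn="$2"; suffix="$3"; domain="$4"
    ldapsearch -x -H "$url" -D "$binddn" -W -b "$suffix" -LLL \
        "$(samba_domain_filter "$domain")" sambaDomainName sambaSID >/dev/null
    rc=$?
    diagnose_ldap_exit "$rc"
    return "$rc"
}

# Run the live check only when all four arguments are given, e.g.:
#   sh check_ldap.sh ldap://server.domain.net/ "uid=username,cn=admins,cn=thecn" dc=domain,dc=com DOMAIN
if [ "$#" -eq 4 ]; then
    check_primary_ldap "$1" "$2" "$3" "$4"
fi
```

Run it once against the primary server and once against the backup; a 255 on the primary only points at network or slapd, while a 49 on both after a power cut points at the stored bind password.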
On 02/13/2012 11:12 AM, Fergus Clarke wrote:
> Hi
>
> We have a Samba server that authenticates with an openldap server. Or it used to.
> We had a power cut last week and after a bit of struggling everything came back, but not Samba.
> Previously our smb.conf file included the line
>
> passdb backend = ldapsam:ldap://server.domain.net/
>
> With this line in place the connection to the LDAP server fails, and people's shares drop off every few minutes. I changed this to point to our 2nd, backup ldap server and now shares and logon work again. I need to get communication started again between our Samba and primary LDAP server.
>
> Symptoms include the following: (with the new config, i.e. pointing at the backup ldap server)
>
> On the samba server:
>
> servername:/etc/samba# smbclient '\\servername\data'
> WARNING: The "printer admin" option is deprecated
> Enter root's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> but
>
> servername:/etc/samba# smbclient -L localhost -U%
> WARNING: The "printer admin" option is deprecated
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.2.5]
>
> Sharename Type Comment
> --------- ---- -------
> netlogon Disk Network Logon Service
> print$ Disk Printer Drivers
>
> etc
>
> also:
>
> servername:/etc/samba# pdbedit -u username -c "[X]"
> doing parameter syslog = 1
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter smb ports = 139
> doing parameter name resolve order = wins bcast hosts
> doing parameter printcap name = cups
> doing parameter add user script = /usr/sbin/adduser --quiet
> --disabled-password --gecos "" %u
> doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
> doing parameter logon script = logon.cmd
> doing parameter logon path = \\server.domain.net\%U\profile
> doing parameter logon home = \\server.domain.net\%U
> doing parameter domain logons = Yes
> doing parameter os level = 33
> doing parameter preferred master = Yes
> doing parameter domain master = Yes
> doing parameter dns proxy = No
> doing parameter wins support = Yes
> doing parameter ldap admin dn =
> "uid=username,cn=admins,cn=thenameofthecn"
> doing parameter ldap group suffix = ou=groups
> doing parameter ldap machine suffix = ou=machines
> doing parameter ldap passwd sync = Yes
> doing parameter ldap suffix = dc=ixico,dc=com
> doing parameter ldap user suffix = ou=people
> doing parameter panic action = /usr/share/samba/panic-action %d
> pm_process() returned Yes
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> The LDAP server is successfully connected
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> The LDAP server is successfully connected
> init_sam_from_ldap: Entry found for user: username
> ldapsam_update_sam_account: user username to be modified has dn:
> uid=username,ou=people,dc=domain,dc=com
> init_ldap_from_sam: Setting entry for user: username
> Unable to modify entry!
>
>
> If I change the setting back to point at our original LDAP server I get the following errors, for example:
>
>
> servername:/etc/samba# pdbedit -u username -c "[X]"
> doing parameter syslog = 1
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter smb ports = 139
> doing parameter name resolve order = wins bcast hosts
> doing parameter printcap name = cups
> doing parameter add user script = /usr/sbin/adduser --quiet
> --disabled-password --gecos "" %u
> doing parameter add machine script = /usr/sbin/smbldap-useradd -w %m
> doing parameter logon script = logon.cmd
> doing parameter logon path = \\server.domain.net\%U\profile
> doing parameter logon home = \\server.domain.net\%U
> doing parameter domain logons = Yes
> doing parameter os level = 33
> doing parameter preferred master = Yes
> doing parameter domain master = Yes
> doing parameter dns proxy = No
> doing parameter wins support = Yes
> doing parameter ldap admin dn =
> "uid=user,cn=admins,cn=relevantcn"
> doing parameter ldap group suffix = ou=groups
> doing parameter ldap machine suffix = ou=machines
> doing parameter ldap passwd sync = Yes
> doing parameter ldap suffix = dc=domain,dc=com
> doing parameter ldap user suffix = ou=people
> doing parameter panic action = /usr/share/samba/panic-action %d
> pm_process() returned Yes
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
> smbldap_open_connection: connection opened
> failed to bind to server ldap://ldap2.domain.net/ with
> dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP
> server
> (unknown)
> Connection to LDAP server failed for the 1 try!
> smbldap_open_connection: connection opened
> failed to bind to server ldap://ldap2.domain.net/ with
> dn="uid=username,cn=admins,cn=thecn" Error: Can't contact LDAP
> server
>
> etc
>
> but I can ping the LDAP server with its hostname and the LDAP alias.
>
> I have upped the log level to 10 and grepped for relevant hostnames and things but I am somewhat at a loss as to what's gone wrong, any help you can offer would be very gratefully received. I would also be v happy to post any logs etc to assist.
>
> Thanks
>
> Fergus