Johnson Cheng
2014-Mar-21 09:53 UTC
[Samba] Local account login failed when samba join to LDAP
Dears,

My samba version is 3.6.4.
I have a problem working with an open LDAP server. When samba joins the open LDAP server, my local account can NOT log in to samba anymore; only LDAP accounts can log in.
When my samba goes back to standalone, the local account is OK. Did I miss something?

The following are my configuration files; I list part of them.

smb.conf
server string = "Samba Server"
workgroup = WORKGROUP
security = user
obey pam restrictions = yes
passdb backend = ldapsam:ldap://192.168.8.143
ldap admin dn = cn=admin, dc=ff,dc=com
ldap suffix = dc=ff,dc=com
domain logons = yes
ldap ssl = off
ldap passwd sync = yes
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Machines
ldap delete dn = yes

nslcd.conf
uid admin
gid Administrator_Group
uri ldap://192.168.8.143
base dc=ff,dc=com

/etc/nssswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap

/etc/pam.d/samba
auth sufficient /usr/lib/security/pam_ldap.so
auth sufficient /usr/lib/security/pam_unix.so
account sufficient /usr/lib/security/pam_ldap.so
account sufficient /usr/lib/security/pam_unix.so
session sufficient /usr/lib/security/pam_ldap.so
session sufficient /usr/lib/security/pam_unix.so

I can use an LDAP account to log in to samba via the command below:
smbclient -L 192.168.8.75 -U kevin2%123456123456

But when I use a local account to log in to samba via smbclient, it reports "session setup failed: NT_STATUS_LOGON_FAILURE":
smbclient -L 192.168.8.75 -U qq%qq

One interesting thing is that when I change "passdb backend = ldapsam:ldap://192.168.8.143" to "passdb backend = tdbsam", the local account can log in to samba but the LDAP account will fail to log in.

Below is the samba debug output:

[2014/03/21 17:44:25.780867, 5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685, 4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.781846, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/03/21 17:44:25.781931, 3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'qq' in passdb.
[2014/03/21 17:44:25.782108, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.782213, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [qq]
[2014/03/21 17:44:25.782293, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [WORKGROUP] was for this SAM.
[2014/03/21 17:44:25.782372, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2014/03/21 17:44:25.787728, 2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password: Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787936, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Any suggestion will be appreciated.

Regards,
Johnson
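Added example, not part of the original post and not Samba's own code: a small Python parser for the debug-log format quoted in the message above, which pulls out the passdb lookup filter, whether the lookup matched, and every NT status in the failed session setup. The names parse_records and summarize are hypothetical, and SAMPLE is an excerpt of the log from the post.

```python
import re

# Samba 3.x debug record header: "[date time, level] file:line(function)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]"
                    r"\s+(\S+?):(\d+)\((\w+)\)")
FILTER = re.compile(r"filter => \[(.*?)\], scope")
NT_STATUS = re.compile(r"NT_STATUS_\w+")

# Excerpt of the log quoted in the post, used as sample input.
SAMPLE = """\
[2014/03/21 17:44:25.780867, 5] lib/smbldap.c:1439(smbldap_search_ext)
  smbldap_search_ext: base => [dc=ff,dc=com], filter => [(&(uid=qq)(objectclass=sambaSamAccount))], scope => [2]
[2014/03/21 17:44:25.781685, 4] passdb/pdb_ldap.c:1581(ldapsam_getsampwnam)
  ldapsam_getsampwnam: Unable to locate user [qq] count=0
[2014/03/21 17:44:25.781931, 3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'qq' in passdb.
[2014/03/21 17:44:25.787728, 2] auth/auth.c:334(check_ntlm_password)
  check_ntlm_password: Authentication for user [qq] -> [qq] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/03/21 17:44:25.787936, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """Split a log into records; works even if line breaks were lost."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        records.append({"time": m.group(1), "level": int(m.group(2)),
                        "source": f"{m.group(3)}:{m.group(4)}",
                        "func": m.group(5),
                        "msg": " ".join(text[m.end():end].split())})
    return records

def summarize(records):
    """Reduce one failed session setup to the facts needed for triage."""
    out = {"ldap_filter": None, "found_in_passdb": None, "statuses": []}
    for r in records:
        if r["func"] == "smbldap_search_ext":
            hit = FILTER.search(r["msg"])
            out["ldap_filter"] = hit.group(1) if hit else None
        elif r["func"] == "ldapsam_getsampwnam":
            out["found_in_passdb"] = "count=0" not in r["msg"]
        for status in NT_STATUS.findall(r["msg"]):
            if status not in out["statuses"]:
                out["statuses"].append(status)
    return out

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE)))
```

On the sample, the summary shows that the lookup filter requires objectclass=sambaSamAccount, that the search returned no entry for qq, and that the internal NT_STATUS_NO_SUCH_USER reaches the client as NT_STATUS_LOGON_FAILURE.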
Johnson Cheng
2014-Mar-26 07:10 UTC
[Samba] Local account login failed when samba join to LDAP
Dear All,

I have upgraded samba version to 3.6.22.
This issue still exists.

Any suggestion will be appreciated.

Regards,
Johnson
L.P.H. van Belle
2014-Mar-26 08:41 UTC
[Samba] Local account login failed when samba join to LDAP
What does

getent passwd
getent group
wbinfo -u
wbinfo -g

tell you?
FC Mario Patty
2014-Mar-26 15:43 UTC
[Samba] Local account login failed when samba join to LDAP
Johnson,

Is this a samba pdc or file server? A file server doesn't need "domain logons = yes" parameter. I'm going to check my configuration tomorrow for I'm at home right now. I believe it has something to do with pam.

# switch passdb backend from ldap to tdbsam will sure bring back your local samba account - that's where your local accounts live; wbinfo will give you nothing unless you configured samba to be one and you got winbind running.