R. Jeremy
2015-Feb-17 14:09 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
Hello,
My apologies for my bad English, this is not my birth language and I'm still
learning it.
I'm trying to configure a Samba server to simply use LDAP backend for
authenticate users. Just that, I don't care of PDC/BDC, etc.The samba schema
is present in the LDAP, and in the users profile.
The samba server have the same SID as the domain.
I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs
are good.
The thing is that when I try this command:smbclient -d 2
//sandbox-samba.mydomain.com/MyShare -U user.ldap
I get this:rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)added interface eth0 ip=10.X.X.19 bcast=10.X.X.255
netmask=255.255.255.0Enter user.ldap's password:session setup failed:
NT_STATUS_LOGON_FAILURE
And on the samba server site, I have this in the logs:[2015/02/17
14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection)
smbldap_open_connection: connection opened[2015/02/17 14:55:19.916244, 3]
lib/smbldap.c:1240(smbldap_connect_system) ldap_connect_system: successful
connection to the LDAP server[2015/02/17 14:55:19.918237, 3]
auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password
for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password
interface[2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: mapped user is:
[MYDOMAIN]\[user.ldap]@[CLIENT_WS][2015/02/17 14:55:19.939873, 2]
passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for
user: user.ldap[2015/02/17 14:55:20.025999, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found
for group: 1100[2015/02/17 14:55:20.029060, 2]
passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found
for group: 1100[2015/02/17 14:55:20.029424, 3]
../libcli/auth/ntlm_check.c:309(ntlm_password_check) ntlm_password_check: NO NT
password stored for user user.ldap.[2015/02/17 14:55:20.029667, 3]
../libcli/auth/ntlm_check.c:442(ntlm_password_check) ntlm_password_check:
Lanman passwords NOT PERMITTED for user user.ldap[2015/02/17 14:55:20.030792,
2] passdb/pdb_ldap.c:1180(init_ldap_from_sam) init_ldap_from_sam: Setting entry
for user: user.ldap[2015/02/17 14:55:20.030989, 3]
auth/auth_winbind.c:60(check_winbind_security) check_winbind_security: Not
using winbind, requested domain [MYDOMAIN] was for this SAM.[2015/02/17
14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password) check_ntlm_password:
Authentication for user [user.ldap] -> [user.ldap] FAILED with error
NT_STATUS_WRONG_PASSWORD[2015/02/17 14:55:20.031307, 3]
smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115
(SMBsesssetupX) NT_STATUS_LOGON_FAILURE[2015/02/17 14:55:20.031968, 3]
smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb
request) I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where
can I look to understand what is going ?Is it simply possible to just have a
samba standalone which just use LDAP for authentication ?
I got the same result with a Windows 7 client using GUI interface.
Here is my smb.conf, if it could help:[global]
workgroup = MYDOMAIN server string = TEST Samba Server Version %v
domain logons = yes domain master = no
# logs split per machine log file = /var/log/samba/log.%m
# max 50KB per log file, then rotate max log size = 50
# Audit vfs object = full_audit full_audit:prefix =
%u|%I|%m|%S full_audit:success = all full_audit:failure = connect
full_audit:facility = local7 full_audit:priority = notice
encrypt passwords = yes security = user passdb backend =
ldapsam:ldap://ldap.mydomain.com ldap admin dn =
"uid=administrator,ou=Users,o=mydomain,c=com" ldap suffix =
o=mydomain, c=com ldap user suffix = ou=Users ldap machine suffix
= ou=Computers ldap group suffix = ou=Groups ldap ssl = no
ldap passwd sync = no log level = 3
load printers = no printing = bsd printcap name = /dev/null disable spoolss
= yes
[MyShare] comment = MyShare Stuff path = /srv/share
public = yes writable = yes printable = no Thanks for any
help you could give me! Best Regards
Marc Muehlfeld
2015-Feb-17 14:34 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
Hello Jeremy,

please re-post. Your mail lost all newlines in your log snippet and
config and whatever else was in there. It's almost unreadable without
newlines. Or put it on a paste service like https://cpaste.org/ please.

Regards,
Marc
Rowland Penny
2015-Feb-17 14:34 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
On 17/02/15 14:09, R. Jeremy wrote:
> Hello,
> My apologies for my bad English, this is not my birth language and I'm still learning it.
> I'm trying to configure a Samba server to simply use LDAP backend for authenticate users. Just that, I don't care of PDC/BDC, etc.The samba schema is present in the LDAP, and in the users profile.
> The samba server have the same SID as the domain.
> I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs are good.
> The thing is that when I try this command:smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap
> I get this:rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE
> And on the samba server site, I have this in the logs:[2015/02/17 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection) smbldap_open_connection: connection opened[2015/02/17 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server[2015/02/17 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface[2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS][2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: user.ldap[2015/02/17 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1100[2015/02/17 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap) init_group_from_ldap: Entry found for group: 1100[2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check) ntlm_password_check: NO NT password stored for user user.ldap.[2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check) ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap[2015/02/17 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam) init_ldap_from_sam: Setting entry for user: user.ldap[2015/02/17 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security) check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.[2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password) check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD[2015/02/17 14:55:20.031307, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE[2015/02/17 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request) I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going ?Is it simply possible to just have a samba standalone which just use LDAP for authentication ?
> I got the same result with a Windows 7 client using GUI interface.
> Here is my smb.conf, if it could help:[global]
> workgroup = MYDOMAIN server string = TEST Samba Server Version %v domain logons = yes domain master = no
> # logs split per machine log file = /var/log/samba/log.%m # max 50KB per log file, then rotate max log size = 50
> # Audit vfs object = full_audit full_audit:prefix = %u|%I|%m|%S full_audit:success = all full_audit:failure = connect full_audit:facility = local7 full_audit:priority = notice
>
>
> encrypt passwords = yes security = user passdb backend = ldapsam:ldap://ldap.mydomain.com ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com" ldap suffix = o=mydomain, c=com ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap group suffix = ou=Groups ldap ssl = no ldap passwd sync = no log level = 3
>
> load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes
>
> [MyShare] comment = MyShare Stuff path = /srv/share public = yes writable = yes printable = no Thanks for any help you could give me! Best Regards

Hi,

your English isn't that bad, the same cannot be said for your email client :-)

Once I deciphered your email, it seems that you are trying to run a standalone server, if this is correct, why have you got this line in smb.conf:

    domain logons = yes

You also say that your standalone server has the same SID as the domain, what domain?

There is also this:

    Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE

Have you run 'smbpasswd -w PASSWORD'?

Rowland
Sgrunt _
2015-Feb-17 15:12 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
This is a repost of my first mail:
Hello,

I'm trying to configure a Samba server to simply use LDAP backend for
authenticate users. Just that, I don't care of PDC/BDC, etc.
The samba schema is present in the LDAP, and in the users profile.
The samba server have the same SID as the domain.
I can log to my samba server using LDAP account, so I think that NSS/PAM
stuffs are good.

The thing is that when I try this command:

    smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap

I get this:

    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0
    Enter user.ldap's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

And on the samba server site, I have this in the logs:

    [2015/02/17 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection)
      smbldap_open_connection: connection opened
    [2015/02/17 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system)
      ldap_connect_system: successful connection to the LDAP server
    [2015/02/17 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password)
      check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface
    [2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password)
      check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS]
    [2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
      init_sam_from_ldap: Entry found for user: user.ldap
    [2015/02/17 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 1100
    [2015/02/17 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 1100
    [2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
      ntlm_password_check: NO NT password stored for user user.ldap.
    [2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
      ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
    [2015/02/17 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
      init_ldap_from_sam: Setting entry for user: user.ldap
    [2015/02/17 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security)
      check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
    [2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
      check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
    [2015/02/17 14:55:20.031307, 3] smbd/error.c:81(error_packet_set)
      error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2015/02/17 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common)
      Server exit (failed to receive smb request)

I don't understand the NT_STATUS_WRONG_PASSWORD thing...
Where can I look to understand what is going ?
Is it simply possible to just have a samba standalone which just use LDAP
for authentication ?

I got the same result with a Windows 7 client using GUI interface.

Here is my smb.conf, if it could help:

    [global]
        workgroup = MYDOMAIN
        server string = TEST Samba Server Version %v
        domain logons = yes
        domain master = no

        # logs split per machine
        log file = /var/log/samba/log.%m
        # max 50KB per log file, then rotate
        max log size = 50

        # Audit
        vfs object = full_audit
        full_audit:prefix = %u|%I|%m|%S
        full_audit:success = all
        full_audit:failure = connect
        full_audit:facility = local7
        full_audit:priority = notice

        encrypt passwords = yes
        security = user
        passdb backend = ldapsam:ldap://ldap.mydomain.com
        ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"
        ldap suffix = o=mydomain, c=com
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap group suffix = ou=Groups
        ldap ssl = no
        ldap passwd sync = no
        log level = 3

        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

    [MyShare]
        comment = MyShare Stuff
        path = /srv/share
        public = yes
        writable = yes
        printable = no

Thanks for any help you could give me!
Best Regards

> Date: Tue, 17 Feb 2015 15:34:13 +0100
> From: mmuehlfeld at samba.org
> To: sgrunt91 at hotmail.com; samba at lists.samba.org
> Subject: Re: [Samba] Auth fail on Samba standalone server with LDAP backend
>
> Hello Jeremy,
>
> please re-post. Your mail lost all newlines in your log snippet and
> config and whatever else was in there. It's almost unreadable without
> newlines. Or put it on a paste service like https://cpaste.org/ please.
>
> Regards,
> Marc