R. Jeremy
2015-Feb-17 14:09 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
Hello,

My apologies for my bad English, this is not my birth language and I'm still learning it.

I'm trying to configure a Samba server to simply use LDAP backend for authenticate users. Just that, I don't care of PDC/BDC, etc.
The samba schema is present in the LDAP, and in the users profile.
The samba server have the same SID as the domain.
I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs are good.

The thing is that when I try this command:

smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap

I get this:

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0
Enter user.ldap's password:
session setup failed: NT_STATUS_LOGON_FAILURE

And on the samba server site, I have this in the logs:

[2015/02/17 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2015/02/17 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2015/02/17 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface
[2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS]
[2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: user.ldap
[2015/02/17 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1100
[2015/02/17 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1100
[2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
  ntlm_password_check: NO NT password stored for user user.ldap.
[2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
[2015/02/17 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: user.ldap
[2015/02/17 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
[2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/17 14:55:20.031307, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2015/02/17 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going?
Is it simply possible to just have a samba standalone which just use LDAP for authentication?

I got the same result with a Windows 7 client using GUI interface.

Here is my smb.conf, if it could help:

[global]
    workgroup = MYDOMAIN
    server string = TEST Samba Server Version %v
    domain logons = yes
    domain master = no

    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50

    # Audit
    vfs object = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = all
    full_audit:failure = connect
    full_audit:facility = local7
    full_audit:priority = notice

    encrypt passwords = yes
    security = user
    passdb backend = ldapsam:ldap://ldap.mydomain.com
    ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"
    ldap suffix = o=mydomain, c=com
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = no
    ldap passwd sync = no
    log level = 3

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[MyShare]
    comment = MyShare Stuff
    path = /srv/share
    public = yes
    writable = yes
    printable = no

Thanks for any help you could give me!

Best Regards
Marc Muehlfeld
2015-Feb-17 14:34 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
Hello Jeremy,

please re-post. Your mail lost all newlines in your log snippet and config and whatever else was in there. It's almost unreadable without newlines. Or put it on a paste service like https://cpaste.org/ please.

Regards,
Marc
Rowland Penny
2015-Feb-17 14:34 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
On 17/02/15 14:09, R. Jeremy wrote:
> Hello,
> My apologies for my bad English, this is not my birth language and I'm still learning it.
> I'm trying to configure a Samba server to simply use LDAP backend for authenticate users. Just that, I don't care of PDC/BDC, etc.
> The samba schema is present in the LDAP, and in the users profile.
> The samba server have the same SID as the domain.
> I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs are good.
> The thing is that when I try this command:
> smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap
> I get this:
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0
> Enter user.ldap's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
> And on the samba server site, I have this in the logs:
> [2015/02/17 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> [2015/02/17 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system)
>   ldap_connect_system: successful connection to the LDAP server
> [2015/02/17 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface
> [2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password)
>   check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS]
> [2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
>   init_sam_from_ldap: Entry found for user: user.ldap
> [2015/02/17 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
>   init_group_from_ldap: Entry found for group: 1100
> [2015/02/17 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
>   init_group_from_ldap: Entry found for group: 1100
> [2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
>   ntlm_password_check: NO NT password stored for user user.ldap.
> [2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
>   ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
> [2015/02/17 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
>   init_ldap_from_sam: Setting entry for user: user.ldap
> [2015/02/17 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security)
>   check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
> [2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
>   check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
> [2015/02/17 14:55:20.031307, 3] smbd/error.c:81(error_packet_set)
>   error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2015/02/17 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common)
>   Server exit (failed to receive smb request)
> I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going?
> Is it simply possible to just have a samba standalone which just use LDAP for authentication?
> I got the same result with a Windows 7 client using GUI interface.
> Here is my smb.conf, if it could help:
> [global]
>     workgroup = MYDOMAIN
>     server string = TEST Samba Server Version %v
>     domain logons = yes
>     domain master = no
>     # logs split per machine
>     log file = /var/log/samba/log.%m
>     # max 50KB per log file, then rotate
>     max log size = 50
>     # Audit
>     vfs object = full_audit
>     full_audit:prefix = %u|%I|%m|%S
>     full_audit:success = all
>     full_audit:failure = connect
>     full_audit:facility = local7
>     full_audit:priority = notice
>
>
>     encrypt passwords = yes
>     security = user
>     passdb backend = ldapsam:ldap://ldap.mydomain.com
>     ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"
>     ldap suffix = o=mydomain, c=com
>     ldap user suffix = ou=Users
>     ldap machine suffix = ou=Computers
>     ldap group suffix = ou=Groups
>     ldap ssl = no
>     ldap passwd sync = no
>     log level = 3
>
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
>
> [MyShare]
>     comment = MyShare Stuff
>     path = /srv/share
>     public = yes
>     writable = yes
>     printable = no
> Thanks for any help you could give me!
> Best Regards

Hi, your English isn't that bad, the same cannot be said for your email client :-)

Once I deciphered your email, it seems that you are trying to run a standalone server, if this is correct, why have you got this line in smb.conf:

domain logons = yes

You also say that your standalone server has the same SID as the domain, what domain?

There is also this:

Enter user.ldap's password:session setup failed: NT_STATUS_LOGON_FAILURE

Have you run 'smbpasswd -w PASSWORD'

Rowland
Sgrunt _
2015-Feb-17 15:12 UTC
[Samba] Auth fail on Samba standalone server with LDAP backend
This is a repost of my first mail:

Hello,

I'm trying to configure a Samba server to simply use LDAP backend for authenticate users. Just that, I don't care of PDC/BDC, etc.
The samba schema is present in the LDAP, and in the users profile.
The samba server have the same SID as the domain.
I can log to my samba server using LDAP account, so I think that NSS/PAM stuffs are good.

The thing is that when I try this command:

smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap

I get this:

rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0
Enter user.ldap's password:
session setup failed: NT_STATUS_LOGON_FAILURE

And on the samba server site, I have this in the logs:

[2015/02/17 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2015/02/17 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2015/02/17 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYGROUP]\[user.ldap]@[CLIENT_WS] with the new password interface
[2015/02/17 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOMAIN]\[user.ldap]@[CLIENT_WS]
[2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: user.ldap
[2015/02/17 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1100
[2015/02/17 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 1100
[2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
  ntlm_password_check: NO NT password stored for user user.ldap.
[2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
[2015/02/17 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: user.ldap
[2015/02/17 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
[2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/02/17 14:55:20.031307, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2015/02/17 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going?
Is it simply possible to just have a samba standalone which just use LDAP for authentication?

I got the same result with a Windows 7 client using GUI interface.

Here is my smb.conf, if it could help:

[global]
    workgroup = MYDOMAIN
    server string = TEST Samba Server Version %v
    domain logons = yes
    domain master = no

    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50

    # Audit
    vfs object = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = all
    full_audit:failure = connect
    full_audit:facility = local7
    full_audit:priority = notice

    encrypt passwords = yes
    security = user
    passdb backend = ldapsam:ldap://ldap.mydomain.com
    ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"
    ldap suffix = o=mydomain, c=com
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap ssl = no
    ldap passwd sync = no
    log level = 3

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

[MyShare]
    comment = MyShare Stuff
    path = /srv/share
    public = yes
    writable = yes
    printable = no

Thanks for any help you could give me!

Best Regards

> Date: Tue, 17 Feb 2015 15:34:13 +0100
> From: mmuehlfeld at samba.org
> To: sgrunt91 at hotmail.com; samba at lists.samba.org
> Subject: Re: [Samba] Auth fail on Samba standalone server with LDAP backend
>
> Hello Jeremy,
>
> please re-post. Your mail lost all newlines in your log snippet and
> config and whatever else was in there. It's almost unreadable without
> newlines. Or put it on a paste service like https://cpaste.org/ please.
>
> Regards,
> Marc
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
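
In the log excerpt posted in this thread, two ntlm_password_check notes appear just before the NT_STATUS_WRONG_PASSWORD result. The following is an added example, not part of any post in the thread and not Samba code: it joins each log header with its message and attaches those notes to the failed logon. The function names and the hint text (which names the ldapsam attribute sambaNTPassword) are assumptions of the example, not statements made in the thread.

```python
import re

# Samba debug entry header: "[date time, level] file:line(function)";
# the message text follows on the next, indented line(s).
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] (\S+):(\d+)\((\w+)\)\s*$")
NTLM_NOTE = re.compile(r"ntlm_password_check: (.+?) for user (\S+?)\.?$")
FAILED = re.compile(r"Authentication for user \[.+?\] -> \[(.+?)\] FAILED with error (\w+)")
# Hint text is an assumption from general ldapsam behaviour, not from the thread.
HINTS = {"NO NT password stored":
         "no NT hash was loaded; check the entry's sambaNTPassword attribute"}

# Log lines copied from the post, laid out as header + indented message.
SAMPLE_LOG = """\
[2015/02/17 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: user.ldap
[2015/02/17 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
  ntlm_password_check: NO NT password stored for user user.ldap.
[2015/02/17 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
[2015/02/17 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def parse_entries(text):
    """Join each header line with its indented message line(s)."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "func": m.group(5), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def explain_failures(text):
    """Pair every FAILED result with the ntlm_password_check notes before it."""
    notes, results = {}, []
    for e in parse_entries(text):
        note = NTLM_NOTE.search(e["msg"])
        failed = FAILED.search(e["msg"])
        if note:
            notes.setdefault(note.group(2), []).append(note.group(1))
        elif failed:
            reasons = notes.pop(failed.group(1), [])
            results.append({"user": failed.group(1), "status": failed.group(2),
                            "time": e["time"], "reasons": reasons,
                            "hints": [HINTS[r] for r in reasons if r in HINTS]})
    return results

if __name__ == "__main__":
    print(explain_failures(SAMPLE_LOG))
```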