fbreves
Nov 11 2004, 04:16 PM
Hi all,
I've been searching for answers to my problems with Win2k Pro and Server logging on to a Samba 3 PDC for some time and still don't have a clue.
The scenario seems to be simple. I'm using MDK 10.0 + Samba3 + OpenLDAP.
The versions are:
samba-winbind-3.0.6-4.1.100mdk
samba-swat-3.0.6-4.1.100mdk
samba-common-3.0.6-4.1.100mdk
samba-doc-3.0.6-4.1.100mdk
samba-server-3.0.6-4.1.100mdk
samba-client-3.0.6-4.1.100mdk
smbldap-tools 0.8.5
openldap-back_passwd-2.1.25-6mdk
openldap-2.1.25-6mdk
openldap-servers-2.1.25-6mdk
openldap-back_dnssrv-2.1.25-6mdk
openldap-clients-2.1.25-6mdk
libldap2-2.1.25-6mdk
nss_ldap-212-3mdk
openldap-back_ldap-2.1.25-6mdk
openldap-back_sql-2.1.25-6mdk
pam_ldap-167-3mdk
I'm able to join my Windows 2000 Pro and Servers to the domain without problems (the machine account is added automatically under the Computers OU). But once the system is restarted I'm not able to log on to the domain.
I already deactivated the registry entries for secure channel and Sign or Seal (the standard ones everyone talks about). Still can't log on.
I can see from the logs that the request is getting to the LDAP authentication directory. But the Win2k workstation returns a username or password error.
Any help will be appreciated.
regards,
Fabiano Breves
fbreves
Nov 11 2004, 06:49 PM
Below is part of the samba log file log.desenv02:
check_ntlm_password: Checking password for unmapped user [SMB3]\[patrick]@[DESENV02] with the new password interface
[2004/11/11 15:45:59, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [SMB3]\[patrick]@[DESENV02]
[2004/11/11 15:45:59, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(65534, 65534) : sec_ctx_stack_ndx = 1
[2004/11/11 15:45:59, 3] smbd/uid.c:push_conn_ctx(364)
push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2004/11/11 15:45:59, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/11/11 15:45:59, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
init_sam_from_ldap: Entry found for user: patrick
[2004/11/11 15:45:59, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2004/11/11 15:45:59, 1] auth/auth_util.c:make_server_info_sam(822)
User patrick in passdb, but getpwnam() fails!
[2004/11/11 15:45:59, 0] auth/auth_sam.c:check_sam_security(306)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Any ideas of what is happening?
fbreves
Nov 15 2004, 01:23 PM
Someone may be interested to know that I solved the problem. There were 3 problems.
The first one was a misconfiguration. The SID number was different from the SID part of the users' sambaPrimaryGroupSID and sambaSID attributes.
The second was the permissions on the netlogon share; I had to set it to 1777.
The third one seems to be a BUG in this samba version. I had to manually add all my LDAP users to /etc/passwd. Now my getent passwd output shows me each LDAP user twice...
Now I can log on from Win2K servers and workstations...
Regards,
Fabiano Breves
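The first and third fixes above are both things a script can verify before rebooting a workstation: every sambaSID and sambaPrimaryGroupSID in the directory must carry the domain SID (what `net getlocalsid` prints) as its prefix, and every sambaSamAccount must resolve through getpwnam() exactly once. The following is an added example, not code from the thread or from Samba; the domain SID, the LDIF entries and the `getent passwd` output are constructed sample data, with `patrick` given a foreign SID and left out of the passwd database, and `alice` listed twice, to mirror the symptoms reported in this thread.

```python
"""Sanity checks for a Samba 3 + OpenLDAP PDC: SID consistency and NSS resolution.
Added example, not code from the original thread or from Samba."""
from collections import Counter

# Constructed sample data. In practice take DOMAIN_SID from `net getlocalsid`,
# the LDIF from `ldapsearch -x '(objectClass=sambaSamAccount)'` and the
# passwd dump from `getent passwd`.
DOMAIN_SID = "S-1-5-21-1234567890-987654321-111111111"

SAMPLE_LDIF = """\
dn: uid=patrick,ou=Users,dc=example,dc=com
uid: patrick
uidNumber: 1001
sambaSID: S-1-5-21-5555555555-6666666666-7777777777-3002
sambaPrimaryGroupSID: S-1-5-21-1234567890-987654321-111111111-513

dn: uid=alice,ou=Users,dc=example,dc=com
uid: alice
uidNumber: 1002
sambaSID: S-1-5-21-1234567890-987654321-111111111-3004
sambaPrimaryGroupSID: S-1-5-21-1234567890-987654321-111111111-513

dn: uid=desenv02$,ou=Computers,dc=example,dc=com
uid: desenv02$
uidNumber: 1100
sambaSID: S-1-5-21-1234567890-987654321-111111111-3200
sambaPrimaryGroupSID: S-1-5-21-1234567890-987654321-111111111-515
"""

SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1002:513:alice:/home/alice:/bin/bash
alice:x:1002:513:alice:/home/alice:/bin/bash
desenv02$:x:1100:515:desenv02$:/dev/null:/bin/false
"""


def parse_ldif(text):
    """Return one dict per blank-line-separated LDIF entry: attribute -> [values]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def domain_part(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def check_sids(entries, domain_sid):
    """Return (uid, attribute, sid) for every SID that does not belong to domain_sid.
    A mismatch here is exactly the first problem fixed in the thread."""
    problems = []
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in entry.get(attr, []):
                if domain_part(sid) != domain_sid:
                    problems.append((uid, attr, sid))
    return problems


def check_nss(entries, getent_output):
    """Compare LDAP uids with `getent passwd` output.
    Returns (missing, duplicates): 'missing' are accounts Samba finds in passdb
    but getpwnam() will not (the NT_STATUS_NO_SUCH_USER case in the log),
    'duplicates' are names served twice (e.g. from both files and ldap)."""
    names = [line.split(":")[0] for line in getent_output.splitlines() if line.strip()]
    counts = Counter(names)
    ldap_uids = [entry["uid"][0] for entry in entries if "uid" in entry]
    missing = sorted(uid for uid in ldap_uids if counts[uid] == 0)
    duplicates = sorted(name for name, count in counts.items() if count > 1)
    return missing, duplicates


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for uid, attr, sid in check_sids(entries, DOMAIN_SID):
        print(f"SID mismatch: {uid} {attr}={sid} (domain is {DOMAIN_SID})")
    missing, duplicates = check_nss(entries, SAMPLE_GETENT)
    print("not resolvable via getpwnam():", missing)
    print("served more than once by NSS:", duplicates)
```

Run it against real data by piping `ldapsearch -x -LLL '(objectClass=sambaSamAccount)' uid sambaSID sambaPrimaryGroupSID` into `parse_ldif` and `getent passwd` into `check_nss`; a non-empty `duplicates` list is the signature of the workaround in the third fix (the same users in both /etc/passwd and LDAP), which is worth removing once the NSS lookup itself works.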
spinynorman
Nov 15 2004, 02:13 PM
Thanks for the update.
Gowator
Nov 15 2004, 02:25 PM
Group mod request....
Can we put this into Tips 'n' Tricks?
Obviously not an issue we could help with, but very thoughtful of fbreves to post just the same....
spinynorman
Nov 15 2004, 02:35 PM
Done.
Urias Cruz
Aug 12 2007, 06:31 PM
Hi,
I had the same problem when I was setting up a PDC with SAMBA + LDAP.
The problem is that, even though SAMBA is using LDAP as the backend to look up the user and machine accounts, SAMBA will use a function called "getpwnam" to confirm that those accounts really exist in the NIS database. So you have to set NIS to search in the LDAP database.
To set NIS to look up in the LDAP database, you need to edit the "/etc/nsswitch.conf" file and "/etc/ldap.conf" - don't mistake /etc/ldap.conf for /etc/openldap/ldap.conf, because /etc/ldap.conf is used for NIS and /etc/openldap/ldap.conf is used for the LDAP client.
The /etc/nsswitch.conf must have these lines:
------------------------
group: files ldap
shadow: files ldap
passwd: files ldap
-----------------------
The /etc/ldap.conf must have these lines:
---------------------------------
HOST the_ip_address_of_your_ldap_server
URI ldap://the_ip_address_of_your_ldap_server
binddn cn=user_with_permission_to_look_up_in_ldap_sever,dc=your_suffix,dc=your_suffix
bindpw secret_of_the_user
---------------------------
I hope this helps you.
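The getpwnam() lookup Samba performs is answered by glibc's name service switch, configured in /etc/nsswitch.conf, and on this stack the `ldap` source is nss_ldap, configured in /etc/ldap.conf. Two things are worth checking mechanically when following the recipe above: that every database it lists actually names `ldap` as a source, and what the `bindpw` line implies. Because NSS runs inside every process (`ls -l` included), nss_ldap's /etc/ldap.conf has to be readable by all users, so a `bindpw` in it is a plaintext directory credential exposed to every local account; nss_ldap's documented alternative is `rootbinddn` with the password kept in /etc/ldap.secret (mode 0600), and a plain `ldap://` URI additionally sends that password unencrypted unless `ssl start_tls` or an `ldaps://` URI is used. The following is an added example, not code from the post or from nss_ldap; both config files are constructed samples (note the `shadow` line without `ldap`, and the world-readable mode passed to the checker).

```python
"""Check the NSS side of a Samba+LDAP PDC: nsswitch.conf sources and /etc/ldap.conf secrets.
Added example, not code from the original post or from nss_ldap."""
import stat

# Constructed sample files. For a real host read /etc/nsswitch.conf and
# /etc/ldap.conf (the nss_ldap one, not /etc/openldap/ldap.conf) and pass
# os.stat("/etc/ldap.conf").st_mode as the mode.
SAMPLE_NSSWITCH = """\
passwd: files ldap
shadow: files
group:  files ldap
hosts:  files dns
"""

SAMPLE_LDAP_CONF = """\
# nss_ldap / pam_ldap configuration
host 192.0.2.10
uri ldap://192.0.2.10
base dc=example,dc=com
binddn cn=nssproxy,dc=example,dc=com
bindpw secret
"""

# The three databases the post says must consult ldap.
NSS_DATABASES = ("passwd", "shadow", "group")


def parse_nsswitch(text):
    """Map database name -> list of sources, ignoring comments and blank lines."""
    databases = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, sources = line.partition(":")
        databases[name.strip()] = sources.split()
    return databases


def missing_ldap_sources(nsswitch_text):
    """Databases from NSS_DATABASES whose source list never reaches ldap."""
    databases = parse_nsswitch(nsswitch_text)
    return [db for db in NSS_DATABASES if "ldap" not in databases.get(db, [])]


def parse_ldap_conf(text):
    """nss_ldap uses 'keyword value' lines; keywords are case-insensitive."""
    options = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        options[key.lower()] = value.strip()
    return options


def ldap_conf_warnings(ldap_conf_text, file_mode):
    """Return warning strings for credential-handling problems in /etc/ldap.conf.
    file_mode is the st_mode of the file (e.g. 0o100644 for a 644 file)."""
    options = parse_ldap_conf(ldap_conf_text)
    warnings = []
    has_bindpw = "bindpw" in options
    if has_bindpw and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        warnings.append("bindpw stored in a file readable by non-root users; "
                        "use rootbinddn with /etc/ldap.secret (mode 0600) instead")
    uri = options.get("uri", "")
    cleartext = uri.startswith("ldap://") or ("host" in options and not uri)
    if has_bindpw and cleartext and options.get("ssl", "no") == "no":
        warnings.append("bindpw is sent in cleartext: no ldaps:// URI and no 'ssl start_tls'")
    return warnings


if __name__ == "__main__":
    print("databases not consulting ldap:", missing_ldap_sources(SAMPLE_NSSWITCH))
    for warning in ldap_conf_warnings(SAMPLE_LDAP_CONF, 0o100644):
        print("ldap.conf:", warning)
```

With the `shadow` line left as `files` only, PAM's password checks against LDAP users would still fail even though Samba's getpwnam() succeeds, which is why the recipe lists all three databases; the two ldap.conf warnings disappear once the bind password moves to /etc/ldap.secret and the transport is switched to `ldaps://` or `ssl start_tls`.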