
I'm trying to configure a Samba server to simply use an LDAP backend to authenticate users. Just that; I don't care about PDC/BDC, etc.

The Samba schema is present in the LDAP and in the users' profiles, and this LDAP server is already used by another Samba server, which is probably a PDC. But I don't have write access to the LDAP or to that Samba server; I can only read the LDAP entries.

I can log in via SSH to my Samba server using an LDAP account, so I think the NSS/PAM stuff is fine.

The thing is that when I try this command:

    smbclient -d 2 //sandbox-samba.mydomain.com/MyShare -U user.ldap

I get this:

    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    added interface eth0 ip=10.X.X.19 bcast=10.X.X.255 netmask=255.255.255.0
    Enter user.ldap's password:
    session setup failed: NT_STATUS_LOGON_FAILURE

And on the Samba server side, I have this in the Samba logs:

    [2015/03/24 14:55:19.913036, 2] lib/smbldap.c:1018(smbldap_open_connection)
      smbldap_open_connection: connection opened
    [2015/03/24 14:55:19.916244, 3] lib/smbldap.c:1240(smbldap_connect_system)
      ldap_connect_system: successful connection to the LDAP server
    [2015/03/24 14:55:19.918237, 3] auth/auth.c:219(check_ntlm_password)
      check_ntlm_password: Checking password for unmapped user [MYGROUP][user.ldap]@[CLIENT_WS] with the new password interface
    [2015/03/24 14:55:19.918387, 3] auth/auth.c:222(check_ntlm_password)
      check_ntlm_password: mapped user is: [MYDOMAIN][user.ldap]@[CLIENT_WS]
    [2015/03/24 14:55:19.939873, 2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
      init_sam_from_ldap: Entry found for user: user.ldap
    [2015/03/24 14:55:20.025999, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 1100
    [2015/03/24 14:55:20.029060, 2] passdb/pdb_ldap.c:2427(init_group_from_ldap)
      init_group_from_ldap: Entry found for group: 1100
    [2015/03/24 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
      ntlm_password_check: NO NT password stored for user user.ldap.
    [2015/03/24 14:55:20.029667, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
      ntlm_password_check: Lanman passwords NOT PERMITTED for user user.ldap
    [2015/03/24 14:55:20.030792, 2] passdb/pdb_ldap.c:1180(init_ldap_from_sam)
      init_ldap_from_sam: Setting entry for user: user.ldap
    [2015/03/24 14:55:20.030989, 3] auth/auth_winbind.c:60(check_winbind_security)
      check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
    [2015/03/24 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
      check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
    [2015/03/24 14:55:20.031307, 3] smbd/error.c:81(error_packet_set)
      error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2015/03/24 14:55:20.031968, 3] smbd/server_exit.c:181(exit_server_common)
      Server exit (failed to receive smb request)

I don't understand the NT_STATUS_WRONG_PASSWORD thing... Where can I look to understand what is going on?

Is it simply possible to have a Samba server which just uses LDAP for authentication?

I got the same result with a Windows 7 client using the GUI.

Here is my smb.conf, in case it helps:

    [global]
    workgroup = MYDOMAIN
    netbios name = machinename
    server string = %h
    server string = TEST Samba Server Version %v
    domain logons = no
    domain master = no
    log file = /var/log/samba/log.%m
    max log size = 50
    vfs object = full_audit
    full_audit:prefix = %u|%I|%m|%S
    full_audit:success = all
    full_audit:failure = connect
    full_audit:facility = local7
    full_audit:priority = notice
    encrypt passwords = yes
    security = user
    passdb backend = ldapsam:ldap://ldap.mydomain.com
    ldap admin dn = "uid=administrator,ou=Users,o=mydomain,c=com"
    ldap suffix = o=mydomain, c=com
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap ssl = no
    ldap passwd sync = only
    log level = 3
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    [MyShare]
    comment = MyShare Stuff
    path = /srv/share
    public = yes
    writable = yes
    printable = no

Thanks for any help you could give me!

Best Regards

pillopi
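
As an added example (not code from the question or the answer), here is a small Python parser for Samba 3 debug logs like the one above: it pairs each `[timestamp, level] file:line(function)` header with the message on the following line, then separates the verdict of the password check (NT_STATUS_WRONG_PASSWORD) from the generic status smbd returns to the client (NT_STATUS_LOGON_FAILURE) and flags the diagnostic that explains it. The explanation attached to "NO NT password stored" is my reading of that ntlm_password_check message (the sambaNTPassword hash was not available to smbd), not text from the page.

```python
import re
# Samba 3 debug header "[timestamp, level] file.c:line(function)"; the message follows on the next line.
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] \S+?:\d+\((?P<func>\w+)\)$")

# ntlm_password_check diagnostics that explain a WRONG_PASSWORD verdict (explanations are mine).
ROOT_CAUSES = {
    "NO NT password stored": "no sambaNTPassword hash was available for this user "
                             "(attribute absent from the entry, or not readable by the DN Samba binds as)",
}

def parse_samba_log(text):
    """Pair each header line with its message line; returns one dict per entry."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            header = m
        elif header is not None:
            entries.append({"ts": header["ts"], "level": int(header["level"]),
                            "func": header["func"], "msg": line})
            header = None
    return entries

def diagnose(entries):
    """Return the password-check verdict, the status sent to the client, and the causes seen."""
    report = {"auth_status": None, "client_status": None, "causes": []}
    for e in entries:
        for needle, why in ROOT_CAUSES.items():
            if needle in e["msg"]:
                report["causes"].append((e["func"], why))
        st = re.search(r"NT_STATUS_\w+", e["msg"])
        if st and e["func"] == "check_ntlm_password":
            report["auth_status"] = st.group(0)    # verdict of the passdb password check
        elif st and e["func"] == "error_packet_set":
            report["client_status"] = st.group(0)  # generic status smbd returns to the client
    return report

# Constructed sample: the decisive lines from the log excerpt in the question.
SAMPLE = """
[2015/03/24 14:55:20.029424, 3] ../libcli/auth/ntlm_check.c:309(ntlm_password_check)
  ntlm_password_check: NO NT password stored for user user.ldap.
[2015/03/24 14:55:20.031126, 2] auth/auth.c:330(check_ntlm_password)
  check_ntlm_password: Authentication for user [user.ldap] -> [user.ldap] FAILED with error NT_STATUS_WRONG_PASSWORD
[2015/03/24 14:55:20.031307, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""
```

Run `diagnose(parse_samba_log(open("/var/log/samba/log.CLIENT_WS").read()))` against the real log file to get the same report for a live failure.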

1 Answer


You have 'encrypt passwords = yes'. From smb.conf (Samba 3):

... In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain|ads] parameter which causes smbd to authenticate against another server. ...

You also have 'security = user' (i.e. none of [server|domain|ads]).

spuk