LinuxQuestions.org


tristanm 10-20-2007 02:35 AM

SAMBA and LDAP configuration issues
 
I am running an LDAP server (openldap version 2.3.27) on RHEL 5 server.
It is configured correctly to allow remote linux logins.
I am also trying to use it as the user database for a SAMBA server running on the same machine.
I have version 3.0.23 of SAMBA.

I can successfully join my windows server to the domain using the samba administrator credentials.
I can successfully login to the windows server using the samba administrator credentials and I get the correct home directory mounted on my H: drive.

However, I am unable to login as a user from the LDAP database at the windows login screen.
I get the following message from windows:
The system cannot log you on due to the following error:
A device attached to the system is not functioning.


This is very strange because, if I login locally to the windows server and browse to the samba server in Windows Explorer, I can click on the server and it will ask me for a user name and password. If I put any username and password in the LDAP database, I can see the contents of the server applicable to that user. I even get the correct home directory (shown in network places but not mounted on H:) and permissions!

I would really appreciate some help here. This is a very frustrating problem and no amount of googling has produced the solution.

Sincerely
Tristan

p.s. I am posting this here because the SAMBA mailing list keeps bouncing it.

p.p.s. Another weird phenomenon has arisen in the last two days. I can join the domain using the SAMBA administrator's credentials from only two machines. None of the other machines I have tried will join. They all give me a message saying cannot find user.

jschiwal 10-20-2007 05:09 AM

Enter the exact error message in Google surrounded in double quotes.

tristanm 10-21-2007 02:46 AM

Been there, done that. There are a large number of solutions returned by Google, none of which apply to this specific situation. I have tried most of them and none of them work for me. I spent approximately three days trying to solve this problem by following tutorials and suggested solutions returned by googling the error.

It seems that SAMBA is not using the LDAP database correctly and I suspect that this is a problem with my SAMBA configuration file. I will post my samba configuration file here when I return to work tomorrow.

jschiwal 10-21-2007 06:07 AM

Look for a samba-doc package. The "Samba-3 By Example" and "Samba 3 Howto & Reference Guide" books cover LDAP. Look at the troubleshooting section as well.

tristanm 10-23-2007 05:18 AM

I have not found anything in the SAMBA manuals, books or troubleshooting sections that will help me.

smb.conf

Code:

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/10/22 16:07:42

[global]
        workgroup = SAMBA
        server string = Samba Server
        interfaces = eth0, lo
        bind interfaces only = Yes
        passdb backend = ldapsam:ldap://example.com/
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        unix password sync = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        time server = Yes
        add user script = /usr/local/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/local/sbin/smbldap-userdel %u
        add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/local/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
        logon path = \\%L\%U\profile
        logon drive = H:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=example,dc=com
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=example,dc=com
        ldap ssl = start tls
        ldap user suffix = ou=People
        hosts allow = 192.168.1.0/24, 127.0.0.0/8
        hosts deny = ALL

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[netlogon]
        comment = Domain logon
        path = /var/lib/samba/netlogon
        guest ok = Yes
        hosts allow =
        hosts deny =

[share]
        comment = Domain logon
        path = /var/lib/samba/netlogon
        guest ok = Yes
        hosts allow =
        hosts deny =

Using tcpdump to dump port 445 during an attempted domain login gives output which doesn't make sense (I think it's encrypted). Dumping port 139 shows nothing.

The samba message log for the host I am trying to login from shows the following:
Code:

_net_sam_logon: user username has user sid S-1-5-21-1121210806-1153956821-1881123185
  but group sid S-1-5-21-1121210806-1153956821-1881123185-513.
  The conflicting domain portions are not supported for NETLOGON calls

The Samba server daemon message log shows:
Code:

[2007/10/23 12:01:47, 0] lib/util_sock.c:get_peer_addr(1229)
  getpeername failed. Error was Transport endpoint is not connected

I have spent many hours googling all of these error messages and have not yet found a solution that works for me. Please, I would really appreciate some help. It seems that there is a problem writing to disk or reading the LDAP database or maybe even writing to the LDAP database...
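As an added example (not code from the thread), the check below mirrors the comparison behind the _net_sam_logon message above: the domain portion of a user's sambaSID (everything before the final sub-authority, the RID) must equal the domain portion of its sambaPrimaryGroupSID. The entries are constructed from the SIDs in the log; in practice they would come from an ldapsearch over the user suffix.

```python
import re

# Added example (not from the thread). Samba's _net_sam_logon requires the domain
# portion (everything before the final sub-authority, the RID) of a user's sambaSID
# to equal that of its sambaPrimaryGroupSID; the log above fails exactly this test.
SID_RE = re.compile(r"^S-1-5-21(?:-\d+)+$")

def split_sid(sid):
    """Split a domain SID into (domain portion, RID)."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain SID: %r" % sid)
    head, rid = sid.rsplit("-", 1)
    return head, int(rid)

def check_entry(entry, domain_sid):
    """Return the problems found in one ldapsam user entry (dict of attributes)."""
    user_sid = entry.get("sambaSID")
    group_sid = entry.get("sambaPrimaryGroupSID")
    if not user_sid or not group_sid:
        return ["missing sambaSID or sambaPrimaryGroupSID"]
    problems = []
    if user_sid == domain_sid:
        # The shape in the thread's log: the user SID is the bare domain SID.
        problems.append("sambaSID is the domain SID itself (no RID appended)")
    user_dom, _ = split_sid(user_sid)
    group_dom, _ = split_sid(group_sid)
    if user_dom != group_dom:
        problems.append("conflicting domain portions: %s vs %s" % (user_dom, group_dom))
    return problems

def audit(entries, domain_sid):
    """Map uid -> problems for every entry that has any."""
    result = {}
    for entry in entries:
        problems = check_entry(entry, domain_sid)
        if problems:
            result[entry["uid"]] = problems
    return result

# Constructed sample entries (as ldapsearch would return them): the domain SID from
# the thread's log, the broken user from the log, and a correctly numbered user.
DOMAIN_SID = "S-1-5-21-1121210806-1153956821-1881123185"
SAMPLE_ENTRIES = [
    {"uid": "username", "sambaSID": DOMAIN_SID,
     "sambaPrimaryGroupSID": DOMAIN_SID + "-513"},
    {"uid": "alice", "sambaSID": DOMAIN_SID + "-3000",
     "sambaPrimaryGroupSID": DOMAIN_SID + "-513"},
]
```

Running audit(SAMPLE_ENTRIES, DOMAIN_SID) flags only "username", with both the missing RID and the mismatched domain portions.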

zen0n 10-26-2007 04:04 PM

I think your best bet would be to reconfigure samba and smbldap-tools packages to not use any kind of encryption when talking to your ldap server. It's far easier to troubleshoot when the data is in the clear. You can always enable encryption later.

Also, I'm going to assume in your smb.conf the line

passdb backend = ldapsam:ldap://example.com/

was you just hiding the true name of your ldap server. If not, that needs to get fixed asap :)

After that I would watch both the ldap logs and traffic to see what happens when samba tries to talk to ldap.

zen0n

tristanm 10-27-2007 05:49 AM

Hi zen0n

Yes: example.com is simply hiding the name of my ldap server. SAMBA can communicate with the LDAP server because I can authenticate with LDAP credentials when viewing the Samba server from Network Neighbourhood on another Windows machine.
The problem arises when I try and log on to the domain using LDAP credentials.

I have tried without encryption but I still seem to get the same problem. I don't really need encryption since both the SAMBA server and the LDAP server run on the same host.

I never thought of looking at the LDAP logs. I will give that a try next week.

A note: I am also exporting the home directories with NFS for the linux boxes on my network. Yesterday I tried turning the NFS server off and then logging into the SAMBA domain and I still get the same error message: A device attached to the system is not functioning.

jschiwal 10-27-2007 06:21 AM

This seems out of place if you are using ldap:
Code:

        passwd program = /usr/bin/passwd %u
Also, this samba.org mailing list has a user with 2 of your errors. The problem in that case is with some mappings.
http://lists.samba.org/archive/samba...il/084342.html

----

Maybe this explains why (from the smbldap-tools.pdf):
Code:

6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
      is not called, or I got an error message when changing the password
      from windows
The directive is called if you also set unix password sync = Yes. Notes:
  • if you use OpenLDAP, none of those two options are needed. You just need ldap
    passwd sync = Yes.
  • the script called here must only update the userPassword attribute. This is the reason
    for the -u option. Samba passwords will be updated by samba itself.
  • the passwd chat directive must match what is prompted when using the smbldap-passwd
    command
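An added example, not from the thread or the smbldap-tools documentation: a small checker that applies the password-sync rules quoted above to the [global] section of an smb.conf, run here over a constructed excerpt of the first configuration posted in this thread.

```python
# Added example (not from the thread): apply the password-sync rules quoted above
# from the smbldap-tools documentation to the [global] section of an smb.conf,
# reproducing jschiwal's observation about tristanm's first configuration.
def parse_global(text):
    """Return {lower-cased parameter: value} for the [global] section of an smb.conf."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def check_password_sync(params):
    """Warnings about passwd program / unix password sync / ldap passwd sync for ldapsam."""
    warnings = []
    if not params.get("passdb backend", "").lower().startswith("ldapsam:"):
        return warnings  # the rules below only concern the LDAP backend
    prog = params.get("passwd program", "")
    ldap_sync = is_yes(params.get("ldap passwd sync", "no"))
    unix_sync = is_yes(params.get("unix password sync", "no"))
    if prog and "smbldap-passwd" not in prog:
        warnings.append("passwd program is not the smbldap-passwd -u %u wrapper the "
                        "smbldap-tools doc expects with ldapsam: " + prog)
    if ldap_sync and (unix_sync or prog):
        warnings.append("with OpenLDAP, ldap passwd sync = Yes makes unix password sync "
                        "and passwd program unnecessary")
    if unix_sync and not prog:
        warnings.append("unix password sync = Yes but no passwd program is set")
    return warnings

# Constructed excerpt of the first smb.conf posted in this thread.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = SAMBA
        passdb backend = ldapsam:ldap://example.com/
        passwd program = /usr/bin/passwd %u
        unix password sync = Yes
        ldap passwd sync = Yes

[homes]
        read only = No
"""
```

check_password_sync(parse_global(SAMPLE_SMB_CONF)) returns two warnings for the excerpt: the local passwd binary in passwd program, and the redundant unix password sync / passwd program pair alongside ldap passwd sync.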


tristanm 11-15-2007 12:43 AM

I've changed the password program. In fact, because I am using OpenLDAP I have removed the directive completely according to the second part of jschiwal's reply. I have also removed the unix password sync directive and the ldap password sync was always set to yes.

Here is the new version of the config file:

Code:

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2007/11/15 08:10:22

[global]
        workgroup = SAMBA
        netbios name = TANGO
        server string = Samba Server
        passdb backend = ldapsam:ldap://192.168.1.11/
        pam password change = Yes
        log file = /var/log/samba/%m.log
        max log size = 50
        add user script = /usr/local/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/local/sbin/smbldap-userdel %u
        add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/local/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/local/sbin/smbldap-useradd -t 0 -w "%u"
        logon drive = H:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        ldap admin dn = cn=admin,dc=tmi
        ldap group suffix = ou=groups
        ldap machine suffix = ou=computers
        ldap passwd sync = Yes
        ldap suffix = dc=tmi
        ldap ssl = start tls
        ldap user suffix = ou=People

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[netlogon]
        comment = Domain logon
        path = /var/lib/samba/netlogon
        browseable = No

[share]
        comment = Shared directory
        path = /home/share
        guest ok = Yes

I cannot find the database file group_mapping.tdb mentioned here: http://lists.samba.org/archive/samba...il/084342.html

The error message has changed! I now get:
Quote:

The system could not log you on. Make sure that your User name and domain are correct, then type your password again.
When I try to change the password on the Samba server using the following command:
Code:

smbpasswd username
I get the following error message:
Quote:

Failed to issue the StartTLS instruction: Connect error
Connection to LDAP server failed for the 1 try!
So it seems that Samba is failing to connect to LDAP using TLS. When I set:
Code:

ldap ssl = no
the system gives me my original error message about a device attached to the system not functioning.

Do I need to tell Samba where the ldap server certificate is? How do I do that?

