I'm having trouble setting up Samba as a PDC on an Apple Xserve, using
Yellow Dog Linux 4.0. After a lot of thrashing, I believe the problem
may be smbpasswd generating the wrong NT hash. Running smbpasswd on a
Red Hat box (Intel architecture) produces the following LDAP entry:

dn: uid=testuser2,ou=Users,dc=allstate,dc=network
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser2
sn: testuser2
uid: testuser2
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/testuser2
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-813279244-2815909583-2512609307-3012
sambaPrimaryGroupSID: S-1-5-21-813279244-2815909583-2512609307-513
displayName: System User
sambaPwdMustChange: 2147483647
sambaAcctFlags: [U ]
sambaPwdCanChange: 1100885825
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4

Running smbpasswd on the Xserve produces the following entry:

dn: uid=testuser1,ou=Users,dc=allstate,dc=network
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: testuser1
sn: testuser1
uid: testuser1
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/testuser1
loginShell: /bin/bash
gecos: System User
description: System User
sambaSID: S-1-5-21-471028381-1047030085-1551032810-3000
sambaPrimaryGroupSID: S-1-5-21-471028381-1047030085-1551032810-513
displayName: System User
sambaPasswordHistory:
sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
sambaPwdCanChange: 1100920198
sambaPwdMustChange: 2147483647
sambaNTPassword: CAE238A01BFF98AB2A465882B20D01B7
sambaPwdLastSet: 1100920198
sambaAcctFlags: [U ]
userPassword:: e1NNRDV9Z09tN08zWjJ6TEpOQUNvdDVYN0FQTCs2NWM0PQ==

Notice that the sambaNTPassword: entries are different! And if I run:

[EMAIL PROTECTED] /]# smbclient -L localhost -U testuser1%123456
Domain=[ALLSTATE] OS=[Unix] Server=[Samba 3.0.8]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk
        public          Disk      Repertoire public
        IPC$            IPC       IPC Service (Samba Server 3.0.8)
        ADMIN$          IPC       IPC Service (Samba Server 3.0.8)
        testuser1       Disk      repertoire de testuser1, testuser1
Domain=[ALLSTATE] OS=[Unix] Server=[Samba 3.0.8]

        Server               Comment
        ---------            -------
        PDC-SMB3             Samba Server 3.0.8

        Workgroup            Master
        ---------            -------
        ALLSTATE             PDC-SMB3
        INDIANA              EWC-TECH

Seems to work just fine, but if I try that from the Red Hat box (or
from a Windows machine):

smbclient -L PDC-SMB3 -U testuser1%123456
added interface ip=192.168.1.253 bcast=192.168.1.255 nmask=255.255.255.0
Got a positive name query response from 192.168.1.5 ( 192.168.1.5 )
session setup failed: NT_STATUS_LOGON_FAILURE

I thought I had resolved the problem by using smbldap-passwd, which
uses Crypt::SmbHash and produces the correct sambaNTPassword; I can
authenticate from the Windows box and from the Intel Red Hat box just
fine, even though smbclient -L localhost -U testuser1%123456 from the
Xserve fails. But alas, when I try to add a Windows XP box to the
domain I get an access denied error. I've done some googling, but
haven't found the solution to this dilemma. Is anyone else trying this?
Is this a new bug, or am I RTFing the wrong Manual?

smb.conf follows:

# Global parameters
[global]
workgroup = allstate
netbios name = PDC-SMB3
#interfaces = 192.168.5.11
username map = /etc/samba/smbusers
#admin users= @"Domain Admins"
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
log level = 20
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com";
# ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
#ldap admin dn = cn=samba,ou=DSA,dc