Re: [Samba] Problem w/ Samba 3 & LDAP
On Friday 02 April 2004 12:16 am, Craig White wrote:
> On Thu, 2004-04-01 at 16:40, Ted Wisniewski wrote:
> > Ldapsearch was being a pain, so just grabbed the info from a "slapcat"
> > instead, which was simpler.
> ---
> crutches - life with LDAP is infinitely easier when you can get command
> of the ldap queries from the command line. That sharpens your
> understanding and skills of using LDAP.
> ---

Well, sometimes the best way is the simple way. Ldapsearch has a lot of
arguments to type to get a simple result. Besides, it asks for a password. ;->

> > So, now that I know what my "problem" is/was I am able
> > to move forward. The only issue I have now is that I have 9000 users
> > that I want to be able to log onto multiple domains. By having
> > to have the SID match the domain It presents a problem...
> >
> > I only want one password database to maintain... I guess I could get
> > clever with LDAP replication and have multiple LDAP's... This is a less
> > than Ideal solution. At this time I have large smbpasswd files that I
> > would like to not use. I guess my ideal solution would look like:
> >
> >           /--- Domain A
> >          /
> > LDAP ---+
> >          \
> >           \--- Domain B
> >
> > Since we use a web based password changer, I could have a separate
> > LDAP per Domain. I guess, in my ideal world I would have an LDAP
> > with multiple sambaSID's, each samba server would just pick the one
> > out of the LDAP that was appropriate to that Domain. I realize
> > that the current schema does not allow for this and that samba is not set
> > up to handle it either. Any ideas on how to accomplish something similar
> > without that ability.
>
> ahh - the million dollar question.
>
> Don't you want users to be able to change their password using the
> typical Windows change password tool instead of requiring them to change
> it via http? What about UserMgr.exe?

No. We are forcing all users to do password changes inside the campus portal.
This was a decision made to simplify support and drive people into using the
portal. Good or bad, it was the decision made.

> Anyway, if your LDAP skills are strong enough (I suspect not), you can
> use replication to have each PDC run the master of the primary Domain it
> is serving up and become a slave on the domains that it is not. Together
> with winbindd, this should prove to be the most flexible - of course you
> must set up 'trusts' between the various domains.

LDAP itself is a cake walk. The hard part is finding the best way to support
what we have, with all the limitations that come along with what we have. I'll
admit this is the first time integrating it with Samba. I want to seamlessly
change everything from using smbpasswd files (historical, we used them before
there was anything else) to LDAP and to simplify our backend. If it is not
seamless, I have unhappy users.

> LDAP is the tiger that you apparently don't want to ride but I have
> found it to be quite predictable.

Actually I am pushing LDAP, I have been using it in some form for about 4
years. Thanks for the advice, though you could lose the condescending tone.

Ted

--
| Ted Wisniewski                    E-Mail: [EMAIL PROTECTED]          |
| Manager, Systems Group            WEB:    http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                        |
| Plymouth State University         Phone:  (603) 535-2661               |
| Plymouth NH, 03264                Fax:    (603) 535-2263               |

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Problem w/ Samba 3 & LDAP
On Thu, 2004-04-01 at 16:40, Ted Wisniewski wrote:
> Ldapsearch was being a pain, so just grabbed the info from a "slapcat"
> instead, which was simpler.
---
crutches - life with LDAP is infinitely easier when you can get command
of the ldap queries from the command line. That sharpens your
understanding and skills of using LDAP.
---
> So, now that I know what my "problem" is/was I am able
> to move forward. The only issue I have now is that I have 9000 users
> that I want to be able to log onto multiple domains. By having
> to have the SID match the domain It presents a problem...
>
> I only want one password database to maintain... I guess I could get
> clever with LDAP replication and have multiple LDAP's... This is a less
> than Ideal solution. At this time I have large smbpasswd files that I
> would like to not use. I guess my ideal solution would look like:
>
>           /--- Domain A
>          /
> LDAP ---+
>          \
>           \--- Domain B
>
> Since we use a web based password changer, I could have a separate
> LDAP per Domain. I guess, in my ideal world I would have an LDAP
> with multiple sambaSID's, each samba server would just pick the one
> out of the LDAP that was appropriate to that Domain. I realize
> that the current schema does not allow for this and that samba is not set
> up to handle it either. Any ideas on how to accomplish something similar
> without that ability.

ahh - the million dollar question.

Don't you want users to be able to change their password using the
typical Windows change password tool instead of requiring them to change
it via http? What about UserMgr.exe?

Anyway, if your LDAP skills are strong enough (I suspect not), you can
use replication to have each PDC run the master of the primary Domain it
is serving up and become a slave on the domains that it is not. Together
with winbindd, this should prove to be the most flexible - of course you
must set up 'trusts' between the various domains.

LDAP is the tiger that you apparently don't want to ride but I have
found it to be quite predictable.

Craig
Re: [Samba] Problem w/ Samba 3 & LDAP
> > Example LDIF (NOT WORKING)
> > dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U ]
> > displayName: Not Working
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: notworking
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> > sambapwdCanChange: 1080739453
> > sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> > sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE

Ldapsearch was being a pain, so just grabbed the info from a "slapcat"
instead, which was simpler. Anyway, I did paste in the "SID" into the "Non
working" entry from the first (working) entry. I was then able to log on as
the non-working user.

> It appeared that you edited the info to the point of making it difficult
> to trust what is actually being reported from the ldapsearch command.
>
> It seems as though your smbuser in one case matches up to a unix user
> and in the other case (where it doesn't work) doesn't match up but if it
> works when you delete and then create the samba user, then both parts
> are certainly done.
>
> I have both posix and sambaSamAccount objectclass for all my users... a
> typical user looks like:

What I have is very similar. Many of the attributes are not required.

> NOTE:
> sambaPrimaryGroupSID: ends in -513 ("Domain Users")
> posix attributes not necessary with samba:
> loginShell, givenName, sn, cn, gecos, homeDirectory, and objectclasses
> posixAccount-inetOrgPerson-shadowAccount
>
> LDAP for samba should have 1 and only 1 domain (windows variety) and 1
> SID (obtainable with net getlocalSID command).

So, now that I know what my "problem" is/was I am able to move forward. The
only issue I have now is that I have 9000 users that I want to be able to log
onto multiple domains. By having to have the SID match the domain It presents
a problem...

I only want one password database to maintain... I guess I could get clever
with LDAP replication and have multiple LDAP's... This is a less than Ideal
solution. At this time I have large smbpasswd files that I would like to not
use. I guess my ideal solution would look like:

          /--- Domain A
         /
LDAP ---+
         \
          \--- Domain B

Since we use a web based password changer, I could have a separate LDAP per
Domain. I guess, in my ideal world I would have an LDAP with multiple
sambaSID's, each samba server would just pick the one out of the LDAP that was
appropriate to that Domain. I realize that the current schema does not allow
for this and that samba is not set up to handle it either. Any ideas on how to
accomplish something similar without that ability.

Ted
Re: [Samba] Problem w/ Samba 3 & LDAP
On Thu, 2004-04-01 at 07:30, Ted Wisniewski wrote:
> Sorry,
> I found a clue. In these below, I made the SID the same and it worked. In
> my case, I will have multiple domains all pulling from the same LDAP. How
> can I make this work without having to have the SID's for each domain be the
> same. (Which I am pretty sure would be a bad idea, right?)
>
> Ted
>
> On Thursday 01 April 2004 09:19 am, Ted Wisniewski wrote:
> > Thanks for the response, but the odd thing is that both had the same set of
> > parameters in the LDAP. I took your advice and added some other parameters
> > to the LDAP for a non working entry... Same result.
> >
> > Example LDIF (Working):
> >
> > dn: uid=newuser, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U ]
> > displayName: New User
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: newuser
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
> > sambaPwdCanChange: 1080739453
> > sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
> > sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE
> >
> > Example LDIF (NOT WORKING)
> > dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U ]
> > displayName: Not Working
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: notworking
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> > sambapwdCanChange: 1080739453
> > sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> > sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE
> >
> > Any ideas? I can map to the home share without difficulty... It is only
> > a problem when doing a domain logon. If I delete the LDAP entry and do
> > the (smbpasswd -a) from the command line, the entries look identical. The
> > only difference is one works and the other does not. Is there another
> > place where info is recorded? In the LDAP? in a TDB file?

It appeared that you edited the info to the point of making it difficult
to trust what is actually being reported from the ldapsearch command.

It seems as though your smbuser in one case matches up to a unix user
and in the other case (where it doesn't work) doesn't match up but if it
works when you delete and then create the samba user, then both parts
are certainly done.

I have both posix and sambaSamAccount objectclass for all my users... a
typical user looks like:

# testuser, People, Domain US
dn: uid=testuser, ou=People,o=Domain,c=US
sambaPwdCanChange: 1075657455
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1075657455
shadowLastChange: 12449
sambaProfilePath: \\linserv1\profiles\testuser
sambaLogonScript: users-pr.bat
cn: testuser
uidNumber: 1054
sambaAcctFlags: [U ]
gecos: testuser
mail: [EMAIL PROTECTED]
sambaLMPassword: **removed**
uid: testuser
sambaHomePath: \\linserv2\homes\testuser
homeDirectory: /home/users/testuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgperson
objectClass: sambaSamAccount
sambaDomainName: DOMAIN
gidNumber: 1000
sambaSID: S-1-5-21-1292501092-333717336-619646970-3108
sambaNTPassword: **removed**
sn: User
givenName: Test
loginShell: /bin/sh
userPassword:: **removed**
sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513

NOTE:
sambaPrimaryGroupSID: ends in -513 ("Domain Users")
posix attributes not necessary with samba:
loginShell, givenName, sn, cn, gecos, homeDirectory, and objectclasses
posixAccount-inetOrgPerson-shadowAccount

LDAP for samba should have 1 and only 1 domain (windows variety) and 1
SID (obtainable with net getlocalSID command).

Craig
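The two messages above settle on one rule: a Samba LDAP backend serves one Windows domain with one domain SID (the value `net getlocalsid` prints), and Ted's account only worked once its sambaSID carried that SID. The script below is an added example, not code from this thread or from the Samba project. It parses a slapcat/ldapsearch LDIF dump and reports every sambaSamAccount whose sambaSID or sambaPrimaryGroupSID belongs to a different domain, or that lacks an attribute all of the thread's working entries carry. DOMAIN_SID is the TEST_DOM SID from the log excerpt later in the thread; the sample dump, its uids and its all-zero hash values are constructed for the example. One caveat: the thread's working and non-working entries share the same domain prefix, so this check catches the cross-domain situation Ted asks about (several domains pulling from one LDAP), not every cause of a failed domain logon.

```python
import re

# Domain SID as printed by `net getlocalsid` on the PDC. This is the TEST_DOM
# SID quoted in the thread's log excerpt; replace it with your own domain's.
DOMAIN_SID = "S-1-5-21-204843054-3526713080-3458795326"

# Attributes every working sambaSamAccount entry in the thread carries.
REQUIRED = ("uid", "sambaSID", "sambaNTPassword", "sambaAcctFlags")

# A SID is the domain part (S-1-5-21-a-b-c) followed by a relative id (RID).
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Handles '#' comments, blank-line record separators and folded
    continuation lines (leading space). A '::' base64 marker is tolerated
    but the value is kept as written, which is enough for SID checks.
    """
    entries, cur, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and prev is not None:
            cur[prev][-1] += raw[1:]          # folded line continues previous value
            continue
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur, prev = {}, None
            continue
        attr, _, value = raw.partition(":")
        cur.setdefault(attr, []).append(value.lstrip(": ").strip())
        prev = attr
    if cur:
        entries.append(cur)
    return entries


def check_entry(entry, domain_sid=DOMAIN_SID):
    """Return the problems found in one entry; [] means it looks consistent.

    Entries without objectClass sambaSamAccount are skipped: Samba's passdb
    never considers them for a domain logon, so there is nothing to check.
    """
    if "sambaSamAccount" not in entry.get("objectClass", []):
        return []
    problems = [f"missing {a}" for a in REQUIRED if a not in entry]
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        for sid in entry.get(attr, []):
            m = SID_RE.match(sid)
            if m is None:
                problems.append(f"{attr} malformed: {sid}")
            elif m.group(1) != domain_sid:
                # Well-formed SID from another domain: smbd finds the entry
                # (init_sam_from_ldap succeeds) but the logon is not for this domain.
                problems.append(f"{attr} belongs to foreign domain {m.group(1)}")
    return problems


def find_broken_accounts(ldif_text, domain_sid=DOMAIN_SID):
    """Map uid -> list of problems for every sambaSamAccount that needs fixing."""
    report = {}
    for entry in parse_ldif(ldif_text):
        problems = check_entry(entry, domain_sid)
        if problems:
            report[entry.get("uid", ["<no uid>"])[0]] = problems
    return report


# Constructed sample dump (not from the thread); hashes are all-zero placeholders.
SAMPLE_LDIF = """\
dn: uid=good,ou=People,dc=example,dc=edu
objectClass: sambaSamAccount
objectClass: account
uid: good
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-513
sambaAcctFlags: [U          ]
sambaNTPassword: 00000000000000000000000000000000

dn: uid=foreign,ou=People,dc=example,dc=edu
objectClass: sambaSamAccount
objectClass: account
uid: foreign
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3472
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaAcctFlags: [U          ]
sambaNTPassword: 00000000000000000000000000000000

dn: uid=nohash,ou=People,dc=example,dc=edu
objectClass: sambaSamAccount
objectClass: account
uid: nohash
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3500
sambaAcctFlags: [U          ]

dn: uid=posixonly,ou=People,dc=example,dc=edu
objectClass: posixAccount
uid: posixonly
homeDirectory: /home/posixonly
"""

if __name__ == "__main__":
    for uid, problems in find_broken_accounts(SAMPLE_LDIF).items():
        print(f"{uid}: {'; '.join(problems)}")
```

Run it against a real dump by reading the `slapcat` output into `find_broken_accounts` with your own `net getlocalsid` value; a separate per-domain run with each domain's SID shows exactly which accounts would have to be duplicated or re-SIDed for a second domain, which is the cost Ted is weighing.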
Re: [Samba] Problem w/ Samba 3 & LDAP
Sorry,
I found a clue. In these below, I made the SID the same and it worked. In
my case, I will have multiple domains all pulling from the same LDAP. How
can I make this work without having to have the SID's for each domain be the
same. (Which I am pretty sure would be a bad idea, right?)

Ted

On Thursday 01 April 2004 09:19 am, Ted Wisniewski wrote:
> Thanks for the response, but the odd thing is that both had the same set of
> parameters in the LDAP. I took your advice and added some other parameters
> to the LDAP for a non working entry... Same result.
>
> Example LDIF (Working):
>
> dn: uid=newuser, ou=People, dc=plymouth,dc=edu
> sambaPwdLastSet: 1080739453
> sambaAcctFlags: [U ]
> displayName: New User
> sambaPwdMustChange: 2147483647
> objectClass: sambaSamAccount
> objectClass: account
> uid: newuser
> sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
> sambaPwdCanChange: 1080739453
> sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
> sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
> sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE
>
> Example LDIF (NOT WORKING)
> dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> sambaPwdLastSet: 1080739453
> sambaAcctFlags: [U ]
> displayName: Not Working
> sambaPwdMustChange: 2147483647
> objectClass: sambaSamAccount
> objectClass: account
> uid: notworking
> sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> sambapwdCanChange: 1080739453
> sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE
>
> Any ideas? I can map to the home share without difficulty... It is only
> a problem when doing a domain logon. If I delete the LDAP entry and do
> the (smbpasswd -a) from the command line, the entries look identical. The
> only difference is one works and the other does not. Is there another
> place where info is recorded? In the LDAP? in a TDB file?
>
> Ted
>
> > On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> > > Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
> > > 2.1.27):
> > >
> > > I have all my users populated into the LDAP with all the applicable
> > > attributes; Users can map drives to a server using LDAP as the
> > > authentication backend without issue.
> > >
> > > Where I am running into problems is bringing up a PDC using Samba
> > > w/LDAP.
> > >
> > > * I added the appropriate machine accounts (using smbpasswd -a -m) and
> > > was able to join the domain.
> > >
> > > * Any user in the pre-populated LDAP cannot log in, however, any user I
> > > add to the LDAP from the machine with Samba running on it CAN log in
> > > properly.
> > >
> > > If I delete the original entry from the LDAP, add a new one via
> > > (smbpasswd -a), then the user can log in. This works, but is ultimately
> > > not scalable... I can then place the original LDAP entry back in place
> > > and they can log in... Just as long as the password for the account is
> > > not changed.
> > >
> > > I am sure there is something I am missing, but I cannot see it for the
> > > life of me. The odd thing is, that in the log.smbd, I get odd errors
> > > about reading a socket, but only for the users that have not been added
> > > by the local "smbpasswd" command. They are both in the same LDAP. Any
> > > help would be greatly appreciated.
> > >
> > > Ted
> > > -- SNIP --
> > > Global section of smb.conf
> > > -
> >
> > it appears that the 'non-functional' user doesn't have the domain
> > attribute set (or at least set properly).
> >
> > ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'
> >
> > and then
> >
> > ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'
> >
> > and the functional users will have attributes such as sambaDomainName
> > properly set that the non-functional's do not.
> >
> > Craig
Re: [Samba] Problem w/ Samba 3 & LDAP
Thanks for the response, but the odd thing is that both had the same set of
parameters in the LDAP. I took your advice and added some other parameters
to the LDAP for a non working entry... Same result.

Example LDIF (Working):

dn: uid=newuser, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U ]
displayName: New User
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPwdCanChange: 1080739453
sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE

Example LDIF (NOT WORKING)
dn: uid=notworking, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U ]
displayName: Not Working
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: notworking
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
sambapwdCanChange: 1080739453
sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE

Any ideas? I can map to the home share without difficulty... It is only
a problem when doing a domain logon. If I delete the LDAP entry and do
the (smbpasswd -a) from the command line, the entries look identical. The
only difference is one works and the other does not. Is there another
place where info is recorded? In the LDAP? in a TDB file?

Ted

> On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> > Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
> > 2.1.27):
> >
> > I have all my users populated into the LDAP with all the applicable
> > attributes; Users can map drives to a server using LDAP as the
> > authentication backend without issue.
> >
> > Where I am running into problems is bringing up a PDC using Samba w/LDAP.
> >
> > * I added the appropriate machine accounts (using smbpasswd -a -m) and was
> > able to join the domain.
> >
> > * Any user in the pre-populated LDAP cannot log in, however, any user I add to
> > the LDAP from the machine with Samba running on it CAN log in properly.
> >
> > If I delete the original entry from the LDAP, add a new one via (smbpasswd -a),
> > then the user can log in. This works, but is ultimately not scalable... I
> > can then place the original LDAP entry back in place and they can log in...
> > Just as long as the password for the account is not changed.
> >
> > I am sure there is something I am missing, but I cannot see it for the life of
> > me. The odd thing is, that in the log.smbd, I get odd errors about reading
> > a socket, but only for the users that have not been added by the local
> > "smbpasswd" command. They are both in the same LDAP. Any help would be
> > greatly appreciated.
> >
> > Ted
> > -- SNIP --
> > Global section of smb.conf
> > -
>
> it appears that the 'non-functional' user doesn't have the domain
> attribute set (or at least set properly).
>
> ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'
>
> and then
>
> ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'
>
> and the functional users will have attributes such as sambaDomainName
> properly set that the non-functional's do not.
>
> Craig
Re: [Samba] Problem w/ Samba 3 & LDAP
On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> Here is a description of what I am trying to do (with Samba 3.0.2a & openldap
> 2.1.27):
>
> I have all my users populated into the LDAP with all the applicable
> attributes; Users can map drives to a server using LDAP as the
> authentication backend without issue.
>
> Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>
> * I added the appropriate machine accounts (using smbpasswd -a -m) and was
> able to join the domain.
>
> * Any user in the pre-populated LDAP cannot log in, however, any user I add to
> the LDAP from the machine with Samba running on it CAN log in properly.
>
> If I delete the original entry from the LDAP, add a new one via (smbpasswd -a),
> then the user can log in. This works, but is ultimately not scalable... I
> can then place the original LDAP entry back in place and they can log in...
> Just as long as the password for the account is not changed.
>
> I am sure there is something I am missing, but I cannot see it for the life of
> me. The odd thing is, that in the log.smbd, I get odd errors about reading
> a socket, but only for the users that have not been added by the local
> "smbpasswd" command. They are both in the same LDAP. Any help would be
> greatly appreciated.
>
> Ted
>
>
> Excerpt from log.smb (non-functional user):
> -
>
> [2004/03/31 10:24:11, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:11, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded
> [2004/03/31 10:24:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_search_domain_info(1331)
>   Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST_DOM))]
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_open_connection(626)
>   smbldap_open_connection: connection opened
> [2004/03/31 10:24:24, 0] lib/util_sock.c:read_socket_data(342)
>   read_socket_data: recv failure for 4. Error = Connection reset by peer
> [2004/03/31 10:24:24, 2] smbd/server.c:exit_server(558)
>
> Excerpt from log.smbd (functional user):
> -
>
> [2004/03/31 10:26:04, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:04, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:05, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
> [2004/03/31 10:26:05, 1] smbd/service.c:make_connection_snum(705)
>   pubtest (158.136.115.89) connect to service profiles initially as user newuser (uid=18000, gid=31) (pid 85352)
> [2004/03/31 10:26:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
>   Returning domain sid for domain TEST_DOM -> S-1-5-21-204843054-3526713080-3458795326
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> -
>
>
> Global section of smb.conf
> -

it appears that the 'non-functional' user doesn't have the domain
attribute set (or at least set properly).

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'

and then

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'

and the functional users will have attributes such as sambaDomainName
properly set that the non-functional's do not.

Craig