I am setting up a Samba PDC which uses LDAP for account information. It is a Debian installation with samba 3.0.14a and slapd 2.2.23 (I'm also using ldap-account-manager, but I don't think that has anything to do with this). The problem is that when I attempt to join a w2k machine (the first one, actually) to the domain it reports 'Logon failure: unknown user name or password'. Samba, at the same time, reports in the logfile for that machine:

[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:_samr_set_userinfo(3077)
  _samr_set_userinfo: does not possess sufficient rights
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2961)
  Attempting administrator password change for user krauq$
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: maximum password age:-1
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: minimum password age:0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2981)
  Changing trust account or non-unix-user password, not updating /etc/passwd
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2999)
  set_user_info_pw: pdb_update_pwd()
[2005/09/06 13:12:58, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [dc=XXX,dc=XXX,dc=org], filter => [(&(uid=krauq$)(objectclass=sambaSamAccount))], scope => [2]
[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:12:58, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 1 try!

It does this 15 times and then gives up.

[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  smbldap_search_suffix: Problem during the LDAP search: (Timed out)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
  0000 status: NT_STATUS_ACCESS_DENIED
[2005/09/06 13:13:13, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully
[2005/09/06 13:13:13, 10] rpc_server/srv_pipe.c:api_rpcTNP(1587)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_uint8s(729)
  021c : 00

I don't understand this, as smbd and nmbd are running as root, so why is it complaining about not being root? I am sure that there is no problem with the LDAP connection or database. It is already used for unix authentication (using pam_ldap/nss_ldap), and also on this w2k machine I can browse (Windows Explorer) the shares on the PDC using the same username/password used to join the machine to the domain. So I guess that samba is getting information from LDAP just fine (the logfile also shows this in other places).
In the end I found out that I needed an administrator account that had uidNumber 0 in the LDAP. This made an smbd process with uid 0. So it is not really a bug. Or perhaps it is. Why is it necessary to have a samba administrator also be unix root when using LDAP?
See the "user rights" chapter in the Samba HOWTO. The behavior you describe is by design.
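The resolution above (the account used for the join must be an LDAP entry with uidNumber 0 so that smbd can switch to uid 0 for the trust-account password change) also means that every uidNumber 0 entry in the directory is effectively root on the PDC. The script below is an added example, not code from the thread or from Samba: it parses an LDIF export (the sample is constructed; the base DN dc=example,dc=org is a placeholder, and the krauq$ machine account name is taken from the log above), confirms that the intended join administrator maps to uid 0 and carries the sambaSamAccount objectClass that smbldap_search filters on, and lists any other uid 0 entries that should not be there.

```python
"""Audit an LDIF export of a Samba 3 LDAP passdb for uid-0 accounts.

Added example (not from the original thread). Samba 3 with an LDAP passdb
performs machine-account (trust) password changes under uid 0, so the
administrator used to join machines must be an LDAP entry with uidNumber 0.
Any other uidNumber 0 entry is an unexpected root-equivalent account.
"""

# Constructed sample export; the base DN is a placeholder.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
uidNumber: 0
gidNumber: 512

dn: uid=krauq$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: krauq$
uidNumber: 1005
gidNumber: 515

dn: uid=backup,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: backup
uidNumber: 0
gidNumber: 100
"""


def parse_ldif(text):
    """Return one dict per LDIF entry; every attribute maps to a list of values.

    Handles blank-line entry separators, '#' comments and single-space
    continuation lines. Base64 ('::') values are not needed for this audit.
    """
    entries, current, prev_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, prev_key = {}, None
            continue
        if raw.startswith(" ") and prev_key:
            current[prev_key][-1] += raw[1:]  # folded continuation line
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        current.setdefault(key, []).append(value.strip())
        prev_key = key
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    """First value of an attribute, or '' when the entry lacks it."""
    return entry.get(attr, [""])[0]


def check_join_admin(entries, admin_uid):
    """Report whether admin_uid is a uid-0 sambaSamAccount (what the join needs)."""
    match = [e for e in entries if first(e, "uid") == admin_uid]
    if not match:
        return {"exists": False, "is_uid0": False, "is_samba_account": False}
    e = match[0]
    return {
        "exists": True,
        "is_uid0": first(e, "uidNumber") == "0",
        "is_samba_account": "sambaSamAccount" in e.get("objectClass", []),
    }


def other_uid0_accounts(entries, admin_uid):
    """DNs of uid-0 entries other than the designated administrator."""
    return [
        first(e, "dn")
        for e in entries
        if first(e, "uidNumber") == "0" and first(e, "uid") != admin_uid
    ]


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("join admin:", check_join_admin(ents, "Administrator"))
    for dn in other_uid0_accounts(ents, "Administrator"):
        print("unexpected uid 0 entry:", dn)
```

Run against a real export (for example the output of ldapsearch in LDIF form) the second function is the one to watch: the thread's fix requires exactly one root-equivalent entry, and anything else it lists is an account that can also change any trust account's password.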