Machine STOCKHOLM is PDC for domain SAMBA. LDAP used as backend. Machine FYRPC271 (W2K) is joined to SAMBA. Login, file access, printers etc all works just fine. But when logging in using a correct uid but invalid password there is a delay of 30 seconds before the message about invalid password is displayed. The same happens if wrong password is given when unlocking the screen lock. If a faulty uid is given there is no delay.

The logfile shows that uid != 0 is not allowed to talk to LDAP. In this case I tried to log in as user "root":

[2006/01/10 15:55:47, 9] passdb/passdb.c:pdb_update_autolock_flag(2338)
  pdb_update_autolock_flag: Account root not autolocked, no check needed
[2006/01/10 15:55:47, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user root
[2006/01/10 15:55:47, 10] lib/account_pol.c:account_policy_cache_timestamp(193)
  account policy cache lastset was: Tue, 10 Jan 2006 15:27:49 CET
[2006/01/10 15:55:47, 10] lib/account_pol.c:cache_account_policy_get(401)
  cache_account_policy_get: no valid cache entry (cache expired)
[2006/01/10 15:55:47, 10] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3405)
  ldapsam_get_account_policy_from_ldap
[2006/01/10 15:55:47, 5] lib/smbldap.c:smbldap_search_ext(1080)
  smbldap_search_ext: base => [sambaDomainName=SAMBA,dc=fyrplus,dc=se], filter => [(objectclass=*)], scope => [0]
[2006/01/10 15:55:47, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/10 15:55:47, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 1 try!
[2006/01/10 15:55:48, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/10 15:55:48, 1] lib/smbldap.c:another_ldap_try(1051)
....
[2006/01/10 15:56:02, 0] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3430)
  ldapsam_get_account_policy_from_ldap: Could not get account policy for sambaDomainName=SAMBA,dc=fyrplus,dc=se, error: Time limit exceeded ()
[2006/01/10 15:56:02, 10] passdb/pdb_ldap.c:ldapsam_get_account_policy(3484)
  ldapsam_get_account_policy: failed to retrieve from ldap, returning default.
[2006/01/10 15:56:02, 10] passdb/pdb_ldap.c:ldapsam_set_account_policy(3347)
  ldapsam_set_account_policy
[2006/01/10 15:56:02, 5] lib/smbldap.c:smbldap_modify(1254)
  smbldap_modify: dn => [sambaDomainName=SAMBA,dc=fyrplus,dc=se]
[2006/01/10 15:56:02, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/10 15:56:02, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 1 try!
[2006/01/10 15:56:03, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
...
[2006/01/10 15:56:17, 0] passdb/pdb_ldap.c:ldapsam_set_account_policy(3377)
  ldapsam_set_account_policy: Could not set account policy for sambaDomainName=SAMBA,dc=fyrplus,dc=se, error: Timed out ()
[2006/01/10 15:56:17, 0] passdb/passdb.c:pdb_increment_bad_password_count(2393)
  pdb_increment_bad_password_count: pdb_get_account_policy failed.
[2006/01/10 15:56:17, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2006/01/10 15:56:17, 3] smbd/uid.c:push_conn_ctx(388)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/01/10 15:56:17, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/01/10 15:56:17, 5] auth/auth_util.c:debug_nt_user_token(433)
  NT user token: (NULL)
[2006/01/10 15:56:17, 5] auth/auth_util.c:debug_unix_user_token(454)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/01/10 15:56:17, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1846)
  ldapsam_update_sam_account: user root to be modified has dn: uid=root,ou=Users,dc=fyrplus,dc=se
[2006/01/10 15:56:17, 11] passdb/pdb_get_set.c:pdb_get_init_flags(210)
  element 12: SET
....

PS. Although probably not the same problem it is the same kind of log entries (cannot access LDAP when not root..) as when a non uid=0 user tries to change group membership in UsrMgr.exe even if he belongs to the Domain Admins group and Domain Admins has all rights assigned (adding a user is OK but not changing groups).
Created attachment 1659
samba log for when a W2K login delays by 30 sec

Log produced:
1. /etc/init.d/smb stop
2. Enable loglevel 20
3. /etc/init.d/smb start
4. Attempt to login from FYRPC271 using root and invalid password
(In reply to comment #1)
> Created an attachment (id=1659)
> samba log for when a W2K login delays by 30 sec
> Log produced:
> 1. /etc/init.d/smb stop
> 2. Enable loglevel 20
> 3. /etc/init.d/smb start
> 4. Attempt to login from FYRPC271 using root and invalid password

What does it look like with a person other than root? Were NT hashes generated for the root user (login fails)? Also, what platform is this? OS? LDAP version? smb.conf?

Cheers, Bill
> What does it look like with a person other than root? Were NT hashes generated
> for the root user (login fails)? Also, what platform is this? Os? Ldap version?
> smb.conf?

Linux: RedHat 8.0
OpenLDAP 2.0.27
Client: Windows 2000 SP4

The exact same happens for testuser1 and testuser2. They are regular users. See similar log below. NT password hashes are OK. root, testuser1 and testuser2 can log in without problems - if correct password is used. The side effect is that when entering wrong password it takes 30 sec before a new attempt can be made. When doing "net use" with faulty password I get a reject immediately.

The code that produces this behaviour is within "ifdefs" in smbldap.c:

    #ifndef NO_LDAP_SECURITY
        if (geteuid() != 0) {
            DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
            return LDAP_INSUFFICIENT_ACCESS;
        }
    #endif

Haven't found any definition what NO_LDAP_SECURITY is used for. (I would guess that since the authentication fails the code still continues in some fashion and tries to read/update LDAP (failed login attempts perhaps), but the euid has not been set to 0 for this operation since user is not authenticated...?)

Log from when logging in as testuser1:
--------
[2006/01/11 10:36:15, 3] libsmb/ntlm_check.c:ntlm_password_check(207)
  ntlm_password_check: Interactive logon: NT password check failed for user testuser1
[2006/01/11 10:36:15, 10] lib/account_pol.c:account_policy_cache_timestamp(193)
  account policy cache lastset was: Tue, 10 Jan 2006 17:38:23 CET
[2006/01/11 10:36:15, 10] lib/account_pol.c:cache_account_policy_get(401)
  cache_account_policy_get: no valid cache entry (cache expired)
[2006/01/11 10:36:15, 10] passdb/pdb_ldap.c:ldapsam_get_account_policy_from_ldap(3405)
  ldapsam_get_account_policy_from_ldap
[2006/01/11 10:36:15, 5] lib/smbldap.c:smbldap_search_ext(1080)
  smbldap_search_ext: base => [sambaDomainName=SAMBA,dc=fyrplus,dc=se], filter => [(objectclass=*)], scope => [0]
[2006/01/11 10:36:15, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/11 10:36:15, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 1 try!
[2006/01/11 10:36:16, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..
[2006/01/11 10:36:16, 1] lib/smbldap.c:another_ldap_try(1051)
  Connection to LDAP server failed for the 2 try!
--------

Cheers
Petter
Created attachment 1675
make sure we have the right access rights to query account policy settings

Please test this patch and let me know.
marking this as fixed. Checking the code in for 3.0.21b
actually closing it now.
(In reply to comment #6)
> actually closing it now.

I applied the patch (added a missing { to get it to compile). The problem is solved for me.

Hmm, also now tried 3.0.21a. With that version it is very hard to reproduce my problem, I managed to reproduce it only one time.

Cheers
Petter
Petter, in 3.0.21a, I removed the automatic assumption to have account policies being set in LDAP. If you want to use account policies as part of your ldapsam environment, you need to export your tdb-based account policies with

    pdbedit -y -i tdbsam: -e ldapsam:ldap://your.ldap.server

Jerry, I still need to a) document that behaviour/feature and b) look for other places where pdb_(get|set)_account_policy() calls need a become_root/unbecome_root.
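The mechanism behind the 30-second delay that Petter traced to the geteuid() guard in smbldap_open(), and the become_root/unbecome_root wrapping Guenther refers to, modelled in C as an added example (this is not Samba's code). The effective uid is a simulated variable so the program runs unprivileged; the one-try-per-second retry and the 15-second timeout are taken from the timestamps in the logs above, and the two LDAP operations on the bad-password path (get policy, then set policy) are what turn 15 seconds into 30.

```c
#include <stdbool.h>
#include <stdio.h>

#define LDAP_SUCCESS             0
#define LDAP_INSUFFICIENT_ACCESS 50   /* standard LDAP result code 0x32 */
#define LDAP_TIMEOUT             85   /* standard LDAP result code 0x55 */
#define LDAP_RETRY_TIMEOUT_SECS  15   /* 15:55:47 -> 15:56:02 in the log */

/* Simulated effective uid (assumption: stands in for geteuid()) so the
 * example needs no privileges. 99 is the uid seen in push_sec_ctx(99, 99). */
static int sim_euid = 99;
static int saved_euid = 99;
static void become_root(void)   { saved_euid = sim_euid; sim_euid = 0; }
static void unbecome_root(void) { sim_euid = saved_euid; }
int current_euid(void)          { return sim_euid; }

/* Models the guard quoted from smbldap_open(): refuse unless euid == 0. */
static int smbldap_open(void) {
    return (sim_euid != 0) ? LDAP_INSUFFICIENT_ACCESS : LDAP_SUCCESS;
}

/* Models another_ldap_try(): one attempt per second until the timeout.
 * The permission error is retried like a transient network failure, which
 * is exactly why a deterministic refusal costs the full timeout. */
static int ldap_op_with_retry(int *seconds_spent) {
    for (int attempt = 1; attempt <= LDAP_RETRY_TIMEOUT_SECS; attempt++) {
        if (smbldap_open() == LDAP_SUCCESS) return LDAP_SUCCESS;
        *seconds_spent += 1;   /* sleep(1) in the real loop; counted, not slept */
    }
    return LDAP_TIMEOUT;
}

/* The bad-password path: read the account policy, then write the
 * incremented bad-password count. Returns the seconds the client waits.
 * elevate == true is the patched behaviour (become_root around the calls). */
int bad_password_delay(bool elevate) {
    int spent = 0;
    if (elevate) become_root();
    int rc_get = ldap_op_with_retry(&spent);   /* ldapsam_get_account_policy */
    int rc_set = ldap_op_with_retry(&spent);   /* ldapsam_set_account_policy */
    if (elevate) unbecome_root();
    if (rc_get != LDAP_SUCCESS || rc_set != LDAP_SUCCESS)
        printf("pdb_increment_bad_password_count: policy update failed after %ds\n", spent);
    return spent;
}
```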