Hello,

Test environment :
Server : Debian 4 up-to-date with debian original samba 3.0.24 (same with 3.0.26a) and slapd 2.3.30.
Workstations : Windows XP SP2 up-to-date, firewall deactivated, joined to TEST domain.
Workstations access to domain and shares is ok.

Problem description :
When using LDAP as a backend, trying to restrict users access by groups of machines fails. Without compile option CFLAGS=-DNO_LDAP_SECURITY, the samba ldap bind fails with this error message : "smbldap_open: cannot access LDAP when not root.."
Using a simple list of comma separated computer names is ok, but dealing with groups of machines (+groupname) in sambaUserWorkstations attribute gives the error.

More infos here : http://lists.samba.org/archive/samba/2007-November/136188.html

Here are the config and log files :

slapd.conf :
=============================================================================
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 936
modulepath /usr/lib/ldap
moduleload back_bdb
sizelimit 500
tool-threads 1
backend bdb
checkpoint 512 30
database bdb
suffix "dc=test,dc=org"
rootdn "cn=Manager,dc=test,dc=org"
rootpw "{SSHA}dMWj1rhnVV8oPWx3jUoilcwew5ZfTTN9"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index sambaSID eq
index sambaGroupType eq
index sambaSIDlist eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
index memberUid eq
index uniqueMember eq
index gidNumber eq
lastmod on
access to attrs=userPassword,shadowLastChange
        by dn="cn=Manager,dc=test,dc=org" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=Manager,dc=test,dc=org" write
        by * read
=============================================================================

smb.conf :
=============================================================================
[global]
workgroup = TEST
server string = %h server
wins support = yes
; wins server = w.x.y.z
dns proxy = no
name resolve order = lmhosts host wins bcast
interfaces = eth3
bind interfaces only = true
log file = /var/log/samba/%m.log
log level = 10
debug timestamp=yes
enable privileges = yes
max log size = 1000
; syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://127.0.0.1
; obey pam restrictions = yes
; guest account = nobody
; invalid users = root
ldap delete dn = yes
ldap admin dn = cn=Manager,dc=test,dc=org
ldap suffix = dc=test,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
; unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
; pam password change = no
domain logons = yes
local master = yes
domain master = yes
preferred master = yes
admin users = admin
logon path = \\%N\profiles\%U
; logon path = \\%N\%U\profile
logon drive = H:
; logon home = \\%N\%U
logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = smbldap-useradd -w -i -n "%u"
; load printers = yes
; printing = bsd
; printcap name = /etc/printcap
; printing = cups
; printcap name = cups
; printer admin = @ntadmin
; include = /home/samba/etc/smb.conf.%m
socket options = TCP_NODELAY
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
;
; The following was the default behaviour in sarge
; but samba upstream reverted the default because it might induce
; performance issues in large organizations
; See #368251 for some of the consequences of *not* having
; this setting and smb.conf(5) for all details
;
; winbind enum groups = yes
; winbind enum users = yes

[homes]
comment = Home Directories
browseable = yes
writable = yes
create mask = 0700
directory mask = 0701
valid users = %S

;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
=============================================================================

slapcat :
=============================================================================
dn: dc=test,dc=org
objectClass: dcObject
objectClass: organization
o: test
dc: test
structuralObjectClass: organization
entryUUID: ba7b4ecc-230f-102c-8329-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000000#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Users,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: ba828cb4-230f-102c-832a-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Groups,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit
entryUUID: ba83e32a-230f-102c-832b-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Computers,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit
entryUUID: ba86c568-230f-102c-832c-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: ou=Idmap,dc=test,dc=org
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit
entryUUID: ba898f46-230f-102c-832d-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000004#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: uid=admin,ou=Users,dc=test,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\debian\root
sambaHomeDrive: H:
sambaProfilePath: \\debian\profiles\root
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: ba8c0b0e-230f-102c-832e-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
sambaLMPassword: D951BB3435BD40A4613E9293942509F0
sambaAcctFlags: [U]
sambaNTPassword: A62E0E459DB9308715C18486FCEDB902
sambaPwdLastSet: 1194613339
sambaPwdMustChange: 1198501339
userPassword:: e1NTSEF9QXZPVk40d25zQlVWelIxajJYZ21hTWVWVzg1M1JucHQ=
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3040
uidNumber: 1020
gidNumber: 512
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-512
uid: admin
sn: admin
cn: admin
entryCSN: 20071110081146Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110081146Z

dn: uid=nobody,ou=Users,dc=test,dc=org
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\debian\nobody
sambaHomeDrive: H:
sambaProfilePath: \\debian\profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-747375223-3054175255-2287932516-2998
loginShell: /bin/false
structuralObjectClass: inetOrgPerson
entryUUID: ba97a66c-230f-102c-832f-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000006#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Domain Admins,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
description: Netbios Domain Administrators
sambaSID: S-1-5-21-747375223-3054175255-2287932516-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: ba98f350-230f-102c-8330-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
memberUid: admin
entryCSN: 20071110081146Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110081146Z

dn: cn=Domain Users,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-747375223-3054175255-2287932516-513
sambaGroupType: 2
displayName: Domain Users
structuralObjectClass: posixGroup
entryUUID: baa1bce2-230f-102c-8331-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000008#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Domain Guests,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-747375223-3054175255-2287932516-514
sambaGroupType: 2
displayName: Domain Guests
structuralObjectClass: posixGroup
entryUUID: baa6ace8-230f-102c-8332-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#000009#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Domain Computers,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaGroupType: 2
displayName: Domain Computers
structuralObjectClass: posixGroup
entryUUID: baaa8ed0-230f-102c-8333-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000a#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Administrators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDom
 ainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
structuralObjectClass: posixGroup
entryUUID: baae12d0-230f-102c-8334-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000b#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Account Operators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators
structuralObjectClass: posixGroup
entryUUID: baaf6248-230f-102c-8335-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000c#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Print Operators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators
structuralObjectClass: posixGroup
entryUUID: bab33332-230f-102c-8336-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000d#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Backup Operators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators
structuralObjectClass: posixGroup
entryUUID: bab5ddd0-230f-102c-8337-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000e#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: cn=Replicators,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators
structuralObjectClass: posixGroup
entryUUID: bab976f2-230f-102c-8338-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
entryCSN: 20071109130211Z#00000f#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071109130211Z

dn: sambaDomainName=TEST,dc=test,dc=org
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: TEST
sambaSID: S-1-5-21-747375223-3054175255-2287932516
uidNumber: 1000
gidNumber: 1000
structuralObjectClass: sambaDomain
entryUUID: babc2f14-230f-102c-8339-fbe086d6d9f5
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071109130211Z
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
entryCSN: 20071112083223Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071112083223Z

dn: cn=groupe1,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: groupe1
gidNumber: 5000
sambaSID: S-1-5-21-747375223-3054175255-2287932516-11001
sambaGroupType: 2
displayName: groupe1
memberUid: toto
structuralObjectClass: posixGroup
entryUUID: f9d4db56-239b-102c-870f-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000000#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=pc1$,ou=Computers,dc=test,dc=org
cn: pc1$
sn: pc1$
uid: pc1$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3004
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaAcctFlags: [W ]
sambaPwdCanChange: 1194446962
sambaNTPassword: 66E7582F74C1402026F89C7D9827835F
sambaPwdLastSet: 1194446962
structuralObjectClass: inetOrgPerson
entryUUID: f9d780a4-239b-102c-8710-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000001#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=toto,ou=Users,dc=test,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: toto
sn: toto
givenName: toto
uid: toto
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/toto
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: System User
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3006
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-513
sambaLogonScript: logon.bat
sambaProfilePath: \\debian\profiles\toto
sambaHomePath: \\debian\toto
sambaHomeDrive: H:
sambaLMPassword: BAC14D04669EE1D1AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: FBBF55D0EF0E34D39593F55C5F2CA5F2
sambaPwdLastSet: 1194447210
sambaPwdMustChange: 1198335210
userPassword:: e1NTSEF9UjhmT0E5U2dzM21FQm10YXhLQVhRd2VnbXV0cFR6WTU=
sambaUserWorkstations: PC1,+salle1
structuralObjectClass: inetOrgPerson
entryUUID: f9d849da-239b-102c-8711-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000002#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=pc3$,ou=Computers,dc=test,dc=org
cn: pc3$
sn: pc3$
uid: pc3$
uidNumber: 1004
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3008
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaAcctFlags: [W ]
sambaPwdCanChange: 1194448365
sambaNTPassword: 2C8802341C1D7F79A358F6B722094859
sambaPwdLastSet: 1194448365
structuralObjectClass: inetOrgPerson
entryUUID: f9db099a-239b-102c-8712-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000003#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: uid=pc2$,ou=Computers,dc=test,dc=org
cn: pc2$
sn: pc2$
uid: pc2$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-747375223-3054175255-2287932516-3010
sambaPrimaryGroupSID: S-1-5-21-747375223-3054175255-2287932516-515
sambaAcctFlags: [W ]
sambaPwdCanChange: 1194448427
sambaNTPassword: 1AA35F78B079985CE16DEC5BDDB33493
sambaPwdLastSet: 1194448427
structuralObjectClass: inetOrgPerson
entryUUID: f9dcffe8-239b-102c-8713-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000004#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: cn=salle1,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: salle1
gidNumber: 4000
sambaSID: S-1-5-21-747375223-3054175255-2287932516-9001
sambaGroupType: 2
displayName: salle1
memberUid: PC1$
memberUid: PC2$
memberUid: pc1$
memberUid: pc2$
structuralObjectClass: posixGroup
entryUUID: f9ddc770-239b-102c-8714-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000005#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z

dn: cn=salle2,ou=Groups,dc=test,dc=org
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: salle2
gidNumber: 4001
sambaSID: S-1-5-21-747375223-3054175255-2287932516-9003
sambaGroupType: 2
displayName: salle2
memberUid: PC3$
structuralObjectClass: posixGroup
entryUUID: f9de8552-239b-102c-8715-91036c1e67e9
creatorsName: cn=Manager,dc=test,dc=org
createTimestamp: 20071110054606Z
entryCSN: 20071110054606Z#000006#00#000000
modifiersName: cn=Manager,dc=test,dc=org
modifyTimestamp: 20071110054606Z
=============================================================================

testparm -v :
=============================================================================
[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = TEST
realm =
netbios name = DEBIAN
netbios aliases =
netbios scope =
server string = %h server
interfaces = eth3
bind interfaces only = Yes
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = ldapsam:ldap://127.0.0.1
algorithmic rid base = 1000
root directory =
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd chat debug = No
passwd chat timeout = 2
check password script =
username map =
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = Yes
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
preload modules =
use kerberos keytab = No
log level = 10
syslog = 0
syslog only = No
log file = /var/log/samba/%m.log
max log size = 1000
debug timestamp = Yes
debug hires timestamp = No
debug pid = No
debug uid = No
enable core files = Yes
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
read bmpx = No
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts host wins bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
enable asu support = No
svcctl list =
deadtime = 0
getwd cache = Yes
keepalive = 300
kernel change notify = Yes
fam change notify = Yes
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 10000
open files database hash size = 10007
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
load printers = Yes
printcap cache time = 750
printcap name =
cups server =
iprint server =
disable spoolss = No
addport command =
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
max stat cache size = 0
stat cache = Yes
machine password timeout = 604800
add user script =
rename user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script = smbldap-useradd -w -i -n "%u"
shutdown script =
abort shutdown script =
username map script =
logon script = logon.cmd
logon path = \\%N\profiles\%U
logon drive = H:
logon home = \\%N\%U
domain logons = Yes
os level = 20
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
enhanced browsing = Yes
dns proxy = No
wins proxy = No
wins server =
wins support = Yes
wins hook =
kernel oplocks = Yes
lock spin count = 3
lock spin time = 10
oplock break wait time = 0
ldap admin dn = cn=Manager,dc=test,dc=org
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix =
ldap machine suffix = ou=Computers
ldap passwd sync = no
ldap replication sleep = 1000
ldap suffix = dc=test,dc=org
ldap ssl =
ldap timeout = 15
ldap page size = 1024
ldap user suffix = ou=Users
add share command =
change share command =
delete share command =
eventlog list =
config file =
preload =
lock directory =
pid directory = /var/run/samba
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
afs username map =
afs token lifetime = 604800
log nt token command =
time offset = 0
NIS homedir = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/run/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
panic action = /usr/share/samba/panic-action %d
host msdfs = Yes
passdb expand explicit = No
idmap backend =
idmap uid =
idmap gid =
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
comment =
path =
username =
invalid users =
valid users =
admin users = admin
read list =
write list =
printer admin =
force user =
force group =
read only = Yes
acl check permissions = Yes
acl group control = No
acl map full control = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
guest only = No
guest ok = No
only user = No
hosts allow =
hosts deny =
allocation roundup size = 1048576
aio read size = 0
aio write size = 0
aio write behind =
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
block size = 1024
change notify timeout = 60
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = bsd
cups options =
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = Yes
force printername = No
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map archive = Yes
map hidden = No
map system = No
map readonly = yes
mangled names = Yes
mangled map =
store dos attributes = No
dmapi support = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
share modes = Yes
dfree cache time = 0
dfree command =
copy =
include =
preexec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
vfs objects =
msdfs root = Yes
msdfs proxy =

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0701

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
=============================================================================

Log files (slapd level : 326, samba level : 10) with default debian samba 3.0.24 (and LDAP_SECURITY) :

part of pc2.log (samba log) when login fails on PC2 :
=============================================================================
[2007/11/12 09:17:50, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=4000))], scope => [2]
[2007/11/12 09:17:50, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 4000
[2007/11/12 09:17:50, 10] lib/smbldap.c:smbldap_get_single_attribute(276)
  smbldap_get_single_attribute: [description] = [<does not exist>]
[2007/11/12 09:17:50, 10] passdb/lookup_sid.c:gid_to_sid(1149)
  gid_to_sid: local 4000 -> S-1-5-21-747375223-3054175255-2287932516-9001
[2007/11/12 09:17:50, 3] passdb/lookup_sid.c:store_gid_sid_cache(1059)
  store_gid_sid_cache: gid 4000 in cache -> S-1-5-21-747375223-3054175255-2287932516-9001
[2007/11/12 09:17:50, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 544 -> S-1-5-32-544
[2007/11/12 09:17:50, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope => [2]
[2007/11/12 09:17:50, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
  ldapsam_getgroup: Did not find group
[2007/11/12 09:17:50, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,dc=test,dc=org], filter => [(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-3010)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-515)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-11)(sambaSIDList=S-1-5-21-747375223-3054175255-2287932516-9001)(sambaSIDList=S-1-22-2-515)(sambaSIDList=S-1-22-2-4000)))], scope => [2]
[2007/11/12 09:17:50, 0] lib/smbldap.c:smbldap_open(1009)
  smbldap_open: cannot access LDAP when not root..
[2007/11/12 09:17:50, 10] auth/auth_util.c:add_aliases(653)
  pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2007/11/12 09:17:50, 10] auth/auth_util.c:user_in_group_sid(1277)
  could not create token for PC2$
[2007/11/12 09:17:50, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
[2007/11/12 09:17:50, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [TEST] was for this SAM.
[2007/11/12 09:17:50, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: winbind had nothing to say
[2007/11/12 09:17:50, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [toto] -> [toto] FAILED with error NT_STATUS_INVALID_WORKSTATION
[2007/11/12 09:17:50, 5] auth/auth_util.c:free_user_info(1867)
  attempting to free (and zero) a user_info structure
[2007/11/12 09:17:50, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for toto
[2007/11/12 09:17:50, 5] rpc_server/srv_netlog_nt.c:_net_sam_logon_internal(934)
  _net_sam_logon: check_password returned status NT_STATUS_INVALID_WORKSTATION
=============================================================================

part of the syslog when login fails on pc2$ :
=============================================================================
Nov 12 09:17:50 debian slapd[8566]:
Nov 12 09:17:50 debian slapd[8566]: daemon: read activity on 21
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=5 active_threads=0 tvp=NULL
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=6 active_threads=0 tvp=NULL
Nov 12 09:17:50 debian slapd[8566]: begin get_filter
Nov 12 09:17:50 debian slapd[8566]: AND
Nov 12 09:17:50 debian slapd[8566]: begin get_filter_list
Nov 12 09:17:50 debian slapd[8566]: begin get_filter
Nov 12 09:17:50 debian slapd[8566]: EQUALITY
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0
Nov 12 09:17:50 debian slapd[8566]: begin get_filter
Nov 12 09:17:50 debian slapd[8566]: EQUALITY
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0
Nov 12 09:17:50 debian slapd[8566]: end get_filter_list
Nov 12 09:17:50 debian slapd[8566]: end get_filter 0
Nov 12 09:17:50 debian slapd[8566]: conn=7 op=6 SRCH base="dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=posixGroup)(uniqueMember=cn=salle1,ou=groups,dc=test,dc=org))"
Nov 12 09:17:50 debian slapd[8566]: conn=7 op=6 SRCH attr=gidNumber
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates
Nov 12 09:17:50 debian slapd[8566]: ^IAND
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates
Nov 12 09:17:50 debian slapd[8566]: ^IOR
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa1
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates
Nov 12 09:17:50 debian slapd[8566]: ^IAND
Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=12 first=8 last=24
Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates
Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=8 last=0
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=8 last=0
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=0 last=0
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0
Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=1 last=0
Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=1 last=0
Nov 12 09:17:50 debian slapd[8566]: conn=7 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 12 09:17:50 debian slapd[8566]: daemon: activity on 1 descriptor
Nov 12 09:17:50 debian slapd[8566]: daemon: activity on:
Nov 12 09:17:50 debian slapd[8566]: 10r
Nov 12 09:17:50 debian slapd[8566]:
Nov 12 09:17:50 debian slapd[8566]: daemon: read activity on 10
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=5 active_threads=0 tvp=NULL
Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=6
active_threads=0 tvp=NULL Nov 12 09:17:50 debian slapd[8566]: begin get_filter Nov 12 09:17:50 debian slapd[8566]: AND Nov 12 09:17:50 debian slapd[8566]: begin get_filter_list Nov 12 09:17:50 debian slapd[8566]: begin get_filter Nov 12 09:17:50 debian slapd[8566]: EQUALITY Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 Nov 12 09:17:50 debian slapd[8566]: begin get_filter Nov 12 09:17:50 debian slapd[8566]: EQUALITY Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 Nov 12 09:17:50 debian slapd[8566]: end get_filter_list Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 SRCH base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=4000))" Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IAND Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IOR Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa1 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IAND Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=12 first=8 last=24 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian 
slapd[8566]: <= bdb_list_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=1 first=23 last=23 Nov 12 09:17:50 debian slapd[8566]: => test_filter Nov 12 09:17:50 debian slapd[8566]: AND Nov 12 09:17:50 debian slapd[8566]: => test_filter_and Nov 12 09:17:50 debian slapd[8566]: => test_filter Nov 12 09:17:50 debian slapd[8566]: EQUALITY Nov 12 09:17:50 debian slapd[8566]: => access_allowed: search access to "cn=salle1,ou=Groups,dc=test,dc=org" "objectClass" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: <= test_filter 6 Nov 12 09:17:50 debian slapd[8566]: => test_filter Nov 12 09:17:50 debian slapd[8566]: EQUALITY Nov 12 09:17:50 debian slapd[8566]: => access_allowed: search access to "cn=salle1,ou=Groups,dc=test,dc=org" "gidNumber" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: <= test_filter 6 Nov 12 09:17:50 debian slapd[8566]: <= test_filter_and 6 Nov 12 09:17:50 debian slapd[8566]: <= test_filter 6 Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "entry" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "objectClass" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "cn" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian 
slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "gidNumber" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "sambaSID" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "sambaGroupType" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: => access_allowed: read access to "cn=salle1,ou=Groups,dc=test,dc=org" "displayName" requested Nov 12 09:17:50 debian slapd[8566]: <= root access granted Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 ENTRY dn="cn=salle1,ou=groups,dc=test,dc=org" Nov 12 09:17:50 debian slapd[8566]: conn=6 op=29 SEARCH RESULT tag=101 err=0 nentries=1 text= Nov 12 09:17:50 debian slapd[8566]: daemon: activity on 1 descriptor Nov 12 09:17:50 debian slapd[8566]: daemon: activity on: Nov 12 09:17:50 debian slapd[8566]: 10r Nov 12 09:17:50 debian slapd[8566]: Nov 12 09:17:50 debian slapd[8566]: daemon: read activity on 10 Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=5 active_threads=0 tvp=NULL Nov 12 09:17:50 debian slapd[8566]: daemon: select: listen=6 active_threads=0 tvp=NULL Nov 12 09:17:50 debian slapd[8566]: begin get_filter Nov 12 09:17:50 debian slapd[8566]: AND Nov 12 09:17:50 debian slapd[8566]: begin get_filter_list Nov 12 09:17:50 debian slapd[8566]: begin get_filter Nov 12 09:17:50 debian slapd[8566]: EQUALITY Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 Nov 12 09:17:50 debian slapd[8566]: begin get_filter Nov 12 09:17:50 debian slapd[8566]: EQUALITY Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 Nov 12 09:17:50 debian slapd[8566]: end get_filter_list Nov 12 09:17:50 debian slapd[8566]: end get_filter 0 Nov 12 09:17:50 debian slapd[8566]: conn=6 op=30 SRCH 
base="ou=Groups,dc=test,dc=org" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-32-545))" Nov 12 09:17:50 debian slapd[8566]: conn=6 op=30 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IAND Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IOR Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa1 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IAND Nov 12 09:17:50 debian slapd[8566]: => bdb_list_candidates 0xa0 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=12 first=8 last=24 Nov 12 09:17:50 debian slapd[8566]: => bdb_filter_candidates Nov 12 09:17:50 debian slapd[8566]: ^IEQUALITY Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=8 last=0 Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=8 last=0 Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=0 last=0 Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=0 last=0 Nov 12 09:17:50 debian slapd[8566]: <= bdb_list_candidates: id=0 first=3 last=0 Nov 12 09:17:50 debian slapd[8566]: <= bdb_filter_candidates: id=0 first=3 last=0 Nov 12 09:17:50 debian slapd[8566]: conn=6 op=30 SEARCH RESULT tag=101 err=0 nentries=0 text= Nov 12 09:17:56 debian exiting on signal 15 
=============================================================================

Part of the source code : auth_sam.c
=============================================================================
	if (*workstation_list) {
		BOOL invalid_ws = True;
		fstring tok;
		const char *s = workstation_list;

		const char *machine_name = talloc_asprintf(mem_ctx, "%s$", user_info->wksta_name);
		if (machine_name == NULL)
			return NT_STATUS_NO_MEMORY;

		while (next_token(&s, tok, ",", sizeof(tok))) {
			DEBUG(10,("sam_account_ok: checking for workstation match %s and %s\n",
				tok, user_info->wksta_name));
			if(strequal(tok, user_info->wksta_name)) {
				invalid_ws = False;
				break;
			}
			if (tok[0] == '+') {
				DEBUG(10,("sam_account_ok: checking for workstation %s in group: %s\n",
					machine_name, tok + 1));
				if (user_in_group(machine_name, tok + 1)) {
					invalid_ws = False;
					break;
				}
			}
		}

		if (invalid_ws)
			return NT_STATUS_INVALID_WORKSTATION;
	}
=============================================================================

Complete config and (a little bit longer) log files can be found here : http://www.fichiers.univ-metz.fr/depot/nass/samba-debug.tgz

Also available in this .tgz are the log files of a Samba build with the same options as the default Debian build options but with CFLAGS=-DNO_LDAP_SECURITY, which makes it work...

By the way... What are or would be the consequences of using this (LDAP security off) Samba build? Bug?

Thanks for any help,

Frédéric Nass
Université de Metz, Service S2i - IUT de Metz, tel.: +33387547736
Created attachment 2964
Config and Log Files

This is the complete config and (a little bit longer) log files that can also be found here : http://www.fichiers.univ-metz.fr/depot/nass/samba-debug.tgz
userWorkstations is not designed to work with groups
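
The report ties the NT_STATUS_INVALID_WORKSTATION failures to `+groupname` tokens in `sambaUserWorkstations`, and the reply above says the attribute is not designed for groups. The following added example (not part of the original thread or of Samba) scans an LDIF export of the directory for accounts that carry such tokens; the sample LDIF and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not taken from the report's directory).
# toto uses a "+group" token, titi plain names, tata a folded base64 value.
SAMPLE_LDIF = """\
dn: uid=toto,ou=Users,dc=test,dc=org
sambaUserWorkstations: pc1,+salle1

dn: uid=titi,ou=Users,dc=test,dc=org
sambaUserWorkstations: pc1,pc2

dn: uid=tata,ou=Users,dc=test,dc=org
sambaUserWorkstations:: cGMzLCtzYWxs
 ZTI=
"""

def unfold(ldif):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Split 'attr: value' or 'attr:: base64' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()

def group_tokens(ldif):
    """Map each DN to the '+group' tokens in its sambaUserWorkstations."""
    findings, dn = {}, None
    for line in unfold(ldif):
        if not line:                # a blank line ends the current entry
            dn = None
            continue
        if line.startswith("#"):    # LDIF comment
            continue
        attr, value = parse_line(line)
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "sambauserworkstations" and dn:
            groups = [t.strip() for t in value.split(",") if t.strip().startswith("+")]
            if groups:
                findings[dn] = groups
    return findings
```

Accounts returned by `group_tokens` are the ones whose workstation restriction depends on the group lookup discussed in this report; entries with only plain machine names are not listed.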