Bug 7954 - Samba ignores "password server" in smb.conf.
Status: NEW
Product: Samba 3.5
Classification: Unclassified
Component: Config Files
Hardware/OS: x64 Linux
Importance: P3 major
Assigned To: Volker Lendecke
QA Contact: Samba QA Contact
Reported: 2011-02-11 09:16 UTC by Chris Pepper
Modified: 2011-02-26 07:19 UTC (History)
Description Chris Pepper 2011-02-11 09:16:04 UTC
I have confirmed this with both the CentOS 5 v3.0.33 RPM and SerNet's v3.5.6 RPM.

I tried several values for "password server" in smb.conf (with "security = ads"), but Samba always uses an auto-detected LDAP server and ignores my specification (other changes are picked up with "service smb restart"). I need to override the port, but cannot get it to take. I have tried both real servers with port (e.g., "password server = 140.163.***.***:3268") and "password server =". But every time I check, "net ads info" shows the auto-detected LDAP server & default port 389.

[root@ananew samba]# uname -a
Linux ananew.cbio.mskcc.org 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:14 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@ananew samba]# rpm -qi samba3
Name        : samba3                       Relocations: (not relocatable)
Version     : 3.5.6                             Vendor: Service Network GmbH, Goettingen
Release     : 43.el5                        Build Date: Thu 07 Oct 2010 04:49:39 PM EDT
Install Date: Fri 11 Feb 2011 09:39:52 AM EST      Build Host: sam
Group       : Productivity/Networking/Samba   Source RPM: samba3-3.5.6-43.el5.src.rpm
Size        : 52760655                         License: GPL v3 or later
Signature   : DSA/SHA1, Wed 13 Oct 2010 06:59:38 AM EDT, Key ID d9921b1cf4428b1a
Packager    : SerNet Samba Team <Samba@SerNet.DE>
URL         : http://www.samba.org
Summary     : SerNet Samba SMB/CIFS file, print and authentication server
Description :
Samba is a suite of programs which work together to allow clients to
access Unix filespace and printers via the SMB/CIFS protocol.
[root@ananew samba]# net ads info
LDAP server: 140.163.***.***
Bind Path: dc=MSKCC,dc=ROOT,dc=MSKCC,dc=ORG
LDAP port: 389
Server time: Fri, 11 Feb 2011 09:59:15 EST
KDC server: 140.163.***.***
Server time offset: 0
[root@ananew samba]# grep "password server" /etc/samba/smb.conf|grep -v \#
password server =
;	password server = <NT-Server-Name>
[root@ananew samba]# grep security /etc/samba/smb.conf|grep -v \#
	security = ads
;	security = ads
;	security = user

Originally observed with the CentOS 5 RPM:

Name       : samba
Arch       : x86_64
Version    : 3.0.33
Release    : 3.29.el5_5.1
Size       : 16 M
Repo       : updates
Comment 1 Karolin Seeger 2011-02-24 08:38:25 UTC
Volker, would you like to comment on this one?
Comment 2 Volker Lendecke 2011-02-24 09:49:35 UTC
Sorry, I'd see this not as a major bug but as an enhancement.

Comment 3 Chris Pepper 2011-02-25 23:50:42 UTC
I don't understand. There is a documented feature that doesn't work. Not supporting the specification (the manual page in this case) seems like a bug.

Is it just that Samba doesn't support alternate LDAP ports and never has, and the manual page writer just got carried away and made up a nonexistent feature?

For us it's major -- Samba cannot communicate with our AD system.
Comment 4 Volker Lendecke 2011-02-26 02:56:41 UTC
Sorry, but the documentation is wrong. A port option in the ADS world just does not make sense, as we have to contact several services in AD. 445, 389, 135 at least. All of them might be individually redirected.

In case you are working with Linux, you might want to try iptables DNAT rules that redirect 389 connects to another port.

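An added example to illustrate the iptables DNAT workaround suggested in comment 4. It is not part of this bug report and is not Samba project code. It builds (and, only as root with APPLY=1, applies) the rule that rewrites this host's own TCP connections to the DC's port 389 so they land on another port. The DC address 192.0.2.10 (RFC 5737 test range) and the alternate port 3268 are assumed placeholders standing in for the masked address and the port the reporter wanted. One detail that decides whether the workaround works at all: smbd, winbindd and "net" originate the connection on this same host, so the rule has to sit in the nat table's OUTPUT chain; a PREROUTING rule only sees packets arriving on an interface and would never match locally generated traffic.

```shell
#!/bin/sh
# Added example, not from the bug report or from Samba: build the iptables
# DNAT rule that sends this host's own TCP connections to the DC's port 389
# to another port instead. Samba (smbd/winbindd/net) originates the
# connection locally, so the rule belongs in the nat table's OUTPUT chain;
# PREROUTING only sees packets that arrive on an interface.
# 192.0.2.10 (RFC 5737 test range) stands in for the masked DC address in
# the report; 3268 is the port the reporter asked for. Both are assumptions.

DC_ADDR="${DC_ADDR:-192.0.2.10}"
LDAP_PORT="${LDAP_PORT:-389}"
ALT_PORT="${ALT_PORT:-3268}"

# True when $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the iptables command for redirecting DC:$2 to DC:$3.
# $4 selects the nat chain: OUTPUT (default, this host's own traffic) or
# PREROUTING (traffic this host forwards on behalf of other machines).
# Returns 2 and prints nothing if a port or the chain name is not valid.
ldap_dnat_rule() {
    dc="$1"; from="$2"; to="$3"; chain="${4:-OUTPUT}"
    valid_port "$from" && valid_port "$to" || return 2
    case "$chain" in
        OUTPUT|PREROUTING) ;;
        *) return 2 ;;
    esac
    # TCP only: Samba's CLDAP DC-discovery pings use UDP 389 and are left alone.
    # Restricting -d to the DC keeps other LDAP clients on this box untouched.
    printf 'iptables -t nat -A %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$chain" "$dc" "$from" "$dc" "$to"
}

# The same rule with -D instead of -A, to back the change out.
ldap_dnat_rule_delete() {
    out="$(ldap_dnat_rule "$@")" || return $?
    printf '%s\n' "$out" | sed 's/ -A / -D /'
}

# Apply only when explicitly asked and running as root; otherwise show the
# commands so they can be reviewed first.
main() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        ldap_dnat_rule "$DC_ADDR" "$LDAP_PORT" "$ALT_PORT" | sh -e
        # -v shows packet counters: a non-zero count is the proof the redirect
        # fired, since 'net ads info' will still print "LDAP port: 389" (the
        # rewrite happens in the kernel, invisibly to Samba).
        iptables -t nat -L OUTPUT -n -v --line-numbers
    else
        ldap_dnat_rule "$DC_ADDR" "$LDAP_PORT" "$ALT_PORT"
        ldap_dnat_rule_delete "$DC_ADDR" "$LDAP_PORT" "$ALT_PORT"
    fi
}

main
```

Run it without arguments to review the add and delete commands, then APPLY=1 as root to install the rule. Verify with the packet counters on the OUTPUT chain rather than with "net ads info": DNAT is applied below the socket layer, so Samba keeps reporting port 389 even when the connection is being delivered to the alternate port. Bear in mind comment 4's point that this only moves LDAP; Kerberos, RPC and CIFS still go to their usual ports unless given rules of their own.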
Comment 5 Chris Pepper 2011-02-26 07:10:38 UTC
Thanks, I will check out iptables DNAT, but the "password server" configuration is specifically for the LDAP service normally on port 389 -- nothing to do with the CIFS file service ports.
Comment 6 Volker Lendecke 2011-02-26 07:19:31 UTC
(In reply to comment #5)
> Thanks, I will check out iptables DNAT, but the "password server" configuration
> is specifically for the LDAP service normally on port 389 -- nothing to do with
> the CIFS file service ports.

The documentation might wrongly indicate so. Historically, "password server" predates our AD and thus LDAP support by years. It came from "security=server", which has nothing to do with LDAP at all. That is pure CIFS on port 139/445.