Samba team,

I'm having some problems getting a Windows XP client (I believe all systems could have the same issue) to use LDAP authentication with Samba. This is a native OpenFiler configuration with a local LDAP server for Samba shares. The problem is that sharing is never authenticated, and my suspicion is about the sambaSID.

Basically I created a test user called "rlvcosta". This user was created in LDAP as:

    dn: uid=rlvcosta,ou=People,dc=flores,dc=com
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: sambaSamAccount
    homeDirectory: /dev/null
    loginShell: /bin/false
    cn: rlvcosta
    givenName: rlvcosta
    sn: rlvcosta
    uid: rlvcosta
    uidNumber: 500
    gidNumber: 9126
    sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001

This appears to be OK. However, when I run a tcpdump trace I see:

    Lightweight Directory Access Protocol
      LDAPMessage searchRequest(161) "dc=flores,dc=com" wholeSubtree
        messageID: 161
        protocolOp: searchRequest (3)
          searchRequest
            baseObject: dc=flores,dc=com
            scope: wholeSubtree (2)
            derefAliases: neverDerefAliases (0)
            sizeLimit: 0
            timeLimit: 15
            typesOnly: False
            Filter: (&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
              filter: and (0)
                and: (&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)(objectclass=sambaSamAccount))
                  and: 2 items
                    Filter: (sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)
                      and item: equalityMatch (3)
                        equalityMatch
                          attributeDesc: sambaSID
                          assertionValue: S-1-5-21-1299536883-3844537390-917088389-513
                    Filter: (objectclass=sambaSamAccount)
                      and item: equalityMatch (3)
                        equalityMatch
                          attributeDesc: objectclass
                          assertionValue: sambaSamAccount
            attributes: 38 items
              AttributeDescription: uid
              AttributeDescription: uidNumber
              AttributeDescription: gidNumber
              AttributeDescription: homeDirectory
              AttributeDescription: sambaPwdLastSet
              AttributeDescription: sambaPwdCanChange
              AttributeDescription: sambaPwdMustChange
              AttributeDescription: sambaLogonTime
              AttributeDescription: sambaLogoffTime
              AttributeDescription: sambaKickoffTime
              AttributeDescription: cn
              AttributeDescription: sn
              AttributeDescription: displayName
              AttributeDescription: sambaHomeDrive
              AttributeDescription: sambaHomePath
              AttributeDescription: sambaLogonScript
              AttributeDescription: sambaProfilePath
              AttributeDescription: description
              AttributeDescription: sambaUserWorkstations
              AttributeDescription: sambaSID
              AttributeDescription: sambaPrimaryGroupSID
              AttributeDescription: sambaLMPassword
              AttributeDescription: sambaNTPassword
              AttributeDescription: sambaDomainName
              AttributeDescription: objectClass
              AttributeDescription: sambaAcctFlags
              AttributeDescription: sambaMungedDial
              AttributeDescription: sambaBadPasswordCount
              AttributeDescription: sambaBadPasswordTime
              AttributeDescription: sambaPasswordHistory
              AttributeDescription: modifyTimestamp
              AttributeDescription: sambaLogonHours
              AttributeDescription: modifyTimestamp
              AttributeDescription: uidNumber
              AttributeDescription: gidNumber
              AttributeDescription: homeDirectory
              AttributeDescription: loginShell
              AttributeDescription: gecos

Note that according to the LDAP DB the rlvcosta sambaSID is supposed to be S-1-5-21-1299536883-3844537390-917088389-1001. But the search made by Samba uses the suffix 513 instead of 1001. Samba receives the request from the client appropriately, but it looks like it doesn't map the search to the LDAP server correctly.

I could not understand from the tcpdump trace the dynamics of Samba authentication with LDAP. The LDAP has the correct structure, but the search from Samba doesn't create the correct sambaSID.

My understanding would be that Samba searches for the sambaSID prefix, like below, and then suffixes it with the user. But I'm not sure how it does it or if there is a bug in Samba.

    dn: sambaDomainName=CACTO,dc=flores,dc=com
    sambaDomainName: CACTO
    sambaSID: S-1-5-21-1299536883-3844537390-917088389
    sambaAlgorithmicRidBase: 1000
    objectClass: sambaDomain

Do you have any comments? Is there any detailed documentation about the LDAP authentication used by Samba?

In the end I can only make shares available using Public guest access, not controlled access.
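
Added example, not part of the original post and not Samba code: a small check that splits the SID in the captured search filter into domain SID and RID and compares it with the directory entry quoted above. The function names are hypothetical and the sample data is constructed from the values in the post; RID 513 is the Windows well-known "Domain Users" group RID, so the captured search is asking for a different object than the user's own SID.

```python
import re

# Constructed from the values quoted in the post above.
DOMAIN_SID = "S-1-5-21-1299536883-3844537390-917088389"
LDIF = """\
dn: uid=rlvcosta,ou=People,dc=flores,dc=com
objectClass: sambaSamAccount
uid: rlvcosta
sambaSID: S-1-5-21-1299536883-3844537390-917088389-1001
"""
FILTER = ("(&(sambaSID=S-1-5-21-1299536883-3844537390-917088389-513)"
          "(objectclass=sambaSamAccount))")

# Well-known domain-relative RIDs defined by Windows.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   513: "Domain Users", 514: "Domain Guests"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

def split_sid(sid):
    """Return (domain_sid, rid) by cutting off the last sub-authority."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a SID: {sid!r}")
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values or folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def explain_search(ldap_filter, entries, domain_sid):
    """Describe the SID a filter asks for and which entries carry it."""
    m = re.search(r"\(sambaSID=(" + SID_RE.pattern + r")\)", ldap_filter, re.I)
    if not m:
        raise ValueError("filter has no sambaSID equality match")
    domain, rid = split_sid(m.group(1))
    hits = [e["dn"][0] for e in entries if m.group(1) in e.get("sambasid", [])]
    return {"rid": rid, "same_domain": domain == domain_sid,
            "well_known": WELL_KNOWN_RIDS.get(rid), "matching_dns": hits}

if __name__ == "__main__":
    print(explain_search(FILTER, parse_ldif(LDIF), DOMAIN_SID))
```
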