Oh LDAP and Samba, why do you have to be such a headache? Individually and together, you raise my ire.
A recent new hire had Linux server login issues due to LDAP not replicating the account; once we resolved that by restarting SlapD and NSCD and NSLCD on various machines (both LDAP servers and clients), we still couldn't get the Samba connection to authenticate this account.
The Samba error message, which of course does not at all reference the user account I was trying, read:
[2013/04/20 11:00:00.703214, 0] passdb/passdb.c:2242(pdb_increment_bad_password_count)
pdb_increment_bad_password_count: pdb_get_account_policy failed.
Various searches for that error have people telling you to reset the Samba password count, which doesn't work if your LDAP doesn't allow replicating passwords from Samba to the LDAP servers. That incorrect suggestion is to run something along the lines of:
# pdbedit -r -c "[U]" username
add_new_domain_info: failed to add domain dn= sambaDomainName=SAMBA,dc=company, dc=com with: Server is unwilling to perform
shadow context; no update referral
smbldap_search_domain_info: Adding domain info for SAMBA failed with NT_STATUS_UNSUCCESSFUL
We tried resetting the password and restarting various services, but the ultimate solution was to change the password in LDAP, save it, and then change it back in LDAP again; Samba was able to use the password after that. Dumb. Yes, we probably could have changed this password to begin with, but we had already given all documentation for that user/pass to the new hire.