# openldap, samba3 - root user outside DIT



## jontheil (Jan 24, 2015)

Hi forum users,

A couple of years ago, I succeeded in making my server authenticate via LDAP as described in the documentation. At the same time, I configured my Samba server to use OpenLDAP.
It has been working as intended since then, but now I have a problem that I cannot solve even if it seems trivial: I can no longer log into the Samba server as user root. If I run a command like `smbclient -I 192.168.1.31 -L myserver` and I enter my root password, I am denied access. The command outputs something like this:

```
smbclient -I 192.168.1.31 -L myserver
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: using /usr/local/etc/openldap/ldap.conf
ldap_url_parse_ext(ldap://ldap.domain.com)
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE
```
Obviously, the Samba server is searching through the LDAP entries and fails.
Even though my notes have disappeared, I am quite sure the root user was never included in the DIT and that Samba was working just fine with that.
Maybe I missed checking some configuration files being updated when I went from 10.0 to 10.1-RELEASE. I have checked, e.g., `/etc/pam.d/sshd`, and to me it seems correct:

```
auth  required     pam_nologin.so  no_warn
auth  sufficient   pam_opie.so  no_warn no_fake_prompts
auth  requisite    pam_opieaccess.so  no_warn allow_local
auth  sufficient   /usr/local/lib/pam_ldap.so  no_warn
auth  required     pam_unix.so  no_warn try_first_pass

account  required  pam_login_access.so
account  required  /usr/local/lib/pam_ldap.so  no_warn ignore_authinfo_unavail ignore_unknown_user

session  required  pam_permit.so
session  required  /usr/local/lib/pam_mkhomedir.so

password  required pam_unix.so  no_warn try_first_pass
```
I can post much more of the configuration and logs. But before I do that, someone might lead me in the right direction.

Any help is much appreciated.

Regards,
Jon Theil Nielsen


----------

