[Samba] can join but unable to login to the domain + ldap account problems

Adi Nugraha adi at westindo.co.id
Fri Jan 14 03:34:31 GMT 2005


> I happen to be the author of that book. Suggest you delete the Administrator
> account and add an account for 'root' that matches your /etc/passwd entry for
> the 'root' user. I will be fixing this information in the update that I will
> soon make to the book.

I deleted the Administrator account and added a root user using
./smbldap-useradd.pl, but it seems similar to adding my own __admin__
account. Would it be a problem if I used the __admin__ account?

> > 1. According to the book the account that can be used to join a domain is
> > the Administrator account with the password set from the ldap admin dn
> > which is secret in my installation, but I was unable to join the domain with
> > the account, not even just to see the shares, something like wrong
> > password, when I look at the log it seems the Administrator is mapped to
> > root, which has a different password in the linux, does this matter? in the
> > end I tried creating a new Account with 0 uid to join the domain (let's
> > call it __admin__ ), and it worked, but I still would like to know why the
> > Administrator account didn't work,
>
> Winbind will break if there is any ambiguity in the forward and reverse
> mapping of login names to UID. You can NOT have both root with UID=0 and
> Administrator with UID=0. If you do, when Samba does a reverse lookup of the
> Windows SID for Administrator it will find it has UNIX UID=0, but then can
> not determine which UNIX account that represents - i.e.: Is it 'root' or is
> it 'Administrator'.
>
> Additionally, all accounts Samba uses must be in the LDAP backend (both the
> POSIX account details and the SambaSamAccount details) if you are using an
> LDAP backend.
>
> >
> > 2. A W2k workstation can join the domain with the __admin__ account, but
> > after reboot it can't login with any User name, not even with the account
> > that successfully joined the workstation. The error message is 'The system
> > cannot log you on now because the domain is not available'. I am able to see
> > the shares with the __admin__ Account, but not with any other accounts
> > (even newly created ones)
>
> Did you add the LDAP admin password to the secrets.tdb file?
>
> Do the following work?:
>
> getent passwd
> pdbedit -Lw
>

When you said LDAP admin password, do you mean the one set with the
smbpasswd -w secret command? If so, then I already did. getent passwd and
pdbedit -Lw worked fine; all the accounts I added to log in to the domain are
there.

> If you have a service definition for [IPC$] in your smb.conf file, please
> delete it, then try again.

No, I don't have a service definition for [IPC$] in my smb.conf file, but
the result from smbclient -L localhost -Uadmin%1234 has an IPC service. But
when I used a different account, like the domain user account, it returned:

Domain=[VALHALLA] OS=[Unix] Server=[Samba 3.0.9]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Does this mean that there's something wrong with the domain user group?

> >
> > 3. when trying to net rpc join the samba box itself it returned
> >      Unable to join domain VALHALLA.
> >
> > and when I tried smbclient -L localhost
> >
> > Anonymous login successful
> > Domain=[VALHALLA] OS=[Unix] Server=[Samba 3.0.9]
> > tree connect failed: NT_STATUS_BAD_NETWORK_NAME
> >
> > but when I tried smbclient //valkyrie/user -Uuser%1234 it worked just fine
> > of course the administrator password still didn't work
> >
> > this is the level 1 log :
> >
> > [2005/01/13 13:03:09, 0] smbd/service.c:make_connection_snum(620)
> >   '/root/tmp' does not exist or is not a directory, when connecting to [IPC$]
>
> What version of Samba? Did you compile it yourself? If so, what parameters did
> you pass to configure?

> - John T.



I used Samba version 3.0.9 from the Samba source on Mandrake Linux 10.0.
I compiled it myself with the default configuration, as in just ./configure,
because I read that since Samba 3 LDAP support is on by default.

BTW I found some logs that seem suspicious, please take a look:

[2005/01/14 04:55:33, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2005/01/14 04:55:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2005/01/14 04:55:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2005/01/14 04:55:33, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[] domain=[] workstation=[VPC1] len1=1 len2=0
[2005/01/14 04:55:33, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/01/14 04:55:33, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/01/14 04:55:33, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/01/14 04:55:33, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/14 04:55:33, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user []\[]@[VPC1] with the new password interface
[2005/01/14 04:55:33, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [VALHALLA]\[]@[VPC1]

The log is from when I tried to log in from a W2K PC that is already joined
to the domain. Why is the primary domain []? And it seems that the
workstation didn't send any username or password either, and it authenticates
as a guest account?


This is the log from when I tried joining the domain from the Samba box itself:



 Adding homes service for user 'adi' using home directory: '/home//adi'
[2005/01/14 05:20:15, 3] param/loadparm.c:lp_add_home(2341)
  adding home's share [adi] for user 'adi' at '/home//adi'
[... cut ...]
[2005/01/14 05:20:15, 3] smbd/ipc.c:api_fd_reply(296)
  Got API command 0x26 on pipe "NETLOGON" (pnum 76c8)
[2005/01/14 05:20:15, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(890)
  api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
[2005/01/14 05:20:15, 3] rpc_server/srv_pipe.c:check_bind_req(762)
  check_bind_req for \PIPE\NETLOGON
[2005/01/14 05:20:15, 3] smbd/process.c:process_smb(1092)
  Transaction 27 of length 45
[2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
  switch message SMBclose (pid 8730) conn 0x834b730
[2005/01/14 05:20:15, 3] smbd/process.c:process_smb(1092)
  Transaction 28 of length 45
[2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
  switch message SMBclose (pid 8730) conn 0x834b730
[2005/01/14 05:20:15, 3] smbd/process.c:process_smb(1092)
  Transaction 29 of length 39
[2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
[2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
  switch message SMBtdis (pid 8730) conn 0x834b730
[2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/14 05:20:15, 3] smbd/service.c:close_cnum(836)
  valkyrie (192.168.88.2) closed connection to service IPC$
[2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/14 05:20:15, 3] smbd/process.c:timeout_processing(1337)
  timeout_processing: End of file from client (client has disconnected).
[2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/01/14 05:20:15, 2] smbd/server.c:exit_server(571)
  Closing connections
[2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(76)
[2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2005/01/14 05:20:15, 3] smbd/server.c:exit_server(614)
  Server exit (normal exit)


From what I can tell it seems to repeat a lot of the process, and the
NETLOGON part was where it timed out.


Any help will be great, thanks.



Adi







