[Samba] trouble joining win xp machines to samba with ldap backend DC

Gary Dale garydale at rogers.com
Fri Sep 24 11:07:00 MDT 2010 

On 24/09/10 11:53 AM, Osmany wrote:
> Greetings,
>
> I would like some help figuring this out. I really don't know what to do
> anymore. whenever I try to join an XP machine to the domain it comes up
> that username or password is not correct. However I know that the
> credentials are correct, but when I check the logs of that specific
> machine, this comes up:
>
> [2010/09/24 11:42:38, 5] auth/auth_util.c:make_user_info_map(161)
>    make_user_info_map: Mapping user [oc.quimefa.cu]\[root] from
> workstation [CLIENTEWINDOW]
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 3] smbd/uid.c:push_conn_ctx(358)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_nt_user_token(448)
>    NT user token: (NULL)
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_unix_user_token(474)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2010/09/24 11:42:38, 5] auth/auth_util.c:is_trusted_domain(2261)
>    is_trusted_domain: Checking for domain trust with [oc.quimefa.cu]
> [2010/09/24 11:42:38, 5]
> passdb/secrets.c:secrets_fetch_trusted_domain_password(491)
>    secrets_fetch failed!
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/24 11:42:38, 5]
> libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
>    no entry for trusted domain oc.quimefa.cu found.
> [2010/09/24 11:42:38, 5] auth/auth_util.c:make_user_info(75)
>    attempting to make a user_info for root (root)
> [2010/09/24 11:42:38, 5] auth/auth_util.c:make_user_info(85)
>    making strings for root's user_info struct
> [2010/09/24 11:42:38, 5] auth/auth_util.c:make_user_info(117)
>    making blobs for root's user_info struct
> [2010/09/24 11:42:38, 3] auth/auth.c:check_ntlm_password(221)
>    check_ntlm_password:  Checking password for unmapped user
> [oc.quimefa.cu]\[root]@[CLIENTEWINDOW] with the new password interface
> [2010/09/24 11:42:38, 3] auth/auth.c:check_ntlm_password(224)
>    check_ntlm_password:  mapped user is:
> [oc.quimefa.cu]\[root]@[CLIENTEWINDOW]
> [2010/09/24 11:42:38, 5] lib/util.c:dump_data(2286)
>    [000] 9C CA 80 B4 84 2B C6 8A                           .....+..
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 3] smbd/uid.c:push_conn_ctx(358)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_nt_user_token(448)
>    NT user token: (NULL)
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_unix_user_token(474)
>    UNIX token of user 0Primary group is 0 and contains 0 supplementary
> groups
> [2010/09/24 11:42:38, 5] lib/smbldap.c:smbldap_search_ext(1182)
>    smbldap_search_ext: base =>  [dc=oc,dc=quimefa,dc=cu], filter =>
> [(&(uid=root)(objectclass=sambaSamAccount))], scope =>  [2]
> [2010/09/24 11:42:38, 5] lib/smbldap.c:smbldap_close(1085)
>    The connection to the LDAP server was closed
> [2010/09/24 11:42:38, 2] lib/smbldap.c:smbldap_open_connection(786)
>    smbldap_open_connection: connection opened
> [2010/09/24 11:42:38, 3] lib/smbldap.c:smbldap_connect_system(997)
>    ldap_connect_system: successful connection to the LDAP server
> [2010/09/24 11:42:38, 4] lib/smbldap.c:smbldap_open(1065)
>    The LDAP server is successfully connected
> [2010/09/24 11:42:38, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>    init_sam_from_ldap: Entry found for user: root
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2010/09/24 11:42:38, 3] smbd/uid.c:push_conn_ctx(358)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_nt_user_token(448)
>    NT user token: (NULL)
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_unix_user_token(474)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
> [2010/09/24 11:42:38, 3] smbd/uid.c:push_conn_ctx(358)
>    push_conn_ctx(0) : conn_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_nt_user_token(448)
>    NT user token: (NULL)
> [2010/09/24 11:42:38, 5] auth/auth_util.c:debug_unix_user_token(474)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2010/09/24 11:42:38, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/24 11:42:38, 5] lib/username.c:Get_Pwnam_alloc(131)
>    Finding user root
> [2010/09/24 11:42:38, 5] lib/username.c:Get_Pwnam_internals(75)
>    Trying _Get_Pwnam(), username as lowercase is root
> [2010/09/24 11:42:38, 5] lib/username.c:Get_Pwnam_internals(108)
>    Get_Pwnam_internals did find user [root]!
>
> These are not the complete logs from the joining to domain interaction
> from this machine but I figured that the rest is pretty much the same if
> anyone had an experience like this. Please help!!!
>
> thanks in advance.
>    
The problem may be that "root" is not a Domain account. You may want to 
create an Administrator account (although some security experts suggest 
giving it a different name) then mapping it to root using pdbedit.

You could also add a regular user to the admin users in smb.conf, but 
that creates a problem in that they seem to be mapped to root. If you 
opt for this solution, remove the account from admin users as soon as 
you have added the machine account(s). Otherwise the unix owner won't be 
who you expect.

More information about the samba mailing list