[Samba] LDAP & PDC: Can join domain, but cannot login afterwards.

Linux Addict linuxaddict7 at gmail.com
Tue Jan 25 14:52:06 MST 2011


On Tue, Jan 18, 2011 at 1:03 PM, Farhan Ahmad <farhan at thebitguru.com> wrote:

> Hi,
>
> I am setting up a PDC with LDAP, but having no luck with it.  Basically, the
> Win XP computer successfully joins the domain, but after restarting when I
> try to log in it says "The system cannot log you on now because the domain
> THEBITGURU.LAN is not available."  I am running an Ubuntu 10.10 server with
> Samba 3.5.4 and OpenLDAP 2.4.3 (slapd).
>
> I have compressed all of the samba logs (/var/log/samba) files along with
> the smb.conf:
> http://www.thebitguru.com/site_media/uploads/samba_troubleshooting.tar.gz
> I turned up the logging (log level = 4) and created a folder with the log
> files after each step.
>
> Below is what I have gathered so far about the different steps.
>
> *Relevant Notes*
>
>   1. I installed ClearOS on another virtual machine and set it up as a PDC.
>   This same WinXP virtual machine successfully joined that domain and was
>   able to log in without any issues.  So, I am concluding that the client is
>   set up correctly.
>      1. I even tried comparing the smb.conf files and updating the one on my
>      actual server, but no luck.
>   2. Another Windows 7 machine with the changes listed on
>   http://wiki.samba.org/index.php/Windows7 behaves similarly, i.e. cannot
>   log in after joining the domain.
>   3. I can mount the share (\\visionary\shared) served by this server on
>   both WinXP and Windows 7 without any issues.  This tells me that the
>   authentication with the LDAP server is working OK.
>
> *Domain Join (log files in after_domain_join folder)*
> 1. Note how the sending machine correctly sent the user and domains in this
> case.
> [2011/01/18 10:24:35.521835,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
>  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744]
> len1=24 len2=24
>
> 2. Also, note that the user authentication and mapping seemed to work OK in
> this case.
> [2011/01/18 10:24:35.521954,  3] auth/auth.c:219(check_ntlm_password)
>  check_ntlm_password:  mapped user is:
> [THEBITGURU.LAN]\[root]@[VIRTUALXP-32744]
> .
> .
> .
> [2011/01/18 10:24:35.523891,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>  init_sam_from_ldap: Entry found for user: root
>
>
> 3. Even though the Win XP system says that it joined the domain OK, the
> following output in the log file seems suspicious.  This is at the end of
> log.virtualxp-32744.
> [2011/01/18 10:24:36.932921,  3] smbd/connection.c:31(yield_connection)
>  Yielding connection to
> [2011/01/18 10:24:36.933031,  3] smbd/server.c:906(exit_server_common)
>  Server exit (failed to receive smb request)
>
>
> *First Failed Login (log files in after_first_failed_login folder)*
> 1. Unlike #1 above, in this case we neither see the user nor the domain.  I
> think this is where the problem lies.
> [2011/01/18 10:26:01.920055,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
>  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0
>
> 2. The server still falls back to the domain, but still no user.
> [2011/01/18 10:26:01.920172,  3] auth/auth.c:219(check_ntlm_password)
>  check_ntlm_password:  mapped user is:
> [THEBITGURU.LAN]\[]@[VIRTUALXP-32744]
>
> 3. So it goes looking for the guest user.
> [2011/01/18 10:26:01.922536,  3] auth/auth.c:265(check_ntlm_password)
>  check_ntlm_password: guest authentication for user [] succeeded
>
> 4. There might be other weird things, for instance, the "Server exit
> (failed to receive smb request)" message, but if I can figure out the issue
> with #1 then I am thinking that the rest will be fixed.
>
>
>
> I have tried a lot of stuff, but haven't had any luck.  What should I do
> next to fix this issue?
>
> Thanks!
> Farhan


It looks to me like a communication issue. Run tcpdump and check for dropped
packets. Is there a firewall between the systems?

Does kinit <username> work?
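
An added example, not part of the original thread: a small Python parser for the level-3 smbd log format quoted above that lists each NTLMSSP attempt and marks the ones that arrived with an empty user and were then accepted as guest. The sample input is the log excerpts from the quoted message with the e-mail wrapping undone; the function names are this example's own.

```python
import re

# Constructed input: the log excerpts quoted above, e-mail wrapping undone.
SAMPLE_LOG = """\
[2011/01/18 10:24:35.521835,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744] len1=24 len2=24
[2011/01/18 10:26:01.920055,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0
[2011/01/18 10:26:01.920172,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [THEBITGURU.LAN]\\[]@[VIRTUALXP-32744]
[2011/01/18 10:26:01.922536,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\] \S+\((?P<func>\w+)\)$")
GOT = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
GUEST = re.compile(r"guest authentication for user \[(.*?)\] succeeded")

def records(text):
    """Yield (timestamp, function, message), joining continuation lines."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            if cur:
                yield cur[0], cur[1], " ".join(cur[2])
            cur = (m["ts"], m["func"], [])
        elif cur and line.strip():
            cur[2].append(line.strip())
    if cur:
        yield cur[0], cur[1], " ".join(cur[2])

def ntlmssp_attempts(text):
    """One dict per NTLMSSP attempt; 'guest' is set by a later guest fallback."""
    attempts = []
    for ts, func, msg in records(text):
        got = GOT.search(msg) if func == "ntlmssp_server_auth" else None
        guest = GUEST.search(msg) if func == "check_ntlm_password" else None
        if got:
            user, domain, ws = got.groups()
            attempts.append({"time": ts, "user": user, "domain": domain,
                             "workstation": ws, "anonymous": user == "", "guest": False})
        elif guest and attempts and guest.group(1) == attempts[-1]["user"]:
            attempts[-1]["guest"] = True
    return attempts

if __name__ == "__main__":
    for a in ntlmssp_attempts(SAMPLE_LOG):
        print(a["time"], a["workstation"], repr(a["user"]), "guest" if a["guest"] else "named")
```

To run it over a complete log file, pass the file's text to `ntlmssp_attempts` instead of `SAMPLE_LOG`.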

