TNG-2.x --with-ldap && PDC broken?

Ignacio Coupeau icoupeau at unav.es
Sat Apr 22 11:14:32 GMT 2000


For several hours I have tested the TNG with-ldap stuff.
I found that the account maintenance via samedit works with the ldap:
1. can add a ws account
2. can add a user account
3. can change a user passwd with smbpasswd
The ldap logs a lot, and fine.

The bad things are these:
1. can't join a ws to the domain
2. can't use samedit/use nor smbclient...
The ldap says nothing... I think the private/smbpasswd is used instead of
the ldap database...


The error I found is that the logon process doesn't ask __anything__ of the
ldap; instead, the error messages:
> LSA_OPENSECRET..:/_lsa_open_secret failed with 0xc0000034; 
> SMB LM/NT Password did not match!
> error packet at line 749 cmd=115 (SMBsesssetupX) eclass=2 ecode=2
become ubiquitous.

Any help/suggestion ?

Thanks.
PS: below, I append a test (long):
----------------------------------------------------------------------------


The samrd is running... and all the *d,
and the private/smbpasswd exists... but if I use ldap...
Tested with TNG 2.2 and 2.4.2,
Linux kernel 2.2.10.
The smb.conf is OK:

> ldap suffix = "o=SMB-Universidad de Navarra, c=ES"
> ldap bind as = "uid=root, o=SMB-Universidad de Navarra, c=ES"
> ldap passwd file = /usr/local/etc/samba/private/ldappasswd
> #ldap server = localhost
> ldap server = bilbo
> ldap port = 389

... 


[root at bilbo bin]# samedit -S . -U root
added interface ip=159.237.12.42 bcast=159.237.12.255
nmask=255.255.255.0
Enter Password:
...
[root at .]$ createuser CTI-PORTATIL$
createuser CTI-PORTATIL$
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: CTI-SMB-DEV Name: cti-portatil$ ACB: [W          ]
Resetting Trust Account to insecure, initial, well-known value:
"cti-portatil"
CTI-PORTATIL can now be joined to the domain, which should
be done on a private, secure network as soon as possible
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK

-----
the log yields:


remove on /usr/local/etc/samba/var/locks/.msrpc/svcctl failed
TODO: verify that the rid exists
TODO: verify that the rid exists
Changed root to /

---
Of course, the ldap account is created:
[root at bilbo openldap]# sh samba-search "uid=CTI-PORT*"
dn: uid=CTI-PORTATIL$, o=SMB-Universidad de Navarra, c=ES
objectclass: sambaAccount
uid: CTI-PORTATIL$
uidnumber: 515
ntuid: cti-portatil$
rid: 55e7
lmpassword: 15E26A2E30265B2E1113404FD56A01A4
ntpassword: BD07481A531FD209CF0EE276C5E41201
pwdlastset: 3901715D
acctflags: [W          ]
gidnumber: 100
grouprid: 579
cn: desarrollo-WS
pwdcanchange: 3901715B
pwdmustchange: 00000000
logontime: 00000000
logofftime: 00000000
kickofftime: 00000000



-------------------------------------------------------
When I try to add the machine to the domain.... the log yields:
-------------------------------------------------------
Changed root to /
netbios connect: name1=BILBO            name2=CTI-PORTATIL   
authorise_login: TODO. split function, it's 6 levels!
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
_lsa_open_secret failed with 0xc0000034
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
_lsa_open_secret failed with 0xc0000034
Changed root to /
netbios connect: name1=BILBO            name2=CTI-PORTATIL   
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
SMB LM/NT Password did not match!
Closing connections
_lsa_open_secret failed with 0xc0000034
Changed root to /
netbios connect: name1=BILBO            name2=CTI-PORTATIL   
authorise_login: TODO. split function, it's 6 levels!
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
_lsa_open_secret failed with 0xc0000034
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
_lsa_open_secret failed with 0xc0000034
socket connect to /tmp/.msrpc/.wkssvc/agent failed: Connection refused
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
_lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=99, egid=99
_lsa_open_secret failed with 0xc0000022
Closing connections
Changed root to /
netbios connect: name1=BILBO            name2=CTI-PORTATIL   
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
Closing connections
_lsa_open_secret failed with 0xc0000034
-----

but the NT says "can't connect to the controller for this domain..."

and the LDAP with -d 255 says nothing: no bind is received.
-- 
____________________________________________________
Ignacio Coupeau, Ph.D.     e-mail: icoupeau at unav.es
CTI, Director              fax:    948 425619
University of Navarra      voice:  948 425600
Pamplona, SPAIN            http://www.unav.es/cti/
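As an added triage example (not part of the post above, nor code from Samba TNG), the quoted log can be summarised by unreachable agent socket and by NTSTATUS code, which makes it visible that the LSA secret lookup fails before any credential backend is consulted. The NTSTATUS names are the standard Windows values; the log excerpt is a constructed subset of the lines in the post, and the hint that the lsarpc agent daemon must be running is an assumption drawn from the refused socket connects.

```python
import re
from collections import Counter

# Constructed excerpt of the Samba TNG log quoted in the post.
SAMPLE_LOG = """\
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
LSA_OPENSECRET: 
_lsa_open_secret failed with 0xc0000034
socket connect to /tmp/.msrpc/.wkssvc/agent failed: Connection refused
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
_lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=99, egid=99
_lsa_open_secret failed with 0xc0000022
SMB LM/NT Password did not match!
"""

# Standard NTSTATUS values (assumed mapping, not given in the post).
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

SOCKET_RE = re.compile(r"socket connect to (\S+) failed: (.+)")
STATUS_RE = re.compile(r"(\w+) failed with (0x[0-9a-fA-F]{8})")

def triage(log_text):
    """Count refused agent sockets, NTSTATUS failures per function, and password mismatches."""
    refused = Counter()
    statuses = Counter()
    password_mismatch = 0
    for line in log_text.splitlines():
        m = SOCKET_RE.search(line)
        if m:
            refused[m.group(1)] += 1
            continue
        m = STATUS_RE.search(line)
        if m:
            code = int(m.group(2), 16)
            statuses[(m.group(1), NTSTATUS.get(code, m.group(2)))] += 1
            continue
        if "Password did not match" in line:
            password_mismatch += 1
    return {"refused": dict(refused), "statuses": dict(statuses),
            "password_mismatch": password_mismatch}

def likely_cause(summary):
    """Heuristic: an unreachable lsarpc agent socket means the trust-secret lookup never
    starts, so the LSA failures and password mismatches are downstream symptoms (assumption)."""
    if any(path.endswith("/.lsarpc/agent") for path in summary["refused"]):
        return "lsarpc agent socket unreachable; check that the lsarpc daemon is running"
    return "no agent socket failures; inspect the credential backend instead"
```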

