Problems joining a domain with a Samba-TNG PDC

Paul Kennedy pkennedy at loudcloud.com
Tue Feb 29 22:43:24 GMT 2000



Luke Kenneth Casson Leighton wrote:

> paul,
>
> the passdb/ code is probably going recursive / infinite loop black hole
> because of lib/domain_namemap.c
>
> check that there are no duplicate names in users and groups that could
> cause domain_namemap to go recursive.
>
> either rename, remove or remap them ("doman group/alias/user/builtin map).

Ok, so I think this was caused by this line in smb.conf

> password server = millstreet
>

After removing this entry from the file, the Samba server is no longer
consuming 100% cpu.

Then I renamed my PC host from "paulpc" to "other" and made it join a
workgroup named "workgroup".

I then ran samedit and recreated the paulpc$ machine account

    samedit -S . -U root
    createuser paulpc$

This operation caused modification of the paulpc$ entry's lmpassword and
ntpassword attribute values in LDAP.

After a reboot, I changed the PC name back to paulpc, and made it rejoin the
domain. I got a "Welcome to domain Airius" dialog. But in log.netlogon,
(with debug level = 100) I see this, repeated 14 times:

PANIC: internal error

After rebooting paulpc, I try to logon to the domain Airius and fail. The
message dialog which pops up says "The system cannot log you on to this
domain because the systems computer account in it's primary domain is
missing or the password on that account is incorrect".

I see from log.netlogon that Samba is searching the LDAP server using a
search filter containing "ntuid=nobody", another containing "cn=nobody*" and
a third containing "cn=nobody". Now, I haven't created an entry in LDAP for
this UNIX account, using samedit or smbpasswd, making an entry corresponding
to the UNIX /etc/passwd entry. Should I have? If I need to create this LDAP
entry, what should the password be?

Other logfiles, log.lsarpc, log.smb, log.srvsvc, log.wkssvc also have
entries indicating access by "nobody".

Pk.

>
>
> On Tue, 29 Feb 2000, Paul Kennedy wrote:
>
> > I'm getting pretty frustrated trying to get a Samba PDC working with an
> > LDAP backend. Here's how I'm configuring my system.
> >
> > I am running Samba, built --with-ldap and installed from the latest
> > Samba-TNG cvs source (as of Sunday Feb 27 2000 3pm PST) , on a host
> > running RHL 2.2.12-20-smp, which is a HP Lpr Pentium III named
> > millstreet.loudcloud.com. I am running all 8 daemons (nmbd, lsarpcd,
> > smbd, etc) required for PDC support.
> >
> > [root at millstreet bin]# pdc-smb start
> > Starting smbd...
> > Starting nmbd...
> > Starting srvsvcd...
> > Starting wkssvcd...
> > Starting lsarpcd...
> > Starting samrd...
> > Starting netlogond...
> > Starting winregd...
> > [root at millstreet bin]#
> >
> > For LDAP backend, I'm using Netscape Directory Server 4.12 on the same
> > Linux host.
> >
> > I also have a PC with hostname PAULPC, running NT Server 4.0 SP5, which
> > I am trying to make a member of the domain.
> >
> > The Linux host (PDC ) and PC (NT Server) are on different subnets.
> >
> > The Samba server's shares can be successfully viewed from other hosts.
> > The problems arise when I try to add a new member to the domain.
> >
> > I've followed all but the out-of-date instructions at
> > http://www.kneschke.de/projekte/samba_tng/faq/configuration.php3. In
> > other words, I'm not using smbpasswd -m as directed there. Instead, I'm
> > adding workstation accounts to the /etc/passwd file on the Linux system
> > with /usr/sbin/useradd.
> >
> > In summary:
> >     Samba Domain name: AIRIUS
> >     Samba PDC Hostname: MILLSTREET
> >     NT Server:  PAULPC
> >
> > [root at millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> > "NT Workstation Trust Account Samba" "millstreet\$"
> > [root at millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> > "NT Workstation Trust Account Samba" "paulpc\$"
> > [root at millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -d
> > /h/paul -c "User Account" nelson -p o9Huu26
> > [root at millstreet slapd-millstreet]# cat /etc/passwd | grep $:
> > millstreet$:x:10107:10107:NT Workstation Trust Account
> > Samba:/home/millstreet$:/bin/false
> > paulpc$:x:10108:10108:NT Workstation Trust Account
> > Samba:/home/paulpc$:/bin/false
> > [root at millstreet slapd-millstreet]# cat /etc/passwd | grep nelson
> > nelson:x:10109:10109:User Account:/h/paul:/bin/false
> > [root at millstreet slapd-millstreet]#
> >
> >
> > [root at millstreet bin]# samedit -S . -U root
> > Added interface ip=192.168.100.62 bcast=192.168.100.255
> > nmask=255.255.255.0
> > Enter Password:
> > [root at .]$
> > [root at .]$
> > [root at .]$ createuser millstreet$ -j
> > createuser millstreet$ -j
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > SAM Create Domain User
> > Domain: AIRIUS Name: millstreet$ ACB: [W          ]
> > socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > Create Domain User: OK
> > Join MILLSTREET to Domain AIRIUS
> > LSA_OPENSECRET:
> > Set $MACHINE.ACC: OK
> > [root at .]$
> > [root at .]$
> > [root at .]$ createuser paulpc$
> > createuser paulpc$
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > SAM Create Domain User
> > Domain: AIRIUS Name: paulpc$ ACB: [W          ]
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > Create Domain User: OK
> > [root at .]$
> > [root at .]$
> > [root at .]$ createuser nelson -p o9Huu26
> > createuser nelson -p o9Huu26
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > SAM Create Domain User
> > Domain: AIRIUS Name: nelson ACB: [U          ]
> > socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> > Create Domain User: OK
> > [root at .]$
> >
> > Normally the PC running NT Server is a member of a workgroup, but when I
> > make it a member of my AIRIUS domain, reboot and try to login to the
> > AIRIUS domain using the nelson credentials which I've added above, the
> > Linux host immediately ramps up to 100% cpu usage, and quickly reports
> > "too many files open" when I try to run any commands at any shell
> > prompt. Eventually, the NT Server logon attempt fails and a dialog is
> > raised containing the message "The system cannot log you on now because
> > the domain AIRIUS is not ".
> >
> > Questions:
> >
> > 1) Is the above sequence of operations for joining a workstation/server
> > to a domain correct?
> >
> > 2) Has anyone experienced similar behaviour?
> >
> > I can post any fragments of logfiles. Here are some fragments which look
> > useful:
> >
> > From log.lsarpc:
> >
> > Changed root to /
> > msrpc_process: client_name: lsarpc my_name: millstreet
> > api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_OPENPOLICY2
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_OPENSECRET
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_CLOSE
> > policy(pnum=1 ): Closing
> > end of file from client
> > Error getting policy state
> > Error getting policy state
> > Error getting policy rid
> > policy(pnum=2 ): Closing
> > Closing connections
> > Server exit (normal exit)
> > Changed root to /
> > msrpc_process: client_name: lsarpc my_name: millstreet
> > api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> > Doing \PIPE\lsarpc
> > api_rpc_command: LSA_OPENPOLICY2
> >
> >
> > From log.nmb:
> >
> > process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for
> > PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13
> > token=ffff
> > process_logon_packet: Logon from 192.168.1.87: code = 7
> > process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> > reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> > lm_20 token=ffff
> > wins_process_name_registration_request: Unique name registration for
> > name AIRIUS<1d> IP 192.168.1.87
> > wins_process_name_registration_request: Ignoring request to register
> > name AIRIUS<1d> from IP 192.168.1.87.
> > wins_process_name_registration_request: Group name
> > registration for name __MSBROWSE__<01> IP 192.168.1.87
> > wins_process_name_registration_request: Adding IP 255.255.255.255 to
> > group name __MSBROWSE__<01>.
> > wins_process_name_query: name query for name AIRIUS<1b> from IP
> > 192.168.1.87
> > wins_process_name_query: name query for name AIRIUS<1b> returning first
> > IP 192.168.100.62.
> > process_logon_packet: Logon from 192.168.1.87: code = 7
> > process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> > reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> > lm_20 token=ffff
> >
> > : Negative DNS answer for *SMBSERVER
> > add_name_to_subnet: Added netbios name *SMBSERVER<20> with first IP
> > 0.0.0.0 ttl=3600 nb_flags= 4 to subnet WINS_SERVER_SUBNET
> > DNS calling send_wins_name_query_response
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name *SMBSERVER<20>
> > wins_process_name_query: name query for name *SMBSERVER<20> from IP
> > 192.168.100.62
> > wins_process_name_query: name query for name *SMBSERVER<20> returning
> > DNS fail.
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name MILLSTREET<20>
> > OK
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name *SMBSERVER<20>
> > wins_process_name_query: name query for name *SMBSERVER<20> from IP
> > 192.168.100.62
> > wins_process_name_query: name query for name *SMBSERVER<20> returning
> > DNS fail.
> > process_name_query_request: Name query from 192.168.100.62 on subnet
> > 192.168.100.62 for name *SMBSERVER<20>
> >
> >
> >
> > Below is my smb.conf
> >
> > [global]
> > ldap suffix = "o=airius.com, o=loudcloud.com"
> > ldap bind as = "uid=admin, ou=Administrators, ou=TopologyManagement,
> > o=NetscapeRoot"
> > ldap passwd file = /usr/local/etc/samba/private/ldappasswd
> > ldap server = millstreet.loudcloud.com
> > ldap port = 389
> >
> > workgroup = AIRIUS
> > netbios name = MILLSTREET
> > comment = Linux RedHat PDC Samba Server with LDAP backend
> > security = user
> > null passwords = yes
> > encrypt passwords = yes
> > password server = millstreet
> >
> > logon path = \\MERCURY\profiles\%G
> > logon script = %U.bat
> > logon drive = U:
> >
> > socket options = TCP_NODELAY
> > keep alive = 60
> > dead time = 30
> >
> > domain master = yes
> > domain logons = yes
> >
> > wins support = yes
> > name resolve order = wins lmhosts hosts bcast
> > wins proxy = yes
> >
> > time server = yes
> >
> > name resolve order = wins lmhosts hosts bcast
> >
> > [netlogon]
> > path = /usr/local/etc/samba/netlogon
> > locking = no
> > writeable = yes
> > comment = Net Logon share
> > guest ok = no
> > browseable = yes
> >
> > [joffre]
> > path = /tmp/samba
> > locking = no
> > writeable = yes
> > comment = Joffre share
> > guest ok = yes
> > browseable = yes
> >
> >
> >
> >
>
> <a href=" mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton    </a>
> <a href=" http://cb1.com/~lkcl"  > Samba and Network Development   </a>
> <a href=" http://samba.org"      > Samba Web site                  </a>
> <a href=" http://www.iss.net"    > Internet Security Systems, Inc. </a>
> <a href=" http://mcp.com"        > Macmillan Technical Publishing  </a>
>
> ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
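
As an added check for this archived thread (example code written here, not code from Luke, Paul, or the Samba-TNG project), the following Python script does the two things the exchange suggests a defender should verify before touching LDAP: it lists names that exist as both a UNIX user and a UNIX group, which is exactly what domain_namemap has to resolve and what Luke asks Paul to look for, and it lints smb.conf for duplicated keys (the posted config carries `name resolve order` twice) and a `password server` that names the PDC itself, the line Paul found was spinning the server at 100% CPU. The sample /etc/passwd, /etc/group and smb.conf are constructed to mirror the thread; that `nelson` also gets a private group of the same name is an assumption about useradd defaults on that Red Hat release, not something the thread states.

```python
"""Pre-flight checks for a Samba PDC host (added example, not from the thread).

Check 1: names present in both /etc/passwd and /etc/group, the duplicate
names that domain_namemap must map and that Luke suggests renaming/remapping.
Check 2: smb.conf problems visible in the posted config: duplicated keys and
a 'password server' that points back at this PDC.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample inputs modelled on the thread (not the poster's real files).
# The 'nelson' group is an assumption about user-private-group defaults.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
millstreet$:x:10107:10107:NT Workstation Trust Account Samba:/home/millstreet$:/bin/false
paulpc$:x:10108:10108:NT Workstation Trust Account Samba:/home/paulpc$:/bin/false
nelson:x:10109:10109:User Account:/h/paul:/bin/false
"""

SAMPLE_GROUP = """\
root:x:0:
nobody:x:99:
users:x:100:nelson
nelson:x:10109:
"""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = AIRIUS
   netbios name = MILLSTREET
   security = user
   encrypt passwords = yes
   password server = millstreet
   domain master = yes
   domain logons = yes
   wins support = yes
   name resolve order = wins lmhosts hosts bcast
   name resolve order = wins lmhosts hosts bcast

[netlogon]
   path = /usr/local/etc/samba/netlogon
   guest ok = no
"""


def account_names(passwd_or_group_text: str) -> List[str]:
    """First field of every non-comment line: the user or group name."""
    return [line.split(":", 1)[0]
            for line in passwd_or_group_text.splitlines()
            if line and not line.startswith("#")]


def name_collisions(passwd_text: str, group_text: str) -> List[str]:
    """Names that exist as both a user and a group, compared case-insensitively
    because NT treats names that way: a 'Nelson' group and a 'nelson' user are
    the same name from the domain's point of view."""
    groups = {g.lower() for g in account_names(group_text)}
    return sorted({u for u in account_names(passwd_text) if u.lower() in groups})


def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse smb.conf into {section: [(key, value), ...]}, keeping duplicates
    so the linter can see a key that was set twice."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def lint_smb_conf(text: str) -> List[str]:
    """Human-readable findings for the two config problems seen in the thread."""
    findings: List[str] = []
    sections = parse_smb_conf(text)
    for section, pairs in sections.items():
        seen = set()
        for key, _ in pairs:
            if key in seen:
                findings.append(f"[{section}] duplicate key '{key}'")
            seen.add(key)
    glob = dict(sections.get("global", []))  # last value wins, as in Samba
    netbios = glob.get("netbios name", "").lower()
    # 'password server' may list several hosts; compare on the first DNS label.
    servers = [s.split(".")[0].lower()
               for s in re.split(r"[,\s]+", glob.get("password server", "")) if s]
    if netbios and netbios in servers:
        findings.append(f"[global] password server names this host ({netbios}); "
                        "a PDC must not delegate authentication to itself")
    return findings


if __name__ == "__main__":
    for name in name_collisions(SAMPLE_PASSWD, SAMPLE_GROUP):
        print("user/group name collision:", name)
    for finding in lint_smb_conf(SAMPLE_SMB_CONF):
        print("smb.conf:", finding)
```

On a real host, feed the functions the contents of /etc/passwd, /etc/group and the live smb.conf instead of the constructed samples. The collision list will include `root` and `nobody` on almost any Linux box, which is why Luke's advice is to remap or rename such names rather than assume the defaults are safe for the domain name map.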


