Confused [Was: Upgrade from S3 to a Samba4 DC [with LDAPSAM]]

Adam Tauno Williams awilliam at whitemice.org
Wed Nov 2 10:01:07 MDT 2011


Quoting Andrew Bartlett <abartlet at samba.org>:
> On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
>> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
>> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
>> >> So I have an S4 instance I've built from an upgrade of a Samba 3
>> >> LDAPSAM domain.
>> >> I took an XP workstation off the production network, created the
>> >> Samba4 instance, brought it up on its own network and connected the
>> >> XP workstation.  Attempting to login on the XP workstation and it
>> >> says "domain unavailable".  Hrmm....
>> >> I can get tickets as an 'upgraded' domain user.
>> >>  kinit adam at MICORE.US
>> >> DNS is working.
>> >>  host -t SRV _ldap._tcp.micore.us.
>> >>  host -t SRV _kerberos._udp.micore.us.
>> >>  host -t A barbel.micore.us.
>> >> But -
>> >> Ignoring unknown parameter "server role"
>> >> SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
>> >> barbel:~ # net getdomainsid
>> >> Ignoring unknown parameter "server role"
>> >> SID for local machine BARBEL is: S-1-5-21-2037442776-3290224752-88127236
>> >> Could not fetch domain SID
>> >> ... should the domain SID be fetchable?  Is the upgraded domain
>> >> somehow disabled?
>> >> That is the same SID as the S3 DC.
>> > Attempting to access the domain from the XP workstation by
>> > specifying \\{serverName}\netlogon and using "BACKBONE\adam" and the
>> > password appears to authenticate but then fails with a "The security
>> > ID structure is invalid."  [BACKBONE was the NetBIOS domain of the
>> > upgraded domain].
>>
>> I updated Samba4 to the latest git [4.0.0alpha18-GIT-63c7107]
>>
>> It appears the error is here -
>> [2011/10/31 15:49:00,  5]  
>> ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
>>    (normal if no LDAP backend) Could not find entry to match filter:
>> '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
>> object: (null)
>> [2011/10/31 15:49:00,  5]  
>> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
>>    Starting GENSEC mechanism spnego
>> [2011/10/31 15:49:00,  5]  
>> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
>>    Starting GENSEC submechanism gssapi_krb5
>> [2011/10/31 15:49:00,  1]
>> ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
>>    GSS server Update(krb5)(1) Update failed:  An unsupported mechanism
>> was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
>> [2011/10/31 15:49:00,  1]
>> ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
>>    SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> [2011/10/31 15:49:00,  2]
>> ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
>>    SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
>>    smbsrv_recv
>> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
>>    smbsrv_recv
>> [2011/10/31 15:49:00,  5]
>> ../source4/smb_server/smb/receive.c:507(switch_message)
>>    switch message SMBtconX (task_id 0:2328.0)
>> Is this a problem in the provisioned database [No such object: (null)]
>> or in some interaction with the XP client [unknown mech-code 0 for
>> mech]?
> I'm not really sure what is wrong here.  It isn't the [No such object:
> (null)] because that is '(normal if no LDAP backend)'.  I will remove
> the confusing error message here to avoid this being raised again.
> Somehow the ticket isn't being accepted by GSSAPI, and we need to work
> out why that is.  Does the same thing happen with smbclient (from
> samba4) using this command?
>  smbclient //server/share -k yes

barbel:~ # smbclient //barbel/tmp -k yes
smb: \> ls
NT_STATUS_INVALID_SID listing \*
Error in dskattr: NT_STATUS_INVALID_SID
smb: \>

I think because the box is not a DB that winbind isn't working.
getent passwd makes many calls to Samba, and takes some time, but
then pretty much returns just the contents of /etc/passwd and some
stand-in entries:

....
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
dhcpd:x:104:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
Administrator:*:0:100::/home/BACKBONE/Administrator:/bin/false
Guest:*:3000008:99::/home/BACKBONE/Guest:/bin/false
krbtgt:*:3000009:100::/home/BACKBONE/krbtgt:/bin/false



