Confused [Was: Upgrade from S3 to a Samba4 DC [with LDAPSAM]]

Adam Tauno Williams awilliam at whitemice.org
Mon Nov 7 12:04:39 MST 2011 

On Wed, 2011-11-02 at 12:01 -0400, Adam Tauno Williams wrote:
> Quoting Andrew Bartlett <abartlet at samba.org>:
> > On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
> >> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >> >> So I have an S4 instance I've built from an upgrade of a Samba 3
> >> >> LDAPSAM domain.
> >> >> I took an XP workstation off the production network, created the
> >> >> Samba4 instance, brought it up on its own network and connected the
> >> >> XP workstation.  Attempting to login on the XP workstation and it
> >> >> says "domain unavailable".  Hrmm....
> >> >> I can get tickets as an 'upgraded' domain user.
> >> >>  kinit adam at MICORE.US
> >> >> DNS is working.
> >> >>  host -t SRV _ldap._tcp.micore.us.
> >> >>  host -t SRV _kerberos._udp.micore.us.
> >> >>  host -t A barbel.micore.us.
> >> >> But -
> >> >> Ignoring unknown parameter "server role"
> >> >> SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> >> >> barbel:~ # net getdomainsid
> >> >> Ignoring unknown parameter "server role"
> >> >> SID for local machine BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> >> >> Could not fetch domain SID
> >> >> ... should the domain SID be fetchable?  Is the upgraded domain
> >> >> somehow disabled?
> >> >> That is the same SID as the S3 DC.
> >> > Attempting to access the domain from the XP workstation by
> >> > specifying \\{serverName}\netlogon and using "BACKBONE\adam" and the
> >> > password appears to authenticate but then fails with a "The security
> >> > ID structure is invalid."  [BACKBONE was the NetBIOS domain of the
> >> > upgraded domain].
> >>
> >> I Updated the Samba4 to the latest git [4.0.0alpha18-GIT-63c7107]
> >>
> >> It appears the error is here -
> >> [2011/10/31 15:49:00,  5]  
> >> ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
> >>    (normal if no LDAP backend) Could not find entry to match filter:
> >> '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
> >> object: (null)
> >> [2011/10/31 15:49:00,  5]  
> >> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> >>    Starting GENSEC mechanism spnego
> >> [2011/10/31 15:49:00,  5]  
> >> ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> >>    Starting GENSEC submechanism gssapi_krb5
> >> [2011/10/31 15:49:00,  1]
> >> ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
> >>    GSS server Update(krb5)(1) Update failed:  An unsupported mechanism
> >> was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> >> [2011/10/31 15:49:00,  1]
> >> ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
> >>    SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> >> [2011/10/31 15:49:00,  2]
> >> ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
> >>    SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> >> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> >>    smbsrv_recv
> >> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> >>    smbsrv_recv
> >> [2011/10/31 15:49:00,  5]
> >> ../source4/smb_server/smb/receive.c:507(switch_message)
> >>    switch message SMBtconX (task_id 0:2328.0)
> >> Is this a problem in the provisioned database [No such object: (null)]
> >> or in some interaction with the XP client [unknown mech-code 0 for
> >> mech].
> > I'm not really sure what is wrong here.  It isn't the [No such object:
> > (null)] because that is '(normal if no LDAP backend)'.  I will remove
> > the confusing error message here to avoid this being raised again.
> > Somehow the ticket isn't being accepted by GSSAPI, and we need to work
> > out why that is.  Does the same thing happen with smbcleint (from
> > samba4) using this command?
> >  smbclient //server/share -k yes
> barbel:~ # smbclient //barbel/tmp -k yes
> smb: \> ls
> NT_STATUS_INVALID_SID listing \*
> Error in dskattr: NT_STATUS_INVALID_SID
> smb: \>
> I think because the box is not a DC that winbind isn't working.   
> getent passwd makes many calls the Samba, and takes some time, but  
> then pretty much returns just the contents of /etc/passwd and some  
> stand-in entries

Any thoughts?  I tried this again from the beginning and still end up in
the same stopping point.

Note that I have to do the upgrade from an older GIT checkout due to the
issue that current builds will not read the TDB files [the "talloc use
after free" error/thread].

> ....
> named:x:44:44:Name server daemon:/var/lib/named:/bin/false
> dhcpd:x:104:65534:DHCP server daemon:/var/lib/dhcp:/bin/false
> Administrator:*:0:100::/home/BACKBONE/Administrator:/bin/false
> Guest:*:3000008:99::/home/BACKBONE/Guest:/bin/false
> krbtgt:*:3000009:100::/home/BACKBONE/krbtgt:/bin/false

More information about the samba-technical mailing list