Unable to use/access newly upgraded domain [Was: Upgrade from S3 to a Samba4 DC [with LDAPSAM]]

Adam Tauno Williams awilliam at whitemice.org
Mon Nov 7 14:26:26 MST 2011


On Tue, 2011-11-01 at 12:36 +1100, Andrew Bartlett wrote:
> On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
> > It appears the error is here -
> > [2011/10/31 15:49:00,  5] ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
> >    (normal if no LDAP backend) Could not find entry to match filter:  
> > '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such  
> > object: (null)
> > [2011/10/31 15:49:00,  5] ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> >    Starting GENSEC mechanism spnego
> > [2011/10/31 15:49:00,  5] ../auth/gensec/gensec_start.c:616(gensec_start_mech)
> >    Starting GENSEC submechanism gssapi_krb5
> > [2011/10/31 15:49:00,  1]  
> > ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
> >    GSS server Update(krb5)(1) Update failed:  An unsupported mechanism  
> > was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> > [2011/10/31 15:49:00,  1]  
> > ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
> >    SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> > [2011/10/31 15:49:00,  2]  
> > ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
> >    SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> > [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> >    smbsrv_recv
> > [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
> >    smbsrv_recv
> > [2011/10/31 15:49:00,  5]  
> > ../source4/smb_server/smb/receive.c:507(switch_message)
> >    switch message SMBtconX (task_id 0:2328.0)
> > Is this a problem in the provisioned database [No such object: (null)]  
> > or in some interaction with the XP client [unknown mech-code 0 for  
> > mech].
> I'm not really sure what is wrong here.  It isn't the [No such object:
> (null)] because that is '(normal if no LDAP backend)'.  I will remove
> the confusing error message here to avoid this being raised again.
> Somehow the ticket isn't being accepted by GSSAPI, and we need to work
> out why that is.  Does the same thing happen with smbclient (from
> samba4) using this command?
>  smbclient //server/share -k yes

Also if I try to log onto a workstation as a domain user I simply
receive a "The system cannot log you on now because domain BACKBONE is
not available".  That attempt doesn't seem to cause any log activity on
the server.

In this case the client is 10.66.77.100 and the "DC" is 10.66.77.1 (my
laptop is 10.66.77.2, but it is only ssh'd to the DC).

BootAndLogin.pcap is all the traffic between the workstation and the
client up to and including attempting to login as a domain user.

Then if I login as local Administrator on the workstation I can see the
DC in "Windows Explorer" *and* see shares.  Browsing the server prompts
for - and accepts - a domain user's credentials.  But then the shares
are inaccessible.  Oddly, in Windows Explorer the navigation tree
appears as -

- Microsoft Windows Network
  + Backbone
    + PC02372
  + Unknown
    + Barbel

Where PC02372 is the workstation and Barbel is the DC.  Almost as if the
migrated domain ended up with a different NetBIOS name (???).

The output of the upgrade/provisioning with samba-tool said -

....
Once the above files are installed, your Samba4 server will be ready to
use
Server Role:           domain controller
Hostname:              BARBEL
NetBIOS Domain:        BACKBONE
DNS Domain:            micore.us
DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
Admin password:        None
Importing WINS database
Importing Account policy
...


barbel:~ # /opt/s4/sbin/samba --version
Version 4.0.0alpha18-GIT-fa5475e

-------------- next part --------------
A non-text attachment was scrubbed...
Name: AccessAttempt.pcap.zip
Type: application/zip
Size: 9972 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111107/67a415f2/attachment.zip>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: BootAndLogin.pcap.zip
Type: application/zip
Size: 851 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20111107/67a415f2/attachment-0001.zip>
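
The triage described in the thread above, as an added example that is not part of the original messages or of Samba: it re-joins the wrapped log records, skips the entry marked "(normal if no LDAP backend)", and names the GSS-API mechanism OID in the failure. The function names, the debug-level threshold of 2 and the OID table are assumptions of this example.

```python
import re

# Excerpt of the server log quoted in the message above, mail wrapping included.
SAMPLE = """\
[2011/10/31 15:49:00,  5] ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
   (normal if no LDAP backend) Could not find entry to match filter:
'(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
object: (null)
[2011/10/31 15:49:00,  1]
../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
   GSS server Update(krb5)(1) Update failed:  An unsupported mechanism
was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
[2011/10/31 15:49:00,  2]
../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
   SPNEGO login failed: NT_STATUS_LOGON_FAILURE
"""

# Header is "[date time, level] file.c:line(function)"; the location may wrap.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s*(?P<loc>\S+)?\s*$")
LOCATION = re.compile(r"^\S+\.c:\d+\(\w+\)$")
MECH = re.compile(r"for mech ((?:\d+ )+\d+)")
BENIGN = "(normal if no LDAP backend)"  # called normal in the quoted reply
KNOWN_MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5", "1.3.6.1.5.5.2": "SPNEGO",
               "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}  # well-known GSS-API OIDs

def parse(text):
    """Group header lines with their (possibly wrapped) location and message."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]),
                            "loc": m["loc"] or "", "msg": ""})
        elif records and not records[-1]["loc"] and LOCATION.match(line.strip()):
            records[-1]["loc"] = line.strip()
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(records, max_level=2):
    """Return (location, mechanism, message) for entries worth a look."""
    out = []
    for r in records:
        if r["level"] <= max_level and BENIGN not in r["msg"]:
            m = MECH.search(r["msg"])
            oid = m.group(1).replace(" ", ".") if m else None
            out.append((r["loc"], KNOWN_MECHS.get(oid, oid), r["msg"]))
    return out

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```
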

