Confused [Was: Upgrade from S3 to a Samba4 DC [with LDAPSAM]]

Andrew Bartlett abartlet at samba.org
Mon Oct 31 19:36:33 MDT 2011


On Mon, 2011-10-31 at 15:54 -0400, Adam Tauno Williams wrote:
> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >> So I have an S4 instance I've built from an upgrade of a Samba 3  
> >> LDAPSAM domain.
> >> I took an XP workstation off the production network, created the  
> >> Samba4 instance, brought it up on its own network and connected the  
> >> XP workstation.  Attempting to login on the XP workstation and it  
> >> says "domain unavailable".  Hrmm....
> >> I can get tickets as an 'upgraded' domain user.
> >>  kinit adam at MICORE.US
> >> DNS is working.
> >>  host -t SRV _ldap._tcp.micore.us.
> >>  host -t SRV _kerberos._udp.micore.us.
> >>  host -t A barbel.micore.us.
> >> But -
> >> Ignoring unknown parameter "server role"
> >> SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> >> barbel:~ # net getdomainsid
> >> Ignoring unknown parameter "server role"
> >> SID for local machine BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> >> Could not fetch domain SID
> >> ... should the domain SID be fetchable?  Is the upgraded domain  
> >> somehow disabled?
> >> That is the same SID as the S3 DC.
> > Attempting to access the domain from the XP workstation by  
> > specifying \\{serverName}\netlogon and using "BACKBONE\adam" and the  
> > password appears to authenticate but then fails with a "The security  
> > ID structure is invalid."  [BACKBONE was the NetBIOS domain of the  
> > upgraded domain].
> 
> I updated the Samba4 to the latest git [4.0.0alpha18-GIT-63c7107]
> 
> It appears the error is here -
> [2011/10/31 15:49:00,  5] ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
>    (normal if no LDAP backend) Could not find entry to match filter:  
> '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such  
> object: (null)
> [2011/10/31 15:49:00,  5] ../auth/gensec/gensec_start.c:616(gensec_start_mech)
>    Starting GENSEC mechanism spnego
> [2011/10/31 15:49:00,  5] ../auth/gensec/gensec_start.c:616(gensec_start_mech)
>    Starting GENSEC submechanism gssapi_krb5
> [2011/10/31 15:49:00,  1]  
> ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
>    GSS server Update(krb5)(1) Update failed:  An unsupported mechanism  
> was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2011/10/31 15:49:00,  1]  
> ../source4/auth/gensec/spnego.c:555(gensec_spnego_parse_negTokenInit)
>    SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2011/10/31 15:49:00,  2]  
> ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
>    SPNEGO login failed: NT_STATUS_LOGON_FAILURE
> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
>    smbsrv_recv
> [2011/10/31 15:49:00, 10] ../source4/smb_server/smb_server.c:94(smbsrv_recv)
>    smbsrv_recv
> [2011/10/31 15:49:00,  5]  
> ../source4/smb_server/smb/receive.c:507(switch_message)
>    switch message SMBtconX (task_id 0:2328.0)
> 
> Is this a problem in the provisioned database [No such object: (null)]  
> or in some interaction with the XP client [unknown mech-code 0 for  
> mech]?

I'm not really sure what is wrong here.  It isn't the [No such object:
(null)] because that is '(normal if no LDAP backend)'.  I will remove
the confusing error message here to avoid this being raised again.

Somehow the ticket isn't being accepted by GSSAPI, and we need to work
out why that is.  Does the same thing happen with smbclient (from
samba4) using this command?

 smbclient //server/share -k yes

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
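
The triage done by eye in the reply above (the level-5 "normal if no LDAP backend" entry is noise, the level-1 and level-2 GSSAPI/SPNEGO entries are the real failure) can be scripted. This is an added example, not part of the original message and not Samba code; the function names are hypothetical, the sample is constructed from the quoted log, and it assumes that a lower Samba debug level marks a more important message.

```python
import re

# Constructed sample: entries from the quoted log above, keeping the "> " mail
# quoting and the mail client's wrapping of long header and message lines.
SAMPLE = """\
> [2011/10/31 15:49:00,  5] ../source4/dsdb/samdb/samdb.c:81(samdb_credentials)
>    (normal if no LDAP backend) Could not find entry to match filter:
> '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such
> object: (null)
> [2011/10/31 15:49:00,  1]
> ../source4/auth/gensec/gensec_gssapi.c:638(gensec_gssapi_update)
>    GSS server Update(krb5)(1) Update failed:  An unsupported mechanism
> was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
> [2011/10/31 15:49:00,  2]
> ../source4/auth/gensec/spnego.c:727(gensec_spnego_server_negTokenTarg)
>    SPNEGO login failed: NT_STATUS_LOGON_FAILURE
"""

# Header: "[date time, level] file:line(function)"; the location part may have
# been wrapped onto the following line by the mail client.
STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")

def parse_entries(text):
    """Rebuild one dict per log entry from quoted, line-wrapped log text."""
    entries, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop mail quote markers
        if not line:
            continue
        m = STAMP.match(line)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "where": m.group(3), "msg": ""}
            entries.append(current)
        elif current is None:
            continue  # text before the first header is not log output
        elif not current["where"] and LOCATION.match(line):
            current["where"] = line  # header location wrapped to its own line
        else:
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries

def failures(entries, max_level=2):
    """Keep entries at or below max_level (assumed: lower level = more severe)."""
    return [e for e in entries if e["level"] <= max_level]

if __name__ == "__main__":
    for e in failures(parse_entries(SAMPLE)):
        print(e["level"], e["where"], "-", e["msg"])
```
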


