[Samba] strange access problems with SAMBA 2.2.3a/Winbindd and Security = DOMAIN
Petry Roman, ITS-IT
Roman.Petry at dillinger.de
Mon Apr 29 15:06:02 GMT 2002
Hello..
I have some strange behavior with my Samba 2.2.3a with WINBIND (Linux
2.4.17acl enabled) and an NT4.0 SP6 domain with nearly 2000 users... Here
comes some more info for you...
We want to migrate from one of our fileservers (NT4.0) to a new Samba
server.. nearly 400 users use this new machine for normal fileservice...
everything looks good, but some of my users can't log in... and they change
from day to day... they get the message "password wrong" every time....
I turned the debug level to 5 and I saw some strange things.. they are listed at
the bottom of this mail..
First my config...
[global]
workgroup = DH-COM
netbios name = NRZ90
server string = Samba Server
security = DOMAIN
encrypt passwords = Yes
### tried also password server = nt07 no luck !!!
password server = *
log file = /usr/local/samba/var/log.%m
wins server = 172.31.1.151
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind separator = +
winbind cache time = 10
log level = 5
nt acl support = yes
[info]
nt acl support = yes
comment = INFO-Server
path = /webserver/htdocs/infoserver
browseable = no
public = no
writeable = yes
I successfully joined our domain with (NT07 is our PDC)
smbpasswd -j DH-COM -r NT07 -U Administrator%xxxxxx
and I got..
joined domain DH-COM.... 8-)
I also did it the other way with Server Manager, no changes in the behavior..
I made all changes to the PAM configs and I can do all things with wbinfo..
nrz90:/usr/local/samba/bin # ./wbinfo -t
Secret is good
nrz90:/usr/local/samba/bin # ./wbinfo -u
DH-COM+test-user1
DH-COM+test-user2
nrz90:/usr/local/samba/bin # ./wbinfo -u
DH-COM+SWG-Test
DH-COM+SWG-Time
nrz90:/usr/local/samba/bin # ./wbinfo -n DH-COM+test
S-1-5-21-1558126179-1158248748-102967255-5977 2
nrz90:/usr/local/samba/bin # ./wbinfo -a DH-COM+test%test
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user DH-COM+test%test with challenge/response
nrz90:/usr/local/samba/bin #
Everything looks good... But here comes a log from a user who is unable to
log in to the server.. he always gets (bad password) if he tries to log in..
-- cut --- from a log.workstation
[2002/04/27 12:57:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
0024 status: NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
cli_nt_setup_creds: auth2 challenge failed
[2002/04/27 12:57:58, 0] smbd/password.c:connect_to_domain_password_server(1336)
connect_to_domain_password_server: unable to setup the PDC credentials to machine NT51. Error was : NT_STATUS_OK.
[2002/04/27 12:57:58, 5] lib/util.c:show_msg(275)
[2002/04/27 12:57:59, 0] smbd/password.c:domain_client_validate(1554)
domain_client_validate: Domain password server not available.
[2002/04/27 12:57:59, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/04/27 12:57:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
unable to open passdb database.
[2002/04/27 12:57:59, 1] smbd/password.c:pass_check_smb(555)
Couldn't find user 'dh-com+di12822' in passdb.
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(962)
NT Password did not match for user 'dh-com+di12822'!
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(972)
Defaulting to Lanman password for dh-com+di12822
[2002/04/27 12:57:59, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
---- cut ----
No luck with this user.. For debug reasons I run wbinfo -t in a cron job
every minute, and it works every time..
The only thing I see on the NT side is in the event log on the PDC or BDC
... the messages are like this..
-- cut ---
NETLOGON Failure ID 5722
The session setup from the computer NRZ90 failed to authenticate. the name
of the account referenced in the security database is NRZ90$. The following
error occured. ACCESS DENIED
--- cut ---
I checked everything, deleted the computer account 3-4 times.. changed the
name.. first made the computer account in Server Manager and then
joined the domain and so on.. every time the same problem...
Some of my users can't log in, others can.. nearly 450 of my users can
work, and 50 cannot... but the users change every day..
Any help is welcome. If you need more debug output I can mail it.. I have
winbind.. smb.log, nmbd.log and so on... It looks like the Samba machine
sometimes cannot validate its account in the NT domain, but most of the time it
works... I also checked the secure channels between the PDC and BDC and they
are OK and synced..
I have no idea what goes wrong.. some tips or hints would be great..
Thanks a lot..
roman
Best regards
Roman Petry
Microsoft Certified System Engineer (MCSE)
ITS-IT
AG der Dillinger Huettenwerke
Tel.: 0049-6831-474670
Fax.: 0049-6831-473505
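
Added example, not part of the original post: a small Python triage script for smbd logs in the layout quoted above. It re-joins lines wrapped in transit, pulls the domain controller named in each "unable to setup the PDC credentials" entry, and lists the users whose logon fell through to the local passdb shortly afterwards. The sample log is constructed from the quoted excerpt (the second user name is made up); the 5-second correlation window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Samba 2.2 log layout from the post; 'example1' is made up.
SAMPLE_LOG = """\
[2002/04/27 12:57:58, 0]
smbd/password.c:connect_to_domain_password_server(1336)
connect_to_domain_password_server: unable to setup the PDC credentials to
machine
NT51. Error was : NT_STATUS_OK.
[2002/04/27 12:57:59, 1] smbd/password.c:pass_check_smb(555)
Couldn't find user 'dh-com+di12822' in passdb.
[2002/04/27 13:02:10, 1] smbd/password.c:pass_check_smb(555)
Couldn't find user 'dh-com+example1' in passdb.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]\s*(.*)$")
DC_FAIL = re.compile(r"unable to setup the PDC credentials to machine (\S+?)\.(?:\s|$)")
NO_USER = re.compile(r"Couldn't find user '([^']+)' in passdb")

def entries(text):
    """Yield (timestamp, message) per log entry, re-joining wrapped lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            parts = [m.group(2)]
        elif stamp and line.strip():
            parts.append(line.strip())
    if stamp:
        yield stamp, " ".join(parts)

def triage(text, window=timedelta(seconds=5)):
    """Return ({dc: users who fell back to passdb within `window` of that DC
    refusing the machine credentials}, users with no such failure nearby)."""
    by_dc, unmatched, last = {}, set(), None
    for stamp, msg in entries(text):
        dc, user = DC_FAIL.search(msg), NO_USER.search(msg)
        if dc:
            last = (stamp, dc.group(1))
            by_dc.setdefault(dc.group(1), set())
        elif user and last and stamp - last[0] <= window:
            by_dc[last[1]].add(user.group(1))
        elif user:
            unmatched.add(user.group(1))
    return by_dc, unmatched
```

Run `triage()` over the contents of each `log.%m` file to see whether the refused logons cluster on particular domain controllers.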