[Samba] strange access problems with SAMBA 2.2.3a/Winbindd and Security = DOMAIN

Petry Roman, ITS-IT Roman.Petry at dillinger.de
Mon Apr 29 15:06:02 GMT 2002


Hello..

I have some strange behavior with my Samba 2.2.3a with WINBIND (Linux
2.4.17 acl enabled) and an NT4.0 SP6 domain with nearly 2000 users... Here
comes some more info for you...
We want to migrate from one of our fileservers (NT4.0) to a new samba
server.. nearly 400 users use this new machine for normal fileservice...
everything looks good, but some of my users can't login...  and they change
from day to day... they get every time the message "password wrong"....
 
I turned debug level to 5 and I saw some strange things.. they are listed at
the bottom of this mail..

First my config...

[global]
        workgroup = DH-COM
        netbios name = NRZ90
        server string = Samba Server
        security = DOMAIN
        encrypt passwords = Yes
### tried also password server = nt07 no luck !!!
        password server = *
        log file = /usr/local/samba/var/log.%m
        wins server = 172.31.1.151
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind separator = +
        winbind cache time = 10
        log level = 5
        nt acl support = yes
[info]
        nt acl support = yes
        comment = INFO-Server
        path = /webserver/htdocs/infoserver
        browseable = no
        public = no
        writeable = yes

I successfully joined our domain with (NT07 is our PDC)
smbpasswd -j DH-COM -r NT07 -U Administrator%xxxxxx
and I got..
joined domain DH-COM.... 8-)
I did it also the other way with server manager, no changes in the behavior..

I made all changes to the pam configs and I can do all things with wbinfo..

nrz90:/usr/local/samba/bin # ./wbinfo -t
Secret is good
nrz90:/usr/local/samba/bin # ./wbinfo -u
DH-COM+test-user1
DH-COM+test-user2
nrz90:/usr/local/samba/bin # ./wbinfo -u
DH-COM+SWG-Test
DH-COM+SWG-Time
nrz90:/usr/local/samba/bin # ./wbinfo -n DH-COM+test
S-1-5-21-1558126179-1158248748-102967255-5977 2
nrz90:/usr/local/samba/bin # ./wbinfo -a DH-COM+test%test
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user DH-COM+test%test with challenge/response
nrz90:/usr/local/samba/bin #

Everything looks good... But here comes a log from a user which is unable to
login to the server.. he always gets (bad password) if he tries to login..

-- cut --- from a log.workstation
[2002/04/27 12:57:58, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
      0024 status: NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/04/27 12:57:58, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine NT51. Error was : NT_STATUS_OK.
[2002/04/27 12:57:58, 5] lib/util.c:show_msg(275)
[2002/04/27 12:57:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2002/04/27 12:57:59, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
  startsmbfilepwent_internal: unable to open file /usr/local/samba/private/smbpasswd. Error was No such file or directory
[2002/04/27 12:57:59, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
  unable to open passdb database.
[2002/04/27 12:57:59, 1] smbd/password.c:pass_check_smb(555)
  Couldn't find user 'dh-com+di12822' in passdb.
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(962)
  NT Password did not match for user 'dh-com+di12822'!
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(972)
  Defaulting to Lanman password for dh-com+di12822
[2002/04/27 12:57:59, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170)
---- cut ----

No luck with this user.. for debug reasons I run wbinfo -t in a cron job
every minute, and it works every time...

The only thing I see on the NT side is in the event log on the PDC or BDC
... the messages look like this..

-- cut ---NETLOGON Failure ID 5722
The session setup from the computer NRZ90 failed to authenticate. the name
of the account referenced in the security database is NRZ90$. The following
error occured. ACCESS DENIED 
--- cut ---

I checked everything, deleted the computer account 3-4 times.. changed the
name.. made the computer account first in the server manager and then
joined the domain and so on.. every time the same problem...

Some of my users can't login, others can.. nearly 450 of my users can
work, and 50 not... but the users change every day..

Any help is welcome. If you need more debug output I can mail it.. I have
winbind.., smb.log, nmbd.log and so on... It looks like the samba machine
could sometimes not validate its account in the NT domain, but most of the
time it works... I also checked the secure channels between the PDC and BDC
and they are OK and synced..

I have no idea what goes wrong.. some tips, hints would be great..

thanks a lot..

roman

mfg
Roman Petry
Microsoft Certified System Engineer (MCSE) 
ITS-IT
AG der Dillinger Huettenwerke
Tel.: 0049-6831-474670
Fax.: 0049-6831-473505 
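
The log fragment above shows the pattern worth checking for in this kind of intermittent "bad password" report: a NetLogon auth2 failure (`cli_net_auth2: Error NT_STATUS_ACCESS_DENIED`) against the machine account, followed by `Domain password server not available`, after which smbd falls back to a local passdb that does not exist and reports the user's password as wrong. The following Python script is an added example, not code from this post or from Samba; it assumes the Samba 2.2 log layout shown above (a `[date time, level] file:function(line)` header followed by indented message lines, possibly wrapped by a mail client) and tells user failures that sit right after a secure-channel failure apart from genuine credential failures. The sample log is constructed, modelled on the fragment in the post.

```python
"""Triage Samba smbd log records: separate user password failures that follow
a failed NetLogon secure channel (machine account problem) from genuine
bad-password attempts.

Added example, not code from the mailing-list post or from Samba. It assumes
the Samba 2.2 log layout shown in the post: a header line
"[YYYY/MM/DD HH:MM:SS, level] file:function(line)" followed by one or more
indented message lines.
"""
import re
from datetime import datetime, timedelta

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\](?: (\S+))?$")
TRUST_FAILURE = re.compile(r"cli_net_auth2: Error (NT_STATUS_\w+)")
PDC_UNAVAILABLE = "Domain password server not available"
DC_NAME = re.compile(r"PDC credentials to machine (\S+?)\.")
USER_FAILURE = re.compile(r"NT Password did not match for user '([^']+)'")

VERDICT_TRUST = "secure-channel failure (machine account), not the user's password"
VERDICT_USER = "user credential failure"

# Constructed sample, modelled on the log fragment quoted in the post.
# The "machine NT51." line is deliberately wrapped the way a mail client does it.
SAMPLE_LOG = """\
[2002/04/27 12:57:58, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/04/27 12:57:58, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to
machine NT51. Error was : NT_STATUS_OK.
[2002/04/27 12:57:59, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2002/04/27 12:57:59, 2] smbd/reply.c:reply_sesssetup_and_X(962)
  NT Password did not match for user 'dh-com+di12822'!
[2002/04/27 14:03:10, 2] smbd/reply.c:reply_sesssetup_and_X(962)
  NT Password did not match for user 'dh-com+test-user1'!
"""


def parse_records(text):
    """Group a header line and its message lines into one record.

    Any non-empty line that is not a header is treated as a continuation of the
    current record, so wrapped lines are re-joined into the message.
    """
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {
                "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "where": m.group(3) or "",
                "msg": [],
            }
            records.append(current)
        elif current is not None and line.strip():
            current["msg"].append(line.strip())
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records


def failing_dcs(records):
    """Names of the domain controllers the server could not set up credentials with."""
    return {m.group(1) for r in records for m in [DC_NAME.search(r["msg"])] if m}


def triage(records, window=timedelta(seconds=5)):
    """Return (user, timestamp, verdict) for every user password failure.

    A user failure that occurs within `window` after a NetLogon auth2 failure or
    a "Domain password server not available" message is attributed to the
    secure channel rather than to the user's credentials.
    """
    trust_failures = [
        r["ts"] for r in records
        if TRUST_FAILURE.search(r["msg"]) or PDC_UNAVAILABLE in r["msg"]
    ]
    results = []
    for r in records:
        m = USER_FAILURE.search(r["msg"])
        if not m:
            continue
        related = any(timedelta(0) <= (r["ts"] - t) <= window for t in trust_failures)
        results.append((m.group(1), r["ts"], VERDICT_TRUST if related else VERDICT_USER))
    return results


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("DCs with failed credential setup:", sorted(failing_dcs(recs)))
    for user, ts, verdict in triage(recs):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {verdict}")
```

Run it against real `log.<workstation>` files by reading them into `parse_records`; a run of trust-attributed verdicts clustered in time, with `wbinfo -t` still succeeding between them, points at the machine account or the DC it was talking to rather than at the users, which is the situation the post describes.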




