[Samba] Same configs, different results

Massimiliano Mirra mmirra at libero.it
Fri Oct 11 15:14:00 GMT 2002


I am configuring two identical PDCs so that, if one goes down, the
other can start to serve logins.

The first PDC, a Debian 3.0 with Samba 2.999+3.0cvs20020723-1, works
fine.

The second PDC, which I bring up after manually killing smbd and nmbd
on the first one, is a Red Hat 7.3 with Samba compiled from the same
sources (but with gcc 2.96 instead of 2.95) and the same smb.conf,
except for the interfaces parameter.  It serves logins to XP clients
well.  It does not with W2k.

Both get account data from the same LDAP server.

In log.smbd, after a failed login from a W2k host, I cannot find what
goes wrong (the Domain Group warning appears when clients successfully
log in with the other PDC, too):


[2002/10/11 16:58:55, 3] rpc_server/srv_pipe.c:api_pipe_request(1136)
  Doing \PIPE\NETLOGON
[2002/10/11 16:58:55, 3] rpc_server/srv_pipe.c:api_rpcTNP(1168)
  api_rpcTNP: rpc command: NET_SAMLOGON
[2002/10/11 16:58:55, 3]
rpc_server/srv_netlog_nt.c:_net_sam_logon(547)
  SAM Logon (Interactive). Domain:[DEBIAN].  User:[foo at HAL9000]
  Requested Domain:[DEBIAN]
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(190)
  check_password:  Checking password for unmapped user
  [DEBIAN]\[foo]@[HAL9000] with the new password interface
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(193)
  check_password:  mapped user is: [DEBIAN]\[foo]@[HAL9000]
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:push_sec_ctx(255)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/uid.c:push_conn_ctx(278)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 2]
passdb/pdb_ldap.c:ldapsam_open_connection(249)
  ldap_open_connection: connection opened
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:ldapsam_connect_system(326)
  ldap_connect_system: succesful connection to the LDAP server
[2002/10/11 16:58:55, 2]
passdb/pdb_ldap.c:ldapsam_search_one_user(338)
  ldapsam_search_one_user: searching
  for:[(&(uid=foo)(objectclass=sambaAccount))]
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(584)
  Entry found for user: foo
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:pop_sec_ctx(394)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(222)
  check_password: sam authentication for user [foo] suceeded
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:push_sec_ctx(255)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/uid.c:push_conn_ctx(278)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:pop_sec_ctx(394)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 2] auth/auth.c:check_ntlm_password(261)
  check_password:  authentication for user [foo] -> [foo] -> [foo]
  suceeded
[2002/10/11 16:58:55, 0]
rpc_server/srv_util.c:get_domain_user_groups(346)
  get_domain_user_groups: primary gid of user [foo] is not a Domain
  group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2002/10/11 16:58:55, 3]
rpc_server/srv_pipe_hnd.c:free_pipe_context(548)
  free_pipe_context: destroying talloc pool of size 4742
[2002/10/11 16:58:55, 3] smbd/pipes.c:reply_pipe_write_and_X(198)
  writeX-IPC pnum=74d7 nwritten=272
[2002/10/11 16:58:55, 3] smbd/process.c:process_smb(868)
  Transaction 33 of length 63
[2002/10/11 16:58:55, 3] smbd/process.c:switch_message(679)
  switch message SMBreadX (pid 6689)
[2002/10/11 16:58:55, 3] smbd/pipes.c:reply_pipe_read_and_X(241)
  readX-IPC pnum=74d7 min=1024 max=1024 nread=524


The message on the W2k host says (translated):

``Access denied.  Make sure username and password are correct...''

This is the smb.conf on both machines:


[global]
	workgroup = DEBIAN
	server string = Debian Samba Server
	encrypt passwords = true
	interfaces = 192.168.65.222/24
	
	domain logons = yes
	os level = 34
	preferred master = yes
	local master = yes
	domain master = yes

	# providing fqdn of ldap server when using ssl is CRITICAL
	passdb backend = ldapsam:ldaps://my.ldap.server tdbsam
	log level = 3
	# remove root from the following prior to adding a new machine 
	invalid users = root daemon bin sys sync games man lp mail news uucp proxy postgres www-data backup operator list irc gnats identd sshd postfix dictd bard
	security = user
	browseable = no
	writeable = no
	guest ok = no
	
	use spnego = no
	ldap suffix = dc=rcost,dc=unisannio,dc=it
	ldap machine suffix = ou=Computers,dc=rcost,dc=unisannio,dc=it
	ldap user suffix = ou=Users,dc=rcost,dc=unisannio,dc=it
	ldap admin dn = cn=admin,dc=rcost,dc=unisannio,dc=it
	ldap ssl = yes
	#add user script = /usr/local/sbin/smbldap-useradd.pl -w %u 

	logon path = \\%N\profiles\%U
	# Following two are default.  LDAP attributes override smb.conf.
	# logon home = \\%N\%U
	# logon drive = Z:

	unix password sync = yes
	passwd program = /usr/bin/passwd %u

	
[common]
	comment = Area comune
	path = /lan/samba/common
	writeable = yes
	guest ok = yes
	browseable = yes
	

[netlogon]
	path = /lan/samba/logon

[profiles]
	path = /lan/samba/profile
	writeable = yes
	guest ok = yes
	create mode = 0600
	directory mode = 0700

[homes]
	read only = no
	writable = yes
	valid users = %S
	create mode = 0644
	directory mode = 0775



Does anybody have an idea of what is happening?  The fact that XP logs
in fine puzzles me; I thought RequireSignOrSeal was the only difference
to keep in mind when setting them up.


Massimiliano
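
One way to check that two smb.conf files really are the same apart from the interfaces parameter, as an added example that is not part of the original post. It compares effective settings rather than text, following the smb.conf rules that parameter names ignore case and whitespace and that some parameters are synonyms; the synonym table is a partial subset, and the two sample configs are constructed, not the poster's files.

```python
import re

# Partial synonym table (a subset chosen for this example):
# alias -> (canonical name, boolean value inverted?)
SYNONYMS = {
    "writeable": ("readonly", True),
    "writable": ("readonly", True),
    "writeok": ("readonly", True),
    "browsable": ("browseable", False),
    "public": ("guestok", False),
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def parse_smb_conf(text):
    """Return {(section, parameter): value} with names and booleans normalized."""
    text = re.sub(r"\\\r?\n", "", text)            # join backslash-continued lines
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)           # only the first '=' is significant
        name = re.sub(r"\s+", "", name).lower()    # case and whitespace in names are ignored
        value = value.strip()
        name, inverted = SYNONYMS.get(name, (name, False))
        if value.lower() in TRUE | FALSE:
            value = "yes" if (value.lower() in TRUE) != inverted else "no"
        params[(section, name)] = value            # a later setting overrides an earlier one
    return params


def diff_configs(a, b, ignore=("interfaces",)):
    """List (section, parameter, value_a, value_b) for every effective difference."""
    pa, pb = parse_smb_conf(a), parse_smb_conf(b)
    return [(s, n, pa.get((s, n)), pb.get((s, n)))
            for s, n in sorted(set(pa) | set(pb))
            if n not in ignore and pa.get((s, n)) != pb.get((s, n))]


# Constructed sample input, not the poster's files.
HOST_A = "[global]\n\tencrypt passwords = true\n\tinterfaces = 192.168.65.222/24\n[homes]\n\twritable = yes\n"
HOST_B = "[Global]\n  Encrypt Passwords = Yes\n  interfaces = 192.168.65.223/24\n  use spnego = no\n[homes]\n  read only = no\n"
```

A parameter set on only one host is reported with None on the other side; the script does not know Samba's built-in defaults, so such a row still needs checking against the default for that build.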


