[Samba] SOLVED samba - sql server authentication

McKeever Chris tech-mail at prupref.com
Wed Dec 10 17:35:28 GMT 2003


In my conversion to a samba backend, I changed the services that sql ran under to the machine administrator.  This is what caused my attaching to remote fileshares to fail.  The jobs need to be set to sa in order to run because of some issue with it not finding the correct username/group when doing a domain lookup via the job-agent.  This is something that 2000 Native Authentication has an issue with as well, so all the how-tos pointed to creating a pre-2000 user group configuration, which I don't think is possible with the samba setup

but this workaround does the trick

thanks


On Tue, 9 Dec 2003 23:00 , McKeever Chris <tech-mail at prupref.com> sent:

>
>On Tue, 9 Dec 2003 14:18 , McKeever Chris <tech-mail at prupref.com> sent:
>
>>samba 2.2.8a/LDAP backend
>>Red Hat 7.3
>>Windows 2000 server, connected to the samba controlled domain
>>Sql Server 7.0
>>
>>
>>It seems that my sql server does not want to run scheduled jobs as a domain user, I am needing to do this for a network share that I am 
>>saving to, otherwise I would just run as SA
>>
>>Error from sql server:
>>The job failed.  Unable to determine if the owner (PRUPREF.COM\Administrator) of job Transaction Log Backup Job for DB Maintenance 
>>Plan 'Morning Database Backup' has server access (reason: Could not obtain information about Windows NT 
>>group/user 'PRUPREF.COM\Administrator'. [SQLSTATE 42000] (Error 8198)).
>>
>>I have turned the samba debuglevel up to 10, and I can see where it fails, but I am not sure why.  Administrator is a proper username, and it
>>logs into the domain no problem.  It is almost like the NT password is not correct, this happens for any account I use, same error.
>>I have marked the failure location below
>>
>>I am able to log into the machine using the domain account and password no problem
>>
>>Any ideas?  Thanks
>>Chris
>>
>>
>>SAMBA LOG:
>>[2003/12/09 14:02:51, 6] param/loadparm.c:lp_file_list_changed(2302)
>>  lp_file_list_changed()
>>  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Tue Dec  9 13:52:49 2003
>>  
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:ldap_open_connection(122)
>>  ldap_open_connection: starting...
>>[2003/12/09 14:02:51, 10] passdb/pdb_ldap.c:ldap_open_connection(148)
>>  Initializing connection to ldap.prupref.com on port 389
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_open_connection(186)
>>  StartTLS issued: using a TLS connection
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_open_connection(217)
>>  ldap_open_connection: connection opened
>>[2003/12/09 14:02:51, 0] passdb/pdb_ldap.c:ldap_connect_system(315)
>>  ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
>>  ldap_connect_system: succesful connection to the LDAP server
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
>>  ldap_search_one_user: searching for:[(&(uid=administrator)(objectclass=sambaAccount))]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [uid] = [administrator]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(576)
>>  Entry found for user: administrator
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [pwdLastSet] = [1068626880]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [logonTime] = [0]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [logoffTime] = [2147483647]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [kickoffTime] = [2147483647]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [pwdCanChange] = [0]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [pwdMustChange] = [2147483647]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [cn] = [administrator administrator]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [homeDrive] = []
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(626)
>>  homeDrive fell back to 
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [smbHome] = []
>>[2003/12/09 14:02:51, 4] lib/substitute.c:automount_server(183)
>>  Home server: prupref-ldap
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(635)
>>  smbHome fell back to \\prupref-ldap\administrator
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [scriptPath] = []
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(644)
>>  scriptPath fell back to 
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [profilePath] = []
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(653)
>>  profilePath fell back to 
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [description] = []
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [userWorkstations] = []
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [rid] = [98478]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [primaryGroupID] = [3005]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [lmPassword] = []
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [ntPassword] = ]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [acctFlags] = [[UX         ]]
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(475)
>>
>>
>>Here is where it starts to flake out:
>>
>>  smb_password_ok: Checking SMB password for user administrator
>>[2003/12/09 14:02:51, 5] smbd/password.c:smb_password_ok(489)
>>  smb_password_ok: challenge received
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(499)
>>  smb_password_ok: Checking NT MD4 password
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(504)
>>  smb_password_ok: NT MD4 password check failed
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(518)
>>  smb_password_ok: Checking LM password
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(523)
>>  smb_password_ok: LM password check failed
>>[2003/12/09 14:02:51, 2] smbd/password.c:pass_check_smb(575)
>>  pass_check_smb failed - invalid password for user [administrator]
>>[2003/12/09 14:02:51, 2] smbd/reply.c:reply_sesssetup_and_X(997)
>>  NT Password did not match for user 'administrator'!
>>[2003/12/09 14:02:51, 2] smbd/reply.c:reply_sesssetup_and_X(1007)
>>  Defaulting to Lanman password for administrator
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:ldap_open_connection(122)
>>  ldap_open_connection: starting...
>>[2003/12/09 14:02:51, 10] passdb/pdb_ldap.c:ldap_open_connection(148)
>>  Initializing connection to ldap.prupref.com on port 389
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_open_connection(186)
>>  StartTLS issued: using a TLS connection
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_open_connection(217)
>>  ldap_open_connection: connection opened
>>[2003/12/09 14:02:51, 0] passdb/pdb_ldap.c:ldap_connect_system(315)
>>  ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
>>  ldap_connect_system: succesful connection to the LDAP server
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
>>  ldap_search_one_user: searching for:[(&(uid=administrator)(objectclass=sambaAccount))]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [uid] = [administrator]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(576)
>>  Entry found for user: administrator
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [pwdLastSet] = [1068626880]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [logonTime] = [0]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [logoffTime] = [2147483647]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [kickoffTime] = [2147483647]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [pwdCanChange] = [0]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [pwdMustChange] = [2147483647]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [cn] = [administrator administrator]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [homeDrive] = []
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(626)
>>  homeDrive fell back to 
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [smbHome] = []
>>[2003/12/09 14:02:51, 4] lib/substitute.c:automount_server(183)
>>  Home server: prupref-ldap
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(635)
>>  smbHome fell back to \\prupref-ldap\administrator
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [scriptPath] = []
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(644)
>>  scriptPath fell back to 
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [profilePath] = []
>>[2003/12/09 14:02:51, 5] passdb/pdb_ldap.c:init_sam_from_ldap(653)
>>  profilePath fell back to 
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [description] = []
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(435)
>>  get_single_attribute: [userWorkstations] = []
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [rid] = [98478]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [primaryGroupID] = [3005]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [lmPassword] = [949591E535F780E34234234234]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [ntPassword] = [9951F4C2FF5234234234234234234]
>>[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
>>  get_single_attribute: [acctFlags] = [[UX         ]]
>>
>>
>>Second Pass through it looks like, same results
>>
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(475)
>>  smb_password_ok: Checking SMB password for user administrator
>>[2003/12/09 14:02:51, 5] smbd/password.c:smb_password_ok(489)
>>  smb_password_ok: challenge received
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(499)
>>  smb_password_ok: Checking NT MD4 password
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(504)
>>  smb_password_ok: NT MD4 password check failed
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(518)
>>  smb_password_ok: Checking LM password
>>[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(523)
>>  smb_password_ok: LM password check failed
>>[2003/12/09 14:02:51, 2] smbd/password.c:pass_check_smb(575)
>>  pass_check_smb failed - invalid password for user [administrator]
>>[2003/12/09 14:02:51, 1] smbd/reply.c:reply_sesssetup_and_X(1023)
>>  Rejecting user 'administrator': authentication failed
>>[2003/12/09 14:02:51, 3] smbd/error.c:error_packet(109)
>>
>>Here is the failure message back to NT
>>
>>  error packet at smbd/reply.c(1025) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>>[2003/12/09 14:02:51, 5] lib/util.c:show_msg(268)
>>
>>
>
>Logs under a normal login show that the NT password is in fact good:
>
>[2003/12/09 22:51:36, 4] smbd/password.c:smb_password_ok(475)
>  smb_password_ok: Checking SMB password for user administrator
>[2003/12/09 22:51:36, 5] smbd/password.c:smb_password_ok(489)
>  smb_password_ok: challenge received
>[2003/12/09 22:51:36, 4] smbd/password.c:smb_password_ok(499)
>  smb_password_ok: Checking NT MD4 password
>[2003/12/09 22:51:36, 4] smbd/password.c:smb_password_ok(501)
>  smb_password_ok: NT MD4 password check succeeded
>
>
>
>Any ideas???
>
>thanks
>
>
>
>
>>
-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
http://www.prupref.com
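
An added example, not part of the original post: a small Python parser for smbd debug logs in the format quoted above that groups each `smb_password_ok` attempt with its NT MD4 / LM check results and the final rejection, and masks the `lmPassword`/`ntPassword` values that this debug level writes out. The sample log is constructed from message strings seen in the thread with a placeholder hash, and the function names are hypothetical.

```python
import re

# Constructed sample: "[date time, level] file:function(line)" header lines,
# each followed by an indented message line. The hash is a placeholder.
SAMPLE_LOG = """\
[2003/12/09 14:02:51, 2] passdb/pdb_ldap.c:get_single_attribute(441)
  get_single_attribute: [ntPassword] = [0123456789ABCDEF0123456789ABCDEF]
[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(475)
  smb_password_ok: Checking SMB password for user administrator
[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(504)
  smb_password_ok: NT MD4 password check failed
[2003/12/09 14:02:51, 4] smbd/password.c:smb_password_ok(523)
  smb_password_ok: LM password check failed
[2003/12/09 14:02:51, 1] smbd/reply.c:reply_sesssetup_and_X(1023)
  Rejecting user 'administrator': authentication failed
[2003/12/09 22:51:36, 4] smbd/password.c:smb_password_ok(475)
  smb_password_ok: Checking SMB password for user administrator
[2003/12/09 22:51:36, 4] smbd/password.c:smb_password_ok(501)
  smb_password_ok: NT MD4 password check succeeded
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] ")
SECRET = re.compile(r"(\[(?:lm|nt)Password\] = )\[[^\]]*\]")
CHECK = re.compile(r"smb_password_ok: (NT MD4|LM) password check (failed|succeeded)")
USER = re.compile(r"Checking SMB password for user (\S+)")
REJECT = re.compile(r"Rejecting user '([^']+)': authentication failed")

def redact(text):
    """Mask password-hash attribute values before a log is shared."""
    return SECRET.sub(r"\1[REDACTED]", text)

def auth_attempts(text):
    """Return one dict per smb_password_ok attempt, in log order."""
    attempts, current, stamp = [], None, None
    for raw in text.splitlines():
        line = raw.lstrip("> ")  # also accept mail-quoted ('>>') log lines
        if (h := HEADER.match(line)):
            stamp = h.group(1)   # timestamp applies to the message lines that follow
        elif (u := USER.search(line)):
            current = {"time": stamp, "user": u.group(1), "checks": {}, "rejected": False}
            attempts.append(current)
        elif (c := CHECK.search(line)) and current:
            current["checks"][c.group(1)] = c.group(2)
        elif (r := REJECT.search(line)) and current and r.group(1) == current["user"]:
            current["rejected"] = True
    return attempts
```

Comparing the attempts for one user side by side separates a wrong stored hash (every attempt fails) from a context-specific failure such as the one in this thread, where the interactive logon passes the NT MD4 check and the job's session does not.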


