[Samba] SAMBA 3 as PDC - W2K/WXP Pro logon trouble

Scott Gross SGross at newsgroupwest.com
Thu Feb 26 19:13:33 GMT 2004


I have a Samba 3 (3.0.1, per the testparm output below) PDC running with an
LDAP (ldapsam) backend on Red Hat 8.  Authentication appears to be working
correctly -- the smbd log below shows the NET_SAMLOGON for
FIFEDEV\Administrator succeeding -- but I can't log in to the domain from a
W2K or WXP Pro workstation after I have successfully joined it to the domain.
If I log in locally on the workstation I can browse the Samba shares just
fine.  I have checked the schannel and sign-or-seal settings on both the
workstations and the server (client/server schannel = No, client/server
signing = No) and made sure they were disabled, but still no luck.  Can anyone
suggest how to solve this problem?

 

TIA

Scott

 

smb.conf (as written; long lines are wrapped by the mail client)

# Samba config file created using SWAT

# from 0.0.0.0 (0.0.0.0)

# Date: 2003/11/25 10:42:04

 

# Global parameters

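[global]
        workgroup = FIFEDEV
        netbios name = Dev

        # SECURITY: lets any account whose stored password is empty log on.
        # Nothing else in this file depends on it; a PDC should run with the
        # default (No) unless a specific account is known to need it.
        null passwords = Yes

        # Accounts live in LDAP. No URL is given, so smbd uses its built-in
        # default server (ldap://localhost in 3.0 -- confirm). With
        # "ldap ssl = No" below the admin-dn bind and every search result
        # (including the sambaNTPassword/sambaLMPassword hashes) cross the
        # wire unencrypted; that is only acceptable if the directory is on
        # this host. Otherwise use "ldap ssl = start_tls" or an ldaps:// URL.
        passdb backend = ldapsam

        # NOTE(review): "unix password sync" is at its default (No), so the
        # passwd program/chat below are never invoked -- "ldap passwd sync"
        # updates the LDAP password instead. The chat's second prompt read
        # "%n\ " in the original, which looks like a dropped "n"; corrected
        # to "%n\n" here -- confirm against the script's prompts before
        # enabling unix password sync.
        passwd program = /usr/local/bin/smbldap-passwd.pl -o %u
        passwd chat = *new*password* %n\n *new*password:* %n\n *successfully*
        # SECURITY: passwd chat debug writes the cleartext password into the
        # smbd log (smb.conf(5) calls it a dangerous option). Switch it off
        # once the chat is known to work.
        passwd chat debug = Yes

        # Per-client log: the log excerpt for FIFEMOBILE14 comes from here.
        log file = /var/log/samba/%m.log

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        # Provisioning hooks run by smbd with the substituted names quoted.
        # FIXED: add group script ended in "%g% -- an unterminated quote that
        # would have produced a broken shell command line on every group add.
        add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"
        delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"
        add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g"
        delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"
        add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
        # NOTE(review): identical to the add-to-group command above --
        # presumably a remove flag was intended; confirm against
        # smbldap-useradd.pl.
        delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
        # NOTE(review): "-gid" is a single-dash long option; confirm the
        # script accepts it.
        set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u "%u" -gid "%g"
        # NOTE(review): smb.conf(5) documents %u (the machine account name)
        # for this hook; %m is the connecting client's NetBIOS name and only
        # coincides with it when a machine joins itself -- confirm.
        add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"

        # Domain logon role. An empty logon path is how Samba disables
        # roaming profiles (see smb.conf(5)), so [profiles] below is not used
        # for roaming as configured.
        logon script = logon.bat
        logon path =
        logon drive =
        domain logons = Yes
        os level = 22
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        wins proxy = No

        # LDAP layout. The bind password for the admin dn is stored in
        # secrets.tdb (smbpasswd -w). NOTE(review): the quotes are part of
        # the value as testparm prints it; the LDAP searches in the log
        # succeed, so smbd evidently copes, but the documented form is
        # unquoted.
        ldap suffix = dc=test,dc=com
        ldap machine suffix = ou=_COMPUTERS_
        ldap user suffix = ou=_USERS_
        ldap group suffix = ou=_GROUPS_
        ldap admin dn = "cn=Manager,dc=test,dc=com"
        # SECURITY: see the note at passdb backend.
        ldap ssl = No
        ldap passwd sync = yes

        # Share defaults inherited by every section below.
        comment = Samba-PDC Server
        public = No
        browseable = Yes
        writable = No

        # Troubleshooting settings. With server schannel = No the netlogon
        # secure channel is neither signed nor sealed, and with signing off
        # SMB sessions can be altered in transit. The log shows the
        # NET_SAMLOGON completing with these settings, so they are unlikely
        # to be the cause of the logon failure; restore the defaults once it
        # is solved.
        client schannel = No
        server schannel = No
        client signing = No
        server signing = No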

 

# Serves logon.bat to every domain logon. Whatever can be written here runs
# on every client at logon, so the write list must stay minimal. Note that
# "ntadmin" without an @ or + prefix names a single user, not a group; use
# @ntadmin if a group was intended.
[netlogon]
        path = /usr/local/samba/lib/netlogon
        writable = no
        locking = no
        write list = ntadmin

 

# SECURITY: "guest ok" means no credentials are needed to connect, and
# "restrict anonymous = 0" (effective value) admits anonymous sessions, so
# every world-readable file in the domain controller's /tmp is disclosed to
# anyone who can reach port 139/445. This looks like a leftover example
# share; a PDC should not export /tmp at all.
[tmp]
        path = /tmp
        writable = no
        public = yes

 

# Roaming-profile store. Not used as configured, because "logon path" in
# [global] is empty (that disables roaming profiles). "read only = No" and
# "writable = Yes" are the same setting spelled twice; one suffices. The
# 0600/0700 masks keep one user's profile unreadable by another. If roaming
# is enabled later, smb.conf(5) recommends "profile acls = yes" for W2K/XP
# clients -- confirm against the version in use.
[profiles]
        path = /profiles
        writeable = yes
        create mask = 0600
        directory mask = 0700

 

# Per-user home directories; the effective "logon home = \\%N\%U" points
# here. "valid users = %S" limits each share to its owner, and the 0700
# masks keep new files private. "hide dot files" is already the default.
# NOTE(review): the effective "wide links = Yes" means a symlink created in
# a home directory and pointing outside it is followed by smbd (within the
# owner's Unix permissions); set "wide links = no" if share scoping matters.
[homes]
        comment = Home Directories
        valid users = %S
        read only = no
        browseable = no
        hide dot files = yes
        create mask = 0700
        directory mask = 0700

 

testparm -v output (effective values, including every default smb.conf did not set)

# Global parameters

# testparm -v prints every parameter, so these are the effective values;
# most are Samba 3.0.1 defaults that smb.conf never set. Tool output, kept
# verbatim -- review remarks are added as comments only.
[global]

        dos charset = CP850

        unix charset = UTF-8

        display charset = LOCALE

        workgroup = FIFEDEV

        realm =

        afs username map =

        netbios name = DEV

        netbios aliases =

        netbios scope =

        # Default server string; it reveals the exact version (3.0.1).
        server string = Samba 3.0.1

        # Empty, and "socket address = 0.0.0.0" further down: smbd listens on
        # every interface of the host.
        interfaces =

        bind interfaces only = No

        security = USER

        auth methods =

        encrypt passwords = Yes

        update encrypted = No

        # SECURITY: netlogon secure channel is unsigned and unsealed on both
        # sides. Set for troubleshooting; restore the default (Auto) after.
        client schannel = No

        server schannel = No

        allow trusted domains = Yes

        hosts equiv =

        min passwd length = 5

        # Bad credentials are rejected rather than mapped to the guest account.
        map to guest = Never

        # SECURITY: accounts with an empty password can log on. Not a default;
        # set explicitly in smb.conf.
        null passwords = Yes

        obey pam restrictions = No

        # Only consulted with security = domain/server; inert with USER.
        password server = *

        # Unused: passdb backend is ldapsam, not smbpasswd.
        smb passwd file = /usr/local/samba/private/smbpasswd

        # Holds secrets.tdb (domain SID, ldap admin dn password, machine
        # trust secrets). Must remain root-only.
        private dir = /usr/local/samba/private

        passdb backend = ldapsam

        algorithmic rid base = 1000

        root directory =

        guest account = nobody

        pam password change = No

        # NOTE(review): "unix password sync = No" below, so passwd program and
        # passwd chat are never run; "ldap passwd sync = Yes" handles the LDAP
        # password. If they are ever enabled, the chat's second "%n\ " looks
        # like a dropped "n" (should be "%n\n").
        passwd program = /usr/local/bin/smbldap-passwd.pl -o %u

        passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*

        # SECURITY: writes cleartext passwords to the smbd log (smb.conf(5)
        # calls this a dangerous option). Turn off when not debugging.
        passwd chat debug = Yes

        passwd chat timeout = 2

        username map =

        password level = 0

        username level = 0

        unix password sync = No

        # Anonymous (null-session) IPC$ connections are accepted. Windows
        # 2000/XP clients are documented to need some anonymous access for
        # domain operations, so tighten this only after testing.
        restrict anonymous = 0

        # SECURITY: LM challenge/response is accepted (3.0 default). The LM
        # hash is weak and W2K/XP clients do not need it; consider No once the
        # logon problem is solved.
        lanman auth = Yes

        ntlm auth = Yes

        # smbd-as-client settings (trusts, password server): NTLMv2 off, LM
        # and plaintext allowed -- 3.0 defaults, all weak.
        client NTLMv2 auth = No

        client lanman auth = Yes

        client plaintext auth = Yes

        preload modules =

        # NOTE(review): configured level is 0, yet the log excerpt holds level
        # 2 and 3 records, so debugging was raised at runtime for the capture.
        log level = 0

        syslog = 1

        syslog only = No

        log file = /var/log/samba/%m.log

        max log size = 5000

        timestamp logs = Yes

        debug hires timestamp = No

        debug pid = No

        debug uid = No

        smb ports = 445 139

        protocol = NT1

        large readwrite = Yes

        max protocol = NT1

        # Pre-LANMAN1 dialects are still negotiable; nothing here needs them.
        min protocol = CORE

        unicode = Yes

        read bmpx = No

        read raw = Yes

        write raw = Yes

        disable netbios = No

        acl compatibility =

        nt pipe support = Yes

        nt status support = Yes

        announce version = 4.9

        announce as = NT

        max mux = 50

        max xmit = 16644

        name resolve order = lmhosts wins host bcast

        max ttl = 259200

        max wins ttl = 518400

        min wins ttl = 21600

        time server = No

        unix extensions = Yes

        use spnego = Yes

        # SECURITY: SMB signing disabled both ways (set in smb.conf); sessions
        # can be altered in transit. Restore after troubleshooting.
        client signing = No

        server signing = No

        client use spnego = Yes

        change notify timeout = 60

        deadtime = 0

        getwd cache = Yes

        keepalive = 300

        kernel change notify = Yes

        lpq cache time = 10

        max smbd processes = 0

        paranoid server security = Yes

        max disk size = 0

        max open files = 10000

        read size = 16384

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        use mmap = Yes

        hostname lookups = No

        name cache timeout = 660

        load printers = Yes

        printcap name = /etc/printcap

        disable spoolss = No

        enumports command =

        addprinter command =

        deleteprinter command =

        show add printer wizard = Yes

        os2 driver map =

        mangling method = hash2

        mangle prefix = 1

        stat cache = Yes

        machine password timeout = 604800

        add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"

        delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"

        # BUG: the value really ends in "%g% (unterminated quote) -- the same
        # text is in smb.conf, so this is not a mail-wrap artifact.
        add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g%

        delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"

        add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u
"%u" -g "%g"

        # NOTE(review): same command as the add-to-group hook; presumably a
        # remove flag was intended.
        delete user from group script = /usr/local/sbin/smbldap-useradd.pl
-j -u "%u" -g "%g"

        set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u
"%u" -gid "%g"

        # NOTE(review): smb.conf(5) documents %u for this hook; %m is the
        # client's NetBIOS name -- confirm.
        add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"

        shutdown script =

        abort shutdown script =

        logon script = logon.bat

        # Empty: roaming profiles disabled, so [profiles] is not used for them.
        logon path =

        logon drive =

        # Default; resolves to the [homes] share of the logging-on user.
        logon home = \\%N\%U

        domain logons = Yes

        os level = 22

        lm announce = Auto

        lm interval = 60

        preferred master = Yes

        local master = Yes

        domain master = Yes

        browse list = Yes

        enhanced browsing = Yes

        dns proxy = Yes

        wins proxy = No

        wins server =

        wins support = Yes

        wins hook =

        wins partners =

        kernel oplocks = Yes

        lock spin count = 3

        lock spin time = 10

        oplock break wait time = 0

        ldap suffix = dc=test,dc=com

        ldap machine suffix = ou=_COMPUTERS_

        ldap user suffix = ou=_USERS_

        ldap group suffix = ou=_GROUPS_

        ldap idmap suffix =

        ldap filter = (uid=%u)

        # The quotes are part of the stored value; the log's LDAP searches
        # succeed, so smbd evidently copes, but the documented form is unquoted.
        ldap admin dn = "cn=Manager,dc=test,dc=com"

        # SECURITY: admin bind and password-hash attributes travel in the
        # clear unless the directory is on this host.
        ldap ssl = no

        ldap passwd sync = Yes

        ldap delete dn = No

        add share command =

        change share command =

        delete share command =

        config file =

        preload =

        lock directory = /usr/local/samba/var/locks

        pid directory = /usr/local/samba/var/locks

        utmp directory =

        wtmp directory =

        utmp = No

        default service =

        message command =

        dfree command =

        get quota command =

        set quota command =

        remote announce =

        remote browse sync =

        socket address = 0.0.0.0

        homedir map =

        time offset = 0

        NIS homedir = No

        source environment =

        panic action =

        host msdfs = No

        enable rid algorithm = Yes

        idmap backend =

        idmap uid =

        idmap gid =

        template primary group = nobody

        template homedir = /home/%D/%U

        template shell = /bin/false

        winbind separator = \

        winbind cache time = 300

        winbind enable local accounts = Yes

        winbind enum users = Yes

        winbind enum groups = Yes

        winbind use default domain = No

        winbind trusted domains only = No

        # ---- per-share defaults, inherited by the sections below ----
        comment = Samba-PDC Server

        path =

        username =

        invalid users =

        valid users =

        admin users =

        read list =

        write list =

        printer admin =

        force user =

        force group =

        read only = Yes

        create mask = 0744

        force create mode = 00

        security mask = 0777

        force security mode = 00

        directory mask = 0755

        force directory mode = 00

        directory security mask = 0777

        force directory security mode = 00

        inherit permissions = No

        inherit acls = No

        guest only = No

        guest ok = No

        only user = No

        # Both empty: any host that can reach the server may connect. A PDC
        # should normally list its own subnets in hosts allow.
        hosts allow =

        hosts deny =

        nt acl support = Yes

        profile acls = No

        map acl inherit = No

        afs share = No

        block size = 1024

        max connections = 0

        min print space = 0

        strict allocate = No

        strict sync = No

        sync always = No

        use sendfile = No

        write cache size = 0

        max reported print jobs = 0

        max print jobs = 1000

        printable = No

        printing = bsd

        print command = lpr -r -P'%p' %s

        lpq command = lpq -P'%p'

        lprm command = lprm -P'%p' %j

        lppause command =

        lpresume command =

        queuepause command =

        queueresume command =

        printer name =

        use client driver = No

        default devmode = No

        default case = lower

        case sensitive = No

        preserve case = Yes

        short preserve case = Yes

        mangle case = No

        mangling char = ~

        hide dot files = Yes

        hide special files = No

        hide unreadable = No

        hide unwriteable files = No

        delete veto files = No

        veto files =

        hide files =

        veto oplock files =

        map system = No

        map hidden = No

        map archive = Yes

        mangled names = Yes

        mangled map =

        browseable = Yes

        blocking locks = Yes

        csc policy = manual

        fake oplocks = No

        locking = Yes

        oplocks = Yes

        level2 oplocks = Yes

        oplock contention limit = 2

        posix locking = Yes

        strict locking = Yes

        share modes = Yes

        copy =

        include =

        exec =

        preexec close = No

        postexec =

        root preexec =

        root preexec close = No

        root postexec =

        available = Yes

        volume =

        fstype = NTFS

        set directory = No

        # SECURITY: symlinks inside a share that point outside its path are
        # followed (3.0 default). With the writable [homes] share a user can
        # create such links; bounded by their Unix permissions, but it defeats
        # share scoping. Consider wide links = No.
        wide links = Yes

        follow symlinks = Yes

        dont descend =

        magic script =

        magic output =

        delete readonly = No

        dos filemode = No

        dos filetimes = No

        dos filetime resolution = No

        fake directory create times = No

        vfs objects =

        msdfs root = No

        msdfs proxy =

 

# Read-only via the inherited default; "ntadmin" with no @/+ prefix is a
# user name, not a group. Writers here control logon.bat on every client.
[netlogon]

        path = /usr/local/samba/lib/netlogon

        write list = ntadmin

        locking = No

 

# SECURITY: readable without credentials (guest ok + restrict anonymous = 0);
# exports the domain controller's /tmp. Remove from a PDC.
[tmp]

        path = /tmp

        guest ok = Yes

 

# Unused for roaming while logon path is empty.
[profiles]

        path = /profiles

        read only = No

        create mask = 0600

        directory mask = 0700

 

# Owner-only home shares (valid users = %S), private 0700 masks.
[homes]

        comment = Home Directories

        valid users = %S

        read only = No

        create mask = 0700

        directory mask = 0700

        browseable = No

 

excerpt from the smbd log for the workstation (the per-client log produced by
`log file = /var/log/samba/%m.log`, captured at debug level 3 or higher even
though the configured `log level` is 0). Note that the NET_SAMLOGON for
FIFEDEV\Administrator succeeds, and that the group-mapping lookup for
gidNumber=544 returns no entry while the one for gidNumber=512 does.

  Closed policy

[2004/02/26 11:24:51, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)

  free_pipe_context: destroying talloc pool of size 0

[2004/02/26 11:24:51, 3] smbd/pipes.c:reply_pipe_write_and_X(199)

  writeX-IPC pnum=723e nwritten=44

[2004/02/26 11:24:51, 3] smbd/process.c:process_smb(890)

  Transaction 31 of length 63

[2004/02/26 11:24:51, 3] smbd/process.c:switch_message(685)

  switch message SMBreadX (pid 27199)

[2004/02/26 11:24:51, 3] smbd/pipes.c:reply_pipe_read_and_X(242)

  readX-IPC pnum=723e min=1024 max=1024 nread=48

[2004/02/26 11:24:51, 3] smbd/process.c:process_smb(890)

  Transaction 32 of length 45

[2004/02/26 11:24:51, 3] smbd/process.c:switch_message(685)

  switch message SMBclose (pid 27199)

[2004/02/26 11:24:51, 3] smbd/process.c:process_smb(890)

  Transaction 33 of length 378

[2004/02/26 11:24:51, 3] smbd/process.c:switch_message(685)

  switch message SMBwriteX (pid 27199)

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)

  free_pipe_context: destroying talloc pool of size 0

[2004/02/26 11:24:51, 3] rpc_server/srv_pipe.c:api_rpcTNP(1509)

  api_rpcTNP: rpc command: NET_SAMLOGON

[2004/02/26 11:24:51, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon(570)

  SAM Logon (Interactive). Domain:[FIFEDEV].
User:[Administrator@FIFEMOBILE14] Requested Domain:[FIFEDEV]

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:push_sec_ctx(256)

  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/uid.c:push_conn_ctx(287)

  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:pop_sec_ctx(386)

  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] auth/auth.c:check_ntlm_password(219)

  check_ntlm_password:  Checking password for unmapped user
[FIFEDEV]\[Administrator]@[FIFEMOBILE14] with the new password interface

[2004/02/26 11:24:51, 3] auth/auth.c:check_ntlm_password(222)

  check_ntlm_password:  mapped user is:
[FIFEDEV]\[Administrator]@[FIFEMOBILE14]

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:push_sec_ctx(256)

  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/uid.c:push_conn_ctx(287)

  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 2] lib/smbldap.c:smbldap_search_suffix(1068)

  smbldap_search_suffix: searching
for:[(&(uid=Administrator)(objectclass=sambaSamAccount))]

[2004/02/26 11:24:51, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)

  init_sam_from_ldap: Entry found for user: Administrator

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:pop_sec_ctx(386)

  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:push_sec_ctx(256)

  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/uid.c:push_conn_ctx(287)

  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:pop_sec_ctx(386)

  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:push_sec_ctx(256)

  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/uid.c:push_conn_ctx(287)

  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636)

  ldapsam_search_one_group: searching
for:[(&(objectClass=sambaGroupMapping)(gidNumber=512))]

[2004/02/26 11:24:51, 2] passdb/pdb_ldap.c:init_group_from_ldap(1680)

  init_group_from_ldap: Entry found for group: 512

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:pop_sec_ctx(386)

  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(235)

  fetch sid from gid cache 512 ->
S-1-5-21-3516781642-1962875130-3438800523-512

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:push_sec_ctx(256)

  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/uid.c:push_conn_ctx(287)

  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1636)

  ldapsam_search_one_group: searching
for:[(&(objectClass=sambaGroupMapping)(gidNumber=544))]

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:pop_sec_ctx(386)

  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] auth/auth.c:check_ntlm_password(268)

  check_ntlm_password: sam authentication for user [Administrator] succeeded

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:push_sec_ctx(256)

  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/uid.c:push_conn_ctx(287)

  push_conn_ctx(100) : conn_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2004/02/26 11:24:51, 3] smbd/sec_ctx.c:pop_sec_ctx(386)

  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:24:51, 2] auth/auth.c:check_ntlm_password(305)

  check_ntlm_password:  authentication for user [Administrator] ->
[Administrator] -> [Administrator] succeeded

[2004/02/26 11:24:51, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(544)

  free_pipe_context: destroying talloc pool of size 4832

[2004/02/26 11:24:51, 3] smbd/pipes.c:reply_pipe_write_and_X(199)

  writeX-IPC pnum=723d nwritten=310

[2004/02/26 11:24:51, 3] smbd/process.c:process_smb(890)

  Transaction 34 of length 63

[2004/02/26 11:24:51, 3] smbd/process.c:switch_message(685)

  switch message SMBreadX (pid 27199)

[2004/02/26 11:24:51, 3] smbd/pipes.c:reply_pipe_read_and_X(242)

  readX-IPC pnum=723d min=1024 max=1024 nread=600

[2004/02/26 11:25:02, 3] smbd/process.c:process_smb(890)

  Transaction 35 of length 43

[2004/02/26 11:25:02, 3] smbd/process.c:switch_message(685)

  switch message SMBulogoffX (pid 27199)

[2004/02/26 11:25:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:02, 3] smbd/reply.c:reply_ulogoffX(1108)

  ulogoffX vuid=101

[2004/02/26 11:25:02, 3] smbd/process.c:process_smb(890)

  Transaction 36 of length 39

[2004/02/26 11:25:02, 3] smbd/process.c:switch_message(685)

  switch message SMBtdis (pid 27199)

[2004/02/26 11:25:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:02, 3] smbd/service.c:close_cnum(887)

  fifemobile14 (192.168.17.164) closed connection to service IPC$

[2004/02/26 11:25:02, 3] smbd/connection.c:yield_connection(69)

  Yielding connection to IPC$

[2004/02/26 11:25:02, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:21, 3] smbd/process.c:process_smb(890)

  Transaction 37 of length 45

[2004/02/26 11:25:21, 3] smbd/process.c:switch_message(685)

  switch message SMBclose (pid 27199)

[2004/02/26 11:25:21, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (99, 99) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:32, 3] smbd/process.c:process_smb(890)

  Transaction 38 of length 43

[2004/02/26 11:25:32, 3] smbd/process.c:switch_message(685)

  switch message SMBulogoffX (pid 27199)

[2004/02/26 11:25:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:32, 3] smbd/reply.c:reply_ulogoffX(1108)

  ulogoffX vuid=100

[2004/02/26 11:25:32, 3] smbd/process.c:process_smb(890)

  Transaction 39 of length 39

[2004/02/26 11:25:32, 3] smbd/process.c:switch_message(685)

  switch message SMBtdis (pid 27199)

[2004/02/26 11:25:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:32, 3] smbd/service.c:close_cnum(887)

  fifemobile14 (192.168.17.164) closed connection to service IPC$

[2004/02/26 11:25:32, 3] smbd/connection.c:yield_connection(69)

  Yielding connection to IPC$

[2004/02/26 11:25:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:32, 3] smbd/process.c:timeout_processing(1104)

  timeout_processing: End of file from client (client has disconnected).

[2004/02/26 11:25:32, 3] smbd/sec_ctx.c:set_sec_ctx(288)

  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2004/02/26 11:25:32, 2] smbd/server.c:exit_server(558)

  Closing connections

[2004/02/26 11:25:32, 3] smbd/connection.c:yield_connection(69)

  Yielding connection to

[2004/02/26 11:25:32, 3] smbd/server.c:exit_server(601)

  Server exit (normal exit)


