[Samba] Need help configuring Samba3/LDAP PDC

rwallace at thewallacepack.net
Wed Jun 9 20:45:54 GMT 2004


Aaron Ogden wrote:

>
> Hello all,
> I'm following along in chapter 6 of John Terpstra's "Samba 3 By 
> Example" and I've got everything working great up until the point 
> where I join the machine to the new domain (step 17 on page 155).  The 
> command *net rpc join -U Administrator* fails with the errors below.
>
> palpatine:/var/lib/samba/sbin # net -d 4 rpc join -U Administrator
> [2004/06/09 15:13:35, 3] param/loadparm.c:lp_load(3881)
>  lp_load: refreshing parameters
> [2004/06/09 15:13:35, 3] param/loadparm.c:init_globals(1309)
>  Initialising global parameters
> [2004/06/09 15:13:35, 3] param/params.c:pm_process(566)
>  params.c:pm_process() - Processing configuration file 
> "/etc/samba/smb.conf"
> [2004/06/09 15:13:35, 3] param/loadparm.c:do_section(3379)
>  Processing section "[global]"
>  doing parameter unix charset = LOCALE
>  doing parameter workgroup = GXT
>  doing parameter netbios name = GXTPDC
> [2004/06/09 15:13:35, 4] param/loadparm.c:handle_netbios_name(2723)
>  handle_netbios_name: set global_myname to: GXTPDC
>  doing parameter interfaces = eth0, lo
>  doing parameter bind interfaces only = Yes
>  doing parameter passdb backend = ldapsam:ldap://ldap.gxt.com
>  doing parameter username map = /etc/samba/smbusers
>  doing parameter log level = 1
>  doing parameter syslog = 0
>  doing parameter log file = /var/log/samba/%m
>  doing parameter max log size = 50
>  doing parameter smb ports = 139 445
>  doing parameter name resolve order = wins bcast hosts
>  doing parameter time server = Yes
>  doing parameter printcap name = CUPS
>  doing parameter show add printer wizard = No
>  doing parameter add user script = 
> /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
>  doing parameter delete user script = 
> /var/lib/samba/sbin/smbldap-userdel.pl '%u'
>  doing parameter add group script = 
> /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
>  doing parameter delete group script = 
> /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
>  doing parameter add user to group script = 
> /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
>  doing parameter delete user from group script = 
> /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
>  doing parameter set primary group script = 
> /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
>  doing parameter add machine script = 
> /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
>  doing parameter shutdown script = /var/lib/samba/scripts/shutdown.sh
>  doing parameter abort shutdown script = /sbin/shutdown -c
>  doing parameter logon script = scripts\logon.bat
>  doing parameter logon path = \\%L\profiles\%U
>  doing parameter logon drive = X:
>  doing parameter domain logons = Yes
>  doing parameter preferred master = Yes
>  doing parameter wins support = Yes
>  doing parameter ldap suffix = dc=gxt,dc=com
>  doing parameter ldap machine suffix = ou=people
>  doing parameter ldap user suffix = ou=people
>  doing parameter ldap group suffix = ou=groups
>  doing parameter ldap idmap suffix = ou=idmap
>  doing parameter ldap admin dn = cn=admin,dc=gxt,dc=com
>  doing parameter idmap backend = ldap://ldap.gxt.com
>  doing parameter idmap uid = 10000-20000
>  doing parameter idmap gid = 10000-20000
>  doing parameter map acl inherit = Yes
>  doing parameter printing = cups
>  doing parameter printer admin = Administrator
> [2004/06/09 15:13:35, 4] param/loadparm.c:lp_load(3913)
>  pm_process() returned Yes
> [2004/06/09 15:13:35, 2] lib/interface.c:add_interface(79)
>  added interface ip=172.17.0.240 bcast=172.17.3.255 nmask=255.255.252.0
> [2004/06/09 15:13:35, 2] lib/interface.c:add_interface(79)
>  added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
> [2004/06/09 15:13:35, 3] libsmb/cliconnect.c:cli_start_connection(1373)
>  Connecting to host=GXTPDC
> [2004/06/09 15:13:35, 3] lib/util_sock.c:open_socket_out(735)
>  Connecting to 172.17.0.240 at port 445
> [2004/06/09 15:13:35, 4] lib/time.c:get_serverzone(122)
>  Serverzone is 18000
> [2004/06/09 15:13:35, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45)
>  cli_net_req_chal: LSA Request Challenge from GXTPDC to GXTPDC: 
> 1F9217647828E59B
> [2004/06/09 15:13:35, 4] libsmb/credentials.c:cred_session_key(59)
>  cred_session_key
> [2004/06/09 15:13:35, 4] libsmb/credentials.c:cred_create(90)
>  cred_create
> [2004/06/09 15:13:35, 4] rpc_client/cli_netlogon.c:cli_net_auth2(102)
>  cli_net_auth2: srv:\\GXTPDC acct:GXTPDC$ sc:6 mc: GXTPDC chal 
> B3BA8E48EB059670 neg: 400701ff
> [2004/06/09 15:13:35, 3] 
> rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
>  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
> [2004/06/09 15:13:35, 3] 
> libsmb/trusts_util.c:just_change_the_password(43)
>  just_change_the_password: unable to setup creds 
> (NT_STATUS_ACCESS_DENIED)!
> [2004/06/09 15:13:35, 1] utils/net_rpc.c:run_rpc_command(141)
>  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
> Password:
> [2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_start_connection(1373)
>  Connecting to host=GXTPDC
> [2004/06/09 15:14:11, 3] lib/util_sock.c:open_socket_out(735)
>  Connecting to 172.17.0.240 at port 445
> [2004/06/09 15:14:11, 3] 
> libsmb/cliconnect.c:cli_session_setup_spnego(705)
>  Doing spnego session setup (blob length=58)
> [2004/06/09 15:14:11, 3] 
> libsmb/cliconnect.c:cli_session_setup_spnego(730)
>  got OID=1 3 6 1 4 1 311 2 2 10
> [2004/06/09 15:14:11, 3] 
> libsmb/cliconnect.c:cli_session_setup_spnego(737)
>  got principal=NONE
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(878)
>  Got challenge flags:
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>  Got NTLMSSP neg_flags=0x60890215
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_CHAL_TARGET_INFO
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(900)
>  NTLMSSP: Set final flags:
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>  Got NTLMSSP neg_flags=0x60080215
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>  NTLMSSP Sign/Seal - Initialising with flags:
> [2004/06/09 15:14:11, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>  Got NTLMSSP neg_flags=0x60080215
>    NTLMSSP_NEGOTIATE_UNICODE
>    NTLMSSP_REQUEST_TARGET
>    NTLMSSP_NEGOTIATE_SIGN
>    NTLMSSP_NEGOTIATE_NTLM
>    NTLMSSP_NEGOTIATE_NTLM2
>    NTLMSSP_NEGOTIATE_128
>    NTLMSSP_NEGOTIATE_KEY_EXCH
> [2004/06/09 15:14:11, 3] libsmb/cliconnect.c:cli_session_setup(854)
>  SPNEGO login failed: Logon failure
> [2004/06/09 15:14:11, 1] libsmb/cliconnect.c:cli_full_connection(1461)
>  failed session setup with NT_STATUS_LOGON_FAILURE
> Could not connect to server GXTPDC
> The username or password was not correct.
> [2004/06/09 15:14:11, 2] utils/net.c:main(792)
>  return code = 1
>
> I've already set Administrator's password with *smbpasswd* and 
> *smbldap-password.pl* but I still cannot authenticate.  Anonymous 
> access (e.g. *smbclient -L localhost -U%*) works fine so it seems that 
> there is something wrong with the LDAP SAM.  I am using the same LDAP 
> directory to authenticate Linux clients and provide autofs maps and 
> everything is working fine... except for Samba.  Has anyone else 
> encountered this problem?  Tridge, Terpstra, Allison, are you out there?
>
> I have torn down the LDAP/Samba stack several times and rebuilt it 
> from scratch.  I get the same behavior every time.
> I am running on SuSE 9.1 using OpenLDAP 2.2.6 and Samba 3.0.4 (SuSE 
> packages).  Thanks in advance!
>
> --aaron
>
>
Have you checked the logging on OpenLDAP?  I'd set the loglevel to 488 
and look at the queries Samba is doing.  If you have "root = 
administrator admin" in your smbusers file then Samba will look for an 
LDAP entry with uid=root.  Grep the LDAP log file for that and comment 
out that line in smbusers if that seems to be the case.

Rich
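
Added example (not part of the message above and not Samba's own code): a Python sketch of the check Rich describes. It applies "username map" lines to the name typed at the prompt, then lists the slapd searches for the resulting uid together with how many entries each returned. The smbusers content and the slapd log lines are constructed samples, and @group entries in the map are not evaluated.

```python
import re
import shlex

def map_username(map_text, client_name):
    """Apply Samba 'username map' lines to a client-supplied name."""
    name = client_name
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue                          # blank line, comment, or junk
        stop = line.startswith("!")           # '!' ends processing on a match
        unix, _, clients = line.lstrip("!").partition("=")
        wanted = [c.lower() for c in shlex.split(clients)]  # "quoted names" ok
        # @group entries need a system group lookup and are not evaluated here.
        if "*" in wanted or name.lower() in wanted:
            name = unix.strip()               # later lines see the mapped name
            if stop:
                break
    return name

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH .*filter="([^"]*)"')
DONE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')

def uid_searches(log_text, uid):
    """Return [(filter, nentries)] for searches whose filter asks for uid=<uid>."""
    pending, hits = {}, []
    needle = "(uid=%s)" % uid.lower()
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m and needle in m.group(3).lower():
            pending[m.group(1, 2)] = m.group(3)   # key on (conn, op)
            continue
        m = DONE.search(line)
        if m and m.group(1, 2) in pending:
            hits.append((pending.pop(m.group(1, 2)), int(m.group(3))))
    return hits

# Constructed sample data (not taken from the original post).
SMBUSERS = "# constructed sample\nroot = administrator admin\n"
SLAPD_LOG = '''\
Jun  9 15:14:11 host slapd[1]: conn=7 op=1 SRCH base="dc=gxt,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))"
Jun  9 15:14:11 host slapd[1]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
'''

if __name__ == "__main__":
    unix = map_username(SMBUSERS, "Administrator")
    print("Administrator ->", unix, uid_searches(SLAPD_LOG, unix))
```

A search for the mapped uid that comes back with nentries=0 means the directory has no Samba account under the name the map produced, which is the case Rich suggests checking for.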

