[Samba] Migrating from Samba-LDAP-2.2.8a to Samba-LDAP-3.0.2a problem
zergio
zergio at isma.kharkov.ua
Wed Mar 3 11:50:42 GMT 2004
1. Problem
Short list of what I’ve done:
1. I dumped old ldap database to ldif file.
2. Converted it with convertSambaAccount script.
3. Updated ldap server with new schema and indexes.
4. Imported new ldif to ldap.
5. Set necessary parameters in smb.conf
6. Set test share and tried to connect to it with smbclient //host/test -u test
Test is old user. Connection failed and I got NT_STATUS_LOGON_FAILURE
Samba server with log level 3 gave me this:
[2004/03/03 13:11:03, 3] smbd/process.c:process_smb(890)
Transaction 1 of length 168
[2004/03/03 13:11:03, 3] smbd/process.c:switch_message(685)
switch message SMBnegprot (pid 11160)
[2004/03/03 13:11:03, 3] smbd/sec_ctx.c:set_sec_ctx(287)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [MICROSOFT NETWORKS 1.03]
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [MICROSOFT NETWORKS 3.0]
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [LANMAN1.0]
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [LM1.2X002]
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(455)
Requested protocol [Samba]
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_nt1(323)
not using SPNEGO
[2004/03/03 13:11:03, 3] smbd/negprot.c:reply_negprot(532)
Selected protocol NT LANMAN 1.0
[2004/03/03 13:11:06, 3] smbd/process.c:process_smb(890)
Transaction 2 of length 160
[2004/03/03 13:11:06, 3] smbd/process.c:switch_message(685)
switch message SMBsesssetupX (pid 11160)
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:set_sec_ctx(287)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/03 13:11:06, 3] smbd/sesssetup.c:reply_sesssetup_and_X(638)
wct=13 flg2=0xc001
[2004/03/03 13:11:06, 3] smbd/sesssetup.c:reply_sesssetup_and_X(771)
Domain=[ISMA] NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2004/03/03 13:11:06, 3] smbd/sesssetup.c:reply_sesssetup_and_X(787)
sesssetupX:name=[ISMA]\[ZERGIO]@[pdc-srv]
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:push_sec_ctx(255)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/03/03 13:11:06, 3] smbd/uid.c:push_conn_ctx(286)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:set_sec_ctx(287)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:pop_sec_ctx(385)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/03 13:11:06, 3] auth/auth.c:check_ntlm_password(218)
check_ntlm_password: Checking password for unmapped user [ISMA]\[ZERGIO]@[pdc-srv] with the new password interface
[2004/03/03 13:11:06, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: mapped user is: [ISMA-TEST]\[ZERGIO]@[pdc-srv]
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:push_sec_ctx(255)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/03/03 13:11:06, 3] smbd/uid.c:push_conn_ctx(286)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:set_sec_ctx(287)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/03/03 13:11:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
init_sam_from_ldap: Entry found for user: zergio
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:pop_sec_ctx(385)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/03 13:11:06, 3] libsmb/ntlm_check.c:ntlm_password_check(181)
ntlm_password_check: NO NT password stored for user zergio.
[2004/03/03 13:11:06, 3] libsmb/ntlm_check.c:ntlm_password_check(308)
ntlm_password_check: NO LanMan password set for user zergio (and no NT password supplied)
[2004/03/03 13:11:06, 3] auth/auth_winbind.c:check_winbind_security(79)
check_winbind_security: Not using winbind, requested domain [ISMA-TEST] was for this SAM.
[2004/03/03 13:11:06, 2] auth/auth.c:check_ntlm_password(310)
check_ntlm_password: Authentication for user [ZERGIO] -> [ZERGIO] FAILED with error NT_STATUS_WRONG_PASSWORD
[2004/03/03 13:11:06, 3] smbd/error.c:error_packet(114)
error packet at smbd/sesssetup.c(870) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/03/03 13:11:06, 3] smbd/process.c:timeout_processing(1104)
timeout_processing: End of file from client (client has disconnected).
[2004/03/03 13:11:06, 3] smbd/sec_ctx.c:set_sec_ctx(287)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/03/03 13:11:06, 2] smbd/server.c:exit_server(558)
Closing connections
[2004/03/03 13:11:06, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2004/03/03 13:11:06, 3] smbd/server.c:exit_server(601)
Server exit (normal exit)
Strange part is:
ntlm_password_check: NO NT password stored for user zergio.
ntlm_password_check: NO LanMan password set for user zergio
because both of them are set in ldap.
If I add new user with smbldap-useradd.pl script, everything works fine.
I analyzed differences between two records and found what causes the problem.
2. Solution.
Almost all old records have sambaPwdLastSet=0 unless user changed
password after account creation. Value of 0 caused the problem. If I set
it to something else it works.
3. Question.
Is the incident with sambaPwdLastSet=0 by Samba server design? The log
appears to me to be incomprehensive and even confusing.
I hope the information may be useful.
Thank you!
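
A check for the condition described in this post, as an added example that is not part of the original message or of Samba's own tooling: it scans a converted LDIF for sambaSamAccount entries that carry password hashes but have sambaPwdLastSet=0, so they can be found before import. The sample LDIF, its DNs and its hash values are constructed.

```python
import base64

# Constructed sample: a converted LDIF with one stale and one healthy account.
SAMPLE_LDIF = """\
dn: uid=test,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: test
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210
sambaPwdLastSet: 0

dn: uid=newuser,ou=People,dc=example,
 dc=org
objectClass: sambaSamAccount
uid: newuser
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
sambaPwdLastSet: 1078314642
"""

def parse_ldif(text):
    """Yield one dict per entry: lowercased attribute name -> list of values."""
    # RFC 2849: a line starting with a single space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def stale_pwdlastset(text):
    """Return DNs of Samba accounts that carry hashes but have sambaPwdLastSet=0."""
    hits = []
    for e in parse_ldif(text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        has_hash = "sambantpassword" in e or "sambalmpassword" in e
        if "sambasamaccount" in classes and has_hash and e.get("sambapwdlastset") == ["0"]:
            hits.append(e["dn"][0])
    return hits

if __name__ == "__main__":
    for dn in stale_pwdlastset(SAMPLE_LDIF):
        print("sambaPwdLastSet=0 with password hashes present:", dn)
```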