[Samba] W2k joining a domain controlled by samba 3.0.2a (PDC)

Rafal Pietrak rafal at zorro.isa-geek.com
Tue May 11 09:10:23 GMT 2004


Hi all,

I've just set up a samba(PDC)+ldap-(no)winbind and it works OK for W98
client, but W2K client isn't able to join the domain.

my checklist:
1. ldap works:
example$ ldapsearch -LL -x -b 'ou=KAROWA' -s sub
'(&(objectclass=*)(uid=lenec))'
**ldap*> dn: uid=lenec,ou=People,ou=KAROWA
**ldap*> uid: lenec
**ldap*> objectClass: sambaSamAccount
**ldap*> objectClass: posixAccount
**ldap*> objectClass: account
**ldap*> sambaAcctFlags: [U          ]
**ldap*> sambaSID: S-1-5-21-3658755377-320826499-3197562212-1081
**ldap*> sambaPrimaryGroupSID: S-1-5-21-3658755377-320826499-3197562212-512
2. libnss-ldap works:
example$ getent passwd ; getent group
**pass*> lenec:x:1081:513:User Lenec:/home/lenec:/bin/false
**pass*> MORIA$:x:121:65534:Komputer MORIA:/root:/bin/false
**group*> domainadmins:x:512:lenec
**group*> domainguests:x:514:501
**group*> domainusers:x:513:
3. pam-ldap works: user 'lenec' can access samba shares AND can change his
password from a W98 client machine while logged-in to 'domain' (a
three-field login window when logging into W98).

Now, when I test this with W2K: selecting "My_Comp->
(right-click)Propert-> Network_ident-> (second-button-from-top)Properties
->(lower-box/I-select)Domain=WORKGROUP"; I'm asked then for a domain
administrator login and password. So, the questions are:
(I) Who is this? Where in SAMBA configuration do I tell samba that THIS is
the domain administrator (capable of doing the above)? (In my 'best guess', I
have made user lenec a member of "domainadmins" with rid=512, but maybe
it has nothing to do with admin privileges?).
(II) Then, in samba logfiles (at the end of the e-mail - excerpts, the
whole thing is 1MB) I can see that samba at certain points fails to
accept 'somebody's' credentials. I cannot figure out whose credentials they
are, and how to change it :(.

But, I also tried to add the workstation account directly at samba BEFORE
I try to execute the above at the workstation itself. The result is:
example$ getent passwd WYDAWNIC-LDC0LG\$
**pass*> WYDAWNIC-LDC0LG$:x:60000:65534:Komputer \
WYDAWNIC-LDC0LG:/home/hosts:
to no avail - the W2K still gets declined by samba.

Any clue what's wrong here?

Thenx,

-R

---------------excerpts from /var/log/samba/log.wydaw* ---------------
[2004/05/10 22:35:43, 10] lib/username.c:user_in_list(521)
  user_in_list: checking user lenec in list
[2004/05/10 22:35:43, 10] lib/username.c:user_in_list(525)
  user_in_list: checking user |lenec| against |root|
[2004/05/10 22:35:43, 4] rpc_server/srv_srvsvc_nt.c:get_share_security(217)
  get_share_security: using default secdesc for IPC$
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_map_generic(176)
  se_map_generic(): mapped mask 0x10000000 to 0x001f01ff
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000001, for NT token with 6
entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(251)
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
101f01ff, current desired = 1
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(309)
  se_access_check: access (1) granted.
[2004/05/10 22:35:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (1081, 513) - sec_ctx_stack_ndx = 0
[2004/05/10 22:35:43, 5] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-3658755377-320826499-3197562212-1081
  contains 6 SIDs
  SID[  0]: S-1-5-21-3658755377-320826499-3197562212-1081
  SID[  1]: S-1-5-21-3658755377-320826499-3197562212-512
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-3658755377-320826499-3197562212-513
[2004/05/10 22:35:43, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 1081
  Primary group is 513 and contains 3 supplementary groups
  Group[  0]: 513
  Group[  1]: 513
  Group[  2]: 512
[2004/05/10 22:35:43, 5] smbd/uid.c:change_to_user(203)
  change_to_user uid=(1081,1081) gid=(0,513)
[2004/05/10 22:35:43, 3] smbd/service.c:make_connection_snum(705)
  wydawnic-ldc0lg (192.168.239.129) connect to service IPC$ initially as
user lenec (uid=1081, gid=513) (pid 27658)
===========
[2004/05/10 22:35:43, 5] rpc_server/srv_samr_nt.c:_samr_connect4(2396)
  _samr_connect4: 2396
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000030, for NT token with 6
entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(251)
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
20031, current desired = 30
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(309)
  se_access_check: access (30) granted.
[2004/05/10 22:35:43, 10] rpc_server/srv_samr_nt.c:get_samr_info_by_sid(144)
  get_samr_info_by_sid: created new info for sid (NULL)
[2004/05/10 22:35:43, 10] rpc_server/srv_samr_nt.c:get_samr_info_by_sid(148)
  get_samr_info_by_sid: created new info for NULL sid.
==============
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000211, for NT token with 6
entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(251)
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask =
f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask =
f07ff, current desired = 10
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (211) denied.
[2004/05/10 22:35:43, 2]
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
=============
[2004/05/10 22:35:43, 4] rpc_server/srv_pipe.c:api_rpcTNP(1502)
  api_rpcTNP: samr op 0x5 - created /tmp/in_samr_5.2.prs
[2004/05/10 22:35:43, 3] rpc_server/srv_pipe.c:api_rpcTNP(1509)
  api_rpcTNP: rpc command: SAMR_LOOKUP_DOMAIN
[2004/05/10 22:35:43, 6] rpc_server/srv_pipe.c:api_rpcTNP(1528)
  api_rpc_cmds[41].fn == 0x812e500
.............
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:dbg_rw_punival(807)
          0028 buffer     : W.O.R.K.G.R.O.U.P.
[2004/05/10 22:35:43, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 04 00 00 00  00 00 00 00 9F E7 9F
40  ........ .......@
  [010] 0A 6C 00 00                                       .l..
[2004/05/10 22:35:43, 5]
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_lookup_domain: access check ((granted: 0x00000030;  required:
0x00000010)
[2004/05/10 22:35:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain WORKGROUP ->
S-1-5-21-3658755377-320826499-3197562212
[2004/05/10 22:35:43, 5]
rpc_parse/parse_samr.c:init_samr_r_lookup_domain(138)
  init_samr_r_lookup_domain
......................
[2004/05/10 22:35:43, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 04 00 00 00  00 00 00 00 9F E7 9F
40  ........ .......@
  [010] 0A 6C 00 00                                       .l..
[2004/05/10 22:35:43, 5]
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_open_domain: access check ((granted: 0x00000030;  required:
0x00000020)
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000201, for NT token with 6
entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(251)
[2004/05/10 22:35:43, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
20385, current desired = 201
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(309)
  se_access_check: access (201) granted.
[2004/05/10 22:35:43, 10] rpc_server/srv_samr_nt.c:get_samr_info_by_sid(144)
  get_samr_info_by_sid: created new info for sid
S-1-5-21-3658755377-320826499-3197562212
[2004/05/10 22:35:43, 4] rpc_server/srv_lsa_hnd.c:create_policy_hnd(142)
  Opened policy hnd[3] [000] 00 00 00 00 05 00 00 00  00 00 00 00 9F E7 9F
40  ........ .......@
  [010] 0A 6C 00 00                                       .l..
[2004/05/10 22:35:43, 5] rpc_server/srv_samr_nt.c:_samr_open_domain(405)
  samr_open_domain: 405
==================================
[2004/05/10 22:35:43, 4] rpc_server/srv_pipe.c:api_rpcTNP(1502)
  api_rpcTNP: samr op 0x32 - created /tmp/in_samr_50.1.prs
[2004/05/10 22:35:43, 3] rpc_server/srv_pipe.c:api_rpcTNP(1509)
  api_rpcTNP: rpc command: SAMR_CREATE_USER
..................
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0024 uni_str_len: 00000010
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:dbg_rw_punival(807)
          0028 buffer     : W.Y.D.A.W.N.I.C.-.L.D.C.0.L.G.$.
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0048 acb_info   : 00000080
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      004c access_mask: e00500b0
[2004/05/10 22:35:43, 4]
rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0] [000] 00 00 00 00 05 00 00 00  00 00 00 00 9F E7 9F
40  ........ .......@
  [010] 0A 6C 00 00                                       .l..
[2004/05/10 22:35:43, 5]
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
  _samr_create_user: access check ((granted: 0x00000201;  required:
0x00000010)
[2004/05/10 22:35:43, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required:
0x00000010)
[2004/05/10 22:35:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_create_user
==================================
[2004/05/10 22:35:43, 5] rpc_server/srv_pipe.c:api_pipe_request(1468)
  Requested \PIPE\lsarpc
[2004/05/10 22:35:43, 4] rpc_server/srv_pipe.c:api_rpcTNP(1502)
  api_rpcTNP: lsarpc op 0x0 - created /tmp/in_lsarpc_0.1.prs
[2004/05/10 22:35:43, 3] rpc_server/srv_pipe.c:api_rpcTNP(1509)
  api_rpcTNP: rpc command: LSA_CLOSE
..................
[2004/05/10 22:35:43, 5] rpc_server/srv_pipe.c:api_rpcTNP(1549)
  api_rpcTNP: called lsarpc successfully
...................
[2004/05/10 22:35:43, 0] smbd/process.c:smb_dump(640)
  created /tmp/SMBtrans.19.resp len 108
[2004/05/10 22:35:43, 10]
lib/util_sock.c:read_smb_length_return_keepalive(463)
  got smb length of 41
....................
[2004/05/10 22:35:43, 3] smbd/process.c:switch_message(685)
  switch message SMBclose (pid 27658)
[2004/05/10 22:35:43, 0] smbd/process.c:smb_dump(640)
  created /tmp/SMBclose.3.req len 45
[2004/05/10 22:35:43, 4] smbd/uid.c:change_to_user(122)
  change_to_user: Skipping user change - already user
.......................
[2004/05/10 22:35:43, 4] rpc_server/srv_pipe_hnd.c:close_rpc_pipe_hnd(1083)
  closed pipe name lsarpc pnum=7395 (pipes_open=0)
[2004/05/10 22:35:43, 0] smbd/process.c:smb_dump(640)
  created /tmp/SMBclose.3.resp len 39
........................
[2004/05/10 22:35:43, 0] smbd/process.c:smb_dump(640)
  created /tmp/SMBtdis.1.req len 39
[2004/05/10 22:35:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/10 22:35:43, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/05/10 22:35:43, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/05/10 22:35:43, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/05/10 22:35:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/10 22:35:43, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/05/10 22:35:43, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/05/10 22:35:43, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/05/10 22:35:43, 3] smbd/service.c:close_cnum(887)
  wydawnic-ldc0lg (192.168.239.129) closed connection to service IPC$
[2004/05/10 22:35:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2004/05/10 22:35:43, 4] smbd/vfs.c:vfs_ChDir(654)
  vfs_ChDir to /
===============================
[2004/05/10 22:35:43, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)
[2004/05/10 22:35:44, 6] param/loadparm.c:lp_file_list_changed(2661)
  lp_file_list_changed()
  file /etc/samba/passdb-ldapsam.conf -> /etc/samba/passdb-ldapsam.conf 
last mod_time: Sun May  9 11:48:00 2004

  file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Mon May
10 11:22:40 2004

[2004/05/10 22:35:44, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user [WORKGROUP]\[lenec] from workstation
[WYDAWNIC-LDC0LG]
[2004/05/10 22:35:44, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/05/10 22:35:44, 3] smbd/uid.c:push_conn_ctx(287)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/05/10 22:35:44, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/05/10 22:35:44, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2004/05/10 22:35:44, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2004/05/10 22:35:44, 5]
passdb/secrets.c:secrets_fetch_trusted_domain_password(299)
  secrets_fetch failed!
[2004/05/10 22:35:44, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/05/10 22:35:44, 10] lib/gencache.c:gencache_get(286)
  Cache entry with key = TDOM/WORKGROUP couldn't be found
[2004/05/10 22:35:44, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain WORKGROUP found.
[2004/05/10 22:35:44, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for lenec (lenec)
[2004/05/10 22:35:44, 5] auth/auth_util.c:make_user_info(142)
  making strings for lenec's user_info struct
[2004/05/10 22:35:44, 5] auth/auth_util.c:make_user_info(184)
  making blobs for lenec's user_info struct
[2004/05/10 22:35:44, 10] auth/auth_util.c:make_user_info(193)
  made an encrypted user_info for lenec (lenec)
[2004/05/10 22:35:44, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[WORKGROUP]\[lenec]@[WYDAWNIC-LDC0LG] with the new password interface
[2004/05/10 22:35:44, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is:
[WORKGROUP]\[lenec]@[WYDAWNIC-LDC0LG]
[2004/05/10 22:35:44, 10] auth/auth.c:check_ntlm_password(231)
  check_ntlm_password: auth_context challenge created by random
[2004/05/10 22:35:44, 10] auth/auth.c:check_ntlm_password(233)
  challenge is:
[2004/05/10 22:35:44, 5] lib/util.c:dump_data(1830)
  [000] F7 55 7D 39 6C DC FB 78                           .U}9l..x
[2004/05/10 22:35:44, 10] auth/auth.c:check_ntlm_password(259)
  check_ntlm_password: guest had nothing to say
[2004/05/10 22:35:44, 8] lib/util.c:is_myname(1678)
  is_myname("WORKGROUP") returns 0

....etc. looks like it tries again....
[2004/05/10 22:35:44, 10] auth/auth_util.c:debug_nt_user_token(491)
  NT user token of user S-1-5-21-3658755377-320826499-3197562212-1081
  contains 6 SIDs
  SID[  0]: S-1-5-21-3658755377-320826499-3197562212-1081
  SID[  1]: S-1-5-21-3658755377-320826499-3197562212-512
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-5-21-3658755377-320826499-3197562212-513
[2004/05/10 22:35:44, 5] auth/auth_util.c:make_server_info_sam(841)
  make_server_info_sam: made server info for user lenec -> lenec
[2004/05/10 22:35:44, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: sam authentication for user [lenec] succeeded
=======================================================================
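Added illustration (not part of Rafal's message, and not Samba code): a small Python script that re-reads `se_access_check` traces like the ones above and replays the allow-ACE walk they show. For each check it records the caller's token SIDs, the ACEs with their masks, and the "current desired" value the log prints before each ACE is examined; it then recomputes the remaining access bits, confirms that the replay agrees with the logged values and verdict, and lists the ACE SIDs that are absent from the token but whose mask would have covered the remaining bits. The sample log is a constructed, trimmed copy of the `_samr_open_domain` (denied, 0x211) and the later granted (0x201) checks from the excerpt. The names for the well-known SIDs (Everyone, Authenticated Users, BUILTIN\Administrators, BUILTIN\Account Operators, Domain Admins/Users) are the standard Windows ones; the replay models only the allow-ACE subtraction visible in the trace, which is an assumption that the script verifies against the logged values rather than a description of Samba's full algorithm.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of two se_access_check traces from the
# mail (one denied at _samr_open_domain, one granted), wrapped as the mail was.
SAMPLE_LOG = """\
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000211, for NT token with 6
entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-512
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-11
  se_access_check: also S-1-5-21-3658755377-320826499-3197562212-513
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
20385, current desired = 211
  se_access_check: ACE 1: type 0, flags = 0x00, SID = S-1-5-32-544 mask =
f07ff, current desired = 10
  se_access_check: ACE 2: type 0, flags = 0x00, SID = S-1-5-32-548 mask =
f07ff, current desired = 10
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(315)
  se_access_check: access (211) denied.
[2004/05/10 22:35:43, 10] lib/util_seaccess.c:se_access_check(234)
  se_access_check: requested access 0x00000201, for NT token with 6
entries and first sid S-1-5-21-3658755377-320826499-3197562212-1081.
  se_access_check: user sid is S-1-5-21-3658755377-320826499-3197562212-1081
  se_access_check: also S-1-1-0
  se_access_check: ACE 0: type 0, flags = 0x00, SID = S-1-1-0 mask =
20385, current desired = 201
[2004/05/10 22:35:43, 5] lib/util_seaccess.c:se_access_check(309)
  se_access_check: access (201) granted.
"""

# Standard Windows well-known SIDs and domain RIDs, used only for labelling.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
              "S-1-5-11": "Authenticated Users",
              "S-1-5-32-544": "BUILTIN\\Administrators",
              "S-1-5-32-548": "BUILTIN\\Account Operators"}
DOMAIN_RIDS = {"512": "Domain Admins", "513": "Domain Users", "514": "Domain Guests"}
ACCESS_ALLOWED = 0  # ACE type 0 in the trace

REQ_RE = re.compile(r"requested access 0x([0-9a-f]+)")
TOKEN_RE = re.compile(r"se_access_check: (?:user sid is|also) (S-[\d-]+)")
ACE_RE = re.compile(r"ACE (\d+): type (\d+), flags = 0x[0-9a-f]+, SID = (S-[\d-]+) "
                    r"mask = ([0-9a-f]+), current desired = ([0-9a-f]+)")
RESULT_RE = re.compile(r"access \(([0-9a-f]+)\) (granted|denied)")


def label(sid: str) -> str:
    """Human-readable name for a SID where one is well known."""
    return WELL_KNOWN.get(sid) or DOMAIN_RIDS.get(sid.rsplit("-", 1)[-1], sid)


@dataclass
class AccessCheck:
    requested: int
    token: List[str] = field(default_factory=list)
    # (ace_type, sid, mask, desired-as-logged-before-this-ACE)
    aces: List[Tuple[int, str, int, int]] = field(default_factory=list)
    granted: Optional[bool] = None  # None if the verdict line was not seen


def unwrap(text: str) -> List[str]:
    """Re-join records that the mail client wrapped: a physical line that does
    not start with '[' (record header) or two spaces (message) continues the
    previous record."""
    out: List[str] = []
    for line in text.splitlines():
        if line.startswith("[") or line.startswith("  ") or not out:
            out.append(line)
        else:
            out[-1] += " " + line.strip()
    return out


def parse_checks(text: str) -> List[AccessCheck]:
    """Collect every se_access_check trace in the log into an AccessCheck."""
    checks: List[AccessCheck] = []
    cur: Optional[AccessCheck] = None
    for line in unwrap(text):
        m = REQ_RE.search(line)
        if m:
            cur = AccessCheck(requested=int(m.group(1), 16))
            checks.append(cur)
            continue
        if cur is None:
            continue
        if (m := TOKEN_RE.search(line)):
            cur.token.append(m.group(1))
        elif (m := ACE_RE.search(line)):
            cur.aces.append((int(m.group(2)), m.group(3), int(m.group(4), 16), int(m.group(5), 16)))
        elif (m := RESULT_RE.search(line)):
            cur.granted = m.group(2) == "granted"
            cur = None
    return checks


def replay(check: AccessCheck) -> Tuple[List[int], int]:
    """Replay the allow-ACE walk seen in the trace: each allow ACE whose SID is
    in the token clears its mask bits from the still-wanted access. Returns
    (trace, remaining); trace[i] is the access still wanted just before ACE i,
    which is what the log prints as 'current desired'."""
    desired, trace = check.requested, []
    for ace_type, sid, mask, _logged in check.aces:
        trace.append(desired)
        if ace_type == ACCESS_ALLOWED and sid in check.token:
            desired &= ~mask
    return trace, desired


def diagnose(check: AccessCheck) -> dict:
    """Compare the replay with the log and name the SIDs that would have
    covered the bits still missing when the check was denied."""
    trace, remaining = replay(check)
    logged = [ace[3] for ace in check.aces]
    matches = trace == logged and (check.granted is None or check.granted == (remaining == 0))
    covering = [sid for t, sid, mask, _ in check.aces
                if t == ACCESS_ALLOWED and sid not in check.token and (remaining & mask) == remaining]
    return {"requested": check.requested, "remaining": remaining,
            "granted_by_replay": remaining == 0, "matches_log": matches,
            "sids_that_would_cover": covering,
            "token_labels": [label(s) for s in check.token]}


if __name__ == "__main__":
    for i, chk in enumerate(parse_checks(SAMPLE_LOG)):
        d = diagnose(chk)
        print(f"check {i}: requested 0x{d['requested']:x}, remaining 0x{d['remaining']:x}, "
              f"replay agrees with log: {d['matches_log']}")
        for sid in d["sids_that_would_cover"]:
            print(f"  not in token but would cover the remaining bits: {sid} ({label(sid)})")
```

Run against the full level-10 log (`python3 script.py` after replacing `SAMPLE_LOG` with the file contents) it walks every access check in the capture; for the denied `_samr_open_domain` check it reports that 0x10 of the requested 0x211 is left over after the Everyone ACE, and that the only ACEs whose mask covers that bit belong to SIDs the caller's token does not hold.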


