[Samba] Can join domain; can't logon
Nathan Benson
nathan.benson at sourcefire.com
Wed Nov 17 19:46:15 GMT 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
i am having a similar problem when using samba 3.0.7 and LDAP. i get
the same error message, but on random machines at random times.
for instance, my (other) workstation was working just fine. i rebooted
and was unable to log back into the domain (same error you were having).
~ it was working just a few minutes earlier. nothing had changed on the
entry in LDAP at all, but to be sure, i removed the LDAP entry, and
added it back again. i still was unable to log in.
so, i logged in locally as myself, changed my settings from using a
domain to using a workgroup (same name). when i was welcomed to the
workgroup, i went back in and changed it back to domain. i used the
administrator username/password to add the machine back to the domain,
logged out and back into the domain, and it's been fine ever since.
i did have this problem spring up on two more computers today. they
were working fine, then *poof*. everything has been working fine for
over a month, then these things started happening.
so any help you or anyone else reading this may be able to provide would
be greatly appreciated (i know that Daniel Gapinski on this list is
having the same problem as well, but non-LDAP).
regards,
nb
Chris St. Pierre thus spake on 10/05/2004 11:24 AM:
| I had a problem similar to my current one a week or so ago, and I was
| encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did. Now
| that I've completed that nightmare, the problem I initially set out to
| fix is still there, just different. Namely:
|
| I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
| whose only job will be authentication. Our LDAP server is on a
| separate box. I can join the domain just fine, but when I try to
| login via Windows, I get the following error:
|
| "The system cannot log you on to this domain because the system's
| computer account in its primary domain is missing or the password on
| that account is incorrect."
|
| I suspected that neither of these were the case, as I created the
| account with idealx's smbldap-tools. I verified that the account is
| there with ldapsearch. Last time I had this problem, Samba wasn't
| even communicating with LDAP, but this time it is. When I try to
| login, here's what the LDAP logs show:
|
| [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
| base="o=nebrwesleyan.edu,o=isp" scope=2
| filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
| uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
| sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
| displayName sambaHomeDrive sambaHomePath sambaLogonScript
| sambaProfilePath description sambaUserWorkstations sambaSID
| sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
| objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
| sambabadpasswordtime sambapasswordhistory modifyTimestamp
| sambalogonhours modifyTimestamp"
| [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
| base="o=nebrwesleyan.edu,o=isp" scope=2
| filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
| uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
| sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
| displayName sambaHomeDrive sambaHomePath sambaLogonScript
| sambaProfilePath description sambaUserWorkstations sambaSID
| sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
| objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
| sambabadpasswordtime sambapasswordhistory modifyTimestamp
| sambalogonhours modifyTimestamp"
|
| It searches twice for the machine trust account, which I've verified
| exists. The only thing I can think of is that not all of the
| attributes it's asking for exist. (In fact, a lot of them don't.) As
| you can see in the attached nmbd log, though, Samba doesn't show any
| obvious errors. I've also included my smb.conf (with some changes to
| protect my server's innocence). Any ideas are greatly appreciated.
| Thanks.
|
| Chris St. Pierre
| Unix Systems Administrator
| Nebraska Wesleyan University
| 402.465.7549
|
|
| ------------------------------------------------------------------------
|
| [global]
| server string = test
| workgroup = NWU_TEST
| netbios name = TESTERATOR
|
| log level = 1
| encrypt passwords = yes
| max smbd processes = 0
| socket options = TCP_NODELAY
|
| add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
|
| logon script = scripts\logon.bat
| logon path = \\%L\profiles\%U
|
| domain logons = yes
| local master = yes
| preferred master = yes
| wins server = 10.9.1.12
| security = user
|
| passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
| ldap suffix = o=nebrwesleyan,o=edu
| ldap machine suffix = ou=Machines
| ldap user suffix = ou=People
| ldap group suffix = ou=Groups
| ldap filter = (uid=%u)
| ldap admin dn = cn=foo
| ldap ssl = no
|
| idmap uid = 10000-20000
| idmap gid = 10000-20000
|
| [netlogon]
| comment = Network Logon Service
| path = /var/lib/samba/netlogon
| guest ok = yes
| locking = No
|
| [profiles]
| comment = Profile Share
| path = /var/lib/samba/profiles
| read only = No
|
| [tmp]
| comment = temporary files
| path = /tmp
| read only = yes
|
|
| ------------------------------------------------------------------------
|
| [2004/10/05 11:14:43, 5] nmbd/nmbd_packets.c:process_dgram(1194)
| process_dgram: ignoring dgram packet sent to name COMPUTER LABS<1d>
from 10.9.1.10
| [2004/10/05 11:14:43, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
10.9.1.111: found.
| [2004/10/05 11:14:43, 10]
nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
| announce_myself_to_domain_master_browser: t (1096992883) -
last(1096992397) < 900
| [2004/10/05 11:14:43, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
UNICAST_SUBNET: found.
| [2004/10/05 11:14:43, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
UNICAST_SUBNET: found.
| [2004/10/05 11:14:48, 10] lib/util_sock.c:read_udp_socket(230)
| read_udp_socket: lastip 10.9.1.97 lastport 138 read: 290
| [2004/10/05 11:14:48, 5] libsmb/nmblib.c:read_packet(757)
| Received a packet of len 290 from (10.9.1.97) port 138
| [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
| nmbd_subnetdb:namelist_entry_compare()
| -1 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1d>", 84 )
| [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
| nmbd_subnetdb:namelist_entry_compare()
| 0 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1c>", 84 )
| [2004/10/05 11:14:48, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(124)
| find_name_on_subnet: on subnet 10.9.1.111 - found name NWU_TEST<1c>
source=2
| [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:process_dgram(1259)
| process_dgram: datagram from GUINEA-PIG<00> to NWU_TEST<1c> IP
10.9.1.97 for \MAILSLOT\NET\NETLOGON of type 18 len=116
| [2004/10/05 11:14:48, 4] nmbd/nmbd_processlogon.c:process_logon_packet(95)
| process_logon_packet: Logon from 10.9.1.97: code = 0x12
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(315)
| process_logon_packet: SAMLOGON sidsize 24, len = 116
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(322)
| process_logon_packet: len = 116 PTR_DIFF(q, buf) = 108
| [2004/10/05 11:14:48, 3]
nmbd/nmbd_processlogon.c:process_logon_packet(347)
| process_logon_packet: SAMLOGON sidsize 24 ntv 11
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(356)
| process_logon_packet: SAMLOGON user GUINEA-PIG$
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(363)
| process_logon_packet: SAMLOGON request from GUINEA-PIG(10.9.1.97)
for GUINEA-PIG$, returning logon svr \\TESTERATOR domain NWU_TEST code
13 token=ffff
| [2004/10/05 11:14:48, 4] lib/util.c:dump_data(1835)
| [000] 13 00 5C 00 5C 00 54 00 45 00 53 00 54 00 45 00 ..\.\.T.
E.S.T.E.
| [010] 52 00 41 00 54 00 4F 00 52 00 00 00 47 00 55 00 R.A.T.O.
R...G.U.
| [020] 49 00 4E 00 45 00 41 00 2D 00 50 00 49 00 47 00 I.N.E.A.
- -.P.I.G.
| [030] 24 00 00 00 4E 00 57 00 55 00 5F 00 54 00 45 00 $...N.W.
U._.T.E.
| [040] 53 00 54 00 00 00 01 00 00 00 FF FF FF FF S.T..... ......
| [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:send_mailslot(1902)
| send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC468 from
TESTERATOR<00> IP 10.9.1.111 to GUINEA-PIG<00> IP 10.9.1.97
| [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:debug_browse_data(100)
| debug_browse_data():
| 0 char ..\.\.T.E.S.T.E. hex 13 00 5c 00 5c 00 54 00 45 00 53 00 54
00 45 00
| 10 char R.A.T.O.R...G.U. hex 52 00 41 00 54 00 4f 00 52 00 00 00 47
00 55 00
| 20 char I.N.E.A.-.P.I.G. hex 49 00 4e 00 45 00 41 00 2d 00 50 00 49
00 47 00
| 30 char $...N.W.U._.T.E. hex 24 00 00 00 4e 00 57 00 55 00 5f 00 54
00 45 00
| 40 char S.T........... hex 53 00 54 00 00 00 01 00 00 00 ff ff ff ff
| [2004/10/05 11:14:48, 5] libsmb/nmblib.c:send_udp(779)
| Sending a packet of len 252 to (10.9.1.97) on port 138
| [2004/10/05 11:14:48, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
10.9.1.111: found.
| [2004/10/05 11:14:48, 10]
nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
| announce_myself_to_domain_master_browser: t (1096992883) -
last(1096992397) < 900
| [2004/10/05 11:14:48, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
UNICAST_SUBNET: found.
| [2004/10/05 11:14:48, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
UNICAST_SUBNET: found.
| [2004/10/05 11:14:48, 10] lib/util_sock.c:read_udp_socket(230)
| read_udp_socket: lastip 10.9.1.97 lastport 138 read: 290
| [2004/10/05 11:14:48, 5] libsmb/nmblib.c:read_packet(757)
| Received a packet of len 290 from (10.9.1.97) port 138
| [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
| nmbd_subnetdb:namelist_entry_compare()
| 0 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1c>", 84 )
| [2004/10/05 11:14:48, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(124)
| find_name_on_subnet: on subnet 10.9.1.111 - found name NWU_TEST<1c>
source=2
| [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:process_dgram(1259)
| process_dgram: datagram from GUINEA-PIG<00> to NWU_TEST<1c> IP
10.9.1.97 for \MAILSLOT\NET\NETLOGON of type 18 len=116
| [2004/10/05 11:14:48, 4] nmbd/nmbd_processlogon.c:process_logon_packet(95)
| process_logon_packet: Logon from 10.9.1.97: code = 0x12
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(315)
| process_logon_packet: SAMLOGON sidsize 24, len = 116
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(322)
| process_logon_packet: len = 116 PTR_DIFF(q, buf) = 108
| [2004/10/05 11:14:48, 3]
nmbd/nmbd_processlogon.c:process_logon_packet(347)
| process_logon_packet: SAMLOGON sidsize 24 ntv 11
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(356)
| process_logon_packet: SAMLOGON user GUINEA-PIG$
| [2004/10/05 11:14:48, 5]
nmbd/nmbd_processlogon.c:process_logon_packet(363)
| process_logon_packet: SAMLOGON request from GUINEA-PIG(10.9.1.97)
for GUINEA-PIG$, returning logon svr \\TESTERATOR domain NWU_TEST code
13 token=ffff
| [2004/10/05 11:14:48, 4] lib/util.c:dump_data(1835)
| [000] 13 00 5C 00 5C 00 54 00 45 00 53 00 54 00 45 00 ..\.\.T.
E.S.T.E.
| [010] 52 00 41 00 54 00 4F 00 52 00 00 00 47 00 55 00 R.A.T.O.
R...G.U.
| [020] 49 00 4E 00 45 00 41 00 2D 00 50 00 49 00 47 00 I.N.E.A.
- -.P.I.G.
| [030] 24 00 00 00 4E 00 57 00 55 00 5F 00 54 00 45 00 $...N.W.
U._.T.E.
| [040] 53 00 54 00 00 00 01 00 00 00 FF FF FF FF S.T..... ......
| [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:send_mailslot(1902)
| send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC468 from
TESTERATOR<00> IP 10.9.1.111 to GUINEA-PIG<00> IP 10.9.1.97
| [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:debug_browse_data(100)
| debug_browse_data():
| 0 char ..\.\.T.E.S.T.E. hex 13 00 5c 00 5c 00 54 00 45 00 53 00 54
00 45 00
| 10 char R.A.T.O.R...G.U. hex 52 00 41 00 54 00 4f 00 52 00 00 00 47
00 55 00
| 20 char I.N.E.A.-.P.I.G. hex 49 00 4e 00 45 00 41 00 2d 00 50 00 49
00 47 00
| 30 char $...N.W.U._.T.E. hex 24 00 00 00 4e 00 57 00 55 00 5f 00 54
00 45 00
| 40 char S.T........... hex 53 00 54 00 00 00 01 00 00 00 ff ff ff ff
| [2004/10/05 11:14:48, 5] libsmb/nmblib.c:send_udp(779)
| Sending a packet of len 252 to (10.9.1.97) on port 138
| [2004/10/05 11:14:48, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
10.9.1.111: found.
| [2004/10/05 11:14:48, 10]
nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
| announce_myself_to_domain_master_browser: t (1096992888) -
last(1096992397) < 900
| [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(271)
| dump_workgroups()
| dump workgroup on subnet 10.9.1.111: netmask= 255.255.0.0:
| COMPSERV(4) current master browser = SPOOLWATCH
| WORKGROUP(3) current master browser = EDUCATION
| NWU_EXODUS(2) current master browser = BELL
| NWU_TEST(1) current master browser = TESTERATOR
| TESTERATOR 400c9b0b (test)
| GUINEA-PIG 40011003 ()
| [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(271)
| dump_workgroups()
| dump workgroup on subnet UNICAST_SUBNET: netmask= 0.0.0.0:
| NWU_TEST(1) current master browser = UNKNOWN
| TESTERATOR 40099b0b (test)
| [2004/10/05 11:14:48, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
UNICAST_SUBNET: found.
| [2004/10/05 11:14:48, 4]
nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
| find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
UNICAST_SUBNET: found.
|
- --
Nathan Benson
http://sourcefire.com/
1C1A F2C1 82AD F75F 9B6B E501 0D73 DC9B E96B DD96
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFBm6qGDXPcm+lr3ZYRApj4AJ4sH9LtottlDrCT9KY+o4P/8xSciACeKh9v
1x4FSAz9woX7Jcfz87JOMVc=
=sJny
-----END PGP SIGNATURE-----
More information about the samba
mailing list