[Samba] Re: Can join domain; can't logon

Igor Belyi sambauser at katehok.ac93.org
Tue Oct 5 17:21:43 GMT 2004


Chris St. Pierre wrote:
> I had a problem similar to my current one a week or so ago, and I was
> encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did.  Now
> that I've completed that nightmare, the problem I initially set out to
> fix is still there, just different.  Namely:
> 
> I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
> whose only job will be authentication.  Our LDAP server is on a
> separate box.  I can join the domain just fine, but when I try to
> login via Windows, I get the following error:
> 
> "The system cannot log you on to this domain because the system's
> computer account in its primary domain is missing or the password on
> that account is incorrect."
> 
> I suspected that neither of these were the case, as I created the
> account with idealx's smbldap-tools.  I verified that the account is
> there with ldapsearch.  Last time I had this problem, Samba wasn't
> even communicating with LDAP, but this time it is.  When I try to
> login, here's what the LDAP logs show:

smbldap-tools creates posixAccounts in case you use NSS LDAP support. You 
should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - 
you probably use passwd or shadow, in which case you need to use adduser 
to do the job.

Besides the posixAccount you should also have a Samba account. You 
should look at what the responses to the LDAP requests were by looking at 
the SEARCH RESULT lines with the same 'conn=' and 'op='. I would guess that 
the response was 'nentries=0'. And it has nothing to do with some optional 
attributes being empty - just with the fact that there's no such entry 
with 'objectClass=sambaSamAccount'.

It can also be a problem with nscd if you have one. Your LDAP requests are 
at 10:03 and your nmbd log extract is for 11:14, which means the LDAP 
requests were done long before the Samba requests, unless there's a timezone 
issue between the machines or their clocks are really screwed up.

I would also recommend posting the smbd log instead of nmbd, since it's 
smbd which interacts with LDAP.

Igor

> [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
> base="o=nebrwesleyan.edu,o=isp" scope=2
> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
> sambabadpasswordtime sambapasswordhistory modifyTimestamp
> sambalogonhours modifyTimestamp"
> [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
> base="o=nebrwesleyan.edu,o=isp" scope=2
> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
> sambabadpasswordtime sambapasswordhistory modifyTimestamp
> sambalogonhours modifyTimestamp"
> 
> It searches twice for the machine trust account, which I've verified
> exists.  The only thing I can think of is that not all of the
> attributes it's asking for exist.  (In fact, a lot of them don't.)  As
> you can see in the attached nmbd log, though, Samba doesn't show any
> obvious errors.  I've also included my smb.conf (with some changes to
> protect my server's innocence).  Any ideas are greatly appreciated.
> Thanks.
> 
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> 402.465.7549
> 
> 
> ------------------------------------------------------------------------
> 
> [global]	
> server string = test
> workgroup = NWU_TEST
> netbios name = TESTERATOR
> 
> log level = 1
> encrypt passwords = yes
> max smbd processes = 0
> socket options = TCP_NODELAY
> 
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
> 
> logon script = scripts\logon.bat	
> logon path = \\%L\profiles\%U	
> 
> domain logons = yes
> local master = yes
> preferred master = yes
> wins server = 10.9.1.12
> security = user
> 
> passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
> ldap suffix = o=nebrwesleyan,o=edu
> ldap machine suffix = ou=Machines
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap filter = (uid=%u)
> ldap admin dn = cn=foo
> ldap ssl = no
> 
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> 
> [netlogon]
> comment = Network Logon Service	
> path = /var/lib/samba/netlogon	
> guest ok = yes	
> locking = No	
> 
> [profiles]	
> comment = Profile Share	
> path = /var/lib/samba/profiles	
> read only = No	
> 
> [tmp]
> comment = temporary files
> path = /tmp
> read only = yes
> 
> 
> ------------------------------------------------------------------------
> 
> [2004/10/05 11:14:43, 5] nmbd/nmbd_packets.c:process_dgram(1194)
>   process_dgram: ignoring dgram packet sent to name COMPUTER LABS<1d> from 10.9.1.10
> [2004/10/05 11:14:43, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet 10.9.1.111: found.
> [2004/10/05 11:14:43, 10] nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
>   announce_myself_to_domain_master_browser: t (1096992883) - last(1096992397) < 900
> [2004/10/05 11:14:43, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet UNICAST_SUBNET: found.
> [2004/10/05 11:14:43, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet UNICAST_SUBNET: found.
> [2004/10/05 11:14:48, 10] lib/util_sock.c:read_udp_socket(230)
>   read_udp_socket: lastip 10.9.1.97 lastport 138 read: 290
> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:read_packet(757)
>   Received a packet of len 290 from (10.9.1.97) port 138
> [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
> nmbd_subnetdb:namelist_entry_compare()
> -1 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1d>", 84 )
> [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
> nmbd_subnetdb:namelist_entry_compare()
> 0 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1c>", 84 )
> [2004/10/05 11:14:48, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(124)
>   find_name_on_subnet: on subnet 10.9.1.111 - found name NWU_TEST<1c> source=2
> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:process_dgram(1259)
>   process_dgram: datagram from GUINEA-PIG<00> to NWU_TEST<1c> IP 10.9.1.97 for \MAILSLOT\NET\NETLOGON of type 18 len=116
> [2004/10/05 11:14:48, 4] nmbd/nmbd_processlogon.c:process_logon_packet(95)
>   process_logon_packet: Logon from 10.9.1.97: code = 0x12
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(315)
>   process_logon_packet: SAMLOGON sidsize 24, len = 116
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(322)
>   process_logon_packet: len = 116 PTR_DIFF(q, buf) = 108
> [2004/10/05 11:14:48, 3] nmbd/nmbd_processlogon.c:process_logon_packet(347)
>   process_logon_packet: SAMLOGON sidsize 24 ntv 11
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(356)
>   process_logon_packet: SAMLOGON user GUINEA-PIG$
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(363)
>   process_logon_packet: SAMLOGON request from GUINEA-PIG(10.9.1.97) for GUINEA-PIG$, returning logon svr \\TESTERATOR domain NWU_TEST code 13 token=ffff
> [2004/10/05 11:14:48, 4] lib/util.c:dump_data(1835)
>   [000] 13 00 5C 00 5C 00 54 00  45 00 53 00 54 00 45 00  ..\.\.T. E.S.T.E.
>   [010] 52 00 41 00 54 00 4F 00  52 00 00 00 47 00 55 00  R.A.T.O. R...G.U.
>   [020] 49 00 4E 00 45 00 41 00  2D 00 50 00 49 00 47 00  I.N.E.A. -.P.I.G.
>   [030] 24 00 00 00 4E 00 57 00  55 00 5F 00 54 00 45 00  $...N.W. U._.T.E.
>   [040] 53 00 54 00 00 00 01 00  00 00 FF FF FF FF        S.T..... ......
> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:send_mailslot(1902)
>   send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC468 from TESTERATOR<00> IP 10.9.1.111 to GUINEA-PIG<00> IP 10.9.1.97
> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:debug_browse_data(100)
>   debug_browse_data():
>     0 char ..\.\.T.E.S.T.E. hex 13 00 5c 00 5c 00 54 00 45 00 53 00 54 00 45 00
>    10 char R.A.T.O.R...G.U. hex 52 00 41 00 54 00 4f 00 52 00 00 00 47 00 55 00
>    20 char I.N.E.A.-.P.I.G. hex 49 00 4e 00 45 00 41 00 2d 00 50 00 49 00 47 00
>    30 char $...N.W.U._.T.E. hex 24 00 00 00 4e 00 57 00 55 00 5f 00 54 00 45 00
>    40 char S.T...........   hex 53 00 54 00 00 00 01 00 00 00 ff ff ff ff
> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:send_udp(779)
>   Sending a packet of len 252 to (10.9.1.97) on port 138
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet 10.9.1.111: found.
> [2004/10/05 11:14:48, 10] nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
>   announce_myself_to_domain_master_browser: t (1096992883) - last(1096992397) < 900
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet UNICAST_SUBNET: found.
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet UNICAST_SUBNET: found.
> [2004/10/05 11:14:48, 10] lib/util_sock.c:read_udp_socket(230)
>   read_udp_socket: lastip 10.9.1.97 lastport 138 read: 290
> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:read_packet(757)
>   Received a packet of len 290 from (10.9.1.97) port 138
> [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
> nmbd_subnetdb:namelist_entry_compare()
> 0 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1c>", 84 )
> [2004/10/05 11:14:48, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(124)
>   find_name_on_subnet: on subnet 10.9.1.111 - found name NWU_TEST<1c> source=2
> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:process_dgram(1259)
>   process_dgram: datagram from GUINEA-PIG<00> to NWU_TEST<1c> IP 10.9.1.97 for \MAILSLOT\NET\NETLOGON of type 18 len=116
> [2004/10/05 11:14:48, 4] nmbd/nmbd_processlogon.c:process_logon_packet(95)
>   process_logon_packet: Logon from 10.9.1.97: code = 0x12
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(315)
>   process_logon_packet: SAMLOGON sidsize 24, len = 116
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(322)
>   process_logon_packet: len = 116 PTR_DIFF(q, buf) = 108
> [2004/10/05 11:14:48, 3] nmbd/nmbd_processlogon.c:process_logon_packet(347)
>   process_logon_packet: SAMLOGON sidsize 24 ntv 11
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(356)
>   process_logon_packet: SAMLOGON user GUINEA-PIG$
> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(363)
>   process_logon_packet: SAMLOGON request from GUINEA-PIG(10.9.1.97) for GUINEA-PIG$, returning logon svr \\TESTERATOR domain NWU_TEST code 13 token=ffff
> [2004/10/05 11:14:48, 4] lib/util.c:dump_data(1835)
>   [000] 13 00 5C 00 5C 00 54 00  45 00 53 00 54 00 45 00  ..\.\.T. E.S.T.E.
>   [010] 52 00 41 00 54 00 4F 00  52 00 00 00 47 00 55 00  R.A.T.O. R...G.U.
>   [020] 49 00 4E 00 45 00 41 00  2D 00 50 00 49 00 47 00  I.N.E.A. -.P.I.G.
>   [030] 24 00 00 00 4E 00 57 00  55 00 5F 00 54 00 45 00  $...N.W. U._.T.E.
>   [040] 53 00 54 00 00 00 01 00  00 00 FF FF FF FF        S.T..... ......
> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:send_mailslot(1902)
>   send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC468 from TESTERATOR<00> IP 10.9.1.111 to GUINEA-PIG<00> IP 10.9.1.97
> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:debug_browse_data(100)
>   debug_browse_data():
>     0 char ..\.\.T.E.S.T.E. hex 13 00 5c 00 5c 00 54 00 45 00 53 00 54 00 45 00
>    10 char R.A.T.O.R...G.U. hex 52 00 41 00 54 00 4f 00 52 00 00 00 47 00 55 00
>    20 char I.N.E.A.-.P.I.G. hex 49 00 4e 00 45 00 41 00 2d 00 50 00 49 00 47 00
>    30 char $...N.W.U._.T.E. hex 24 00 00 00 4e 00 57 00 55 00 5f 00 54 00 45 00
>    40 char S.T...........   hex 53 00 54 00 00 00 01 00 00 00 ff ff ff ff
> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:send_udp(779)
>   Sending a packet of len 252 to (10.9.1.97) on port 138
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet 10.9.1.111: found.
> [2004/10/05 11:14:48, 10] nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
>   announce_myself_to_domain_master_browser: t (1096992888) - last(1096992397) < 900
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(271)
>   dump_workgroups()
>    dump workgroup on subnet      10.9.1.111: netmask=    255.255.0.0:
>   	COMPSERV(4) current master browser = SPOOLWATCH
>   	WORKGROUP(3) current master browser = EDUCATION
>   	NWU_EXODUS(2) current master browser = BELL
>   	NWU_TEST(1) current master browser = TESTERATOR
>   		TESTERATOR 400c9b0b (test)
>   		GUINEA-PIG 40011003 ()
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(271)
>   dump_workgroups()
>    dump workgroup on subnet  UNICAST_SUBNET: netmask=        0.0.0.0:
>   	NWU_TEST(1) current master browser = UNKNOWN
>   		TESTERATOR 40099b0b (test)
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet UNICAST_SUBNET: found.
> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>   find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet UNICAST_SUBNET: found.
> 
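
The check suggested in the reply (match each SRCH to the result line with the same 'conn=' and 'op=' and read its 'nentries='), plus the timestamp comparison, as an added example that is not part of the original post. The log lines are constructed, the RESULT line shape is an assumption about this directory server's access log, and the time gap assumes both hosts log in the same local zone.

```python
import re
from datetime import datetime

# Constructed sample modeled on the access log quoted in the post; the RESULT
# lines and the op=9 search are invented for illustration.
SAMPLE = """\
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[05/Oct/2004:10:03:52 -0500] conn=53576 op=9 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=GUINEA-PIG$)(objectClass=posixAccount))" attrs="uid"
[05/Oct/2004:10:03:52 -0500] conn=53576 op=9 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
# Assumption: result lines carry the word RESULT (or SEARCH RESULT) and nentries=N.
RESULT = re.compile(r'\bRESULT\b.*\bnentries=(\d+)')

def pair_searches(log_text):
    """One record per SRCH, with nentries taken from the result sharing conn/op."""
    searches = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, rest = (m["conn"], m["op"]), m["rest"]
        if rest.startswith("SRCH "):
            f = re.search(r'filter="([^"]*)"', rest)
            searches[key] = {"conn": key[0], "op": key[1], "ts": m["ts"],
                             "filter": f.group(1) if f else None, "nentries": None}
        elif key in searches:
            r = RESULT.search(rest)
            if r:
                searches[key]["nentries"] = int(r.group(1))
    return list(searches.values())

def empty_searches(log_text):
    """Searches the directory answered with zero entries."""
    return [s for s in pair_searches(log_text) if s["nentries"] == 0]

def gap_seconds(ldap_ts, samba_ts):
    """Wall-clock seconds from an LDAP log stamp to a Samba log stamp."""
    ldap = datetime.strptime(ldap_ts, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
    samba = datetime.strptime(samba_ts, "%Y/%m/%d %H:%M:%S")
    return int((samba - ldap).total_seconds())

if __name__ == "__main__":
    for s in empty_searches(SAMPLE):
        print(f"conn={s['conn']} op={s['op']} returned no entries for {s['filter']}")
    print(gap_seconds("05/Oct/2004:10:03:52 -0500", "2004/10/05 11:14:48"), "seconds apart")
```

A gap of more than an hour between the two logs means they do not describe the same logon attempt unless the clocks or time zones disagree.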


