[Samba] Re: Can join domain; can't logon
Chris St. Pierre
stpierre at NebrWesleyan.edu
Tue Oct 5 19:37:42 GMT 2004
I did verify that the account exists in LDAP. To prove it:
# ldapsearch -b "o=nebrwesleyan.edu,o=isp" "(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))"
uid=guinea-pig$,ou=machines,o=nebrwesleyan.edu,o=isp
[...snip...]
And moreover:
# getent passwd guinea-pig$
guinea-pig$:x:1001:1000:guinea-pig$:/dev/null:/bin/false
I am not running nscd. The samba machine has a decidedly out-of-sync
system clock, but I haven't bothered with it since it's only a test
box.
However! Here's the smbd log:
[2004/10/05 16:24:17, 1] lib/smbldap.c:add_new_domain_info(1289)
failed to add domain dn= sambaDomainName=NWU_TEST,o=nebrwesleyan.edu,o=isp with: Object class violation
[2004/10/05 16:24:17, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
Adding domain info for NWU_TEST failed with NT_STATUS_UNSUCCESSFUL
[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
get_md4pw: Workstation GUINEA-PIG$: no account in domain
[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
get_md4pw: Workstation GUINEA-PIG$: no account in domain
Which alerts me to the fact that it's the creation of the domain in
LDAP that's causing problems. I properly installed the 3.0.7 schema
-- as is evidenced by other things working -- but this is giving me an
object class violation. I cranked the log level up to 10, but it
didn't give me much more information that was readily useful to me;
the full 157K log is available, though, if you want it.
Any ideas? Or, if anyone has a typical LDAP domain entry I can look
at, I can add it by hand and get more info from it.
Thanks.
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549
On Tue, 5 Oct 2004, Igor Belyi wrote:
>Chris St. Pierre wrote:
>> I had a problem similar to my current one a week or so ago, and I was
>> encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did. Now
>> that I've completed that nightmare, the problem I initially set out to
>> fix is still there, just different. Namely:
>>
>> I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
>> whose only job will be authentication. Our LDAP server is on a
>> separate box. I can join the domain just fine, but when I try to
>> login via Windows, I get the following error:
>>
>> "The system cannot log you on to this domain because the system's
>> computer account in its primary domain is missing or the password on
>> that account is incorrect."
>>
>> I suspected that neither of these were the case, as I created the
>> account with idealx's smbldap-tools. I verified that the account is
>> there with ldapsearch. Last time I had this problem, Samba wasn't
>> even communicating with LDAP, but this time it is. When I try to
>> login, here's what the LDAP logs show:
>
>smbldap-tools creates posixAccounts in case you use NSS LDAP support. You
>should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - you
>probably use passwd or shadow in which case you need to use adduser to do the
>job.
>
>Besides posixAccount you should also have a Samba account as well. You should
>look at what the responses to the LDAP requests were by looking at the SEARCH
>RESULT lines with the same 'conn=' and 'op='. I would guess that the response
>was 'nentries=0'. And it has nothing to do with some optional attributes being
>empty - just with the fact that there's no such entry with
>'objectClass=sambaSamAccount'.
>
>It can also be a problem of nscd if you have one. Your LDAP requests are at
>10:03 and your nmbd log extract is for 11:14 which means LDAP requests were
>done long before Samba requests unless there's a timezone issue between the
>machines or that their clocks are really screwed up.
>
>I would also recommend posting the smbd log instead of nmbd since it's smbd
>which interacts with LDAP.
>
>Igor
>
>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
>> base="o=nebrwesleyan.edu,o=isp" scope=2
>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>> displayName sambaHomeDrive sambaHomePath sambaLogonScript
>> sambaProfilePath description sambaUserWorkstations sambaSID
>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
>> sambabadpasswordtime sambapasswordhistory modifyTimestamp
>> sambalogonhours modifyTimestamp"
>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
>> base="o=nebrwesleyan.edu,o=isp" scope=2
>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>> displayName sambaHomeDrive sambaHomePath sambaLogonScript
>> sambaProfilePath description sambaUserWorkstations sambaSID
>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
>> sambabadpasswordtime sambapasswordhistory modifyTimestamp
>> sambalogonhours modifyTimestamp"
>>
>> It searches twice for the machine trust account, which I've verified
>> exists. The only thing I can think of is that not all of the
>> attributes it's asking for exist. (In fact, a lot of them don't.) As
>> you can see in the attached nmbd log, though, Samba doesn't show any
>> obvious errors. I've also included my smb.conf (with some changes to
>> protect my server's innocence). Any ideas are greatly appreciated.
>> Thanks.
>>
>> Chris St. Pierre
>> Unix Systems Administrator
>> Nebraska Wesleyan University
>> 402.465.7549
>>
>>
>> ------------------------------------------------------------------------
>>
>> [global]
>> server string = test
>> workgroup = NWU_TEST
>> netbios name = TESTERATOR
>>
>> log level = 1
>> encrypt passwords = yes
>> max smbd processes = 0
>> socket options = TCP_NODELAY
>>
>> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>>
>> logon script = scripts\logon.bat
>> logon path = \\%L\profiles\%U
>> domain logons = yes
>> local master = yes
>> preferred master = yes
>> wins server = 10.9.1.12
>> security = user
>>
>> passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
>> ldap suffix = o=nebrwesleyan.edu,o=isp
>> ldap machine suffix = ou=Machines
>> ldap user suffix = ou=People
>> ldap group suffix = ou=Groups
>> ldap filter = (uid=%u)
>> ldap admin dn = cn=foo
>> ldap ssl = no
>>
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> guest ok = yes
>> locking = No
>>
>> [profiles]
>> comment = Profile Share
>> path = /var/lib/samba/profiles
>> read only = No
>>
>> [tmp]
>> comment = temporary files
>> path = /tmp
>> read only = yes
>>
>>
>> ------------------------------------------------------------------------
>>
>> [2004/10/05 11:14:43, 5] nmbd/nmbd_packets.c:process_dgram(1194)
>> process_dgram: ignoring dgram packet sent to name COMPUTER LABS<1d> from
>> 10.9.1.10
>> [2004/10/05 11:14:43, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> 10.9.1.111: found.
>> [2004/10/05 11:14:43, 10]
>> nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
>> announce_myself_to_domain_master_browser: t (1096992883) -
>> last(1096992397) < 900
>> [2004/10/05 11:14:43, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> UNICAST_SUBNET: found.
>> [2004/10/05 11:14:43, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> UNICAST_SUBNET: found.
>> [2004/10/05 11:14:48, 10] lib/util_sock.c:read_udp_socket(230)
>> read_udp_socket: lastip 10.9.1.97 lastport 138 read: 290
>> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:read_packet(757)
>> Received a packet of len 290 from (10.9.1.97) port 138
>> [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
>> nmbd_subnetdb:namelist_entry_compare()
>> -1 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1d>", 84 )
>> [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
>> nmbd_subnetdb:namelist_entry_compare()
>> 0 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1c>", 84 )
>> [2004/10/05 11:14:48, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(124)
>> find_name_on_subnet: on subnet 10.9.1.111 - found name NWU_TEST<1c>
>> source=2
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:process_dgram(1259)
>> process_dgram: datagram from GUINEA-PIG<00> to NWU_TEST<1c> IP 10.9.1.97
>> for \MAILSLOT\NET\NETLOGON of type 18 len=116
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_processlogon.c:process_logon_packet(95)
>> process_logon_packet: Logon from 10.9.1.97: code = 0x12
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(315)
>> process_logon_packet: SAMLOGON sidsize 24, len = 116
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(322)
>> process_logon_packet: len = 116 PTR_DIFF(q, buf) = 108
>> [2004/10/05 11:14:48, 3] nmbd/nmbd_processlogon.c:process_logon_packet(347)
>> process_logon_packet: SAMLOGON sidsize 24 ntv 11
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(356)
>> process_logon_packet: SAMLOGON user GUINEA-PIG$
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(363)
>> process_logon_packet: SAMLOGON request from GUINEA-PIG(10.9.1.97) for
>> GUINEA-PIG$, returning logon svr \\TESTERATOR domain NWU_TEST code 13
>> token=ffff
>> [2004/10/05 11:14:48, 4] lib/util.c:dump_data(1835)
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:send_mailslot(1902)
>> send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC468 from
>> TESTERATOR<00> IP 10.9.1.111 to GUINEA-PIG<00> IP 10.9.1.97
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:debug_browse_data(100)
>> debug_browse_data():
>> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:send_udp(779)
>> Sending a packet of len 252 to (10.9.1.97) on port 138
>> [2004/10/05 11:14:48, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> 10.9.1.111: found.
>> [2004/10/05 11:14:48, 10]
>> nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
>> announce_myself_to_domain_master_browser: t (1096992883) -
>> last(1096992397) < 900
>> [2004/10/05 11:14:48, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> UNICAST_SUBNET: found.
>> [2004/10/05 11:14:48, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> UNICAST_SUBNET: found.
>> [2004/10/05 11:14:48, 10] lib/util_sock.c:read_udp_socket(230)
>> read_udp_socket: lastip 10.9.1.97 lastport 138 read: 290
>> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:read_packet(757)
>> Received a packet of len 290 from (10.9.1.97) port 138
>> [2004/10/05 11:14:48, 10] nmbd/nmbd_subnetdb.c:namelist_entry_compare(69)
>> nmbd_subnetdb:namelist_entry_compare()
>> 0 == memcmp( "NWU_TEST<1c>", "NWU_TEST<1c>", 84 )
>> [2004/10/05 11:14:48, 9] nmbd/nmbd_namelistdb.c:find_name_on_subnet(124)
>> find_name_on_subnet: on subnet 10.9.1.111 - found name NWU_TEST<1c>
>> source=2
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:process_dgram(1259)
>> process_dgram: datagram from GUINEA-PIG<00> to NWU_TEST<1c> IP 10.9.1.97
>> for \MAILSLOT\NET\NETLOGON of type 18 len=116
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_processlogon.c:process_logon_packet(95)
>> process_logon_packet: Logon from 10.9.1.97: code = 0x12
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(315)
>> process_logon_packet: SAMLOGON sidsize 24, len = 116
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(322)
>> process_logon_packet: len = 116 PTR_DIFF(q, buf) = 108
>> [2004/10/05 11:14:48, 3] nmbd/nmbd_processlogon.c:process_logon_packet(347)
>> process_logon_packet: SAMLOGON sidsize 24 ntv 11
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(356)
>> process_logon_packet: SAMLOGON user GUINEA-PIG$
>> [2004/10/05 11:14:48, 5] nmbd/nmbd_processlogon.c:process_logon_packet(363)
>> process_logon_packet: SAMLOGON request from GUINEA-PIG(10.9.1.97) for
>> GUINEA-PIG$, returning logon svr \\TESTERATOR domain NWU_TEST code 13
>> token=ffff
>> [2004/10/05 11:14:48, 4] lib/util.c:dump_data(1835)
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:send_mailslot(1902)
>> send_mailslot: Sending to mailslot \MAILSLOT\NET\GETDC468 from
>> TESTERATOR<00> IP 10.9.1.111 to GUINEA-PIG<00> IP 10.9.1.97
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_packets.c:debug_browse_data(100)
>> debug_browse_data():
>> [2004/10/05 11:14:48, 5] libsmb/nmblib.c:send_udp(779)
>> Sending a packet of len 252 to (10.9.1.97) on port 138
>> [2004/10/05 11:14:48, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> 10.9.1.111: found.
>> [2004/10/05 11:14:48, 10]
>> nmbd/nmbd_sendannounce.c:announce_myself_to_domain_master_browser(382)
>> announce_myself_to_domain_master_browser: t (1096992888) -
>> last(1096992397) < 900
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(271)
>> dump_workgroups()
>> dump workgroup on subnet 10.9.1.111: netmask= 255.255.0.0:
>> COMPSERV(4) current master browser = SPOOLWATCH
>> WORKGROUP(3) current master browser = EDUCATION
>> NWU_EXODUS(2) current master browser = BELL
>> NWU_TEST(1) current master browser = TESTERATOR
>> TESTERATOR 400c9b0b (test)
>> GUINEA-PIG 40011003 ()
>> [2004/10/05 11:14:48, 4] nmbd/nmbd_workgroupdb.c:dump_workgroups(271)
>> dump_workgroups()
>> dump workgroup on subnet UNICAST_SUBNET: netmask= 0.0.0.0:
>> NWU_TEST(1) current master browser = UNKNOWN
>> TESTERATOR 40099b0b (test)
>> [2004/10/05 11:14:48, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> UNICAST_SUBNET: found.
>> [2004/10/05 11:14:48, 4]
>> nmbd/nmbd_workgroupdb.c:find_workgroup_on_subnet(162)
>> find_workgroup_on_subnet: workgroup search for NWU_TEST on subnet
>> UNICAST_SUBNET: found.
>>
>
>
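The check suggested in the quoted reply (match each SRCH line to the RESULT line with the same 'conn=' and 'op=' and look at 'nentries=') can be scripted as follows. This is an added example, not part of the original messages: the SRCH lines follow the layout quoted in the thread with the attrs list shortened, while the RESULT lines and the second account (jdoe) are constructed, and the RESULT field layout (err=, tag=, nentries=, etime=) is an assumption about the directory server's access-log format.

```python
import re

# Constructed sample. SRCH lines mirror the thread (attrs shortened);
# RESULT lines and the 'jdoe' search are invented for illustration.
SAMPLE_LOG = '''\
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[05/Oct/2004:10:03:52 -0500] conn=53577 op=2 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[05/Oct/2004:10:03:53 -0500] conn=53577 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2004:10:03:53 -0500] conn=53576 op=8 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
'''

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                  r'(?P<kind>SRCH|RESULT) (?P<rest>.*)$')
FILTER = re.compile(r'filter="([^"]*)"')
NENTRIES = re.compile(r'\bnentries=(\d+)')
ERR = re.compile(r'\berr=(\d+)')

def correlate(log_text):
    """Pair each SRCH with its RESULT by (conn, op); one dict per search."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other operation types (BIND, MOD, ...) are ignored
        key = (int(m['conn']), int(m['op']))
        if m['kind'] == 'SRCH':
            f = FILTER.search(m['rest'])
            pending[key] = {'conn': key[0], 'op': key[1], 'ts': m['ts'],
                            'filter': f.group(1) if f else None}
        elif key in pending:
            rec = pending.pop(key)
            n, e = NENTRIES.search(m['rest']), ERR.search(m['rest'])
            rec['nentries'] = int(n.group(1)) if n else None
            rec['err'] = int(e.group(1)) if e else None
            done.append(rec)
    # A SRCH without a RESULT (truncated extract) is reported, not dropped.
    for rec in pending.values():
        rec.update(nentries=None, err=None)
        done.append(rec)
    return done

def empty_searches(log_text, needle='objectClass=sambaSamAccount'):
    """Samba account searches that completed and matched no entry."""
    return [r for r in correlate(log_text)
            if r['filter'] and needle in r['filter'] and r['nentries'] == 0]

if __name__ == '__main__':
    for r in correlate(SAMPLE_LOG):
        print(r['conn'], r['op'], r['filter'], 'nentries =', r['nentries'])
```

Access-log lines that a mail client has wrapped, as in the extract quoted above, need to be rejoined into one line per operation before being passed in.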