[Samba] Re: Can join domain; can't logon

Chris St. Pierre stpierre at NebrWesleyan.edu
Fri Oct 8 14:19:53 GMT 2004


On the LDAP server:

> ldapsearch -b "ou=people,o=nebrwesleyan.edu,o=isp" "uid=guinea-pig$" \
sambaSID
uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
sambaSID=S-1-5-21-2507527290-1625623118-1076039497-3002

On the Samba server:

> /usr/local/samba/bin/net getlocalsid
SID for domain TESTERATOR is: S-1-5-21-2507527290-1625623118-1076039497

So yes, they match.

I did some further investigation, and it appears that the
conditional on lines 250-254 of rpc_server/srv_netlog_nt.c in
get_md4pw() is where the failure point is.  Namely, the account is not
disabled, and the pass is not null, but none of the trust checks pass
(acct_ctrl == 16).  I put a quick hack in pdb_get_acct_ctrl() on line
45 of passdb/pdb_get_set.c ("return ACB_WSTRUST;") to get past this
immediate problem; it worked, but logins still don't work.  There's
some sort of problem with credentials that I've been trying to work
out.

Anyhow, that's everything I know about the problem; here's the smbd
log.  Thanks for looking at this.

[...snip...]
[2004/10/07 16:14:09, 5] lib/smbldap.c:smbldap_search(963)
  smbldap_search: base => [o=nebrwesleyan.edu,o=isp], filter => [(&(uid=GUINEA-PIG$)(objectclass=sambaSamAccount))], scope => [2]
[2004/10/07 16:14:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: guinea-pig$
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_username(625)
  pdb_set_username: setting username guinea-pig$, was 
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 12 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_domain(652)
  pdb_set_domain: setting domain NWU_TEST, was 
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_nt_username(679)
  pdb_set_nt_username: setting nt username guinea-pig$, was 
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 15 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_user_sid_from_string(565)
  pdb_set_user_sid_from_string: setting user sid S-1-5-21-2507527290-1625623118-1076039497-3002
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_user_sid(552)
  pdb_set_user_sid: setting user sid S-1-5-21-2507527290-1625623118-1076039497-3002
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 18 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPrimaryGroupSID] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_group_sid(588)
  pdb_set_group_sid: setting group sid S-1-5-21-2507527290-1625623118-1076039497-513
[2004/10/07 16:14:09, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid:
  	setting group sid S-1-5-21-2507527290-1625623118-1076039497-513 from rid 513
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPwdLastSet] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogonTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogoffTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaKickoffTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPwdCanChange] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPwdMustChange] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_fullname(706)
  pdb_set_full_name: setting full name guinea-pig$, was 
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 13 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaHomeDrive] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(787)
  pdb_set_dir_drive: setting dir drive , was NULL
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaHomePath] = [<does not exist>]
[2004/10/07 16:14:09, 4] lib/substitute.c:automount_server(323)
  Home server: testerator
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_homedir(814)
  pdb_set_homedir: setting home dir \\testerator\guinea-pig_, was 
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogonScript] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_logon_script(733)
  pdb_set_logon_script: setting logon script scripts\logon.bat, was 
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaProfilePath] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_profile_path(760)
  pdb_set_profile_path: setting profile path \\testerator\profiles\guinea-pig_, was 
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [description] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaUserWorkstations] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaMungedDial] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 32 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 33 -> now SET
[2004/10/07 16:14:09, 10] lib/account_pol.c:account_policy_get(158)
  account_policy_get: password history:0
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaAcctFlags] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 16 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 17 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaBadPasswordCount] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaBadPasswordTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogonHours] = [<does not exist>]
[2004/10/07 16:14:09, 5] passdb/login_cache.c:login_cache_init(41)
  Opening cache file at /usr/local/samba/var/locks/login_cache.tdb
[2004/10/07 16:14:09, 7] passdb/login_cache.c:login_cache_read(83)
  Looking up login cache for user guinea-pig$
[2004/10/07 16:14:09, 7] passdb/login_cache.c:login_cache_read(97)
  No cache entry found
[2004/10/07 16:14:09, 9] passdb/pdb_ldap.c:init_sam_from_ldap(804)
  No cache entry, bad count = 0, bad time = 0
[2004/10/07 16:14:09, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2004/10/07 16:14:09, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
  get_md4pw: Workstation GUINEA-PIG$: no account in domain
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 net_io_r_auth_2 
[2004/10/07 16:14:09, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000000 smb_io_chal 
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
          0000 data: c8 ea ff bf 4a 18 0e 08 
[2004/10/07 16:14:09, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000008 net_io_neg_flags 
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0008 neg_flags: 400001ff
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      000c status: NT_STATUS_ACCESS_DENIED
[...snip...]

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Thu, 7 Oct 2004, Igor Belyi wrote:

>Chris St. Pierre wrote:
>> An update:  I managed to get a domain entry added to my LDAP directory.
>> Still got the same error.  Googled for it; found out that I had to put
>> my machine trust accounts in ou=people instead of ou=machines.  Did
>> so.  Still get the same message from Windows:
>> 
>> 
>> > > > "The system cannot log you on to this domain because the system's
>> > > > computer account in its primary domain is missing or the password on
>> > > > that account is incorrect."
>> 
>> 
>> > From Samba, it's the same old thing:
>> 
>>   get_md4pw: Workstation GUINEA-PIG$: no account in domain
>> 
>> What the heck does this mean?  How can I fix it?  Does Samba just hate me?
>> 
>> I've attached the section of the smbd log that appears to pertain to
>> the immediate problem.  Any insights you can offer would be greatly
>> appreciated.  Thank you.
>
>Verify that sambaSID of your GUINEA-PIG$ contains SID of the Domain (sambaSID
>field of the sambaDomain entry or result of 'net getlocalsid' which should be
>the same).
>
>And yes, I can take a look at your Samba log. Note, attachments don't get
>through when sent to this list.
>
>Igor
>
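
The checks discussed in this thread (sambaSID prefix, non-empty password, not disabled, a trust bit in the account flags), written as a stand-alone checker. This is an added example, not Samba's code and not from either poster. It assumes that an absent sambaAcctFlags attribute is read as a normal user account (0x10, the acct_ctrl == 16 seen above) and that the machine password lives in sambaNTPassword; the hash value and the flagged copy of the entry are constructed.

```python
import re

# Samba account-control bits (ACB_*), keyed by their sambaAcctFlags letter.
ACB = {"D": 0x001, "H": 0x002, "N": 0x004, "T": 0x008, "U": 0x010, "M": 0x020,
       "I": 0x040, "W": 0x080, "S": 0x100, "X": 0x200, "L": 0x400}
TRUST_BITS = ACB["W"] | ACB["S"] | ACB["I"]   # workstation, server, domain trust

def decode_acct_flags(value):
    """Turn a sambaAcctFlags string such as '[W          ]' into ACB bits.
    Assumption: an absent attribute yields a normal user account (0x10 == 16),
    the acct_ctrl value reported in the post."""
    if not value:
        return ACB["U"]
    m = re.fullmatch(r"\[([A-Z ]*)\]", value.strip())
    if not m or any(c not in ACB for c in m.group(1).replace(" ", "")):
        raise ValueError(f"malformed sambaAcctFlags: {value!r}")
    bits = 0
    for c in m.group(1).replace(" ", ""):
        bits |= ACB[c]
    return bits or ACB["U"]

def check_machine_account(entry, domain_sid):
    """Return a list of reasons a machine trust entry would be rejected."""
    problems = []
    sid = entry.get("sambaSID", "")
    if not re.fullmatch(re.escape(domain_sid) + r"-\d+", sid):
        problems.append(f"sambaSID {sid!r} is not <domain SID>-<RID>")
    if not entry.get("sambaNTPassword"):
        problems.append("sambaNTPassword is empty")
    bits = decode_acct_flags(entry.get("sambaAcctFlags"))
    if bits & ACB["D"]:
        problems.append("account is disabled")
    if not bits & TRUST_BITS:
        problems.append(f"sambaAcctFlags gives acct_ctrl == {bits}: no trust bit set")
    return problems

# SIDs and uid are the values from the post; the NT hash is a constructed placeholder.
DOMAIN_SID = "S-1-5-21-2507527290-1625623118-1076039497"
POSTED = {"uid": "guinea-pig$", "sambaSID": DOMAIN_SID + "-3002",
          "sambaNTPassword": "00112233445566778899AABBCCDDEEFF"}
# Constructed variant: the same entry carrying a workstation-trust flag.
WITH_W_FLAG = dict(POSTED, sambaAcctFlags="[W          ]")

if __name__ == "__main__":
    for name, entry in (("posted", POSTED), ("with W flag", WITH_W_FLAG)):
        print(name, check_machine_account(entry, DOMAIN_SID) or "ok")
```
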

