[Samba] Re: Can join domain; can't logon
Chris St. Pierre
stpierre at NebrWesleyan.edu
Fri Oct 8 14:19:53 GMT 2004
On the LDAP server:
> ldapsearch -b "ou=people,o=nebrwesleyan.edu,o=isp" "uid=guinea-pig$" \
sambaSID
uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
sambaSID=S-1-5-21-2507527290-1625623118-1076039497-3002
On the Samba server:
> /usr/local/samba/bin/net getlocalsid
SID for domain TESTERATOR is: S-1-5-21-2507527290-1625623118-1076039497
So yes, they match.
I did some further investigation, and it appears that in the
conditional on lines 250-254 of rpc_server/srv_netlog_nt.c in
get_md4pw() is where the failure point is. Namely, the account is not
disabled, and the pass is not null, but none of the trust checks pass.
(acct_ctrl == 16). I put a quick hack in pdb_get_acct_ctrl() on line
45 of passdb/pdb_get_set.c ("return ACB_WSTRUST;") to get past this
immediate problem; it worked, but logins still don't work. There's
some sort of problem with credentials that I've been trying to work
out.
Anyhow, that's everything I know about the problem; here's the smbd
log. Thanks for looking at this.
[...snip...]
[2004/10/07 16:14:09, 5] lib/smbldap.c:smbldap_search(963)
smbldap_search: base => [o=nebrwesleyan.edu,o=isp], filter => [(&(uid=GUINEA-PIG$)(objectclass=sambaSamAccount))], scope => [2]
[2004/10/07 16:14:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
init_sam_from_ldap: Entry found for user: guinea-pig$
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_username(625)
pdb_set_username: setting username guinea-pig$, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 12 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_domain(652)
pdb_set_domain: setting domain NWU_TEST, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_nt_username(679)
pdb_set_nt_username: setting nt username guinea-pig$, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 15 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_user_sid_from_string(565)
pdb_set_user_sid_from_string: setting user sid S-1-5-21-2507527290-1625623118-1076039497-3002
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_user_sid(552)
pdb_set_user_sid: setting user sid S-1-5-21-2507527290-1625623118-1076039497-3002
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 18 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaPrimaryGroupSID] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_group_sid(588)
pdb_set_group_sid: setting group sid S-1-5-21-2507527290-1625623118-1076039497-513
[2004/10/07 16:14:09, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
pdb_set_group_sid_from_rid:
setting group sid S-1-5-21-2507527290-1625623118-1076039497-513 from rid 513
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaPwdLastSet] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaLogonTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaLogoffTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaKickoffTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaPwdCanChange] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaPwdMustChange] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_fullname(706)
pdb_set_full_name: setting full name guinea-pig$, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 13 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaHomeDrive] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(787)
pdb_set_dir_drive: setting dir drive , was NULL
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaHomePath] = [<does not exist>]
[2004/10/07 16:14:09, 4] lib/substitute.c:automount_server(323)
Home server: testerator
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_homedir(814)
pdb_set_homedir: setting home dir \\testerator\guinea-pig_, was
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaLogonScript] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_logon_script(733)
pdb_set_logon_script: setting logon script scripts\logon.bat, was
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaProfilePath] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_profile_path(760)
pdb_set_profile_path: setting profile path \\testerator\profiles\guinea-pig_, was
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [description] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaUserWorkstations] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaMungedDial] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 32 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 33 -> now SET
[2004/10/07 16:14:09, 10] lib/account_pol.c:account_policy_get(158)
account_policy_get: password history:0
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaAcctFlags] = [<does not exist>]
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 16 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
element 17 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaBadPasswordCount] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaBadPasswordTime] = [<does not exist>]
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
smbldap_get_single_attribute: [sambaLogonHours] = [<does not exist>]
[2004/10/07 16:14:09, 5] passdb/login_cache.c:login_cache_init(41)
Opening cache file at /usr/local/samba/var/locks/login_cache.tdb
[2004/10/07 16:14:09, 7] passdb/login_cache.c:login_cache_read(83)
Looking up login cache for user guinea-pig$
[2004/10/07 16:14:09, 7] passdb/login_cache.c:login_cache_read(97)
No cache entry found
[2004/10/07 16:14:09, 9] passdb/pdb_ldap.c:init_sam_from_ldap(804)
No cache entry, bad count = 0, bad time = 0
[2004/10/07 16:14:09, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (65534, 65533) - sec_ctx_stack_ndx = 0
[2004/10/07 16:14:09, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
get_md4pw: Workstation GUINEA-PIG$: no account in domain
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_debug(82)
000000 net_io_r_auth_2
[2004/10/07 16:14:09, 6] rpc_parse/parse_prs.c:prs_debug(82)
000000 smb_io_chal
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
0000 data: c8 ea ff bf 4a 18 0e 08
[2004/10/07 16:14:09, 6] rpc_parse/parse_prs.c:prs_debug(82)
000008 net_io_neg_flags
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_uint32(635)
0008 neg_flags: 400001ff
[2004/10/07 16:14:09, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
000c status: NT_STATUS_ACCESS_DENIED
[...snip...]
Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
On Thu, 7 Oct 2004, Igor Belyi wrote:
>Chris St. Pierre wrote:
>> An update: I managed to get a domain entry added to my LDAP directory.
>> Still got the same error. Googled for it; found out that I had to put
>> my machine trust accounts in ou=people instead of ou=machines. Did
>> so. Still get the same message from Windows:
>>
>>
>> > > > "The system cannot log you on to this domain because the system's
>> > > > computer account in its primary domain is missing or the password on
>> > > > that account is incorrect."
>>
>>
>> From Samba, it's the same old thing:
>>
>> get_md4pw: Workstation GUINEA-PIG$: no account in domain
>>
>> What the heck does this mean? How can I fix it? Does Samba just hate me?
>>
>> I've attached the section of the smbd log that appears to pertain to
>> the immediate problem. Any insights you can offer would be greatly
>> appreciated. Thank you.
>
>Verify that sambaSID of your GUINEA-PIG$ contains SID of the Domain (sambaSID
>field of the sambaDomain entry or result of 'net getlocalsid' which should be
>the same).
>
>And yes, I can take a look at your Samba log. Note, attachments don't get
>through when sent to this list.
>
>Igor
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: http://lists.samba.org/mailman/listinfo/samba
>
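The exchange above turns on two things: whether the machine account's sambaSID carries the domain SID (Igor's check), and whether the acct_ctrl bits derived from sambaAcctFlags satisfy the trust checks in get_md4pw() (Chris's finding that acct_ctrl == 16, because the log shows sambaAcctFlags does not exist in LDAP). The following is an added example, not code from the thread or from Samba, that decodes a sambaAcctFlags string with Samba's ACB_* bit values and flag letters and applies the same three conditions the post describes; the function names are assumptions.

```python
# Added example: decode sambaAcctFlags into an acct_ctrl bitmask and apply
# the conditions get_md4pw() requires of a machine trust account:
# not disabled, NT hash present, and one of the three trust bits set.
# ACB_* values and letters are Samba's passdb flag encoding.
ACB_DISABLED, ACB_HOMDIRREQ, ACB_PWNOTREQ, ACB_TEMPDUP = 0x0001, 0x0002, 0x0004, 0x0008
ACB_NORMAL, ACB_MNS, ACB_DOMTRUST, ACB_WSTRUST = 0x0010, 0x0020, 0x0040, 0x0080
ACB_SVRTRUST, ACB_PWNOEXP, ACB_AUTOLOCK = 0x0100, 0x0200, 0x0400

# Letter -> bit mapping used inside the "[...]" string stored in LDAP.
FLAG_LETTERS = {
    "D": ACB_DISABLED, "H": ACB_HOMDIRREQ, "N": ACB_PWNOTREQ, "T": ACB_TEMPDUP,
    "U": ACB_NORMAL, "M": ACB_MNS, "I": ACB_DOMTRUST, "W": ACB_WSTRUST,
    "S": ACB_SVRTRUST, "X": ACB_PWNOEXP, "L": ACB_AUTOLOCK,
}

TRUST_BITS = ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST


def decode_acct_ctrl(flags):
    """Turn a sambaAcctFlags value such as '[W          ]' into acct_ctrl.

    A missing attribute (None) falls back to ACB_NORMAL (16), which is the
    value the original post observed for guinea-pig$.
    """
    if flags is None:
        return ACB_NORMAL
    acct_ctrl = 0
    for ch in flags.strip().strip("[]"):
        if ch != " ":
            acct_ctrl |= FLAG_LETTERS.get(ch.upper(), 0)
    return acct_ctrl


def trust_check(acct_ctrl, nt_hash):
    """Mirror the get_md4pw() conditional described in the post.

    Returns "ok" when the account would be accepted, otherwise the reason
    it is rejected; the last case is what smbd logs as "no account in domain".
    """
    if acct_ctrl & ACB_DISABLED:
        return "account disabled"
    if not nt_hash:
        return "no NT password hash"
    if not acct_ctrl & TRUST_BITS:
        return "no account in domain"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a 16-byte placeholder stands in for the NT hash.
    fake_hash = b"\x01" * 16
    print(trust_check(decode_acct_ctrl(None), fake_hash))           # no account in domain
    print(trust_check(decode_acct_ctrl("[W          ]"), fake_hash))  # ok
```

Setting sambaAcctFlags to "[W          ]" on the machine entry makes the attribute decode to ACB_WSTRUST without patching pdb_get_acct_ctrl().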