[Samba] can join but unable to login to the domain + ldap account problems

John H Terpstra jht at Samba.Org
Thu Jan 13 15:51:24 GMT 2005


On Thursday 13 January 2005 04:28, Adi Nugraha wrote:
> after setting up a PDC with ldap according to the book samba 3 by example,
> almost everything worked out fine, the validations listed in the books
> turned out as expected with minor differences, but these are the problems :

Adi,

I happen to be the author of that book. Suggest you delete the Administrator 
account and add an account for 'root' that matches your /etc/passwd entry for 
the 'root' user. I will be fixing this information in the update that I will 
soon make to the book.

>
> 1. According to the book the account that can be used to join a domain is
> the Administrator account with the password set from the ldap admin dn
> which is secret in my installation, but I was unable to join the domain with
> the account, not even just to see the shares, something like wrong
> password, when I look at the log it seem the Administrator is mapped to
> root, which has a different password in the linux, does this matter? in the
> end I tried creating a new Account with 0 uid to join the domain (let's
> call it __admin__ ), and it worked, but I still would like to know why the
> Administrator account didn't work,

Winbind will break if there is any ambiguity in the forward and reverse 
mapping of login names to UID. You can NOT have both root with UID=0 and 
Administrator with UID=0. If you do, when Samba does a reverse lookup of the 
Windows SID for Administrator it will find it has UNIX UID=0, but then can 
not determine which UNIX account that represents - i.e.: Is it 'root' or is 
it 'Administrator'.

Additionally, all accounts Samba uses must be in the LDAP backend (both the 
POSIX account details and the SambaSamAccount details) if you are using an 
LDAP backend.

>
> 2. A W2k workstation can join the domain with the __admin__ account , but
> after reboot It can't login with any User name, not even with the account
> that successfully joined the workstation the error message is 'The system
> cannot log you on now because the domain is not available', I am able to see
> the shares with the __admin__ Account, but not with any other accounts (
> even newly created ones)

Did you add the LDAP admin password to the secrets.tdb file?

Do the following work?:

	getent passwd
	pdbedit -Lw

If you have a service definition for [IPC$] in your smb.conf file, please 
delete it, then try again.

>
> 3. when trying to net rpc join the samba box itself it returned
>      Unable to join domain VALHALLA.
>
> and when I tried smbclient -L localhost
>
> Anonymous login successful
> Domain=[VALHALLA] OS=[Unix] Server=[Samba 3.0.9]
> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>
> but when I tried smbclient //valkyrie/user -Uuser%1234 it worked just fine
> of course the administrator password still didn't work
>
> this is the level 1 log :
>
> [2005/01/13 13:03:09, 0] smbd/service.c:make_connection_snum(620)
>   '/root/tmp' does not exist or is not a directory, when connecting to
> [IPC$]

What version of Samba? Did you compile it yourself? If so, what parameters did 
you pass to configure?

- John T.

>
> and this is the level 2 log :
>
> [2005/01/13 13:13:19, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/01/13 13:13:19, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/01/13 13:13:19, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
>   init_group_from_ldap: Entry found for group: 546
> [2005/01/13 13:13:19, 0] smbd/service.c:make_connection_snum(620)
>   '/root/tmp' does not exist or is not a directory, when connecting to
> [IPC$]
>
>
> and the level 3 log :
>
> [2005/01/13 13:16:12, 3] smbd/process.c:process_smb(1092)
>   Transaction 1 of length 137
> [2005/01/13 13:16:12, 3] smbd/process.c:switch_message(887)
>   switch message SMBnegprot (pid 3842) conn 0x0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(461)
>   Requested protocol [PC NETWORK PROGRAM 1.0]
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(461)
>   Requested protocol [LANMAN1.0]
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(461)
>   Requested protocol [Windows for Workgroups 3.1a]
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(461)
>   Requested protocol [LM1.2X002]
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(461)
>   Requested protocol [LANMAN2.1]
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(461)
>   Requested protocol [NT LM 0.12]
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_nt1(333)
>   using SPNEGO
> [2005/01/13 13:16:12, 3] smbd/negprot.c:reply_negprot(549)
>   Selected protocol NT LM 0.12
> [2005/01/13 13:16:12, 3] smbd/process.c:process_smb(1092)
>   Transaction 2 of length 202
> [2005/01/13 13:16:12, 3] smbd/process.c:switch_message(887)
>   switch message SMBsesssetupX (pid 3842) conn 0x0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>   wct=12 flg2=0xc807
> [2005/01/13 13:16:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>   Doing spnego session setup
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> PrimaryDomain=[]
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>   Got OID 1 3 6 1 4 1 311 2 2 10
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>   Got secblob of size 32
> [2005/01/13 13:16:12, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0xc0008297
> [2005/01/13 13:16:12, 3] smbd/process.c:process_smb(1092)
>   Transaction 3 of length 232
> [2005/01/13 13:16:12, 3] smbd/process.c:switch_message(887)
>   switch message SMBsesssetupX (pid 3842) conn 0x0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>   wct=12 flg2=0xc807
> [2005/01/13 13:16:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
> old resources.
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>   Doing spnego session setup
> [2005/01/13 13:16:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> PrimaryDomain=[]
> [2005/01/13 13:16:12, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>   Got user=[] domain=[] workstation=[VPC1] len1=1 len2=0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/uid.c:push_conn_ctx(365)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password:  Checking password for unmapped user []\[]@[VPC1]
> with the new password interface
> [2005/01/13 13:16:12, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password:  mapped user is: [VALHALLA]\[]@[VPC1]
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/uid.c:push_conn_ctx(365)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/uid.c:push_conn_ctx(365)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/uid.c:push_conn_ctx(365)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
>   init_group_from_ldap: Entry found for group: 546
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/uid.c:push_conn_ctx(365)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] auth/auth.c:check_ntlm_password(268)
>   check_ntlm_password: guest authentication for user [] succeeded
> [2005/01/13 13:16:12, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
>   NTLMSSP Sign/Seal - Initialising with flags:
> [2005/01/13 13:16:12, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
>   Got NTLMSSP neg_flags=0x40008295
> [2005/01/13 13:16:12, 3] smbd/password.c:register_vuid(222)
>   User name: nobody     Real name: nobody
> [2005/01/13 13:16:12, 3] smbd/password.c:register_vuid(241)
>   UNIX uid 65534 is UNIX user nobody, and will be vuid 100
> [2005/01/13 13:16:12, 3] smbd/process.c:process_smb(1092)
>   Transaction 4 of length 86
> [2005/01/13 13:16:12, 3] smbd/process.c:switch_message(887)
>   switch message SMBtconX (pid 3842) conn 0x0
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/service.c:make_connection_snum(472)
>   Connect path is '/root/tmp' for service [IPC$]
> [2005/01/13 13:16:12, 3] lib/util_seaccess.c:se_access_check(251)
> [2005/01/13 13:16:12, 3] lib/util_seaccess.c:se_access_check(252)
>   se_access_check: user sid is S-1-5-21-445313069-670739273-3497575158-501
>   se_access_check: also S-1-5-21-445313069-670739273-3497575158-514
>   se_access_check: also S-1-1-0
>   se_access_check: also S-1-5-2
>   se_access_check: also S-1-5-32-546
>   se_access_check: also S-1-5-21-445313069-670739273-3497575158-546
>   se_access_check: also S-1-5-21-445313069-670739273-3497575158-132069
> [2005/01/13 13:16:12, 3] smbd/vfs.c:vfs_init_default(203)
>   Initialising default vfs hooks
> [2005/01/13 13:16:12, 3] lib/util_seaccess.c:se_access_check(251)
> [2005/01/13 13:16:12, 3] lib/util_seaccess.c:se_access_check(252)
>   se_access_check: user sid is S-1-5-21-445313069-670739273-3497575158-501
>   se_access_check: also S-1-5-21-445313069-670739273-3497575158-514
>   se_access_check: also S-1-1-0
>   se_access_check: also S-1-5-2
>   se_access_check: also S-1-5-32-546
>   se_access_check: also S-1-5-21-445313069-670739273-3497575158-546
>   se_access_check: also S-1-5-21-445313069-670739273-3497575158-132069
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 0] smbd/service.c:make_connection_snum(620)
>   '/root/tmp' does not exist or is not a directory, when connecting to
> [IPC$]
> [2005/01/13 13:16:12, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/13 13:16:12, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to IPC$
> [2005/01/13 13:16:12, 3] smbd/error.c:error_packet(105)
>   error string = Permission denied
> [2005/01/13 13:16:12, 3] smbd/error.c:error_packet(129)
>   error packet at smbd/reply.c(416) cmd=117 (SMBtconX)
> NT_STATUS_BAD_NETWORK_NAME
>
>
> anyone understand anything from this log ??? if you need the smb.conf file
> or anything just tell me, Sorry if it's a repeated question, I tried
> googling but didn't find any real solution, there was something about
> changing the reg in windows, but I'd like to avoid doing that to every
> computer that needs to join,
>
>
> Thanks
>
>
> Adi

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
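
An added example, not part of the original message: a shell pre-flight check for the two misconfigurations discussed in this thread, a UID shared by more than one account name (root and Administrator both at UID 0) and an explicit [IPC$] service in smb.conf. The function names and the sample passwd and smb.conf text are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print "UID name1,name2,..." for every UID owned by more than one account.
# Input: passwd-format lines on stdin, as produced by `getent passwd`.
find_ambiguous_uids() {
    awk -F: '
        # Only lines with a numeric UID field; skips blanks and comments.
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            names[$3] = (count[$3]++ ? names[$3] "," $1 : $1)
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid, names[uid]
        }' | sort -n
}

# Exit 0 if the smb.conf text on stdin defines an explicit [IPC$] service.
has_ipc_service() {
    grep -Eiq '^[[:space:]]*\[[[:space:]]*IPC\$[[:space:]]*\]'
}

# Constructed sample: the ambiguous mapping described in the reply.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
Administrator:x:0:0:Domain Admin:/home/Administrator:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
adi:x:1001:100:Sample user:/home/adi:/bin/bash'

# Constructed sample: an smb.conf with the [IPC$] definition seen in the log.
SAMPLE_SMB_CONF='[global]
   workgroup = VALHALLA
[IPC$]
   path = /root/tmp'

dups=$(printf '%s\n' "$SAMPLE_PASSWD" | find_ambiguous_uids)
if [ -n "$dups" ]; then
    echo "UIDs with more than one account name (reverse lookup is ambiguous):"
    echo "$dups"
fi

if printf '%s\n' "$SAMPLE_SMB_CONF" | has_ipc_service; then
    echo "smb.conf defines [IPC\$] explicitly: delete that service definition"
fi
```

On a live system the same functions take `getent passwd` output and the contents of the server's smb.conf on stdin; getent covers accounts from both /etc/passwd and the LDAP backend when nss is configured for it.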

