[Samba] can join but unable to login to the domain + ldapaccountproblems

Adi Nugraha adi at westindo.co.id
Fri Jan 14 07:12:14 GMT 2005


Update !!!!!!!!

I just noticed that I have a previously installed samba from the rpm, which
is samba 3.0.2a. Out of curiosity I tried copying all the configuration files
to the /etc/samba/ directory and now I CAN LOGIN to the domain, no idea why
though, anyway I'm still trying to make the 3.0.9 version work as well,
please help


----- Original Message -----
From: "Adi Nugraha" <adi at westindo.co.id>
To: <jht at samba.org>; <samba at lists.samba.org>
Sent: Friday, January 14, 2005 10:34 AM
Subject: Re: [Samba] can join but unable to login to the domain +
ldapaccountproblems


>
> > I happen to be the author of that book. Suggest you delete the
> > Administrator account and add an account for 'root' that matches your
> > /etc/passwd entry for the 'root' user. I will be fixing this information
> > in the update that I will soon make to the book.
>
> I deleted the Administrator account and added a root user using
> ./smbldap-useradd.pl, but it seems similar to adding my own __admin__
> account, would it be a problem if I used the __admin__ account ??
>
> > > 1. According to the book the account that can be used to join a domain
> > > is the Administrator account with the password set from the ldap admin
> > > dn which is secret in my installation, but I was unable to join the
> > > domain with the account, not even just to see the shares, something
> > > like wrong password, when I look at the log it seems the Administrator
> > > is mapped to root, which has a different password in the linux, does
> > > this matter? in the end I tried creating a new Account with 0 uid to
> > > join the domain (let's call it __admin__ ), and it worked, but I still
> > > would like to know why the Administrator account didn't work,
> >
> > Winbind will break if there is any ambiguity in the forward and reverse
> > mapping of login names to UID. You can NOT have both root with UID=0 and
> > Administrator with UID=0. If you do, when Samba does a reverse lookup of
> > the Windows SID for Administrator it will find it has UNIX UID=0, but then
> > can not determine which UNIX account that represents - i.e.: Is it 'root'
> > or is it 'Administrator'.
> >
> > Additionally, all accounts Samba uses must be in the LDAP backend (both
> > the POSIX account details and the SambaSamAccount details) if you are
> > using an LDAP backend.
> >
> > >
> > > 2. A W2k workstation can join the domain with the __admin__ account,
> > > but after reboot It can't login with any User name, not even with the
> > > account that successfully joined the workstation, the error message is
> > > 'The system cannot log you on now because the domain is not available',
> > > I am able to see the shares with the __admin__ Account, but not with
> > > any other accounts (even newly created ones)
> >
> > Did you add the LDAP admin password to the secrets.tdb file?
> >
> > Do the following work?:
> >
> > getent passwd
> > pdbedit -Lw
> >
>
> when you said ldap admin password do you mean the one with the
> smbpasswd -w secret command, if so then I already did, getent passwd and
> pdbedit -Lw worked fine, all the accounts I added to login to the domain
> are there
>
> > If you have a service definition for [IPC$] in your smb.conf file,
> > please delete it, then try again.
>
> No, I don't have a service definition for [IPC$] in my smb.conf file, but
> the result from smbclient -L localhost -Uadmin%1234 has an IPC service,
> but when I used a different account like the domain user account it
> returned :
>
> Domain=[VALHALLA] OS=[Unix] Server=[Samba 3.0.9]
> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>
> Does this mean that there's something wrong with the domain user group ??
>
> > >
> > > 3. when trying to net rpc join the samba box itself it returned
> > >      Unable to join domain VALHALLA.
> > >
> > > and when I tried smbclient -L localhost
> > >
> > > Anonymous login successful
> > > Domain=[VALHALLA] OS=[Unix] Server=[Samba 3.0.9]
> > > tree connect failed: NT_STATUS_BAD_NETWORK_NAME
> > >
> > > but when I tried smbclient //valkyrie/user -Uuser%1234 it worked just
> > > fine
> > > of course the administrator password still didn't work
> > >
> > > this is the level 1 log :
> > >
> > > [2005/01/13 13:03:09, 0] smbd/service.c:make_connection_snum(620)
> > >   '/root/tmp' does not exist or is not a directory, when connecting to [IPC$]
> >
> > What version of Samba? Did you compile it yourself? If so, what parameters
> > did you pass to configure?
>
> > - John T.
>
>
>
> I used samba version 3.0.9 from the samba source on a Mandrake Linux 10.0,
> I compiled it myself with the default configuration as in just ./configure
> because I read that since samba 3 ldap support is on by default.
>
> BTW I found some logs that seem suspicious, please take a look :
>
> [2005/01/14 04:55:33, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2005/01/14 04:55:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>   Doing spnego session setup
> [2005/01/14 04:55:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>   NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
> [2005/01/14 04:55:33, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>   Got user=[] domain=[] workstation=[VPC1] len1=1 len2=0
> [2005/01/14 04:55:33, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2005/01/14 04:55:33, 3] smbd/uid.c:push_conn_ctx(365)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2005/01/14 04:55:33, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2005/01/14 04:55:33, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/14 04:55:33, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password:  Checking password for unmapped user []\[]@[VPC1] with the new password interface
> [2005/01/14 04:55:33, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password:  mapped user is: [VALHALLA]\[]@[VPC1]
>
> the log is from when I tried to login from a W2K PC that is already joined
> to the domain, why is the primary domain [] ??? and it seems that the
> workstation didn't send any username or password either and it
> authenticates as a guest account ???
>
>
> this is the log from when I tried joining the domain from the samba box
> itself :
>
>
>
>  Adding homes service for user 'adi' using home directory: '/home//adi'
> [2005/01/14 05:20:15, 3] param/loadparm.c:lp_add_home(2341)
>   adding home's share [adi] for user 'adi' at '/home//adi'
> :
> :
> :
> cut
> :
> :
> :
> :
> [2005/01/14 05:20:15, 3] smbd/ipc.c:api_fd_reply(296)
>   Got API command 0x26 on pipe "NETLOGON" (pnum 76c8)
> [2005/01/14 05:20:15, 3] rpc_server/srv_pipe.c:api_pipe_bind_req(890)
>   api_pipe_bind_req: \PIPE\NETLOGON -> \PIPE\lsass
> [2005/01/14 05:20:15, 3] rpc_server/srv_pipe.c:check_bind_req(762)
>   check_bind_req for \PIPE\NETLOGON
> [2005/01/14 05:20:15, 3] smbd/process.c:process_smb(1092)
>   Transaction 27 of length 45
> [2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
>   switch message SMBclose (pid 8730) conn 0x834b730
> [2005/01/14 05:20:15, 3] smbd/process.c:process_smb(1092)
>   Transaction 28 of length 45
> [2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
>   switch message SMBclose (pid 8730) conn 0x834b730
> [2005/01/14 05:20:15, 3] smbd/process.c:process_smb(1092)
>   Transaction 29 of length 39
> [2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
> [2005/01/14 05:20:15, 3] smbd/process.c:switch_message(887)
>   switch message SMBtdis (pid 8730) conn 0x834b730
> [2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/14 05:20:15, 3] smbd/service.c:close_cnum(836)
>   valkyrie (192.168.88.2) closed connection to service IPC$
> [2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to IPC$
> [2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/14 05:20:15, 3] smbd/process.c:timeout_processing(1337)
>   timeout_processing: End of file from client (client has disconnected).
> [2005/01/14 05:20:15, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2005/01/14 05:20:15, 2] smbd/server.c:exit_server(571)
>   Closing connections
> [2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to
> [2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(76)
> [2005/01/14 05:20:15, 3] smbd/connection.c:yield_connection(76)
>   yield_connection: tdb_delete for name  failed with error Record does not exist.
> [2005/01/14 05:20:15, 3] smbd/server.c:exit_server(614)
>   Server exit (normal exit)
>
>
> from what I can tell it seems to repeat a lot of the process, and the
> NETLOGON part was where it was timed out
>
>
> any help will be great thanks
>
>
>
> Adi
>


