[Samba] PDC problem
Guillaume
silencer at free-4ever.net
Wed Aug 2 12:37:40 GMT 2006
Marian Neagul wrote:
> Guillaume wrote:
>> Marian Neagul wrote:
>>> Hello,
>>>
>>> I have a problem with a LDAP backed based Samba PDC.
>>> Last week, due an hardware problem, I lost my primary LDAP server
>>> and PDC. I reinstalled the LDAP server and populated it with the old
>>> data, I also reinstalled Samba.
>>> The problem is that I can't log in to samba as root
>>> (cn=root,dc=info,dc=uvt,dc=ro). All others user accounts ar working
>>> except root.
>>> Eg.:
>>> `smbclient -U root //blue/` says: "session setup failed:
>>> NT_STATUS_UNSUCCESSFUL"
>>> The machine accounts and the other user accounts are working
>>> correctly but I can't join new machines using the root account.
>>> I want to mention that my Samba server is a production server with
>>> ~100 simultaneous users (2000 User accounts in LDAP).
>>>
>>> We use Samba 3.0.22 and openldap 2.3.
>>>
>>> My smb.conf file is (the comments are in romanian :) ):
>>> #==================== Setari globale ===================
>>> [global]
>>> ; Numele domeniului
>>> workgroup = Terra
>>> ; Numele serverului vizibil din retea
>>> netbios name = BLUE
>>> ; Descrierea serverului: NT Description
>>> server string = Free Windows V1.2a
>>>
>>>
>>> ;===== Setari legate de jurnal!
>>> ; Tin un log separat pentru fiecare masina in parte
>>> log file = /var/log/samba/log.%m
>>> ; Dimensiunea maxima a fisierului de jurnal (in Kilo)
>>> max log size = 2048
>>> ; Nivelul de jurnalizare
>>> log level = 6
>>>
>>>
>>> ;===== Securitate
>>> ; Clientii care au voie sa se conecteze
>>> hosts allow = 194.102.62. 10.10.10. 127.
>>> ; Modelul de securitate
>>> security = user
>>> ; Daca criptez sau nu parolele
>>> encrypt passwords = yes
>>> ; Chestiuni legate de socketuri
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> ; Interfetele pe care asculta samba
>>> interfaces = lo eth0 eth0:1 eth0:2
>>> ; Ne limitam doar la aceste interfete si ignoram restul
>>> bind interfaces only = yes
>>> ; Chestiuni referitoare la parole
>>> ;password level = 12
>>> ;username level = 12
>>> ; Incercam sa sincronizam parola de windows cu cea de UNIX
>>> unix password sync = Yes
>>> pam password change = yes
>>>
>>> ; Fisierele de configurare per masina
>>> ; Decomenteaza daca ai nevoie
>>> # include = /etc/samba/smb.conf.%m
>>> ; Cum procedam cu parolele :
>>> ; Parole vide
>>> null passwords = no
>>> ; Fisierele ascunse.
>>> hide unreadable = yes
>>> hide dot files = yes
>>> ; Contul `oaspete'. Momentan nu i-am setat parola ci doar shell
>>> ca /bin/false
>>> guest account = pdcguest
>>>
>>> ;======= PDC
>>> ; Samba este master browser in domeniu
>>> local master = yes
>>> ; Precedenta serverului in alegeri
>>> os level = 65
>>> ; Samba este master de domeniu
>>> domain master = yes
>>> ; Samba forteaza alegerile si aproape sigur le castiga
>>> preferred master = yes
>>> ; Il face pe samba PDC
>>> domain logons = yes
>>>
>>> ; Drive-ul de logon
>>> logon drive = H:
>>>
>>>
>>> ;======== WINS - Rezolutia de nume
>>> ; Activez suportul pentru WINS
>>> wins support = yes
>>> ; Ordinea in care rezolv numele
>>> name resolve order = wins lmhosts host bcast
>>> ; Samba nu se comporta ca un proxy DNS
>>> dns proxy = no
>>>
>>>
>>> ;======== TIME - Server de timp
>>> ; Samba se comporta ca un server de `timp`
>>> time server = yes
>>>
>>>
>>> ;======== USER Management - Foloseste scripturile de la IDEALX
>>> add user script = /usr/sbin/smbldap-useradd -m "%u" set
>>> primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>>
>>> ;========LDAP
>>> ; Serverul de LDAP
>>> passdb backend = ldapsam:ldap://127.0.0.1/
>>> ; Daca sterg DN-ul sterg tot (Yes) sau doar atributele lui Samba
>>> (No)
>>> ldap delete dn = Yes
>>> ; Toate informatiile sunt tinute in LDAP - Atnetie trebuie
>>> testat
>>> ldapsam:trusted = yes
>>> ; Conectarea la director nu se face criptat
>>> ldap ssl = no
>>> ; Sufixul nostru
>>> ldap suffix = dc=info,dc=uvt,dc=ro
>>> ; Administratorul
>>> ldap admin dn = cn=root,dc=info,dc=uvt,dc=ro
>>> ; Sufixul pentru grupuri
>>> ldap group suffix = ou=Groups
>>> ; Sufixul pentry utilizatori
>>> ldap user suffix = ou=Users
>>> ; Sufixul pentru Masini
>>> ldap machine suffix = ou=Computers
>>> ; Sufixul pentru Idmap
>>> ldap idmap suffix = ou=Idmap
>>>
>>> ; Mapare de id-uri
>>> idmap gid = 40000-50000
>>> idmap uid = 40000-50000
>>>
>>> ;=========================== SHARE
>>>
>>> ; In acest share se gaseste profilul implicit si scriptul de logon
>>> [netlogon]
>>> path = /var/lib/samba/netlogon
>>> guest ok = Yes
>>> browseable = no
>>> write list = root
>>>
>>> ; In acest share se gasesc profilele
>>> [profiles]
>>> ; Atentie trebuie modificata calea
>>> path = /home/%U
>>> browseable = no
>>> valid users = %S
>>> read only = no
>>> create mask = 0664
>>> directory mask = 0775
>>>
>>> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u"
>>> "%g"
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x
>>> "%u" "%g"
>>>
>>>
>>>
>>>
>>> Do you have a sugestion related to this problem?
>>>
>>> Marian Neagul
>>>
>>
>> Hi,
>>
>> Did you had the ldap root password in the samba config with the
>> command smbpasswd -w 'ldap root passwd' ???
>>
>> It should be the problem...
>>
>> Regards
>> Guillaume
>>
>>
> I get the same error: "session setup failed: NT_STATUS_UNSUCCESSFUL"
>
> The error log:
>
>
> [2006/08/02 15:23:53, 6] param/loadparm.c:lp_file_list_changed(2947)
> lp_file_list_changed()
> file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue
> Aug 1 13:54:33 2006
>
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info_map(163)
> make_user_info_map: Mapping user [TERRA]\[root] from workstation [BLUE]
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
> NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] auth/auth_util.c:is_trusted_domain(1665)
> is_trusted_domain: Checking for domain trust with [TERRA]
> [2006/08/02 15:23:53, 5]
> passdb/secrets.c:secrets_fetch_trusted_domain_password(337)
> secrets_fetch failed!
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
> no entry for trusted domain TERRA found.
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(69)
> attempting to make a user_info for root (root)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(79)
> making strings for root's user_info struct
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(121)
> making blobs for root's user_info struct
> [2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(219)
> check_ntlm_password: Checking password for unmapped user
> [TERRA]\[root]@[BLUE] with the new password interface
> [2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(222)
> check_ntlm_password: mapped user is: [TERRA]\[root]@[BLUE]
> [2006/08/02 15:23:53, 5] lib/util.c:dump_data(2058)
> [000] 58 1C F4 6C 99 CE 29 41 X..l..)A
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
> NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
> smbldap_search_ext: base => [dc=info,dc=uvt,dc=ro], filter =>
> [(&(uid=root)(objectclass=sambaSamAccount))], scope => [2]
> [2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_close(989)
> The connection to the LDAP server was closed
> [2006/08/02 15:23:53, 2] lib/smbldap.c:smbldap_open_connection(722)
> smbldap_open_connection: connection opened
> [2006/08/02 15:23:53, 3] lib/smbldap.c:smbldap_connect_system(905)
> ldap_connect_system: succesful connection to the LDAP server
> [2006/08/02 15:23:53, 4] lib/smbldap.c:smbldap_open(969)
> The LDAP server is succesfully connected
> [2006/08/02 15:23:53, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
> init_sam_from_ldap: Entry found for user: root
> [2006/08/02 15:23:53, 4] lib/substitute.c:automount_server(359)
> Home server: blue
> [2006/08/02 15:23:53, 4] lib/substitute.c:automount_server(359)
> Home server: blue
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 4] libsmb/ntlm_check.c:ntlm_password_check(326)
> ntlm_password_check: Checking NT MD4 password
> [2006/08/02 15:23:53, 4] auth/auth_sam.c:sam_account_ok(123)
> sam_account_ok: Checking SMB password for user root
> [2006/08/02 15:23:53, 5] auth/auth_sam.c:logon_hours_ok(105)
> logon_hours_ok: user root allowed to logon at this time (Wed Aug 2
> 15:23:53 2006
> )
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
> NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
> smbldap_search_ext: base => [ou=Groups,dc=info,dc=uvt,dc=ro], filter
> => [(&(objectClass=posixGroup)(|(memberUid=root)(gidNumber=0)))], scope
> => [2]
> [2006/08/02 15:23:53, 3]
> passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2711)
> primary group of [root] not found
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 4] auth/auth_util.c:add_user_groups(832)
> get_user_groups_from_local_sam failed
> [2006/08/02 15:23:53, 5] auth/auth_util.c:free_server_info(1511)
> attempting to free (and zero) a server_info structure
> [2006/08/02 15:23:53, 5] auth/auth_util.c:free_server_info(1511)
> attempting to free (and zero) a server_info structure
> [2006/08/02 15:23:53, 0] auth/auth_sam.c:check_sam_security(331)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_UNSUCCESSFUL'
> *[2006/08/02 15:23:53, 5] auth/auth.c:check_ntlm_password(271)
> check_ntlm_password: sam authentication for user [root] FAILED with
> error NT_STATUS_UNSUCCESSFUL*
> [2006/08/02 15:23:53, 3] auth/auth_winbind.c:check_winbind_security(80)
> check_winbind_security: Not using winbind, requested domain [TERRA]
> was for this SAM.
> *[2006/08/02 15:23:53, 2] auth/auth.c:check_ntlm_password(317)
> check_ntlm_password: Authentication for user [root] -> [root] FAILED
> with error NT_STATUS_UNSUCCESSFUL*
> [2006/08/02 15:23:53, 5] auth/auth_util.c:free_user_info(1485)
> attempting to free (and zero) a user_info structure
> [2006/08/02 15:23:53, 5] lib/util.c:show_msg(454)
> [2006/08/02 15:23:53, 5] lib/util.c:show_msg(464)
> size=100
> smb_com=0x73
> smb_rcls=1
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51201
> smb_tid=0
> smb_pid=19222
> smb_uid=100
> smb_mid=3
> smt_wct=4
> smb_vwv[ 0]= 255 (0xFF)
> smb_vwv[ 1]= 0 (0x0)
> smb_vwv[ 2]= 0 (0x0)
> smb_vwv[ 3]= 9 (0x9)
> smb_bcc=57
> [2006/08/02 15:23:53, 3] smbd/process.c:timeout_processing(1447)
> timeout_processing: End of file from client (client has disconnected).
> [2006/08/02 15:23:53, 5] lib/gencache.c:gencache_shutdown(89)
> Closing cache file
> [2006/08/02 15:23:53, 5] libsmb/namecache.c:namecache_shutdown(79)
> namecache_shutdown: netbios namecache closed successfully.
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
> NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] smbd/uid.c:change_to_root_user(324)
> change_to_root_user: now uid=(0,0) gid=(0,0)
> [2006/08/02 15:23:53, 2] smbd/server.c:exit_server(614)
> Closing connections
> [2006/08/02 15:23:53, 3] smbd/connection.c:yield_connection(69)
> Yielding connection to
> [2006/08/02 15:23:53, 3] smbd/server.c:exit_server(655)
> Server exit (normal exit)
>
Please post to the list, not to me directly, I'm reading the list !
Are you sure you restore all datas from the LDAP directory ?
The problem should be your root account is not a samba account.... or
not an ldap account...
Guillaume
--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
More information about the samba
mailing list