[Samba] PDC problem

Guillaume silencer at free-4ever.net
Wed Aug 2 12:37:40 GMT 2006


Marian Neagul wrote:
> Guillaume wrote:
>> Marian Neagul wrote:
>>> Hello,
>>>
>>>     I have a problem with an LDAP-backed Samba PDC.
>>>     Last week, due to a hardware problem, I lost my primary LDAP server
>>> and PDC. I reinstalled the LDAP server and populated it with the old
>>> data, I also reinstalled Samba.
>>>     The problem is that I can't log in to samba as root
>>> (cn=root,dc=info,dc=uvt,dc=ro). All other user accounts are working
>>> except root.
>>>      Eg.:
>>>        `smbclient -U root //blue/` says: "session setup failed:
>>> NT_STATUS_UNSUCCESSFUL"
>>>        The machine accounts and the other user accounts are working
>>> correctly but I can't join new machines using the root account.
>>>     I want to mention that my Samba server is a production server with
>>> ~100 simultaneous users (2000 User accounts in LDAP).
>>>
>>>     We use Samba 3.0.22 and openldap 2.3.
>>>
>>>     My smb.conf file is (the comments are in Romanian :) ):
>>>        #==================== Global settings ===================
>>> [global]
>>>         ; Domain name
>>>         workgroup = Terra
>>>         ; Server name as seen on the network
>>>         netbios name = BLUE
>>>         ; Server description: NT Description
>>>         server string = Free Windows V1.2a
>>>
>>>
>>>         ;===== Logging settings!
>>>         ; Keep a separate log for each machine
>>>         log file = /var/log/samba/log.%m
>>>         ; Maximum log file size (in KB)
>>>         max log size = 2048
>>>         ; Log level
>>>         log level = 6
>>>
>>>
>>>         ;===== Security
>>>         ; Clients allowed to connect
>>>         hosts allow = 194.102.62. 10.10.10. 127.
>>>         ; Security model
>>>         security = user
>>>         ; Whether or not to encrypt passwords
>>>         encrypt passwords = yes
>>>         ; Socket-related settings
>>>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>         ; Interfaces Samba listens on
>>>         interfaces = lo eth0 eth0:1 eth0:2
>>>         ; Restrict to these interfaces only and ignore the rest
>>>         bind interfaces only = yes
>>>         ; Password-related settings
>>>         ;password level = 12
>>>         ;username level = 12
>>>         ; Try to synchronize the Windows password with the UNIX one
>>>         unix password sync = Yes
>>>         pam password change = yes
>>>
>>>         ; Per-machine configuration files
>>>         ; Uncomment if needed
>>>         # include = /etc/samba/smb.conf.%m
>>>         ; How we handle passwords:
>>>         ; Empty passwords
>>>         null passwords = no
>>>         ; Hidden files.
>>>         hide unreadable = yes
>>>         hide dot files = yes
>>>         ; The guest account. For now I have not set a password for it, only its shell to /bin/false
>>>         guest account = pdcguest
>>>
>>>         ;======= PDC
>>>         ; Samba is the master browser in the domain
>>>         local master = yes
>>>         ; Server precedence in elections
>>>         os level = 65
>>>         ; Samba is the domain master
>>>         domain master = yes
>>>         ; Samba forces elections and almost certainly wins them
>>>         preferred master = yes
>>>         ; Makes Samba a PDC
>>>         domain logons = yes
>>>
>>>         ; Logon drive
>>>         logon drive = H:
>>>
>>>
>>>         ;======== WINS - Name resolution
>>>         ; Enable WINS support
>>>         wins support = yes
>>>         ; Name resolution order
>>>         name resolve order = wins lmhosts host bcast
>>>         ; Samba does not act as a DNS proxy
>>>         dns proxy = no
>>>
>>>
>>>         ;======== TIME - Time server
>>>         ; Samba acts as a time server
>>>         time server = yes
>>>
>>>
>>>         ;======== USER Management - Uses the IDEALX scripts
>>>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>>>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>>
>>>         ;========LDAP
>>>         ; LDAP server
>>>         passdb backend = ldapsam:ldap://127.0.0.1/
>>>         ; When deleting the DN, delete everything (Yes) or only the Samba attributes (No)
>>>         ldap delete dn = Yes
>>>         ; All information is kept in LDAP - Warning: needs testing
>>>         ldapsam:trusted = yes
>>>         ; The connection to the directory is not encrypted
>>>         ldap ssl = no
>>>         ; Our suffix
>>>         ldap suffix = dc=info,dc=uvt,dc=ro
>>>         ; The administrator
>>>         ldap admin dn = cn=root,dc=info,dc=uvt,dc=ro
>>>         ; Suffix for groups
>>>         ldap group suffix = ou=Groups
>>>         ; Suffix for users
>>>         ldap user suffix = ou=Users
>>>         ; Suffix for machines
>>>         ldap machine suffix = ou=Computers
>>>         ; Suffix for idmap
>>>         ldap idmap suffix = ou=Idmap
>>>
>>>         ; ID mapping
>>>         idmap gid = 40000-50000
>>>         idmap uid = 40000-50000
>>>
>>> ;=========================== SHARE
>>>
>>> ; This share holds the default profile and the logon script
>>> [netlogon]
>>>         path = /var/lib/samba/netlogon
>>>         guest ok = Yes
>>>         browseable = no
>>>         write list = root
>>>
>>> ; This share holds the profiles
>>> [profiles]
>>>         ; Warning: the path must be changed
>>>         path = /home/%U
>>>         browseable = no
>>>         valid users = %S
>>>         read only = no
>>>         create mask = 0664
>>>         directory mask = 0775
>>>
>>>         add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>>
>>>
>>>
>>>
>>> Do you have a suggestion related to this problem?
>>>
>>> Marian Neagul
>>>
>>
>> Hi,
>>
>> Did you add the ldap root password in the samba config with the
>> command smbpasswd -w 'ldap root passwd'?
>>
>> It should be the problem...
>>
>> Regards
>> Guillaume
>>
>>
> I get the same error: "session setup failed: NT_STATUS_UNSUCCESSFUL"
> 
> The error log:
> 
> 
> [2006/08/02 15:23:53, 6] param/loadparm.c:lp_file_list_changed(2947)
>   lp_file_list_changed()
>   file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Tue 
> Aug  1 13:54:33 2006
> 
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info_map(163)
>   make_user_info_map: Mapping user [TERRA]\[root] from workstation [BLUE]
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
>   NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] auth/auth_util.c:is_trusted_domain(1665)
>   is_trusted_domain: Checking for domain trust with [TERRA]
> [2006/08/02 15:23:53, 5] 
> passdb/secrets.c:secrets_fetch_trusted_domain_password(337)
>   secrets_fetch failed!
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
>   no entry for trusted domain TERRA found.
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(69)
>   attempting to make a user_info for root (root)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(79)
>   making strings for root's user_info struct
> [2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(121)
>   making blobs for root's user_info struct
> [2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password:  Checking password for unmapped user 
> [TERRA]\[root]@[BLUE] with the new password interface
> [2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password:  mapped user is: [TERRA]\[root]@[BLUE]
> [2006/08/02 15:23:53, 5] lib/util.c:dump_data(2058)
>   [000] 58 1C F4 6C 99 CE 29 41                           X..l..)A
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
>   NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
>   smbldap_search_ext: base => [dc=info,dc=uvt,dc=ro], filter => 
> [(&(uid=root)(objectclass=sambaSamAccount))], scope => [2]
> [2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_close(989)
>   The connection to the LDAP server was closed
> [2006/08/02 15:23:53, 2] lib/smbldap.c:smbldap_open_connection(722)
>   smbldap_open_connection: connection opened
> [2006/08/02 15:23:53, 3] lib/smbldap.c:smbldap_connect_system(905)
>   ldap_connect_system: succesful connection to the LDAP server
> [2006/08/02 15:23:53, 4] lib/smbldap.c:smbldap_open(969)
>   The LDAP server is succesfully connected
> [2006/08/02 15:23:53, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
>   init_sam_from_ldap: Entry found for user: root
> [2006/08/02 15:23:53, 4] lib/substitute.c:automount_server(359)
>   Home server: blue
> [2006/08/02 15:23:53, 4] lib/substitute.c:automount_server(359)
>   Home server: blue
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 4] libsmb/ntlm_check.c:ntlm_password_check(326)
>   ntlm_password_check: Checking NT MD4 password
> [2006/08/02 15:23:53, 4] auth/auth_sam.c:sam_account_ok(123)
>   sam_account_ok: Checking SMB password for user root
> [2006/08/02 15:23:53, 5] auth/auth_sam.c:logon_hours_ok(105)
>   logon_hours_ok: user root allowed to logon at this time (Wed Aug  2 
> 15:23:53 2006
>   )
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
>   NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
>   smbldap_search_ext: base => [ou=Groups,dc=info,dc=uvt,dc=ro], filter 
> => [(&(objectClass=posixGroup)(|(memberUid=root)(gidNumber=0)))], scope 
> => [2]
> [2006/08/02 15:23:53, 3] 
> passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2711)
>   primary group of [root] not found
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 4] auth/auth_util.c:add_user_groups(832)
>   get_user_groups_from_local_sam failed
> [2006/08/02 15:23:53, 5] auth/auth_util.c:free_server_info(1511)
>   attempting to free (and zero) a server_info structure
> [2006/08/02 15:23:53, 5] auth/auth_util.c:free_server_info(1511)
>   attempting to free (and zero) a server_info structure
> [2006/08/02 15:23:53, 0] auth/auth_sam.c:check_sam_security(331)
>   check_sam_security: make_server_info_sam() failed with 
> 'NT_STATUS_UNSUCCESSFUL'
> *[2006/08/02 15:23:53, 5] auth/auth.c:check_ntlm_password(271)
>   check_ntlm_password: sam authentication for user [root] FAILED with 
> error NT_STATUS_UNSUCCESSFUL*
> [2006/08/02 15:23:53, 3] auth/auth_winbind.c:check_winbind_security(80)
>   check_winbind_security: Not using winbind, requested domain [TERRA] 
> was for this SAM.
> *[2006/08/02 15:23:53, 2] auth/auth.c:check_ntlm_password(317)
>   check_ntlm_password:  Authentication for user [root] -> [root] FAILED 
> with error NT_STATUS_UNSUCCESSFUL*
> [2006/08/02 15:23:53, 5] auth/auth_util.c:free_user_info(1485)
>   attempting to free (and zero) a user_info structure
> [2006/08/02 15:23:53, 5] lib/util.c:show_msg(454)
> [2006/08/02 15:23:53, 5] lib/util.c:show_msg(464)
>   size=100
>   smb_com=0x73
>   smb_rcls=1
>   smb_reh=0
>   smb_err=49152
>   smb_flg=136
>   smb_flg2=51201
>   smb_tid=0
>   smb_pid=19222
>   smb_uid=100
>   smb_mid=3
>   smt_wct=4
>   smb_vwv[ 0]=  255 (0xFF)
>   smb_vwv[ 1]=    0 (0x0)
>   smb_vwv[ 2]=    0 (0x0)
>   smb_vwv[ 3]=    9 (0x9)
>   smb_bcc=57
> [2006/08/02 15:23:53, 3] smbd/process.c:timeout_processing(1447)
>   timeout_processing: End of file from client (client has disconnected).
> [2006/08/02 15:23:53, 5] lib/gencache.c:gencache_shutdown(89)
>   Closing cache file
> [2006/08/02 15:23:53, 5] libsmb/namecache.c:namecache_shutdown(79)
>   namecache_shutdown: netbios namecache closed successfully.
> [2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
>   NT user token: (NULL)
> [2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2006/08/02 15:23:53, 5] smbd/uid.c:change_to_root_user(324)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2006/08/02 15:23:53, 2] smbd/server.c:exit_server(614)
>   Closing connections
> [2006/08/02 15:23:53, 3] smbd/connection.c:yield_connection(69)
>   Yielding connection to
> [2006/08/02 15:23:53, 3] smbd/server.c:exit_server(655)
>   Server exit (normal exit)
> 

Please post to the list, not to me directly, I'm reading the list!

Are you sure you restored all the data from the LDAP directory?
The problem should be your root account is not a samba account... or
not an ldap account...

Guillaume


-- 
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
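
Added example (not part of the original thread and not Samba code): a small Python parser for smbd debug output like the log quoted above. It strips e-mail quote markers, rejoins lines the mailer wrapped, and lists the records that report a failure in the order they were logged. The sample lines are constructed from the shape of the quoted log, and the names `parse_records` and `failure_chain` are illustrative.

```python
import re

# Constructed sample: records shaped like the quoted smbd log, mailer line wraps included.
SAMPLE_LOG = """\
[2006/08/02 15:23:53, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: root
[2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
  smbldap_search_ext: base => [ou=Groups,dc=info,dc=uvt,dc=ro], filter
=> [(&(objectClass=posixGroup)(|(memberUid=root)(gidNumber=0)))], scope
=> [2]
[2006/08/02 15:23:53, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2711)
  primary group of [root] not found
[2006/08/02 15:23:53, 4] auth/auth_util.c:add_user_groups(832)
  get_user_groups_from_local_sam failed
[2006/08/02 15:23:53, 0] auth/auth_sam.c:check_sam_security(331)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
"""

HEADER = re.compile(r"^\*?\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, +(\d+)\]\s*(.*)$")
SOURCE = re.compile(r"^\S+\.c:(\w+)\(\d+\)$")
FAILURE = re.compile(r"not found|fail", re.IGNORECASE)

def parse_records(text):
    """Split smbd debug output into records, rejoining mailer-wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(> ?)+", "", raw).strip()  # drop e-mail quote markers
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m.group(1)), "source": m.group(2), "msg": ""})
        elif records and not records[-1]["source"] and SOURCE.match(line):
            records[-1]["source"] = line  # header wrapped onto the next line
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.rstrip("*")).strip()
    return records

def failure_chain(records):
    """Return (function, message) for each record whose message reports a failure."""
    return [(SOURCE.match(r["source"]).group(1), r["msg"])
            for r in records
            if FAILURE.search(r["msg"]) and SOURCE.match(r["source"])]

if __name__ == "__main__":
    for func, msg in failure_chain(parse_records(SAMPLE_LOG)):
        print(f"{func}: {msg}")
```

On the constructed sample the chain starts at `ldapsam_enum_group_memberships: primary group of [root] not found`, the record logged right after the `posixGroup` search for `gidNumber=0`.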

