[Samba] can join a domain, but users are not able to log in
Chris Hellwig
chris at hellwig-netz.de
Sun Dec 3 09:14:04 GMT 2006
Hi,
I have a samba server which should act as a domain controller. I did not
set up the server by myself.
I can "see" and use the servers shares with windows and linux clients.
Everithing - including the security settings - for the shares works as
expected.
I can join a client to the domain, this works with manual adding the
machine account as well as with the adduser script . I can remove the
client from the domain an rejoin it again....
But if I try to login with a user account from a client it rejects me
with a (german) message
"Das System kann sie nicht bei dieser Domäne anmelden, da das
Computerkonto des Systems in seiner primären Domäne fehlt, oder das
Kennwort für dieses Computerkonto falsch ist."
That measns (more or less) "The system could not log on you the domain
since the machine account of the system is missing in it's private
domain or the password of the machine account is wrong."
Here is what the clients says (loglevel 3)
[2006/11/27 18:28:48, 3] smbd/process.crocess_smb(1091)
Transaction 1 of length 137
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBnegprot (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [LANMAN1.0]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [Windows for Workgroups 3.1a]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [LM1.2X002]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [LANMAN2.1]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [NT LM 0.12]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_nt1(333)
using SPNEGO
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(555)
Selected protocol NT LM 0.12
[2006/11/27 18:28:48, 3] smbd/process.crocess_smb(1091)
Transaction 2 of length 202
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBsesssetupX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 3 6 1 4 1 311 2 2 10
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
Got secblob of size 32
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xe0008297
[2006/11/27 18:28:48, 3] smbd/process.crocess_smb(1091)
Transaction 3 of length 240
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBsesssetupX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
PrimaryDomain=[]
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.cush_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/11/27 18:28:48, 3] smbd/uid.cush_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/11/27 18:28:48, 3] smbd/sec_ctx.cop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[]\[]@[POSEIDON] with the new password interface
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [xxx-xxxxxx]\[]@[POSEIDON]
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded
[2006/11/27 18:28:48, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60008295
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(222)
User name: nobody Real name: nobody
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2006/11/27 18:28:48, 3] smbd/process.crocess_smb(1091)
Transaction 4 of length 78
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBtconX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/service.c:make_connection_snum(479)
Connect path is '/tmp' for service [IPC$]
[2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(251)
[2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is S-1-5-21-500209785-908428947-3421464510-501
se_access_check: also S-1-5-21-500209785-908428947-3421464510-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-500209785-908428947-3421464510-132069
[2006/11/27 18:28:48, 3] smbd/vfs.c:vfs_init_default(206)
Initialising default vfs hooks
[2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
change_to_user: SMB user (unix user nobody, vuid 100) not permitted
access to share IPC$.
[2006/11/27 18:28:48, 0] smbd/service.c:make_connection_snum(577)
Can't become connected user!
[2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/11/27 18:29:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 3] smbd/process.crocess_smb(1091)
Transaction 5 of length 43
[2006/11/27 18:29:56, 3] smbd/process.c:switch_message(886)
switch message SMBulogoffX (pid 472) conn 0x0
[2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 3] smbd/reply.c:reply_ulogoffX(1264)
ulogoffX vuid=100
[2006/11/27 18:29:56, 3] smbd/process.c:timeout_processing(1334)
timeout_processing: End of file from client (client has disconnected).
[2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 2] smbd/server.c:exit_server(609)
Closing connections
[2006/11/27 18:29:56, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/11/27 18:29:56, 3] smbd/server.c:exit_server(652)
Server exit (normal exit)
It looks to my like the client does not send ANY password to the server
"Checking password for unmapped user []\[]@[POSEIDON] with the new
password interface"
Silly enough: I WAS able to login to the domain a few weeks ago.... But
I don't know what happens since then.
The sbm.conf:
# Global parameters
[global]
log file = /var/log/samba/log.%m
protocol = NT1
smb passwd file = /etc/samba/smbpasswd
ldap ssl = no
client signing = auto
client schannel = auto
username map = /etc/samba/user.map
domain master = Yes
time server = Yes
encrypt passwords = yes
keepalive = 0
passwd program = /usr/bin/passwd %u
wins support = true
netbios name = XXXX
server string = XXXXXXXXXX
writeable = yes
logon script = logon.bat
workgroup = XXX-XXXXX
logon path = \\%L\profiles\%u
os level = 34
server signing = off
valid users = @users
syslog = 5
security = user
panic action = /usr/share/samba/panic-action %d
add machine script = /usr/sbin/useradd -g computers -c Client -d
/dev/null -s /bin/false %u
server schannel = auto
log level = 5
domain logons = Yes
pam password change = Yes
[netlogon]
profile acls = Yes
browseable = No
writeable = no
path = /etc/samba/netlogon
write list = ntadmins
comment = Logonscripte
[profiles]
path = /data/profiles
write list = @users
force group = users
comment = Das Verzeichnis mit den Nutzerprofilen
valid users = @users
create mode = 0777
directory mode = 775
[homes]
create mask = 0600
browseable = no
comment = Nutzerverzeichnis
path = /home/%u
[printers]
comment = Alle Drucker
browseable = no
printable = yes
public = yes
path = /home/guest
use client driver = Yes
Any help available?
Chris
More information about the samba
mailing list