[Samba] can join a domain, but users are not able to log in
Chris Hellwig
chris at hellwig-netz.de
Sun Dec 3 10:16:42 GMT 2006
Imran K wrote:
> Seems to me like the machine is not sending any machine name to the
> server.
No, I don't think so
- the attached log file is the client's log (log.clientname)
- in that log file one can find "Checking password for unmapped user
[]\[]@[POSEIDON] with the new password interface" where poseidon is the
client's name.
But there is nothing in the log file which points to a user's name.
Chris
>
> On 12/3/06, *Chris Hellwig* <chris at hellwig-netz.de
> <mailto:chris at hellwig-netz.de>> wrote:
>
> Hi,
>
> I have a samba server which should act as a domain controller. I
> did not
> set up the server by myself.
>
> I can "see" and use the server's shares with windows and linux clients.
> Everything - including the security settings - for the shares works as
> expected.
>
> I can join a client to the domain, this works with manually adding the
> machine account as well as with the adduser script. I can remove the
> client from the domain and rejoin it again....
>
> But if I try to log in with a user account from a client it rejects me
> with a (German) message
> "Das System kann sie nicht bei dieser Domäne anmelden, da das
> Computerkonto des Systems in seiner primären Domäne fehlt, oder das
> Kennwort für dieses Computerkonto falsch ist."
>
> That means (more or less) "The system could not log you on to the
> domain
> since the machine account of the system is missing in its private
> domain or the password of the machine account is wrong."
>
> Here is what the client says (loglevel 3)
>
> [2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
> Transaction 1 of length 137
> [2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
> switch message SMBnegprot (pid 472) conn 0x0
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
> Requested protocol [LANMAN1.0]
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
> Requested protocol [Windows for Workgroups 3.1a]
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
> Requested protocol [LM1.2X002]
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
> Requested protocol [ LANMAN2.1]
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
> Requested protocol [NT LM 0.12]
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_nt1(333)
> using SPNEGO
> [2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(555)
> Selected protocol NT LM 0.12
> [2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
> Transaction 2 of length 202
> [2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
> switch message SMBsesssetupX (pid 472) conn 0x0
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
> wct=12 flg2=0xc807
> [2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2006/11/27 18:28:48, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
> Doing spnego session setup
> [2006/11/27 18:28:48, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
> NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> PrimaryDomain=[]
> [2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> Got OID 1 3 6 1 4 1 311 2 2 10
> [2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
> Got secblob of size 32
> [2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0xe0008297
> [2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
> Transaction 3 of length 240
> [2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
> switch message SMBsesssetupX (pid 472) conn 0x0
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
> wct=12 flg2=0xc807
> [2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2006/11/27 18:28:48, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
> Doing spnego session setup
> [2006/11/27 18:28:48, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
> NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0]
> PrimaryDomain=[]
> [2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
> Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:push_sec_ctx(256)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2006/11/27 18:28:48, 3] smbd/uid.c:push_conn_ctx(365)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(219)
> check_ntlm_password: Checking password for unmapped user
> []\[]@[POSEIDON] with the new password interface
> [2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(222)
> check_ntlm_password: mapped user is: [xxx-xxxxxx]\[]@[POSEIDON]
> [2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(268)
> check_ntlm_password: guest authentication for user [] succeeded
> [2006/11/27 18:28:48, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
> NTLMSSP Sign/Seal - Initialising with flags:
> [2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
> Got NTLMSSP neg_flags=0x60008295
> [2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(222)
> User name: nobody Real name: nobody
> [2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
> UNIX uid 65534 is UNIX user nobody, and will be vuid 100
> [2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
> Transaction 4 of length 78
> [2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
> switch message SMBtconX (pid 472) conn 0x0
> [2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:28:48, 3] smbd/service.c:make_connection_snum(479)
> Connect path is '/tmp' for service [IPC$]
> [2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(251)
> [2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(252)
> se_access_check: user sid is
> S-1-5-21-500209785-908428947-3421464510-501
> se_access_check: also S-1-5-21-500209785-908428947-3421464510-514
> se_access_check: also S-1-1-0
> se_access_check: also S-1-5-2
> se_access_check: also S-1-5-32-546
> se_access_check: also S-1-5-21-500209785-908428947-3421464510-132069
> [2006/11/27 18:28:48, 3] smbd/vfs.c:vfs_init_default(206)
> Initialising default vfs hooks
> [2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
> change_to_user: SMB user (unix user nobody, vuid 100) not permitted
> access to share IPC$.
> [2006/11/27 18:28:48, 0] smbd/service.c:make_connection_snum(577)
> Can't become connected user!
> [2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
> error packet at smbd/reply.c(415) cmd=117 (SMBtconX)
> NT_STATUS_LOGON_FAILURE
> [2006/11/27 18:29:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:29:56, 3] smbd/process.c:process_smb(1091)
> Transaction 5 of length 43
> [2006/11/27 18:29:56, 3] smbd/process.c:switch_message(886)
> switch message SMBulogoffX (pid 472) conn 0x0
> [2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:29:56, 3] smbd/reply.c:reply_ulogoffX(1264)
> ulogoffX vuid=100
> [2006/11/27 18:29:56, 3] smbd/process.c:timeout_processing(1334)
> timeout_processing: End of file from client (client has disconnected).
> [2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/11/27 18:29:56, 2] smbd/server.c:exit_server(609)
> Closing connections
> [2006/11/27 18:29:56, 3] smbd/connection.c:yield_connection(69)
> Yielding connection to
> [2006/11/27 18:29:56, 3] smbd/server.c:exit_server(652)
> Server exit (normal exit)
>
>
> It looks to me like the client does not send ANY password to the
> server
> "Checking password for unmapped user []\[]@[POSEIDON] with the new
> password interface"
>
>
> Silly enough: I WAS able to log in to the domain a few weeks
> ago.... But
> I don't know what happened since then.
>
>
>
> The smb.conf:
>
> # Global parameters
> [global]
> log file = /var/log/samba/log.%m
> protocol = NT1
> smb passwd file = /etc/samba/smbpasswd
> ldap ssl = no
> client signing = auto
> client schannel = auto
> username map = /etc/samba/user.map
> domain master = Yes
> time server = Yes
> encrypt passwords = yes
> keepalive = 0
> passwd program = /usr/bin/passwd %u
> wins support = true
> netbios name = XXXX
> server string = XXXXXXXXXX
> writeable = yes
> logon script = logon.bat
> workgroup = XXX-XXXXX
> logon path = \\%L\profiles\%u
> os level = 34
> server signing = off
> valid users = @users
> syslog = 5
> security = user
> panic action = /usr/share/samba/panic-action %d
> add machine script = /usr/sbin/useradd -g computers -c Client -d
> /dev/null -s /bin/false %u
> server schannel = auto
> log level = 5
> domain logons = Yes
> pam password change = Yes
>
> [netlogon]
> profile acls = Yes
> browseable = No
> writeable = no
> path = /etc/samba/netlogon
> write list = ntadmins
> comment = Logonscripte
>
> [profiles]
> path = /data/profiles
> write list = @users
> force group = users
> comment = Das Verzeichnis mit den Nutzerprofilen
> valid users = @users
> create mode = 0777
> directory mode = 775
>
> [homes]
> create mask = 0600
> browseable = no
> comment = Nutzerverzeichnis
> path = /home/%u
>
> [printers]
> comment = Alle Drucker
> browseable = no
> printable = yes
> public = yes
> path = /home/guest
> use client driver = Yes
>
> Any help available?
>
> Chris
>
> --
> IK
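
Added example (not part of the original thread and not Samba code): a triage script for smbd logs like the one quoted above. It pairs each `ntlmssp_server_auth` identity with the guest mapping, share denial and error status that follow it, and reports session setups that arrived with an empty user name. The sample lines are records from the quoted log, re-laid in smbd's header-plus-message layout; the function and field names are this example's own.

```python
import re

# Constructed sample: records taken from the log quoted in this thread, laid
# out as smbd writes them (header line, then an indented message line).
SAMPLE = """\
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
  UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share IPC$.
[2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
"""

TS = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+\d+\]")
AUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
VUID = re.compile(r"is UNIX user (\S+), and will be vuid (\d+)")
DENY = re.compile(r"\(unix user (\S+), vuid \d+\) not permitted access to share (\S+?)\.?$")
ERR = re.compile(r"error packet at .*?\((SMB\w+)\)\s+(NT_STATUS_\w+)")

def sessions(text):
    """Pair each NTLMSSP session setup with what smbd did with it afterwards."""
    out, ts = [], None
    for line in text.splitlines():
        if (m := TS.match(line)):
            ts = m[1]                      # remember the timestamp of this record
        elif (m := AUTH.search(line)):
            out.append({"time": ts, "user": m[1], "domain": m[2], "workstation": m[3],
                        "guest": False, "unix_user": None, "denied": [], "errors": []})
        elif not out:
            continue                       # no session setup seen yet
        elif "guest authentication for user" in line and "succeeded" in line:
            out[-1]["guest"] = True
        elif (m := VUID.search(line)):
            out[-1]["unix_user"] = m[1]
        elif (m := DENY.search(line)):
            out[-1]["denied"].append(m[2])
        elif (m := ERR.search(line)):
            out[-1]["errors"].append((m[1], m[2]))
    return out

def anonymous_guest_failures(text):
    """Sessions with an empty user name that fell back to guest and then failed."""
    return [s for s in sessions(text)
            if s["user"] == "" and s["guest"] and (s["denied"] or s["errors"])]
```
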