[Samba] Issues after Samba updating a Samba PDC to 3.0.23c

Daniel Bramkamp bramkamp at team-datentechnik.de
Thu Oct 5 09:39:52 GMT 2006


Hi,

last Saturday we reinstalled our fileserver to set up redundancy using
DRBD and Heartbeat. We also upgraded Samba to 3.0.23c, which is acting
as a PDC. We are using OpenLDAP to store accounts.

I populated the OpenLDAP database using an LDIF file that I created on
the old server before shutting it down. I also transferred all Samba
tdb files to the new server. Everything went pretty smoothly. I could
log on to the domain on different terminal servers and workstations. To
make sure things are not coming from some cache I logged on users that
never logged on to a particular terminal server. The terminal server
created a user profile and accessing files was possible. However, on
Monday a user called me up because he could not log on to his
workstation. I removed his computer from the domain. I renamed the
workstation and joined it up to the domain again, which worked
flawlessly as far as I can tell. However, it did not solve the
problem. Yesterday the problem happened again on a different
workstation. I tried the same procedure, again without success. I have
no idea why, but the user who had the problem a day earlier could
log on to the domain again. A bit later the other user was able to
log in as well.

I had a look through the logfiles and found 2 messages that may be a problem:

"ldapsam_getgroup: Did not find group"
"smbldap_open: cannot access LDAP when not root"

Also, when running "pdbedit -L -v username" I get a message about a
SID that cannot be found. That also happens if username is a machine
account. The error message did not appear on the old server.

--- Output pdbedit -L -v administrator ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: administrator
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username:        administrator
NT username:          administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-3718409077-3004042761-2237186970-21000
init_group_from_ldap: Entry found for group: 512
lookup_global_sam_rid: looking up RID 512.
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3718409077-3004042761-2237186970-512] count=0
init_group_from_ldap: Entry found for group: 512
lookup_rids: Domain Admins:2
Primary Group SID:    S-1-5-21-3718409077-3004042761-2237186970-512
Full Name:            Administrator
Home Directory:
HomeDir Drive:        H:
Logon Script:         administrator.bat
Profile Path:
Domain:               STW-GMH
Account desc:         administrator
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Mon, 02 Oct 2006 17:53:12 CEST
Password can change:  Tue, 04 Jul 2006 17:05:04 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

--- Output pdbedit -L -v stw-031$ ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: stw-031$
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username:        stw-031$
NT username:          stw-031$
Account Flags:        [W          ]
User SID:             S-1-5-21-3718409077-3004042761-2237186970-1005
init_group_from_ldap: Entry found for group: 515
lookup_global_sam_rid: looking up RID 515.
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3718409077-3004042761-2237186970-515] count=0
init_group_from_ldap: Entry found for group: 515
lookup_rids: Domain Computers:2
Primary Group SID:    S-1-5-21-3718409077-3004042761-2237186970-515
Full Name:            STW-031$
Home Directory:
HomeDir Drive:
Logon Script:         stw-031_.bat
Profile Path:
Domain:               STW-GMH
Account desc:         Computer
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Wed, 04 Oct 2006 08:56:17 CEST
Password can change:  Wed, 04 Oct 2006 08:56:17 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

--- ---

AFAIK the group mappings should be OK:

Domain Admins (S-1-5-21-3718409077-3004042761-2237186970-512) -> Domain Admins
Domain Users (S-1-5-21-3718409077-3004042761-2237186970-513) -> Domain Users
Domain Guests (S-1-5-21-3718409077-3004042761-2237186970-514) -> Domain Guests
Domain Computers (S-1-5-21-3718409077-3004042761-2237186970-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

According to the Release Notes, changes were made in regard to group
mappings. However, that should only affect access rights to shares,
right?

Any help solving this issue would be much appreciated.

Thanks in advance.
-- 
Daniel Bramkamp
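
Added example, not part of the original post: a post-migration consistency check that reads a group-mapping listing and "pdbedit -L -v" output in the formats quoted above and reports accounts whose Primary Group SID is missing from the mappings or lies outside the account's domain SID. The function names are hypothetical and the sample input is a shortened copy of the values in the post; the check says nothing about the cause of the logon failures.

```python
import re

# Shortened copies of the listings quoted in the post (sample input).
GROUPMAP = """\
Domain Admins (S-1-5-21-3718409077-3004042761-2237186970-512) -> Domain Admins
Domain Computers (S-1-5-21-3718409077-3004042761-2237186970-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
"""
PDBEDIT = """\
Unix username:        administrator
User SID:             S-1-5-21-3718409077-3004042761-2237186970-21000
lookup_global_sam_rid: looking up RID 512.
Primary Group SID:    S-1-5-21-3718409077-3004042761-2237186970-512
Unix username:        stw-031$
User SID:             S-1-5-21-3718409077-3004042761-2237186970-1005
Primary Group SID:    S-1-5-21-3718409077-3004042761-2237186970-515
"""
MAP_RE = re.compile(r"^(.+?) \((S-[\d-]+)\) -> (.+)$")
FIELD_RE = re.compile(r"^(Unix username|User SID|Primary Group SID):\s+(\S+)$")

def parse_groupmap(text):
    """Return {SID: (NT group name, Unix group name)}."""
    matches = (MAP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(2): (m.group(1), m.group(3)) for m in matches if m}

def parse_accounts(text):
    """Collect the three fields per account; debug lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        if m.group(1) == "Unix username":
            accounts.append({"name": m.group(2)})
        elif accounts:
            accounts[-1][m.group(1)] = m.group(2)
    return accounts

def check(accounts, groupmap):
    """Return (account, problem, primary group SID) tuples."""
    findings = []
    for acct in accounts:
        user_sid = acct.get("User SID", "")
        group_sid = acct.get("Primary Group SID", "")
        if group_sid not in groupmap:
            findings.append((acct["name"], "primary group not mapped", group_sid))
        # Everything before the last dash is the domain SID; the rest is the RID.
        if user_sid.rsplit("-", 1)[0] != group_sid.rsplit("-", 1)[0]:
            findings.append((acct["name"], "domain SID mismatch", group_sid))
    return findings
```

For the values quoted in the post, check(parse_accounts(PDBEDIT), parse_groupmap(GROUPMAP)) returns an empty list.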


