[Samba] Issues after Samba updating a Samba PDC to 3.0.23c
Daniel Bramkamp
bramkamp at team-datentechnik.de
Thu Oct 5 09:39:52 GMT 2006
Hi,

last Saturday we reinstalled our fileserver to set up redundancy using
DRBD and Heartbeat. We also upgraded Samba to 3.0.23c, which is acting
as a PDC. We are using OpenLDAP to store accounts.

I populated the OpenLDAP database using an LDIF file that I created on
the old server before shutting it down. I also transferred all Samba
tdb files to the new server. Everything went pretty smoothly. I could
log on to the domain on different terminalservers and workstations. To
make sure things are not coming from some cache I logged on users that
never logged on to a particular terminalserver. The terminalserver
created a user profile and accessing files was possible. However, on
Monday a user called me up because he could not log on to his
workstation. I removed his computer from the domain. I renamed the
workstation and joined it up to the domain again, which worked
flawlessly as far as I can tell. However, it did not solve the
problem. Yesterday the problem happened again on a different
workstation. I tried the same procedure, again without success. I have
no idea why, but the user who had the problem a day earlier could
log on to the domain again. A bit later the other user was able to
log in as well.

I had a look through the logfiles and found 2 messages that may be a problem:
"ldapsam_getgroup: Did not find group"
"smbldap_open: cannot access LDAP when not root"

Also, when running "pdbedit -L -v username" I get a message about a
SID that cannot be found. That also happens if username is a machine
account. The error message did not appear on the old server.

--- Output pdbedit -L -v administrator ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match
ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match
ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: administrator
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username: administrator
NT username: administrator
Account Flags: [U ]
User SID: S-1-5-21-3718409077-3004042761-2237186970-21000
init_group_from_ldap: Entry found for group: 512
lookup_global_sam_rid: looking up RID 512.
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-3718409077-3004042761-2237186970-512] count=0
init_group_from_ldap: Entry found for group: 512
lookup_rids: Domain Admins:2
Primary Group SID: S-1-5-21-3718409077-3004042761-2237186970-512
Full Name: Administrator
Home Directory:
HomeDir Drive: H:
Logon Script: administrator.bat
Profile Path:
Domain: STW-GMH
Account desc: administrator
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Mon, 02 Oct 2006 17:53:12 CEST
Password can change: Tue, 04 Jul 2006 17:05:04 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
--- Output pdbedit -L -v stw-031$ ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match
ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match
ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: stw-031$
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username: stw-031$
NT username: stw-031$
Account Flags: [W ]
User SID: S-1-5-21-3718409077-3004042761-2237186970-1005
init_group_from_ldap: Entry found for group: 515
lookup_global_sam_rid: looking up RID 515.
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-3718409077-3004042761-2237186970-515] count=0
init_group_from_ldap: Entry found for group: 515
lookup_rids: Domain Computers:2
Primary Group SID: S-1-5-21-3718409077-3004042761-2237186970-515
Full Name: STW-031$
Home Directory:
HomeDir Drive:
Logon Script: stw-031_.bat
Profile Path:
Domain: STW-GMH
Account desc: Computer
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Wed, 04 Oct 2006 08:56:17 CEST
Password can change: Wed, 04 Oct 2006 08:56:17 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
--- ---
AFAIK the group mappings should be OK:
Domain Admins (S-1-5-21-3718409077-3004042761-2237186970-512) -> Domain Admins
Domain Users (S-1-5-21-3718409077-3004042761-2237186970-513) -> Domain Users
Domain Guests (S-1-5-21-3718409077-3004042761-2237186970-514) -> Domain Guests
Domain Computers (S-1-5-21-3718409077-3004042761-2237186970-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
According to the Release Notes, changes were made in regard to group
mappings. However, that should only affect access rights to shares,
right?
Any help solving this issue would be much appreciated.
Thanks in advance.
--
Daniel Bramkamp
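
Added example, not part of the original message: the post compares by eye the SIDs that pdbedit reports as "Unable to locate SID" against the group mapping list. The Python below does that cross-check. It extracts the unlocated SIDs and the Primary Group SIDs from the pdbedit debug output, tolerating the mail's hard line wraps, and looks each one up in the mapping list. The function names are illustrative, and the sample strings are excerpts constructed from the output quoted above.

```python
import re

# Constructed sample: excerpts of the pdbedit output and group mapping list
# quoted in the post, with the hard line wraps kept as they appear there.
PDBEDIT_OUTPUT = """\
User SID: S-1-5-21-3718409077-3004042761-2237186970-1005
init_group_from_ldap: Entry found for group: 515
lookup_global_sam_rid: looking up RID 515.
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-3718409077-3004042761-2237186970-515] count=0
lookup_rids: Domain Computers:2
Primary Group SID: S-1-5-21-3718409077-3004042761-2237186970-515
"""

GROUP_MAPPINGS = """\
Domain Admins (S-1-5-21-3718409077-3004042761-2237186970-512) -> Domain Admins
Domain Computers (S-1-5-21-3718409077-3004042761-2237186970-515) ->
Domain Computers
Administrators (S-1-5-32-544) -> Administrators
"""

SID = r"S-1(?:-\d+)+"


def unlocated_sids(text):
    """SIDs from 'Unable to locate SID [..]', even when wrapped onto the next line."""
    return re.findall(r"Unable to locate SID\s*\[(" + SID + r")\]", text)


def primary_group_sids(text):
    """SIDs printed on 'Primary Group SID:' lines."""
    return re.findall(r"Primary Group SID:\s*(" + SID + r")", text)


def parse_group_mappings(text):
    """Return {sid: (nt_group, unix_group)}; tolerates a line wrap after '->'."""
    pattern = r"^(.+?) \((" + SID + r")\) ->\s*(.+)$"
    return {sid: (nt.strip(), unix.strip())
            for nt, sid, unix in re.findall(pattern, text, flags=re.M)}


def cross_check(pdbedit_text, mapping_text):
    """Map each unlocated or primary-group SID to its group mapping, or None."""
    mappings = parse_group_mappings(mapping_text)
    sids = unlocated_sids(pdbedit_text) + primary_group_sids(pdbedit_text)
    # dict.fromkeys removes duplicates while keeping first-seen order
    return {sid: mappings.get(sid) for sid in dict.fromkeys(sids)}
```

A value of None in the result marks a SID with no entry in the mapping list. For the excerpts above, the one SID reported as unlocated does have a mapping.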