[Samba] Windows member servers have lost their minds...

Rubin Bennett rbennett at thatitguy.com
Tue Jun 12 01:20:21 GMT 2007 

Hello all...
I'm having a serious problem after a Samba upgrade from 3.0.20 to
3.0.23c.
A bit of background: I have a network with a Samba PDC and several
member servers running Windows 2000 server.
I upgraded my PDC from Mandrivalinux to RHEL5, which (obviously)
included a Samba upgrade.
I renamed the old server to a different hostname and IP address, and
disabled Samba on it, then I copied my configs and tdb files over to the
new server.
Everything appeared to work fine; domain logons worked, the 50+ client
machines appear to be completely happy (i.e. didn't notice a change at
all), life was good.  Until...

I noticed that administering shares on the member servers wasn't
working.  Nor were Backup Exec, or SQL*Server.  All died with
"insufficient privileges" when the services started.  In addition, if I
logged in as DOMAIN\Administrator, then I was running as a non
administrator.  I couldn't change anything on the server, or go into
privileges areas (most, anyway), or shut down.  I could restart some
services but not all, and any service that used the DOMAIN\Administrator
account (backup exec) didn't start, and I couldn't change the password
or user account.  All of my SQL resources are offline, and refuse to
start, because they appear to be tied in somehow to the domain model.

I have 'unjoined' the servers from the domain (joined WORKGROUP), and
removed their accounts from both the PAM subsystem: 
userdel machinename and
net rpc user delete machinename

I added the server back into the domain, and it's all exactly the same.

These servers were running throughout the upgrade process, if that makes
a difference.

Finally, the output of pdbedit -L is quite different than what I'm used
to:
[root at PDC ~]# pdbedit -L MEMBERSERVER$
WARNING: The "printer admin" option is deprecated
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
doing parameter security = user
doing parameter encrypt passwords = yes
doing parameter pam password change = yes
doing parameter username map = /etc/samba/smbusers
doing parameter winbind uid = 10000-20000
doing parameter winbind gid = 10000-20000
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192
SO_SNDBUF=8192
doing parameter os level = 133
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter domain logons = yes
doing parameter logon script = login.bat
doing parameter logon path = \\%L\profiles\%U
doing parameter logon home = \\%L\%U
doing parameter profile acls = yes
doing parameter logon drive = H:
doing parameter passdb backend = tdbsam
doing parameter name resolve order = wins lmhosts bcast
doing parameter wins support = yes
doing parameter dns proxy = no
doing parameter add user script = /usr/sbin/useradd -s /bin/false '%u'
doing parameter delete user script = /usr/sbin/userdel '%s'
doing parameter add user to group script = /usr/bin/gpasswd -a '%u' '%g'
doing parameter delete user from group script = /usr/bin/gpasswd -d '%u'
'%g'
doing parameter set primary group script = /usr/sbin/usermod -g '%g' '%
u'
doing parameter add group script = /usr/sbin/groupadd %g && getent group
'%g'|awk -F: '{print $3}'
doing parameter delete group script = /usr/sbin/groupdel '%g'
doing parameter add machine script = /usr/sbin/useradd -d /dev/null -g
machines -c 'Machine Account' -s /bin/false -M %u
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Netbios name list:-
my_netbios_names[0]="PDC"
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /etc/samba/passdb.tdb
pdb_set_username: setting username MEMBERSERVER$, was
pdb_set_domain: setting domain DOMAIN, was
pdb_set_nt_username: setting nt username , was
pdb_set_full_name: setting full name MEMBERSERVER$, was
pdb_set_homedir: setting home dir \\PDC\MEMBERSERVER_, was
pdb_set_dir_drive: setting dir drive H:, was NULL
pdb_set_logon_script: setting logon script login.bat, was
pdb_set_profile_path: setting profile path \\PDC\profiles\MEMBERSERVER_,
was
pdb_set_workstations: setting workstations , was
grant_privilege: S-1-1-0
original privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
new privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-548
original privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
new privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-549
original privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
new privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-550
original privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
new privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-551
original privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
new privilege mask:
SE_PRIV  0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-544
original privilege mask:
SE_PRIV  0xff0 0x0 0x0 0x0
new privilege mask:
SE_PRIV  0xff0 0x0 0x0 0x0
account_policy_get: name: password history, val: 0
pdb_set_user_sid: setting user sid
S-1-5-21-217398797-1463318779-1850952788-2106
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-217398797-1463318779-1850952788-2106
from rid 2106
lookup_global_sam_rid: looking up RID 513.
tdbsam_open: Incrementing open reference count.  Ref count is now 2
pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201.
 Error: Record does not exist
tdbsam_close: Reference count is now 1.
sid_to_gid: S-1-5-21-217398797-1463318779-1850952788-513 -> 100
store_gid_sid_cache: gid 100 in cache ->
S-1-5-21-217398797-1463318779-1850952788-513
pdb_set_group_sid: setting group sid
S-1-5-21-217398797-1463318779-1850952788-513
pdb_set_group_sid_from_rid:
        setting group sid S-1-5-21-217398797-1463318779-1850952788-513
from rid 513
tdbsam_close: Reference count is now 0.
MEMBERSERVER$:553:memberserver$

Any help would be appreciated... I performed this upgrade on Friday
night, and so I haven't been able to back my systems up (with the
exception of the PDC...) since Thursday night.

I've googled extensively and have thus far come up with very little of
relevance.  Thank you in advance for any light you may be able to shed,
and my apologies for the long post...

Rubin

Rubin Bennett
High Commander and Janitor
RB Technologies
http://thatitguy.com
rbennett at thatitguy.com
(802)223-4448
"They that can give up essential liberty to obtain a little temporary
security deserve neither liberty nor safety"   --Benjamin Franklin,
Historical Review of Pennsylvania, 1759

More information about the samba mailing list