[Samba] SambaSID
Sandra
sandra-nascimento at prodesan.com.br
Thu Jun 14 13:22:10 GMT 2007
I have a samba server configured that is member of a samba domain called
PRODESAN.COM.BR. After we had to reinstall the domain controller some samba
shares stopped working on the member server. I get this when I try to use
the share:
[2007/05/29 17:26:28, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[WORKGROUP]\[USER1]@[HOST6] with the new password interface
[2007/05/29 17:26:28, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [PRODESAN.COM.BR]\[USER1]@[HOST6]
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED
with error NT_STATUS_NO_SUCH_USER
However, when I try to use the same user on the domain controller things work
perfectly:
[2007/05/29 17:32:39, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/05/29 17:32:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: pr907899
[2007/05/29 17:32:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/05/29 17:32:39, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [USER1] -> [USER1] ->
[pr907899] succeeded
I can see the domain users using wbinfo -u on the member server and
we have kept the domain SID setting from the original Samba PDC (using net
rpc getsid at the old server) and we still can't authenticate the users.
We have tried to delete the old machine account from our server in order to
try to rejoin it, but now we can't. Here is what happens at the server:
# net join -U root
root's password:
[2007/05/30 14:58:44, 0] utils/net_ads.c:ads_startup(191)
ads_connect: No results returned
Creation of workstation account failed
Unable to join domain PRODESAN.COM.BR.
And here are the logs for that machine on the PDC:
[2007/05/30 14:58:55, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/05/30 14:58:55, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
[2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/05/30 14:58:55, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
There don't seem to be any visible errors, so I went to check the LDAP
logs and I only thought this looked a bit strange:
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH
base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(|
(objectClass=sambaGroupMapping)(sambaGroupType=4))(|
(sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)
(sambaSIDList=s-1-1-0)(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH attr=sambaSID
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
(sambaGroupType) index_param failed (18)
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
(sambaSIDList) index_param failed (18)
May 30 15:02:42 servsso last message repeated 3 times
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 30 15:02:42 servsso slapd[22129]: conn=79 op=7 SRCH
base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(|
(objectClass=sambaGroupMapping)(sambaGroupType=4))(|
(sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)
(sambaSIDList=s-1-1-0)(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"
May 30 15:02:42 servsso slapd[22129]: conn=79 op=7 SRCH attr=sambaSID
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
(sambaGroupType) index_param failed (18)
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates:
(sambaSIDList) index_param failed (18)
May 30 15:02:42 servsso last message repeated 3 times
When I check the LDAP I can see that the
entry "uid=servproducao$,ou=computadores,dc=prodesan,dc=com,dc=br" was
created but it doesn't have the sambaSamAccount objectClass, and
therefore has no Samba attributes set.
Simply importing the old account from the old PDC doesn't seem to work, as I
get an access denied error when the server tries to connect to LDAP.
=============================================================
Just adding some more information:
I am currently unable to join any new machines to the domain. Whenever I try
to join the domain I get this message on the clients:
$ sudo net join -U root
Password:
Creation of workstation account failed
Unable to join domain PRODESAN.COM.BR.
On the PDC side I get this:
[2007/05/30 17:11:15, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/05/30 17:11:15, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
[2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/05/30 17:11:15, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
On my LDAP backend I have this entry:
dn: sambaDomainName=PRODESAN.COM.BR,dc=prodesan,dc=com,dc=br
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 41000
sambaNextGroupRid: 41001
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-3756370324-611414431-635963119
sambaDomainName: prodesan.com.br
gidNumber: 1055
uidNumber: 1454
The sambaSID is the same as it was before the migration. Do I need to set this
SID somewhere else?
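Added example (editor's code, not part of the original post or of Samba): a small offline check that cross-references the three artefacts quoted above, the smbd authentication log, the slapd search log and the sambaDomain LDIF entry. It extracts the NT_STATUS failure from the smbd log, pulls the SIDs out of the slapd search filter, derives their domain prefix and compares it with the sambaSID stored in the sambaDomain entry, names the well-known RIDs (the filter above looks up RID 501, the domain's Guest account), lists which attributes slapd reports as "index_param failed" (which typically means no index is configured for that attribute in slapd.conf, a performance warning rather than an authentication error), and flags machine accounts (uid ending in `$`) that lack the sambaSamAccount objectClass. All sample data is constructed from the values in the post; the machine-account LDIF entry is an assumed minimal posixAccount standing in for the entry described as missing its Samba attributes.

```python
import re

# Standard Windows domain RIDs (not specific to this domain).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

# Constructed sample data, built from the values quoted in the post.
SMBD_LOG = """\
[2007/05/29 17:26:28, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED with error NT_STATUS_NO_SUCH_USER
"""

SLAPD_LOG = (
    'May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH base="ou=grupos,dc=prodesan,dc=com,dc=br" '
    'scope=2 deref=0 filter="(&(|(objectClass=sambaGroupMapping)(sambaGroupType=4))'
    '(|(sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)(sambaSIDList=s-1-1-0)'
    '(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"\n'
    "May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)\n"
    "May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)\n"
)

# The sambaDomain entry is as quoted in the post; the machine-account entry is an
# ASSUMED minimal posixAccount, standing in for the entry that lacks sambaSamAccount.
LDIF = """\
dn: sambaDomainName=PRODESAN.COM.BR,dc=prodesan,dc=com,dc=br
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-3756370324-611414431-635963119
sambaDomainName: prodesan.com.br

dn: uid=servproducao$,ou=computadores,dc=prodesan,dc=com,dc=br
objectClass: posixAccount
uid: servproducao$
"""

SID_RE = re.compile(r"[sS]-1-\d+(?:-\d+)+")
FAIL_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (NT_STATUS_\w+)")
INDEX_RE = re.compile(r"\((\w+)\) index_param failed")


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attr: [values]} dicts (no base64, no line continuations)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def auth_failures(smbd_log):
    """(user, NT_STATUS code) for every failed check_ntlm_password in the smbd log."""
    return [(m.group(1), m.group(2)) for m in FAIL_RE.finditer(smbd_log)]


def sids_in_filter(slapd_log):
    """SIDs referenced by slapd SRCH filters, lowercased so case differences in the log do not matter."""
    found = set()
    for line in slapd_log.splitlines():
        if " SRCH " in line and "filter=" in line:
            found.update(s.lower() for s in SID_RE.findall(line))
    return found


def domain_of(sid):
    """For a domain SID (S-1-5-21-X-Y-Z-RID) return the S-1-5-21-X-Y-Z prefix; None for well-known SIDs."""
    parts = sid.upper().split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7])
    return None


def rid_of(sid):
    return int(sid.split("-")[-1])


def describe_sids(slapd_log):
    """Annotate each SID seen in the search filters with its RID name where known."""
    out = {}
    for sid in sorted(sids_in_filter(slapd_log)):
        if domain_of(sid):
            out[sid] = WELL_KNOWN_RIDS.get(rid_of(sid), "domain RID %d" % rid_of(sid))
        else:
            out[sid] = "well-known SID"
    return out


def check_domain_sid(entries, slapd_log):
    """Compare domain SID prefixes seen in slapd lookups with the sambaSID stored on sambaDomain entries."""
    stored = {v.upper() for e in entries if "sambaDomain" in e.get("objectClass", []) for v in e.get("sambaSID", [])}
    seen = {domain_of(s) for s in sids_in_filter(slapd_log)} - {None}
    return {"stored": stored, "seen": seen, "mismatch": seen - stored}


def machine_accounts_missing_samba(entries):
    """DNs of machine accounts (uid ending in '$') that lack the sambaSamAccount objectClass."""
    return [e["dn"][0] for e in entries
            if any(u.endswith("$") for u in e.get("uid", []))
            and "sambaSamAccount" not in e.get("objectClass", [])]


def unindexed_attrs(slapd_log):
    """Attributes slapd reports as having no usable equality index."""
    return set(INDEX_RE.findall(slapd_log))


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    print("auth failures:", auth_failures(SMBD_LOG))
    print("SIDs looked up:", describe_sids(SLAPD_LOG))
    print("domain SID check:", check_domain_sid(entries, SLAPD_LOG))
    print("machine accounts without sambaSamAccount:", machine_accounts_missing_samba(entries))
    print("unindexed attributes:", unindexed_attrs(SLAPD_LOG))
```

Run it against real dumps by replacing the three constants with the output of `ldapsearch -LLL` and the relevant log files; an empty `mismatch` set together with a non-empty `machine_accounts_missing_samba` result points at the account entries rather than the domain SID.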