[Samba] Upgrade 3.0.10 to 3.0.24 on RHEL4 - NT_STATUS_LOGON_FAILURE
Mark Redding
mark.redding at linuxit.com
Mon Mar 26 14:43:25 GMT 2007
Hi all,
I'm having a problem with an upgrade of Samba running on a Redhat4 Update 4 system. The default installation provides only 3.0.10, which doesn't include the privilege model or a number of fixes, including some in 3.0.21a and 3.0.23, which it looks like we'll need.
The system runs in PDC mode with user accounts in an LDAP database. On a test system which I'm using to replicate the problem I've stripped all the LDAP security stuff back, on the principle that simple is best, at least for troubleshooting.
We are using the 3.0.24 rpms from http://ftp.sernet.de/pub/samba/rhel/rhel4-i386/ although a compiled-from-source version of 3.0.24 exhibits the same problems.
After the upgrade the services start fine; however, I can't connect to the domain from a client machine. To test, I've been using smbclient like so:
[root@eddie ~]# smbclient -L localhost
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@eddie ~]#
I've been through the changelog a couple of times and I believe my settings (see group mapping below) should be alright. The setup works fine with 3.0.10, but as soon as I upgrade I lose the domain.
Many thanks for your help, and apologies for the long email.
Regards
Mark
Debug information -
My configuration file:
[global]
workgroup = KCS
server string = KCS Domain Controller
netbios name = eddie
netbios aliases = george
time server = yes
log level = 2 passdb:5 auth:10 winbind:2
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 5000
security = user
encrypt passwords = yes
passdb backend = ldapsam:"ldap://localhost ldap://harry.kcs.cambs.sch.uk"
ldap admin dn = cn=Directory Manager
ldap suffix = dc=kcs,dc=cambs,dc=sch,dc=uk
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
# ldap ssl = start_tls
ldap delete dn = yes
obey pam restrictions = yes
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%m"
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g%"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
ldap passwd sync = yes
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon path = \\%L\netlogon
logon drive = S:
logon home = \\eddie\%U
browseable = no
strict locking = yes
wins support = yes
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
My samba log file:
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info_map(161)
make_user_info_map: Mapping user [KCS]\[root] from workstation [EDDIE]
[2007/03/26 15:30:46, 5] auth/auth_util.c:is_trusted_domain(2020)
is_trusted_domain: Checking for domain trust with [KCS]
[2007/03/26 15:30:46, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(340)
secrets_fetch failed!
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info(75)
attempting to make a user_info for root (root)
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info(85)
making strings for root's user_info struct
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info(117)
making blobs for root's user_info struct
[2007/03/26 15:30:46, 10] auth/auth_util.c:make_user_info(135)
made an encrypted user_info for root (root)
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user [KCS]\[root]@[EDDIE] with the new password interface
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [KCS]\[root]@[EDDIE]
[2007/03/26 15:30:46, 10] auth/auth.c:check_ntlm_password(233)
check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2007/03/26 15:30:46, 10] auth/auth.c:check_ntlm_password(235)
challenge is:
[2007/03/26 15:30:46, 10] auth/auth.c:check_ntlm_password(261)
check_ntlm_password: guest had nothing to say
[2007/03/26 15:30:46, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/03/26 15:30:46, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/03/26 15:30:46, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/03/26 15:30:46, 5] passdb/pdb_interface.c:lookup_global_sam_rid(1480)
lookup_global_sam_rid: looking up RID 513.
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1491)
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3942376556-572954482-4204431875-513] count=0
[2007/03/26 15:30:46, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/03/26 15:30:46, 5] passdb/pdb_interface.c:pdb_default_lookup_rids(1601)
lookup_rids: Domain Users:2
[2007/03/26 15:30:46, 4] libsmb/ntlm_check.c:ntlm_password_check(326)
ntlm_password_check: Checking NT MD4 password
[2007/03/26 15:30:46, 4] auth/auth_sam.c:sam_account_ok(138)
sam_account_ok: Checking SMB password for user root
[2007/03/26 15:30:46, 5] auth/auth_sam.c:logon_hours_ok(120)
logon_hours_ok: user root allowed to logon at this time (Mon Mar 26 14:30:46 2007
)
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_server_info_sam(625)
make_server_info_sam: made server info for user root -> root
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [root] succeeded
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(459)
smb_pam_start: PAM: Init user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(476)
smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(485)
smb_pam_start: PAM: setting tty
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(493)
smb_pam_start: PAM: Init passed for user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_account(551)
smb_pam_account: PAM: Account Management for User: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_account(570)
smb_pam_account: PAM: Account OK for User: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_end(440)
smb_pam_end: PAM: PAM_END OK.
[2007/03/26 15:30:46, 5] auth/auth.c:check_ntlm_password(296)
check_ntlm_password: PAM Account for user [root] succeeded
[2007/03/26 15:30:46, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2007/03/26 15:30:46, 5] auth/auth_util.c:free_user_info(1867)
attempting to free (and zero) a user_info structure
[2007/03/26 15:30:46, 10] auth/auth_util.c:free_user_info(1871)
structure was created for root
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 10] auth/auth_util.c:create_local_token(1023)
Could not convert SID S-1-1-0 to gid, ignoring it
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 10] auth/auth_util.c:create_local_token(1023)
Could not convert SID S-1-5-2 to gid, ignoring it
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 10] auth/auth_util.c:create_local_token(1023)
Could not convert SID S-1-5-11 to gid, ignoring it
[2007/03/26 15:30:46, 10] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3942376556-572954482-4204431875-1000
contains 13 SIDs
SID[ 0]: S-1-5-21-3942376556-572954482-4204431875-1000
SID[ 1]: S-1-5-21-3942376556-572954482-4204431875-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-22-2-0
SID[ 6]: S-1-22-2-1
SID[ 7]: S-1-22-2-2
SID[ 8]: S-1-22-2-3
SID[ 9]: S-1-22-2-4
SID[ 10]: S-1-22-2-6
SID[ 11]: S-1-22-2-10
SID[ 12]: S-1-22-2-513
SE_PRIV 0x0 0x0 0x0 0x0
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(459)
smb_pam_start: PAM: Init user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(476)
smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(485)
smb_pam_start: PAM: setting tty
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(493)
smb_pam_start: PAM: Init passed for user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_internal_pam_session(630)
smb_internal_pam_session: PAM: tty set to: smb/5302/101
[2007/03/26 15:30:46, 0] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: session setup failed : System error
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_end(440)
smb_pam_end: PAM: PAM_END OK.
[2007/03/26 15:30:46, 1] smbd/session.c:session_claim(134)
pam_session rejected the session for root [smb/5302/101]
[2007/03/26 15:30:46, 1] smbd/password.c:register_vuid(310)
Failed to claim session for vuid=101
Group mapping :
[root@eddie ~]# net groupmap list
Domain Computers (S-1-5-21-3942376556-572954482-4204431875-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
pupils (S-1-5-21-3942376556-572954482-4204431875-3003) -> pupils
rec (S-1-5-21-3942376556-572954482-4204431875-3005) -> rec
staff (S-1-5-21-3942376556-572954482-4204431875-3011) -> staff
Domain Admins (S-1-5-21-3942376556-572954482-4204431875-512) -> Domain Admins
Domain Users (S-1-5-21-3942376556-572954482-4204431875-513) -> Domain Users
Domain Guests (S-1-5-21-3942376556-572954482-4204431875-514) -> Domain Guests
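
Added example, not part of the original post: a small parser for the two-line smbd debug-log format shown above. It lists the entries that report success and the entries written at debug level 0 or 1, which is where smbd records its most severe messages. The function names are assumptions of this example, and the sample is an excerpt copied from the log in this message.

```python
import re

# Header of an smbd debug entry: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)$"
)

def parse_entries(text):
    """Pair every header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(entries, max_level=1):
    """Return (entries reporting success, entries at debug level <= max_level)."""
    passed = [e for e in entries if e["msg"].endswith("succeeded")]
    severe = [e for e in entries if e["level"] <= max_level]
    return passed, severe

# Excerpt copied from the smbd log in the message above.
SAMPLE = """\
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [root] succeeded
[2007/03/26 15:30:46, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 0] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: session setup failed : System error
[2007/03/26 15:30:46, 1] smbd/session.c:session_claim(134)
pam_session rejected the session for root [smb/5302/101]
[2007/03/26 15:30:46, 1] smbd/password.c:register_vuid(310)
Failed to claim session for vuid=101
"""

if __name__ == "__main__":
    passed, severe = triage(parse_entries(SAMPLE))
    for e in passed:
        print("passed:", e["func"], "-", e["msg"])
    for e in severe:
        print("level", e["level"], e["src"], "-", e["msg"])
```

On this excerpt the password and account checks are reported as succeeded, and the only level 0 and level 1 entries come from auth/pampass.c, smbd/session.c and smbd/password.c.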