[Samba] Authentication Failure in member server

Diego Alencar Alves de Lima diego-lima at prodesan.com.br
Wed May 30 18:12:55 GMT 2007


On Wednesday 30 May 2007 09:37:44 Gerald (Jerry) Carter wrote:
> Did you make sure to keep the domain SID setting from the
> original Samba PDC?

We did indeed forget to do that. However we have now already set it to the old
domain SID (using net rpc getsid at the old server) and we still can't
authenticate the users. We have tried to delete the old machine account from
our server in order to try to rejoin it, but now we can't. Here is what
happens at the server:

# net join -U root
root's password:
[2007/05/30 14:58:44, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: No results returned
Creation of workstation account failed
Unable to join domain PRODESAN.COM.BR.


And here are the logs for that machine on the PDC:

[2007/05/30 14:58:55, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/05/30 14:58:55, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2007/05/30 14:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/05/30 14:58:55, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root


There doesn't seem to be any visible errors, so I went to check the LDAP logs
and I only thought this looked a bit strange:

May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(|(objectClass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)(sambaSIDList=s-1-1-0)(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH attr=sambaSID
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
May 30 15:02:42 servsso last message repeated 3 times
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 30 15:02:42 servsso slapd[22129]: conn=79 op=7 SRCH base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(|(objectClass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=s-1-5-21-3756370324-611414431-635963119-501)(sambaSIDList=s-1-1-0)(sambaSIDList=s-1-5-2)(sambaSIDList=s-1-5-32-546)))"
May 30 15:02:42 servsso slapd[22129]: conn=79 op=7 SRCH attr=sambaSID
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
May 30 15:02:42 servsso last message repeated 3 times


When I check the LDAP I can see that the entry
"uid=servproducao$,ou=computadores,dc=prodesan,dc=com,dc=br" was created but
it doesn't have the sambaSamAccount objectclass attribute, and therefore no
samba attributes set.

Simply importing the old account from the old PDC doesn't seem to work, as I
get some access denied when the server tries to connect to LDAP.

-- 
Diego Alencar Alves de Lima
Departamento de Informática - DINF
www.prodesan.com.br
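
The `index_param failed (18)` lines in the slapd log quoted above are what back-bdb logs when a filter uses an attribute that has no index of the needed type; the search still completes (err=0), only unindexed. As an added example, not part of the original message: a small parser that tallies these warnings per attribute and derives candidate slapd.conf `index` lines. The sample log is constructed from the lines in the message, the function names are hypothetical, and the non-equality warning variants are assumed to follow the same format.

```python
import re
from collections import Counter

# Constructed sample, modelled on the slapd lines quoted in the message above.
SAMPLE_LOG = """\
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SRCH attr=sambaSID
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
May 30 15:02:42 servsso slapd[22129]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
May 30 15:02:42 servsso last message repeated 3 times
May 30 15:02:42 servsso slapd[22129]: conn=79 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# Only the "equality" form appears on the page; the others are assumed analogous.
WARN = re.compile(r"bdb_(?P<kind>\w+)_candidates: \((?P<attr>[^)]+)\) "
                  r"index_param failed \(18\)")
REPEAT = re.compile(r"last message repeated (\d+) times")
KIND_TO_INDEX = {"equality": "eq", "substring": "sub",
                 "approx": "approx", "presence": "pres"}

def unindexed_attrs(log_text):
    """Count unindexed-filter warnings per (attribute, index type)."""
    counts = Counter()
    last = None  # key of the previous line, if that line was a warning
    for line in log_text.splitlines():
        m = WARN.search(line)
        if m:
            kind = m.group("kind")
            last = (m.group("attr"), KIND_TO_INDEX.get(kind, kind))
            counts[last] += 1
            continue
        r = REPEAT.search(line)
        if r and last:  # syslog collapsed repeats of the previous warning
            counts[last] += int(r.group(1))
        last = None
    return counts

def suggest_index_lines(counts):
    """Return slapd.conf 'index' lines, most frequently hit attribute first."""
    types, totals = {}, Counter()
    for (attr, idx), n in counts.items():
        types.setdefault(attr, set()).add(idx)
        totals[attr] += n
    ordered = sorted(totals, key=lambda a: (-totals[a], a))
    return [f"index {a} {','.join(sorted(types[a]))}" for a in ordered]

if __name__ == "__main__":
    for line in suggest_index_lines(unindexed_attrs(SAMPLE_LOG)):
        print(line)
```

After adding `index` lines to slapd.conf, the existing database has to be reindexed with slapindex while slapd is stopped.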
