[Samba] NT4 PDC -> Samba/LDAP PDC failing to work

Alan Silver acsilver at wisc.edu
Fri Sep 14 17:11:00 GMT 2007


Hi all:

I am trying to migrate my NT4 domain to a Samba server which uses an 
LDAP server on the backend for authentication.
This machine that I want to be the new PDC is running RHEL5 with Samba 
3.0.23c and OpenLDAP 2.3.27 running on the same machine.

I used the by-example page
http://us3.samba.org/samba/docs/man/Samba-Guide/ntmigration.html
as my guide.

I set this up in a test environment first and it worked seamlessly.

Then I tried it out on the production environment........

My problems arose when I shut down the NT4 controllers and my samba 
server became the PDC. The samba machine became the PDC, but I was not 
able to log into the domain from any machine. It appears (at least to 
me) that the machine accounts are set up correctly.
The LDAP entry looks like:

dn: uid=SCANNER1$,ou=Computers,ou=core,dc=wisc,dc=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: SCANNER1$
sn: SCANNER1$
uid: SCANNER1$
uidNumber: 1344
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 999999999-999a-999b-99af-9b9b99c9c999
creatorsName: cn=Manager,dc=wisc,dc=edu
createTimestamp: 20070511203011Z
sambaSID: S-1-5-21-111111111-2222222222-3333333333-2370
displayName: UNIVERSI-TIYXWK$
sambaNTPassword: 079999334444AB6666BBBBB2C2BB1AA
sambaPwdLastSet: 1178423137
sambaAcctFlags: [W          ]
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-111111111-2222222222-3333333333-513
entryCSN: 20070511203013Z#000000#00#000000
modifiersName: cn=Manager,dc=wisc,dc=edu
modifyTimestamp: 20070511203013Z


I have pasted what I think is the relevant portion of the log below. 
What is striking me is:

"[2007/08/26 16:52:54, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from 
client SCANNER1 machine account SCANNER1$"

Does anyone have any experience with such an error? I saw people on this 
mailing list having the same problem, but I didn't see any responses....


[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=core,dc=wisc,dc=edu], filter => 
[(&(uid=SCANNER1$)(objectclass=sambaSamAccount))], scope => [2]
[2007/08/26 16:52:54, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: SCANNER1$
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407)
  Home server: smb_pdc
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407)
  Home server: smb_pdc
[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,ou=core,dc=wisc,dc=edu], filter 
=> [(&(objectClass=sambaGroupMapping)(gidNumber=513))], scope => [2]
[2007/08/26 16:52:54, 2] passdb/pdb_ldap.c:init_group_from_ldap(2136)
  init_group_from_ldap: Entry found for group: 513
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/26 16:52:54, 5] passdb/pdb_interface.c:lookup_global_sam_rid(1478)
  lookup_global_sam_rid: looking up RID 513.
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/26 16:52:54, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=core,dc=wisc,dc=edu], filter => [(&(sambaSID=S-1-5-21-111111111-2222222222-3333333333-513)(objectclass=sambaSamAccount))], scope => [2]
[2007/08/26 16:52:54, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1491)
  ldapsam_getsampwsid: Unable to locate SID 
[S-1-5-21-111111111-2222222222-333333333-513] count=0
[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Groups,ou=core,dc=wisc,dc=edu], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-111111111-2222222222-3333333333-513))], scope => [2]
[2007/08/26 16:52:54, 2] passdb/pdb_ldap.c:init_group_from_ldap(2136)
  init_group_from_ldap: Entry found for group: 513
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 5] passdb/pdb_interface.c:pdb_default_lookup_rids(1599)
  lookup_rids: Domain Users:2
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407)
  Home server: smb_pdc
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407)
  Home server: smb_pdc
[2007/08/26 16:52:54, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 513 -> S-1-5-21-111111111-222222222-3333333333-513
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2007/08/26 16:52:54, 5] lib/util.c:dump_data(2237)
  [000] 07 88 6B 33 17 90 BC 47  88 AA DE EC 5C 2D E3 CB  ..k3...G ....\-..
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(117)
  creds_init_64
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(118)
        clnt_chal_in: 466A2BB853433204
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(119)
        srv_chal_in : 00FCC40A450CB2A2
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(120)
        clnt+srv : 4666F0C2984FE4A6
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(121)
        sess_key_out : 129FCCDB3BC5AEA8
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(216)
  creds_server_check: challenge : 970510FD86A46142
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(217)
  calculated: B9805F8AE69D361D
[2007/08/26 16:52:54, 2] libsmb/credentials.c:creds_server_check(218)
  creds_server_check: credentials check failed.
[2007/08/26 16:52:54, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from 
client SCANNER1 machine account SCANNER1$
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 net_io_r_auth_2
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8s(851)
          0000 data: 00 00 00 00 00 00 00 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint32(704)
          0008 neg_flags: 00000000
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      000c status: NT_STATUS_ACCESS_DENIED
[2007/08/26 16:52:54, 5] rpc_server/srv_pipe.c:api_rpcTNP(2305)
  api_rpcTNP: called NETLOGON successfully
[2007/08/26 16:52:54, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(529)
  free_pipe_context: destroying talloc pool of size 58
[2007/08/26 16:52:54, 3] smbd/pipes.c:reply_pipe_write_and_X(217)
  writeX-IPC pnum=705b nwritten=140
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510)
  size=47
  smb_com=0x2f
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=1
  smb_pid=65279
  smb_uid=101
  smb_mid=1088
  smt_wct=6
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=    0 (0x0)
  smb_vwv[ 2]=  140 (0x8C)
  smb_vwv[ 3]=    0 (0x0)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_bcc=0
[2007/08/26 16:52:54, 3] smbd/process.c:process_smb(1110)
  Transaction 18 of length 63
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510)
  size=59
  smb_com=0x2e
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=65279
  smb_uid=101
  smb_mid=1152
  smt_wct=12
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=57054 (0xDEDE)
  smb_vwv[ 2]=28763 (0x705B)
  smb_vwv[ 3]=    0 (0x0)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]= 1024 (0x400)
  smb_vwv[ 6]= 1024 (0x400)
  smb_vwv[ 7]=65535 (0xFFFF)
  smb_vwv[ 8]=65535 (0xFFFF)
  smb_vwv[ 9]= 1024 (0x400)
  smb_vwv[10]=    0 (0x0)
  smb_vwv[11]=    0 (0x0)
  smb_bcc=0
[2007/08/26 16:52:54, 3] smbd/process.c:switch_message(914)
  switch message SMBreadX (pid 30319) conn 0x8228810
[2007/08/26 16:52:54, 4] smbd/uid.c:change_to_user(176)
  change_to_user: Skipping user change - already user
[2007/08/26 16:52:54, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1264)
  search for pipe pnum=705b
[2007/08/26 16:52:54, 5] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1268)
  pipe name NETLOGON pnum=705b (pipes_open=1)
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 smb_io_rpc_hdr hdr
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0000 major     : 05
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0001 minor     : 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0002 pkt_type  : 02
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0003 flags     : 03
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0004 pack_type0: 10
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0005 pack_type1: 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0006 pack_type2: 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0007 pack_type3: 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint16(675)
      0008 frag_len  : 0028
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint16(675)
      000a auth_len  : 0000
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint32(704)
      000c call_id   : 00000006
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000010 smb_io_rpc_hdr_resp resp
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint32(704)
      0010 alloc_hint: 00000010
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint16(675)
      0014 context_id: 0000
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0016 cancel_ct : 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615)
      0017 reserved  : 00
[2007/08/26 16:52:54, 3] smbd/pipes.c:reply_pipe_read_and_X(262)
  readX-IPC pnum=705b min=1024 max=1024 nread=40
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510)
  size=99
  smb_com=0x2e
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=1
  smb_pid=65279
  smb_uid=101
  smb_mid=1152
  smt_wct=12
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=    0 (0x0)
  smb_vwv[ 2]=    0 (0x0)
  smb_vwv[ 3]=    0 (0x0)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=   40 (0x28)
  smb_vwv[ 6]=   59 (0x3B)
  smb_vwv[ 7]=    0 (0x0)
  smb_vwv[ 8]=    0 (0x0)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=    0 (0x0)
  smb_vwv[11]=    0 (0x0)
  smb_bcc=40
[2007/08/26 16:52:54, 3] smbd/process.c:process_smb(1110)
  Transaction 19 of length 45
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510)
  size=41
  smb_com=0x4
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=65279
  smb_uid=101
  smb_mid=1216
  smt_wct=3
  smb_vwv[ 0]=28763 (0x705B)
  smb_vwv[ 1]=65535 (0xFFFF)
  smb_vwv[ 2]=65535 (0xFFFF)
  smb_bcc=0
[2007/08/26 16:52:54, 3] smbd/process.c:switch_message(914)
  switch message SMBclose (pid 30319) conn 0x8228810
[2007/08/26 16:52:54, 4] smbd/uid.c:change_to_user(176)
  change_to_user: Skipping user change - already user
[2007/08/26 16:52:54, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1264)
  search for pipe pnum=705b
[2007/08/26 16:52:54, 5] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1268)
  pipe name NETLOGON pnum=705b (pipes_open=1)
[2007/08/26 16:52:54, 5] smbd/pipes.c:reply_pipe_close(282)
  reply_pipe_close: pnum:705b
[2007/08/26 16:52:54, 4] rpc_server/srv_pipe_hnd.c:close_rpc_pipe_hnd(1169)
  closed pipe name NETLOGON pnum=705b (pipes_open=0)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510)
  size=35
  smb_com=0x4
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=1
  smb_pid=65279
  smb_uid=101
  smb_mid=1216
  smt_wct=0
  smb_bcc=0
[2007/08/26 16:53:05, 3] smbd/process.c:process_smb(1110)
  Transaction 20 of length 43
[2007/08/26 16:53:05, 5] lib/util.c:show_msg(500)
[2007/08/26 16:53:05, 5] lib/util.c:show_msg(510)
  size=39
  smb_com=0x74
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=0
  smb_pid=65279
  smb_uid=101
  smb_mid=1280
  smt_wct=2
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=    0 (0x0)
  smb_bcc=0
[2007/08/26 16:53:05, 3] smbd/process.c:switch_message(914)
  switch message SMBulogoffX (pid 30319) conn 0x0
[2007/08/26 16:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/08/26 16:53:05, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
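
A triage helper for the failure quoted in the post, as an added example that is not part of the original message or of Samba: it unwraps level-5 smbd log records, lists each machine account rejected by `_net_auth_2` together with the `challenge` and `calculated` values logged just before it, and confirms that the logged `clnt+srv` value is the two challenges added as two little-endian 32-bit words. The function names are hypothetical, and the sample input is a few records copied from the log above.

```python
import re

# Sample input: records copied from the log in the post above, wrapping kept.
SAMPLE_LOG = """\
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(118)
        clnt_chal_in: 466A2BB853433204
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(119)
        srv_chal_in : 00FCC40A450CB2A2
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(120)
        clnt+srv : 4666F0C2984FE4A6
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(216)
  creds_server_check: challenge : 970510FD86A46142
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(217)
  calculated: B9805F8AE69D361D
[2007/08/26 16:52:54, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from
client SCANNER1 machine account SCANNER1$
"""
VALUE = re.compile(r"(clnt_chal_in|srv_chal_in|clnt\+srv|challenge|calculated)"
                   r"\s*: ([0-9A-F]{16})")
REJECT = re.compile(r"^\[([^,\]]+),.*creds_server_check failed\. Rejecting auth "
                    r"request from client (\S+) machine account (\S+)")

def join_records(text):
    """Split on '[date, level]' headers and unwrap each record to one line."""
    parts = re.split(r"\n(?=\[\d{4}/\d\d/\d\d )", text)
    return [" ".join(p.split()) for p in parts]

def le32_sum(a_hex, b_hex):
    """Add two 8-byte values as two separate little-endian 32-bit words."""
    a, b = bytes.fromhex(a_hex), bytes.fromhex(b_hex)
    words = [(int.from_bytes(a[i:i + 4], "little") +
              int.from_bytes(b[i:i + 4], "little")) & 0xFFFFFFFF for i in (0, 4)]
    return b"".join(w.to_bytes(4, "little") for w in words).hex().upper()

def netlogon_rejections(text):
    """One dict per rejected machine account, with the values logged before it."""
    findings, cur = [], {}
    for rec in join_records(text):
        if m := VALUE.search(rec):
            cur[m.group(1)] = m.group(2)  # keyed by the label used in the log
        if m := REJECT.match(rec):
            cur.update(time=m.group(1), client=m.group(2), account=m.group(3))
            if {"clnt_chal_in", "srv_chal_in", "clnt+srv"} <= cur.keys():
                cur["sum_ok"] = le32_sum(cur["clnt_chal_in"],
                                         cur["srv_chal_in"]) == cur["clnt+srv"]
            findings.append(cur)
            cur = {}
    return findings
```

Run over a full log with `netlogon_rejections(open(path).read())`, where `path` is the smbd log file; grouping the results by `account` shows whether every workstation is rejected or only some of them.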


