[Samba] samba/ldap setup stopped working (might be a challenge)

Yvan Vander Sanden yvan at youngmusic.org
Wed Jun 4 17:45:51 GMT 2008


Hi,

Two days ago my functioning samba/ldap server stopped working. I *think* the
problem is somehow related to the fact that I transferred everything to a new
server, but that was two months ago. Trouble started yesterday morning after
a power outage.

Configuration: Ubuntu 8.04, with a standard samba, ldap and smbldap-tools
installed via apt-get.

When users tried to log in, they got a message "a device connected to the
system is not working". (All Windows messages are roughly translated from
Dutch.) After some research, I discovered that there was a conflict between
the SID on my server and the ones users had in the ldap database. Obviously
this is because of the server migration I did a few months ago. But why
problems started only now, I do not really know. At any rate, things
improved when I changed the sambaSID so that it contained the server SID.

Now some users can log in on machines they used before, but not on all
machines. If they try to log in on a machine where they did not work before,
they get a message saying that their password is wrong. However, the samba
logs show the following:

[2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: yvan
[2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
  init_group_from_ldap: Entry found for group: 1000
[2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
  init_group_from_ldap: Entry found for group: 1000
[2008/06/04 19:20:43, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [yvan] -> [yvan] -> [yvan]
succeeded

Seems ok to me.

I figured it might perhaps have something to do with the computer accounts
themselves, which still have the wrong SID. But changing one manually didn't
solve anything. The problem stays the same. I also removed a machine from the
domain, but cannot add it again. Windows gives me a "user unknown" reply
when I do. The samba logs tell me this:

[2008/06/04 17:49:13, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=OCTOPUS         name2=CO114-PC12
[2008/06/04 17:49:13, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=octopus remote=co114-pc12, name type = 0
[2008/06/04 17:49:13, 2] smbd/sesssetup.c:setup_new_vc_session(1209)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2008/06/04 17:49:13, 2] smbd/sesssetup.c:setup_new_vc_session(1209)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2008/06/04 17:49:13, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/06/04 17:49:13, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2008/06/04 17:49:13, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root]
succeeded
[2008/06/04 17:49:13, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544
(NT_STATUS_GROUP_EXISTS)
[2008/06/04 17:49:13, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2008/06/04 17:49:13, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2008/06/04 17:49:13, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545
(NT_STATUS_GROUP_EXISTS)
[2008/06/04 17:49:13, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2008/06/04 17:49:13, 2] auth/auth_util.c:create_local_nt_token(941)
  create_local_nt_token: Failed to create BUILTIN\Users group!
[2008/06/04 17:49:13, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2916)
  Returning domain sid for domain SCHOOL ->
S-1-5-21-2448809205-3807961929-1645749690

The machine account is created, that much is sure. (I'll tell more about the
"Failed to create ..." errors later on.)

In the ldap database, the machine gets an entry like this:

cn co114-pc12$
description Computer
gecos Computer
gidNumber 515
homeDirectory /dev/null
loginShell /bin/false
uid co114-pc12$
uidNumber 1008

while existing accounts look like this:

cn co114-pc11$
description Computer
displayName co114-pc11$
gidNumber 100
homeDirectory /dev/null
loginShell /bin/false
sambaAcctFlags [W ]
sambaNTPassword 76B04CE668008AA41E9ED6829A71EE5E
sambaPrimaryGroupSID S-1-5-21-474648322-3185173744-4186694333-1201
sambaPwdCanChange 1192187861
sambaPwdLastSet 1192187861
sambaPwdMustChange 2147483647
sambaSID S-1-5-21-474648322-3185173744-4186694333-7194
sn co114-pc11$
uid co114-pc11$
uidNumber 3097

I think the samba information is needed for the machine. Or should it get
created when the machine contacts the domain for the first time? Anyway,
that does not happen. The computer does not join the domain after it gets
the SID from the server.

Now about the other errors in the logs. From the moment the server is
started, I get a lot of these:

[2008/06/04 19:20:43, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544
(NT_STATUS_GROUP_EXISTS)
[2008/06/04 19:20:43, 0] auth/auth_util.c:create_builtin_administrators(792)
  create_builtin_administrators: Failed to create Administrators
[2008/06/04 19:20:43, 2] auth/auth_util.c:create_local_nt_token(914)
  create_local_nt_token: Failed to create BUILTIN\Administrators group!
[2008/06/04 19:20:43, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545
(NT_STATUS_GROUP_EXISTS)
[2008/06/04 19:20:43, 0] auth/auth_util.c:create_builtin_users(758)
  create_builtin_users: Failed to create Users
[2008/06/04 19:20:43, 2] auth/auth_util.c:create_local_nt_token(941)
  create_local_nt_token: Failed to create BUILTIN\Users group!

At first I thought this was the core of the problem. But I'm not sure about
that anymore. All the things that failed to be created do exist and seem
to have the correct SIDs. I also deleted all those items (created by
smbldap-populate), and ran smbldap-populate again. It neatly created
everything again. But the errors above persist. One of the few discussions of
this on the web says it's not important, but of course that's just one...

Well, thanks for reading all this. If any of you have a clue about what is
going on, I would be very happy to hear from you. I have about 2000 accounts
and 200 computers in this domain, so a fresh install is really not an
option.

Regards,

yvan vander sanden
-- 
Copyright only exists in the imagination of those who do not have any.
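The two conditions the mail describes, sambaSID values that still carry the old server's domain SID and machine accounts that were created without any samba* attributes, can be checked mechanically over an LDIF dump of the directory. The script below is an added example, not code from the original post or from smbldap-tools. It embeds a constructed LDIF sample modelled on the entries quoted above (the `dc=school` suffix and the `ou=` names are assumptions), takes the current domain SID from the `_samr_lookup_domain` log line, and assumes the site uses Samba's default algorithmic uid-to-RID mapping (RID = 2*uid + 1000 for users, 2*gid + 1001 for groups), which the quoted entry for co114-pc11$ happens to fit: uidNumber 3097 gives RID 7194 and gidNumber 100 gives RID 1201.

```python
"""Audit a Samba/LDAP LDIF dump for stale domain SIDs and half-created
machine accounts. Added example; not from the mailing-list post."""
import re

# Current domain SID, as printed by smbd in the _samr_lookup_domain log line.
SERVER_DOMAIN_SID = "S-1-5-21-2448809205-3807961929-1645749690"

# Samba's default "algorithmic rid base". Assumption: this site uses the
# default mapping (the page's own numbers fit: uid 3097 -> 7194, gid 100 -> 1201).
RID_BASE = 1000

# Constructed sample, modelled on the two machine entries quoted in the mail
# plus one user. The dn suffix dc=school is an assumption.
SAMPLE_LDIF = """\
dn: uid=co114-pc11$,ou=Computers,dc=school
uid: co114-pc11$
uidNumber: 3097
gidNumber: 100
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-474648322-3185173744-4186694333-7194
sambaPrimaryGroupSID: S-1-5-21-474648322-3185173744-4186694333-1201
sambaNTPassword: 76B04CE668008AA41E9ED6829A71EE5E

dn: uid=co114-pc12$,ou=Computers,dc=school
uid: co114-pc12$
uidNumber: 1008
gidNumber: 515

dn: uid=yvan,ou=Users,dc=school
uid: yvan
uidNumber: 1000
gidNumber: 1000
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-2448809205-3807961929-1645749690-3000
sambaPrimaryGroupSID: S-1-5-21-2448809205-3807961929-1645749690-3001
"""

# Attributes a workstation trust account needs before a Windows client can
# use it; the half-created co114-pc12$ entry in the mail has none of them.
MACHINE_REQUIRED = ("sambaSID", "sambaPrimaryGroupSID",
                    "sambaNTPassword", "sambaAcctFlags")


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]} dicts. Entries are
    separated by blank lines; a leading space marks a folded continuation."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries


def split_sid(sid):
    """'S-1-5-21-a-b-c-RID' -> ('S-1-5-21-a-b-c', RID as int)."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)", sid)
    if not m:
        raise ValueError("not a domain SID: %s" % sid)
    return m.group(1), int(m.group(2))


def rewrite_sid(sid, domain_sid=SERVER_DOMAIN_SID):
    """Keep the RID, replace the domain part with the current domain SID."""
    _, rid = split_sid(sid)
    return "%s-%d" % (domain_sid, rid)


def algorithmic_sid(id_number, domain_sid=SERVER_DOMAIN_SID, group=False):
    """Default uid/gid -> SID mapping: users 2*uid+base, groups 2*gid+base+1."""
    rid = 2 * id_number + RID_BASE + (1 if group else 0)
    return "%s-%d" % (domain_sid, rid)


def audit(entries, domain_sid=SERVER_DOMAIN_SID):
    """Return (uid, problem, suggested fix) tuples, in directory order."""
    findings = []
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in e.get(attr, []):
                if split_sid(sid)[0] != domain_sid:
                    findings.append((uid, "%s carries foreign domain SID %s" % (attr, sid),
                                     "replace %s: %s" % (attr, rewrite_sid(sid, domain_sid))))
        if uid.endswith("$"):  # machine (workstation trust) account
            missing = [a for a in MACHINE_REQUIRED if a not in e]
            if missing:
                fix = "add sambaSID: %s" % algorithmic_sid(int(e["uidNumber"][0]), domain_sid) \
                    if "uidNumber" in e else "add samba* attributes"
                findings.append((uid, "machine account missing " + ", ".join(missing), fix))
            flags = e.get("sambaAcctFlags", [""])[0]
            if flags and "W" not in flags:
                findings.append((uid, "sambaAcctFlags %s lacks W" % flags, "set [W          ]"))
    return findings


if __name__ == "__main__":
    for uid, problem, fix in audit(parse_ldif(SAMPLE_LDIF)):
        print("%-13s %s\n%13s -> %s" % (uid, problem, "", fix))
```

On the sample this reports two stale SIDs on co114-pc11$ (with the same RIDs rewritten under the current domain SID) and the four missing attributes on co114-pc12$; yvan passes. Feed it real data with `ldapsearch -x -LLL` output instead of `SAMPLE_LDIF`. Note that rewriting every entry is only one of two ways out of a SID mismatch after a migration: the other is to set the new server back to the SID the directory was populated with (`net setlocalsid` with the old domain SID, after confirming it with `net getlocalsid`), which touches nothing in LDAP. Which one is right depends on which SID the existing Windows clients were joined under.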
