[Samba] Very strange login errors.

Don Krause dkrause at optivus.com
Mon Mar 22 12:45:27 MDT 2010


We're finally trying to move off of Samba 2.x, and are having some very strange login issues.

I've built two identical boxes, both running fully patched Ubuntu 9.10 x64, and both have Samba 3.4.0 installs as packaged by Ubuntu.

Both are joined to the Active Directory server fine.

net ads testjoin on both hosts reports "Join is OK"

getent passwd on both hosts returns the full user list, as seen from our nis servers.

net ads users -U Administrator on both hosts returns all users from AD.

The /etc/nsswitch.conf file is identical on both servers.

For most folks, things appear to be working, however:

Some users can connect to samba1, while getting denied on samba2.
Some users can connect to samba2, but not samba1.

Some users, particularly if their laptops are NOT part of the domain, cannot log onto either server.

Some can though. It seems to fail regardless of whether the client is XP, Vista, or Win7.

On users who cannot log on, the error in the log file is almost always similar to:

(This is from the second samba server, actually named FILES7.)

[2010/03/22 11:29:08,  3] libsmb/namequery.c:1971(get_dc_list)
  get_dc_list: preferred server list: "optad.optivus.com, optad.optivus.com"
[2010/03/22 11:29:08,  3] libads/ldap.c:621(ads_connect)
  Successfully contacted LDAP server 143.197.200.216
[2010/03/22 11:29:08,  3] libsmb/namequery.c:1971(get_dc_list)
  get_dc_list: preferred server list: "optad.optivus.com, optad.optivus.com"
[2010/03/22 11:29:08,  3] libsmb/namequery.c:1971(get_dc_list)
  get_dc_list: preferred server list: "optad.optivus.com, optad.optivus.com"
[2010/03/22 11:29:08,  3] libsmb/cliconnect.c:2031(cli_start_connection)
  Connecting to host=OPTAD.OPTIVUS.COM
[2010/03/22 11:29:08,  3] lib/util_sock.c:1025(open_socket_out_send)
  Connecting to 143.197.200.216 at port 445
[2010/03/22 11:29:08,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [LH-PT3E9ECTVQJQ]\[dkrause]@[LH-PT3E9ECTVQJQ] with the new password interface
[2010/03/22 11:29:08,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FILES7]\[dkrause]@[LH-PT3E9ECTVQJQ]
[2010/03/22 11:29:08,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/03/22 11:29:08,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/03/22 11:29:08,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/03/22 11:29:08,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/03/22 11:29:08,  3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'dkrause' in passdb.
[2010/03/22 11:29:08,  3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FILES7] was for this SAM.
[2010/03/22 11:29:08,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [dkrause] -> [dkrause] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 11:29:08,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2010/03/22 11:29:08,  3] smbd/process.c:1453(process_smb)
  Transaction 3 of length 142 (0 toread)
[2010/03/22 11:29:08,  3] smbd/process.c:1272(switch_message)
  switch message SMBsesssetupX (pid 1635) conn 0x0
[2010/03/22 11:29:08,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/03/22 11:29:08,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2010/03/22 11:29:08,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/03/22 11:29:08,  3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/03/22 11:29:08,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2010/03/22 11:29:08,  3] smbd/sesssetup.c:786(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 40
[2010/03/22 11:29:08,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)


This same user has no problems logging onto the first samba server.

The global section of the smb.conf file is: (Both servers)

[global]
        workgroup = OPTIVUS
        security = ADS
        realm = OPTIVUS.COM
        encrypt passwords = yes
        password server = optad.optivus.com
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 50
        template shell = /bin/bash

We don't use winbind; user authentication to the Unix servers is NIS.

I'm at a complete loss here.

It works for some folks some of the time on some servers, with identical configuration.

Any ideas?

Thanks




--
Don Krause                                                                   
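
Added example, not part of the original post: a Python triage script that extracts the authentication decision from a level-3 smbd log like the one above, reporting the domain the client sent, the domain smbd mapped it to, whether the lookup stayed in the local SAM, and the final status. The sample input is constructed from the log lines in the post; the function and field names are hypothetical.

```python
import re

# Constructed sample: the authentication lines copied from the log in the post.
SAMPLE_LOG = r"""[2010/03/22 11:29:08,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [LH-PT3E9ECTVQJQ]\[dkrause]@[LH-PT3E9ECTVQJQ] with the new password interface
[2010/03/22 11:29:08,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FILES7]\[dkrause]@[LH-PT3E9ECTVQJQ]
[2010/03/22 11:29:08,  3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'dkrause' in passdb.
[2010/03/22 11:29:08,  3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FILES7] was for this SAM.
[2010/03/22 11:29:08,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [dkrause] -> [dkrause] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# [DOMAIN]\[user]@[WORKSTATION] as smbd prints it
IDENT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
UNMAPPED = re.compile(r"unmapped user " + IDENT)
MAPPED = re.compile(r"mapped user is: " + IDENT)
LOCAL_SAM = re.compile(r"requested domain \[([^\]]*)\] was for this SAM")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (\S+)")

def summarize_auth(log_text):
    """Return one dict per authentication attempt found in a level-3 smbd log."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        if m := UNMAPPED.search(line):
            # A new attempt starts with the identity exactly as the client sent it.
            cur = {"client_domain": m[1], "user": m[2], "workstation": m[3],
                   "domain_is_workstation": m[1] == m[3],
                   "mapped_domain": None, "local_sam": False, "status": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := MAPPED.search(line):
            cur["mapped_domain"] = m[1]
        elif m := LOCAL_SAM.search(line):
            # smbd kept the lookup in its own SAM instead of asking the domain.
            cur["local_sam"] = (m[1] == cur["mapped_domain"])
        elif m := FAILED.search(line):
            cur["status"] = m[3]
            cur = None
    return attempts

if __name__ == "__main__":
    for attempt in summarize_auth(SAMPLE_LOG):
        print(attempt)
```

Running it over the per-client log files from both servers lets the failing attempts be compared side by side by client-supplied domain and mapped domain.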








