[Samba] windows 7

Todd E Thomas todd_dsm at ssiresults.com
Mon Nov 22 11:11:44 MST 2010


I too have this very same problem. I've searched my Samba List mail 
folder and there are 64 emails on this very subject - all seemingly 
unanswered. Perhaps we could put a wooden stake through the heart of 
this beast once and for all.

I'm not sure what the cone of silence is about but, once again, for 
posterity...

Apply fixes from the samba wiki:
http://wiki.samba.org/index.php/Windows7
   * Registry hacks (attached)
   * kb2171571 hotfixes


$ smbd -V
Version 3.3.8-0.52.el5_5.2

$ cat /etc/redhat-release
CentOS release 5.5 (Final) (though this seems not to be platform-specific)

Client: Win7 Pro (registered and fully patched)
1) Right-click on Computer > Properties > Change Settings
2) Enter workgroup value > OK; authenticate to add Windows 7 client to 
the domain
3) tail -f /var/log/messages for relevant entries:
...
(A full log of all transactions is attached)
Nov 22 10:06:15 mail smbd[28796]: [2010/11/22 10:06:15,  2] 
lib/smbldap.c:smbldap_open_connection(856)
Nov 22 10:06:15 mail smbd[28796]:   smbldap_open_connection: connection 
opened
...
Nov 22 10:06:15 mail smbd[28796]: [2010/11/22 10:06:15,  2] 
auth/auth.c:check_ntlm_password(308)
Nov 22 10:06:15 mail smbd[28796]:   check_ntlm_password:  authentication 
for user [admin] -> [root] -> [root] succeeded
...
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16,  2] 
lib/smbldap_util.c:smbldap_search_domain_info(277)
Nov 22 10:06:16 mail smbd[28796]:   smbldap_search_domain_info: 
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16,  2] 
passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:16 mail smbd[28796]:   init_ldap_from_sam: Setting entry 
for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid 
== 7TEST1$ in the LDAP database
...
Strangely, this happens 12 times
Nov 22 10:06:17 mail smbd[28796]:   init_sam_from_ldap: Entry found for 
user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:init_sam_from_ldap(571)

And this, another 5 times:
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:17 mail smbd[28796]:   init_ldap_from_sam: Setting entry 
for user: 7TEST1$
Maybe this is normal for setting flags, passwords, sids, et al(?).
---
Nov 22 10:07:34 mail smbd[28796]: [2010/11/22 10:07:34,  2] 
passdb/pdb_ldap.c:ldapsam_update_sam_account(1979)
Nov 22 10:07:34 mail smbd[28796]:   ldapsam_update_sam_account: 
successfully modified uid = 7TEST1$ in the LDAP database
...
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: 
netlogon_creds_server_check failed. Rejecting auth request from client 
7TEST1 machine account 7TEST1$

4) Reboot anyway...
5) Login as user thomas
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] 
auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication 
for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
...
Nov 22 10:38:00 mail smbd[19317]: [2010/11/22 10:38:00,  2] 
auth/auth.c:check_ntlm_password(308)
Nov 22 10:38:00 mail smbd[19317]:   check_ntlm_password:  authentication 
for user [thomas] -> [thomas] -> [thomas] succeeded

6) Desktop loads as it should. Brief permissions check on mapped drives 
from logon script seems to be solid. Workstation account still fails to auth.

7) Double checked for CentOS AVC Denials: none.
---


The workstation account can be verified from a few different angles:


$  getent passwd
...
7test1$:x:10013:100:Workstation (7test1$):/nohome:/sbin/nologin
...


$ pdbedit -Lv 7TEST1$
smbldap_search_domain_info: Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: 7TEST1$
Unix username:        7TEST1$
NT username:          7TEST1$
Account Flags:        [W          ]
User SID:             S-1-5-21-1521813849-199949043-3839498338-1005
Primary Group SID:    S-1-5-21-1521813849-199949043-3839498338-513
Full Name:            Workstation (7test1$)
Home Directory:
HomeDir Drive:        H:
Logon Script:         users.vbs
Profile Path:
Domain:               OFFICE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mon, 22 Nov 2010 10:07:34 CST
Password can change:  Mon, 22 Nov 2010 10:07:34 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


$ ldapsearch -x -H ldap://${FQDNAME} -b "${LDAPBASEDN}" \
    "(&(uid=7TEST1$)(objectClass=sambaSamAccount))" \
    -D cn=config -w ${LDAPPASSWD}
# extended LDIF
#
# LDAPv3
# base <dc=ptest,dc=us> with scope subtree
# filter: (&(uid=7TEST1$)(objectClass=sambaSamAccount))
# requesting: ALL
#

# 7TEST1$, machines, ptest.us
dn: uid=7TEST1$,ou=machines,dc=ptest,dc=us
uid: 7TEST1$
sambaSID: S-1-5-21-1521813849-199949043-3839498338-1005
displayName: Workstation (7test1$)
objectClass: sambaSamAccount
objectClass: account
sambaAcctFlags: [W          ]
sambaNTPassword: B801FD816E64791F0AA328E8FD7586BE
sambaPwdLastSet: 1290442054

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This looks identical to the WinXP workstations I've added except for the 
errors:
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: 
netlogon_creds_server_check failed. Rejecting auth request from client 
7TEST1
&
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] 
auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication 
for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER


--
Thanks in advance :)

Todd E Thomas
"It's a frail music knits the world together."
-Robert Dana





On 10/25/2010 01:41 AM, Pascal Legrand wrote:
> Hello,
> I'm using Samba version 2:3.5.5~dfsg-1~bpo50+2 from backports
>
> Patch applied :
> http://support.microsoft.com/kb/2171571
>
> Key modified :
> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
> "DNSNameResolutionRequired"=dword:00000000
> "DomainCompatibilityMode"=dword:00000001
>
> --------------------------------------------------------------------------------------
>
> When I include a Windows 7 station in the Samba domain, everything works fine, but
> I've got a lot of error messages:
>
> [2010/10/25 08:19:53.174725,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
> resources.
> [2010/10/25 08:19:53.177153,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
> resources.
> [2010/10/25 08:19:53.177843,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [root] ->  [root] ->  [root] succeeded
> [2010/10/25 08:19:55.607701,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>    Returning domain sid for domain TEST-SAMBA ->
> S-1-5-21-3551297527-875676932-1423664221
> [2010/10/25 08:19:59.095642,  2]
> ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
>    credentials check failed
> [2010/10/25 08:19:59.095692,  0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
> request from client WINDOWS7 machine account WINDOWS7$
> [2010/10/25 08:20:06.623691,  2] auth/auth.c:314(check_ntlm_password)
>    check_ntlm_password:  Authentication for user [WINDOWS7] ->  [WINDOWS7] FAILED
> with error NT_STATUS_NO_SUCH_USER
>
> pdbedit -v WINDOWS7$ :
> -----------------------
> Unix username:        WINDOWS7$
> NT username:
> Account Flags:        [W          ]
> User SID:             S-1-5-21-3551297527-875676932-1423664221-1005
> Primary Group SID:    S-1-5-21-3551297527-875676932-1423664221-513
> Full Name:            WINDOWS7$
> Home Directory:       \\test\windows7_
> HomeDir Drive:        m:
> Logon Script:
> Profile Path:
> Domain:               TEST-SAMBA
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    lun, 25 oct 2010 08:19:55 CEST
> Password can change:  lun, 25 oct 2010 08:19:55 CEST
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
> pdbedit -L WINDOWS7$ :
> -----------------------
> WINDOWS7$:4294967295:WINDOWS7$
>
> What does "4294967295" mean???
>
> After that, when I connect on the Windows 7 station with the "tiptop" user, I've
> also got some error messages:
>
> [2010/10/25 08:32:58.833370,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] ->  [tiptop]
> succeeded
> [2010/10/25 08:32:58.860904,  1] auth/auth_util.c:580(make_server_info_sam)
>    User WINDOWS7$ in passdb, but getpwnam() fails!
> [2010/10/25 08:32:58.860939,  0] auth/auth_sam.c:493(check_sam_security)
>    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
> [2010/10/25 08:32:58.861009,  2] auth/auth.c:314(check_ntlm_password)
>    check_ntlm_password:  Authentication for user [WINDOWS7$] ->  [WINDOWS7$]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/10/25 08:33:00.510068,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] ->  [tiptop]
> succeeded
> [2010/10/25 08:33:00.544211,  1] smbd/service.c:1070(make_connection_snum)
>    windows7 (192.168.151.73) connect to service tiptop initially as user tiptop
> (uid=1002, gid=1002) (pid 2098)
>
>
>
> but everything works fine.
> The station exists in the domain, and the user can connect on it.
>
> Is it normal?
> Does this Samba version not support Windows 7 stations well yet?
>
>
> Thanks for your help
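
Added example (not part of the original post, and not Samba project code): a small Python triage script that groups the events reported in this thread by machine account, so a join followed by a netlogon rejection or NT_STATUS_NO_SUCH_USER stands out. It accepts both header layouts shown above (syslog-prefixed 3.3.x and raw 3.5.x); the function names, event labels and SAMPLE data are constructed for illustration.

```python
import re
from collections import defaultdict
# Optional syslog prefix, e.g. "Nov 22 10:07:37 mail smbd[28796]: "
SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ smbd\[\d+\]: ?")
# Debug header "[date time, level]"; 3.5.x adds fractional seconds, 3.3.x does not
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*(\d+)\]")
# Event label -> pattern capturing the account name without its trailing "$"
EVENTS = {
    "account_added": re.compile(r"ldapsam_add_sam_account: added: uid == ([^\s$]+)\$"),
    "netlogon_rejected": re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request from client (\S+)"),
    "no_such_user": re.compile(r"Authentication for user \[([^\]$]+)\$?\] .*FAILED with error NT_STATUS_NO_SUCH_USER"),
    "getpwnam_failed": re.compile(r"User ([^\s$]+)\$ in passdb, but getpwnam\(\) fails"),
}

def records(lines):
    """Yield (timestamp, level, message), joining message lines to their header."""
    current = None
    for raw in lines:
        line = SYSLOG.sub("", raw.rstrip("\n"))
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), int(m.group(2)), [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def triage(lines):
    """Return {ACCOUNT: [(timestamp, event), ...]} in log order, names upper-cased."""
    seen = defaultdict(list)
    for ts, _level, msg in records(lines):
        for label, pattern in EVENTS.items():
            m = pattern.search(msg)
            if m:
                seen[m.group(1).upper()].append((ts, label))
    return dict(seen)
# Constructed sample: excerpts from the post, unwrapped (syslog 3.3.x, raw 3.5.x)
SAMPLE = """\
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid == 7TEST1$ in the LDAP database
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/10/25 08:32:58.860904,  1] auth/auth_util.c:580(make_server_info_sam)
  User WINDOWS7$ in passdb, but getpwnam() fails!
""".splitlines()
```

The events matched here are logged at debug levels 0 to 2, as the headers in the thread show.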

