[Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...

Linda Walsh samba at tlinx.org
Thu Aug 18 04:20:53 MDT 2011




Michael Wood wrote:
> Hi
>
> On 3 August 2011 08:59, Linda Walsh <samba at tlinx.org> wrote:
>   
>> Among various problems since I upgraded to 3.6 (none of which got answered
>> really, -- so I backgraded to 3.5.10 and started debugging from there,
>> considering 3.6.0 too unstable/too incompatible for 'whatever' reason...
>>
>> One of the probs I had was 'root' couldn't use "net rpc" <anything> --
>> kept getting auth failures.
>>     
>
> Was this with 3.6.0 or after you downgraded again to 3.5.10?
>   
Both .. haven't tried it since my servername started coming back together
(the 'mixed case' v. forced case causing parts of server not to know who it
was or similar -- (along with that param you mentioned).

>> Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
>> normal UID could do an rpc user, but didn't have the auth to the
>> local files to read them (so got no results back).
>>
>>
>> Steps...
>> 1) add self to group root
>> 2) in /var/lib/samba and /etc/samba:
>> find . -gid 0 -print0|xargs -0 chmod g+rw
>> find . -gid 0 -type d|xargs -0 chmod g+xs
>>     
>
> You're missing a -print0 on the second one there, but I assume that's
> just a copy/paste error or something.
>
>   
>> Then I noted that my 'user' could no longer auth either!
>> Bonus!
>>
>> turned on -d10 on net rpc cmd,
>> Noted, it was trying to look up '*' for a pw server,
>>
>> '*' doesn't resolve so well on my DNS server.
>>     
>
> What was the actual log message?  Did you find out where this '*' was
> coming from?
>   
----
    It had to do with the trusted domains -- Because part of the server
was now upcasing everything, it thought it was a different 'server' than
the 'mixed-case' server...so it was looking for a '*' meta server to tell it
where its old name was...(very sad! ;-))...

> It seems to me that finding out why there are no builtin SIDs might
> have been a better idea than manually adding them.  But I suppose if
> your idmap tdb was suspect then maybe this was indeed the best thing
> to do.
>   
---
    I am a bit impulsive @ times...but often, I *REALLY* want to get things
working again, on some level, as when things are badly broken,
no email, no files, no videos, no music, no programming, no homedirs
no internet, no art/wall/scan work/design...basically not good;
My Win7WS isn't at all setup to be useful w/o the server running.




>> /tmp/domsid:
>> "Administrators" sid="S-1-5-32-544" type=builtin
>> "Users" sid="S-1-5-32-545" type=builtin
>> "Domain Controllers" sid="S-1-5-32-516" type=builtin
>> "Guests" sid="S-1-5-32-546" type=builtin
>> "Power Users" sid="S-1-5-32-547" type=builtin
>> "Account Operators" sid="S-1-5-32-552" type=builtin
>>     

---
    I don't think the above was entirely the 'right' thing to do, even
though those are documented to be 'well known SIDs' in the MS literature -- as
now many of those sids no longer can be added or browsed...


I'm not getting the '*' message any more, -- turning off the trusted-only
and getting my methods resolutions in the right order seems to have
helped, though now I'm getting new messages:


Aug 17 02:12:32 Ishtar winbindd[11885]: [2011/08/17 02:12:32,  0, class=winbind] winbindd/winbindd_passdb.c:194(rids_to_names)
Aug 17 02:12:32 Ishtar winbindd[11885]:   Possible deadlock: Trying to lookup SID S-1-5-21-33333-77777-33333 with passdb backend
Aug 17 02:12:32 Ishtar winbindd[11885]: [2011/08/17 02:12:32,  0, class=winbind] winbindd/winbindd_passdb.c:194(rids_to_names)
Aug 17 02:12:32 Ishtar winbindd[11885]:   Possible deadlock: Trying to lookup SID S-1-5-21-33333-77777-33333 with passdb backend
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, class=rpc_srv] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED


----
These just started after I turned off that param...and some of the cases
got realigned again due to changes in resolution order.  The SID that it
is trying to lookup is the server's SID.  ASTARTE$, of course doesn't
exist -- Astarte$ does.
Listed that way in /etc/passwd, and I know linux doesn't ignore case.

So that just means some part of "some"  DB needs to be cleaned up after
being mangled by libsmb's internal set-case code.

Still limping along...but I don't sit here and bang on samba probs, I do
a few things when I get ideas or get energy, but this has been such a
long-term problem (since installing 3.6 ~ May-Jun) that there's no way I
can deal with it for prolonged periods now.
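
The case mismatch described in the message above (smbd asking for ASTARTE$ while /etc/passwd lists Astarte$) can be checked mechanically. The following is an added example, not part of the original post and not Samba code: it scans smbd log text for get_md4pw "no account in domain" failures and reports which of those accounts exist in passwd only under a different case. The sample log and passwd lines are constructed; GHOST$ and the uid/gid/home/shell values are made-up placeholders.

```python
import re

# Constructed sample input, modelled on the log lines quoted in the message.
SAMPLE_LOG = """\
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no account in domain
Aug 17 02:12:33 Ishtar smbd[7382]:   get_md4pw: Workstation GHOST$: no account in domain
"""
# Constructed passwd entries; uid, gid, home and shell are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
Astarte$:x:5001:515:machine account:/dev/null:/bin/false
"""
MD4PW_RE = re.compile(r"get_md4pw: Workstation (\S+?): no account in domain")


def failed_machine_accounts(log_text):
    """Distinct account names smbd reported as absent, in log order."""
    return list(dict.fromkeys(MD4PW_RE.findall(log_text)))


def passwd_names(passwd_text):
    """Login names from passwd-format text, skipping blank and comment lines."""
    return [line.split(":", 1)[0] for line in passwd_text.splitlines()
            if line.strip() and not line.startswith("#")]


def classify(log_text, passwd_text):
    """Map each failed account to (status, matching passwd names)."""
    names = passwd_names(passwd_text)
    folded = {}
    for name in names:
        folded.setdefault(name.casefold(), []).append(name)
    result = {}
    for acct in failed_machine_accounts(log_text):
        if acct in names:
            result[acct] = ("exact", [acct])  # name exists; look elsewhere
        elif acct.casefold() in folded:
            result[acct] = ("case-mismatch", folded[acct.casefold()])
        else:
            result[acct] = ("missing", [])
    return result


if __name__ == "__main__":
    for acct, (status, matches) in classify(SAMPLE_LOG, SAMPLE_PASSWD).items():
        print(f"{acct}: {status} {matches}")
```

A "case-mismatch" result points at a stored name that differs only in case from what smbd looked up, as opposed to a machine account that was never created.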






