[Samba] LDAP & PDC: Can join domain, but cannot login afterwards.

Farhan Ahmad farhan at thebitguru.com
Tue Jan 18 11:03:31 MST 2011


Hi,

I am setting up a PDC with LDAP, but having no luck with it.  Basically, the
Win XP computer successfully joins the domain, but after restarting when I
try to log in it says "The system cannot log you on now because the domain
THEBITGURU.LAN is not available."  I am running an Ubuntu 10.10 server with
Samba 3.5.4 and OpenLDAP 2.4.3 (slapd).

I have compressed all of the samba logs (/var/log/samba) files along with
the smb.conf:
http://www.thebitguru.com/site_media/uploads/samba_troubleshooting.tar.gz  I
turned up the logging (log level = 4) and created a folder with the log
files after each step.

Below is what I have gathered so far about the different steps.

*Relevant Notes*

   1. I installed ClearOS on another virtual machine and set it up as a PDC.
   This same WinXP virtual machine successfully joined that domain and was
   able to log in without any issues.  So, I am concluding that the client is
   set up correctly.
      1. I even tried comparing the smb.conf files and updating the one on my
      actual server, but no luck.
   2. Another Windows 7 machine with the changes listed on
   http://wiki.samba.org/index.php/Windows7 behaves similarly, i.e. cannot
   log in after joining the domain.
   3. I can mount the share (\\visionary\shared) served by this server on
   both WinXP and Windows 7 without any issues.  This tells me that the
   authentication with the LDAP server is working OK.

*Domain Join (log files in after_domain_join folder)*
1. Note how the sending machine correctly sent the user and domains in this
case.
[2011/01/18 10:24:35.521835,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744]
len1=24 len2=24

2. Also, note that the user authentication and mapping seemed to work OK in
this case.
[2011/01/18 10:24:35.521954,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is:
[THEBITGURU.LAN]\[root]@[VIRTUALXP-32744]
.
.
.
[2011/01/18 10:24:35.523891,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root


3. Even though the Win XP system says that it joined the domain OK, the
following output in the log file seems suspicious.  This is at the end of
log.virtualxp-32744.
[2011/01/18 10:24:36.932921,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2011/01/18 10:24:36.933031,  3] smbd/server.c:906(exit_server_common)
  Server exit (failed to receive smb request)


*First Failed Login (log files in after_first_failed_login folder)*
1. Unlike #1 above, in this case we neither see the user nor the domain.  I
think this is where the problem lies.
[2011/01/18 10:26:01.920055,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0

2. The server still falls back to the domain, but still no user.
[2011/01/18 10:26:01.920172,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is:
[THEBITGURU.LAN]\[]@[VIRTUALXP-32744]

3. So it goes looking for the guest user.
[2011/01/18 10:26:01.922536,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded

4. There might be other weird things, for instance, the "Server exit (failed
to receive smb request)" message, but if I can figure out the issue with #1
then I am thinking that the rest will be fixed.



I have tried a lot of stuff, but haven't had any luck.  What should I do
next to fix this issue?

Thanks!
Farhan
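
Added example, not part of the original post: a small Python parser that pulls the NTLMSSP attempts out of smbd log lines of the kind quoted above and marks the ones that ended in guest authentication, the comparison the post makes by hand between the join and the failed login. The function names are illustrative, and it assumes a single per-client log file so that entries appear in order.

```python
import re

# Sample input: log lines copied from the post above, line-wrapped as mailed.
SAMPLE_LOG = """\
[2011/01/18 10:24:35.521835,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744]
len1=24 len2=24
[2011/01/18 10:26:01.920055,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0
[2011/01/18 10:26:01.922536,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\] \S+\((\w+)\)")
GOT = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\] "
                 r"len1=(\d+) len2=(\d+)")
GUEST = re.compile(r"guest authentication for user \[.*?\] succeeded")

def entries(text):
    """Yield (timestamp, function, body), folding wrapped body lines together."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), ""]
        elif current and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def auth_attempts(text):
    """One record per NTLMSSP attempt, marked if it then authenticated as guest."""
    attempts = []
    for ts, func, body in entries(text):
        got = GOT.search(body)
        if func == "ntlmssp_server_auth" and got:
            user, domain, ws, len1, len2 = got.groups()
            attempts.append({"time": ts, "user": user, "domain": domain,
                             "workstation": ws, "len1": int(len1),
                             "len2": int(len2), "guest": False})
        elif func == "check_ntlm_password" and attempts and GUEST.search(body):
            attempts[-1]["guest"] = True  # assumes a per-client log, in order
    return attempts

if __name__ == "__main__":
    for a in auth_attempts(SAMPLE_LOG):
        who = f"{a['domain']}\\{a['user']}" if a["user"] else "<empty user>"
        print(a["time"], a["workstation"], who, "guest" if a["guest"] else "named")
```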

