[Samba] LDAP & PDC: Can join domain, but cannot login afterwards.

Farhan Ahmad farhan at thebitguru.com
Tue Jan 18 11:03:31 MST 2011


I am setting up a PDC with LDAP, but having no luck with it.  Basically, the
Win XP computer successfully joins the domain, but after restarting when I
try to login it says "The system cannot log you on now because the domain
THEBITGURU.LAN is not available."  I am running an Ubuntu 10.10 server with
Samba 3.5.4 and OpenLDAP 2.4.3 (slapd).

I have compressed all of the Samba log files (/var/log/samba) along with
the smb.conf:
http://www.thebitguru.com/site_media/uploads/samba_troubleshooting.tar.gz  I
turned up the logging (log level = 4) and created a folder with the log
files after each step.

Below is what I have gathered so far about the different steps.

*Relevant Notes*

   1. I installed ClearOS on another virtual machine and set it up as a PDC.
   This same WinXP virtual machine successfully joined that domain and was
   able to login without any issues.  So, I am concluding that the client is
   set up correctly.
      1. I even tried comparing the smb.conf files and updating the one on my
      actual server, but no luck.
   2. Another Windows 7 machine with the changes listed on
   http://wiki.samba.org/index.php/Windows7 behaves similarly, i.e. cannot
   login after joining the domain.
   3. I can mount the share (\\visionary\shared) served by this server on
   both WinXP and Windows 7 without any issues.  This tells me that the
   authentication with the LDAP server is working OK.

*Domain Join (log files in after_domain_join folder)*
1. Note how the sending machine correctly sent the user and domains in this
[2011/01/18 10:24:35.521835,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744]
len1=24 len2=24

2. Also, note that the user authentication and mapping seemed to work OK in
this case.
[2011/01/18 10:24:35.521954,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is:
[2011/01/18 10:24:35.523891,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root

3. Even though the Win XP system says that it joined the domain OK, the
following output in the log file seems suspicious.  This is at the end of
[2011/01/18 10:24:36.932921,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2011/01/18 10:24:36.933031,  3] smbd/server.c:906(exit_server_common)
  Server exit (failed to receive smb request)

*First Failed Login (log files in after_first_failed_login folder)*
1. Unlike #1 above, in this case we neither see the user nor the domain.  I
think this is where the problem lies.
[2011/01/18 10:26:01.920055,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0

2. The server still falls back to the domain, but still no user.
[2011/01/18 10:26:01.920172,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is:

3. So it goes looking for the guest user.
[2011/01/18 10:26:01.922536,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded

4. There might be other weird things, for instance, the "Server exit (failed
to receive smb request)" message, but if I can figure out the issue with #1
then I am thinking that the rest will be fixed.

I have tried a lot of stuff, but haven't had any luck.  What should I do
next to fix this issue?
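
Added example (not part of the original post): a small Python parser for the
smbd log format quoted above. It pairs each ntlmssp_server_auth record with
any later guest fallback, so sessions with an empty user and domain (treated
here as anonymous) stand out from authenticated ones. The sample input is
constructed from the log lines in the post; the function names are this
example's own.

```python
import re

# Constructed sample, built from the log lines quoted in the post (one record
# keeps the mail-wrapped "len1=... len2=..." continuation line).
SAMPLE_LOG = """\
[2011/01/18 10:24:35.521835,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744]
len1=24 len2=24
[2011/01/18 10:24:35.523891,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: root
[2011/01/18 10:26:01.920055,  3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0
[2011/01/18 10:26:01.922536,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
"""

# Header line: [timestamp, level] source.c:line(function)
HEADER = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+\S+?:\d+\((?P<func>\w+)\)")
GOT = re.compile(r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
                 r"workstation=\[(?P<ws>[^\]]*)\] len1=(?P<len1>\d+) len2=(?P<len2>\d+)")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({"ts": m["ts"], "func": m["func"], "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def ntlmssp_sessions(text):
    """One dict per ntlmssp_server_auth record, flagged if anonymous/guest."""
    sessions = []
    for rec in parse_records(text):
        m = GOT.search(rec["msg"]) if rec["func"] == "ntlmssp_server_auth" else None
        if m:
            s = dict(m.groupdict(), ts=rec["ts"], guest_fallback=False)
            s["anonymous"] = s["user"] == "" and s["domain"] == ""
            sessions.append(s)
        elif sessions and "guest authentication for user" in rec["msg"]:
            sessions[-1]["guest_fallback"] = "succeeded" in rec["msg"]
    return sessions

if __name__ == "__main__":
    for s in ntlmssp_sessions(SAMPLE_LOG):
        print(s["ts"], s["ws"], repr(s["user"]), repr(s["domain"]),
              "anonymous" if s["anonymous"] else "authenticated",
              "guest-fallback" if s["guest_fallback"] else "")
```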

