[Samba] LDAP & PDC: Can join domain, but cannot login afterwards.
linuxaddict7 at gmail.com
Tue Jan 25 14:52:06 MST 2011
On Tue, Jan 18, 2011 at 1:03 PM, Farhan Ahmad <farhan at thebitguru.com> wrote:
> I am setting up a PDC with LDAP, but having no luck with it. Basically,
> Win XP computer successfully joins the domain, but after restarting when I
> try to login it says "The system cannot log you on now because the domain
> THEBITGURU.LAN is not available." I am running a Ubuntu 10.10 server with
> Samba 3.5.4 and OpenLDAP 2.4.3 (slapd).
> I have compressed all of the samba logs (/var/log/samba) files along with
> the smb.conf:
> http://www.thebitguru.com/site_media/uploads/samba_troubleshooting.tar.gz I
> turned up the logging (log level = 4) and created a folder with the log
> files after each step.
> Below is what I have gathered so far about the different steps.
> *Relevant Notes*
> 1. I installed ClearOS on another virtual machine and set it up as a PDC.
> This same WinXP virtual machine successfully joined that domain and was
> able to login without any issues. So, I am concluding that the client is
> setup correctly.
> 1. I even tried comparing the smb.conf files and updating the one my
> actual server, but no luck.
> 2. Another Windows 7 machine with the changes listed on
> http://wiki.samba.org/index.php/Windows7 behaves similarly, i.e. cannot
> login after joining the domain.
> 3. I can mount the share (\\visionary\shared) served by this server on
> both WinXP and Windows 7 without any issues. This tells me that the
> authentication with the LDAP server is working OK.
> *Domain Join (log files in after_domain_join folder)*
> 1. Note how the sending machine correctly sent the user and domains in this
> [2011/01/18 10:24:35.521835, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
> Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744]
> len1=24 len2=24
> 2. Also, note that the user authentication and mapping seemed to work OK in
> this case.
> [2011/01/18 10:24:35.521954, 3] auth/auth.c:219(check_ntlm_password)
> check_ntlm_password: mapped user is:
> [2011/01/18 10:24:35.523891, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: root
> 3. Even though the Win XP system says that it joined the domain OK, the
> following output in the log file seems suspicious. This is at the end of
> [2011/01/18 10:24:36.932921, 3] smbd/connection.c:31(yield_connection)
> Yielding connection to
> [2011/01/18 10:24:36.933031, 3] smbd/server.c:906(exit_server_common)
> Server exit (failed to receive smb request)
> *First Failed Login** (log files in after_first_failed_login folder)*
> 1. Unlike #1 above, in this case we neither see the user nor the domain. I
> think this is where the problem lies.
> [2011/01/18 10:26:01.920055, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
> Got user= domain= workstation=[VIRTUALXP-32744] len1=1 len2=0
> 2. The server still falls back to the domain, but still no user.
> [2011/01/18 10:26:01.920172, 3] auth/auth.c:219(check_ntlm_password)
> check_ntlm_password: mapped user is:
> 3. So it goes looking for the guest user.
> [2011/01/18 10:26:01.922536, 3] auth/auth.c:265(check_ntlm_password)
> check_ntlm_password: guest authentication for user  succeeded
> 4. There might be other weird things, for instance, the "Server exit
> to receive smb request)" message, but I can figure out the issue with #1
> then I am thinking that the rest will be fixed.
> I have tried a lot of stuff, but haven't had any luck. What should I do
> next to fix this issue?
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
It looks to me like communication issue. Put tcpdump and check for dropped
packets. Is there a firewall between the systems?
Does the kinit <username> works?
More information about the samba