[Samba] Samba upgrade problem with ADS

Nitin Thakur nitinthakur at hotmail.com
Tue Sep 4 20:10:48 MDT 2012


Hi gurus,

My Samba upgrade woes:

I have to run 2 instances of Samba, one for dev and one for UAT. Both instances are giving me a hard time after the upgrade.

One instance keeps giving me the following error:

  connect_to_domain_password_server: unable to open the domain client session to machine xxxxx.xxxxx.xxxxx.xxxxxxx.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 16:19:36.993000,  0] auth/auth_domain.c:292(domain_client_validate)

It returns this error for all the password servers. I deleted the server from AD and tried to rejoin the domain. It did join the domain but returned the error:


# /opt/local/samba/bin/net -s /opt/local/samba/lib/smb.conf.dev ads join -U admin
Enter admin's password:
Using short domain name -- XXXX
Joined 'XXXX' to realm 'xxxx.xxxx.xxxx.com'
DNS Update for xxxxx.xxxx.xx.xxxxxxx.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!

Since then it keeps giving me the error:
[2012/09/04 21:43:10.299657,  0] smbd/server.c:1109(main)
  standard input is not a socket, assuming -D option
[2012/09/04 21:43:10.606915,  0] libads/kerberos_util.c:101(ads_kinit_password)
  kerberos_kinit_password XXXXX$@XXX.XX.XXXXXX.COM failed: Preauthentication failed
[2012/09/04 21:43:10.608476,  0] printing/nt_printing.c:102(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED


Moving on to the other instance:

[2012/09/04 15:51:47.207600,  5] rpc_client/cli_pipe.c:738(rpc_api_pipe_send)                
  rpc_api_pipe: host XXXXXX.XXXXX.XXXXX.XXXXXX.COM
[2012/09/04 15:51:47.209191,  5] rpc_client/cli_pipe.c:97(rpc_read_send)
  rpc_read_send: data_to_read: 52
[2012/09/04 15:51:47.209422,  5] rpc_client/cli_pipe.c:1521(check_bind_response)
  check_bind_response: accepted!
[2012/09/04 15:51:47.209687,  5] passdb/passdb.c:2365(get_trust_pw_clear)
  get_trust_pw_clear: could not fetch clear text trust account password for domain XXXXXX
[2012/09/04 15:51:47.209844,  5] passdb/machine_account_secrets.c:267(secrets_fetch_trust_account_password_legacy)
  secrets_fetch failed!
[2012/09/04 15:51:47.209998,  5] passdb/passdb.c:2403(get_trust_pw_hash)
  get_trust_pw_hash: could not fetch trust account password for domain XXXXXXX
[2012/09/04 15:51:47.210109,  0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
  get_schannel_session_key: could not fetch trust account password for domain 'XXXXX'
[2012/09/04 15:51:47.211665,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server XXXXXXX.XXXXXXXXX.XXXXXXX.XXXXXX.COM for domain XXXXXX.
[2012/09/04 15:51:47.211845,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine XXXXXXXX.XXXXXXXX.XXXX.XXXXXXXX.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 15:51:47.213484,  0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2012/09/04 15:51:47.213654,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [XXXX] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2012/09/04 15:51:47.213779,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [XXXXX] -> [XXXXXX] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2012/09/04 15:51:47.213950,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Here is the smbd.conf for the 1st instance:
#======================= Global Settings =====================================
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = XXXXX
workgroup = XXXXX
server string = XXXX Samba Server ver %v
security = ADS
log file = /opt/local/samba/dev/logs/log.%m
max log size = 50
password server =  xxxxxx.xxxx.xxxx.xxxxxxx.com, xxxx.xxxx.xxxx.xxxxxxx.com
encrypt passwords = yes
realm = XXXXXXX.XXXX.XXXXXXXXX.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba/dev/private
private dir = /opt/local/samba/dev/private
username map = /opt/local/samba/dev/users.map
pid directory = /opt/local/samba/dev
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba/var/dev/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = yes
syslog = 0
interfaces = xxx.xxx.xxx.xxx
socket address = xxx.xxx.xxx.xxx

[share]
   comment  =  share
   path = /share
   read only = No
   create mask = 0774
   browseable = yes
   preserve case = yes


And smb.conf.uat for the second instance:
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = XXXXX-UAT
workgroup = XXXXX
server string = XXXX-UAT Samba Server ver %v
security = ADS
map untrusted to domain = Yes
log file = /opt/local/samba/uat/logs/log.%m
log level = 5
max log size = 50
password server =  xxx.xxx.xxx.xxxx.xxx xxxx.xxxx.xxxx.xxxx.com 
encrypt passwords = yes
realm = XXXXX.XXXX.XXXX.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba/uat/private
private dir = /opt/local/samba/uat/private
username map = /opt/local/samba/uat/users.map
pid directory = /opt/local/samba/uat
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba/uat/var/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = yes
syslog = 0
interfaces = xxx.xxx.xxx.xxx
socket address = xxx.xxx.xxx.xxx

[uat-share]
   comment  =  uat-share
   path = /uat-share
   read only = No
   create mask = 0774
   browseable = yes


-------------------------------------------------------------------------------------------------------

I am using:
krb5-1.10.3
openldap-2.4.31
samba-3.6.7


The same config files work fine with:
krb5-1.7
openldap-2.4.16
samba-3.3.5


Any pointers?

Thanks

Nitin
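
Added example, not part of the original post: a Python parser for the Samba 3.x log layout quoted above (a bracketed header line followed by indented message text) that tallies the status codes reported in level-0 records, including an excerpt that starts mid-record as the first one in the post does. The sample lines are constructed from the excerpts in the post with placeholder host and domain names, and the function names are illustrative.

```python
import re
from collections import Counter

# Header line: [YYYY/MM/DD HH:MM:SS.usec,  LEVEL] file.c:LINE(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>[^:\s]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
STATUS = re.compile(r"\b(NT_STATUS_\w+|WERR_\w+)\b")

# Constructed sample: lines adapted from the post, names replaced by placeholders.
SAMPLE = """\
  connect_to_domain_password_server: unable to open the domain client session to machine HOST.EXAMPLE.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 16:19:36.993000,  0] auth/auth_domain.c:292(domain_client_validate)
[2012/09/04 15:51:47.209998,  5] passdb/passdb.c:2403(get_trust_pw_hash)
  get_trust_pw_hash: could not fetch trust account password for domain EXAMPLE
[2012/09/04 15:51:47.211845,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine HOST.EXAMPLE.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 21:43:10.608476,  0] printing/nt_printing.c:102(nt_printing_init)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
"""

def parse_samba_log(text):
    """Pair each header line with the message lines that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = dict(m.groupdict(), level=int(m["level"]), msg=[])
            records.append(current)
        elif not raw.strip():
            current = None                      # a blank line ends the record
        else:
            if current is None:                 # excerpt began mid-record
                current = dict(dict.fromkeys(("ts", "level", "file", "line", "func")), msg=[])
                records.append(current)
            current["msg"].append(raw.strip())
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records

def errors_by_status(records, max_level=0):
    """Count (function, status code) pairs in records logged at or below max_level."""
    counts = Counter()
    for r in records:
        if r["level"] is not None and r["level"] <= max_level:
            for code in STATUS.findall(r["msg"]):
                counts[(r["func"], code)] += 1
    return counts

if __name__ == "__main__":
    for (func, code), n in errors_by_status(parse_samba_log(SAMPLE)).items():
        print(f"{n:3d}  {code:40s} {func}")
```

Message text that arrives without a header is kept as a record with no level, so it is visible in the parse but is not counted as a level-0 error.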
 		 	   		  

