[Samba] Problem authenticating from standalone servers via Samba 3.0.34 domain member servers to Samba 3.2.5 domain controller

Eric Shubert ejs at shubes.net
Sun Aug 25 10:49:46 MDT 2013


I think I've come across this same problem, although I'm migrating from 
3.0.33 (CentOS5) to 3.6 (CentOS6).

I've migrated the domain controller from 3.0.33 to 3.6 first. I dumped 
and restored the passwd, secrets and schannel_store tdb files from 3.0 
to 3.6, and also migrated the linux accounts and groups. Windows XP 
clients are able to log into the domain. However, the 3.0.33 file server 
is unable to find the domain controller.

I can see the shares on the DC from the file server:
# net rpc -S tacs-dc.stor -U shubes SHARE
Password:
homes
admin
ops
r3i
IPC$
shubes
#

However, the file server cannot find the DC:
# net rpc trustdom list
Unable to find a suitable server
[2013/08/25 08:26:15, 0] utils/net_rpc.c:rpc_trustdom_list(6083)
   Couldn't connect to domain controller
#

I'm also seeing this in the file server's log:
[2013/08/25 07:45:43, 3] libsmb/namequery.c:get_dc_list(1495)
   get_dc_list: preferred server list: ", tacs-dc.stor"
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_lmhosts(966)
   resolve_lmhosts: Attempting lmhosts lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(863)
   resolve_wins: Attempting wins lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(866)
   resolve_wins: WINS server resolution selected and no WINS servers listed.
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_hosts(1029)
   resolve_hosts: Attempting host lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:48, 3] libsmb/trusts_util.c:enumerate_domain_trusts(167)
   enumerate_domain_trusts: can't locate a DC for domain R3I

The domain SID in the secrets.tdb files on both hosts match the SID of 
the DC host.

I figure there's something I've missed in migrating the DC that has 
broken the trust, but haven't been able to find the problem yet.

Any ideas will be appreciated.
Thanks.

-- 
-Eric 'shubes'
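Added example (my own code for this thread, not Samba's and not Eric's): a small parser for the Samba 3 debug-log format that groups each `[date, level] file.c:func(line)` header with its continuation lines, then summarises which name-resolution methods were tried and whether a DC was ever located. `SAMPLE_LOG` is the file-server excerpt quoted above; `WRAPPED_SAMPLE` reproduces the split-header shape seen in the Debian 4 log further down, where the mailer put the location on its own line. Keys in the summary dict are my naming.

```python
"""Parse Samba 3 debug-log excerpts and summarise a failed DC lookup.

Added example for this thread; it is not Samba code and not Eric's script.
SAMPLE_LOG is the file-server excerpt quoted above; WRAPPED_SAMPLE is the
split-header shape seen in the Debian 4 log further down.
"""
import re
from dataclasses import dataclass

# Header of one debug entry: "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)".
# The location is optional because mail clients sometimes wrap it onto the
# next line, e.g. "[2010/01/24 11:10:57, 10]" followed by the location alone.
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\]\s*(\S+)?\s*$")
# Message form used by libsmb/namequery.c for each resolution method tried.
ATTEMPT_RE = re.compile(r"^resolve_\w+: Attempting (\w+) lookup for name (\S+)")

SAMPLE_LOG = """\
[2013/08/25 07:45:43, 3] libsmb/namequery.c:get_dc_list(1495)
   get_dc_list: preferred server list: ", tacs-dc.stor"
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_lmhosts(966)
   resolve_lmhosts: Attempting lmhosts lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(863)
   resolve_wins: Attempting wins lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_wins(866)
   resolve_wins: WINS server resolution selected and no WINS servers listed.
[2013/08/25 07:45:43, 3] libsmb/namequery.c:resolve_hosts(1029)
   resolve_hosts: Attempting host lookup for name tacs-dc.stor<0x20>
[2013/08/25 07:45:48, 3] libsmb/trusts_util.c:enumerate_domain_trusts(167)
   enumerate_domain_trusts: can't locate a DC for domain R3I
"""

WRAPPED_SAMPLE = """\
[2010/01/24 11:10:57, 10]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
   cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
"""


@dataclass
class Entry:
    timestamp: str
    level: int
    location: str          # "file.c:function(line)"
    message: str = ""


def parse_samba_log(text):
    """Group header and continuation lines into Entry objects."""
    entries = []
    needs_location = None  # entry whose location wrapped onto the next line
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            ts, level, loc = m.groups()
            entries.append(Entry(ts, int(level), loc or ""))
            needs_location = entries[-1] if loc is None else None
            continue
        line = raw.strip()
        if not line or not entries:
            continue              # blank line, or text before the first header
        if needs_location is not None:
            needs_location.location = line
            needs_location = None
            continue
        # Continuation lines (indented, or wrapped by the mailer) join the message.
        # A continuation starting with "[" is safe: HEADER_RE demands a timestamp.
        cur = entries[-1]
        cur.message = f"{cur.message} {line}" if cur.message else line
    return entries


def dc_lookup_summary(entries):
    """Which resolution methods ran, and whether a DC was ever located."""
    summary = {"names_queried": [], "methods_attempted": [],
               "wins_without_server": False, "dc_lookup_failed": False,
               "failures": []}
    for e in entries:
        m = ATTEMPT_RE.match(e.message)
        if m:
            method, name = m.groups()
            if method not in summary["methods_attempted"]:
                summary["methods_attempted"].append(method)
            if name not in summary["names_queried"]:
                summary["names_queried"].append(name)
        # resolve_wins() logs this when 'wins' is in name resolve order but
        # no WINS server address is known to this host.
        if "no WINS servers listed" in e.message:
            summary["wins_without_server"] = True
        if ("can't locate a DC" in e.message
                or "NT_STATUS_NO_LOGON_SERVERS" in e.message):
            summary["dc_lookup_failed"] = True
            summary["failures"].append(f"{e.timestamp} {e.location}: {e.message}")
    return summary


if __name__ == "__main__":
    for key, value in dc_lookup_summary(parse_samba_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the excerpt above it reports lmhosts, wins and host as tried in that order, the WINS step as having no server to ask, and the single `can't locate a DC for domain R3I` failure; that makes the gap between the quoted `name resolve order` and the lack of any `wins server` on the file server visible at a glance.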

On 01/24/2010 02:33 PM, Michael Lenaghan wrote:
> We recently upgraded our PDC from Debian 4 to Debian 5. That entailed
> an upgrade of Samba from 3.0.24 to 3.2.5. Since the upgrade we've had
> a very specific problem connecting to shares on a commercial NAS
> running Samba 3.0.34.
>
> The problem happens when users try to connect to shares from
> standalone servers--e.g., Windows XP Pro boxes that we use for
> testing. From those boxes users should be able to expand the domain in
> My Network Places\Entire Network\Microsoft Windows Network, navigate
> to the NAS, click on it and then get a login dialog where they can
> supply domain credentials. What instead happens is that they're told
> "There are currently no logon servers available…".
>
> I have run across problems connecting one version of Samba to another
> in the past. In those cases I've been able to track down a bug report.
> In this case I haven't been able to find a report that matches my test
> case so I'm looking for a possible mis-configuration that may have
> lain dormant until the PDC was upgraded. (Of course, it's possible
> that I just missed a bug report; I'm still looking.)
>
> In order to investigate this problem I configured two Debian boxes as
> domain member servers--one with Debian 4 (Samba 3.0.24) and one with
> Debian 5 (Samba 3.2.5). On each box I installed nothing but samba and
> winbind. I copied the smb.conf [global] section from the NAS and just
> did the essential configuration: smbpsswd -a root, net rpc join,
> winbind in nsswitch.conf. (Actually, I'm not sure winbind has anything
> to do with this--but I was trying to replicate the NAS setup.) After
> those steps I selected both boxes in Explorer from a standalone
> server. The Debian 4 box showed the same problem as the NAS while the
> Debian 5 box worked as expected. (In both cases the PDC was the newly
> upgraded box running Samba 3.2.5.)
>
> Everything I've tried seems to indicate that things are properly
> configured--with the exception of "wbinfo --getdcname HQ" which
> returns "Could not get dc name for HQ" and "wbinfo -a ..." which also
> fails. Those two things are probably related--but as you can see below
> all other wbinfo commands work correctly.
>
> Is this a known issue that I missed? Any thoughts on where to look further?
>
> Thanks.
>
> ===
>
> smb.conf from Debian 5 domain controller (partial):
>
> [global]
> security = user
> workgroup = HQ
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
> os level = 65
> wins support = yes
> dns proxy = no
> name resolve order = lmhosts wins host bcast
> smb ports = 139
> time server = yes
> panic action = /usr/share/samba/panic-action %d
> log file = /var/log/samba/log.%m
> log level = 2
> passdb backend = ldapsam:ldap://srv....
> ldapsam:trusted = yes
> ldap ssl = start_tls
> ldap suffix = ...
> ...
> username map = /etc/samba/smbusers
> ...scripts...
> logon path =
> logon drive = H:
> logon home = \\nas\%U
> logon script = logon.bat
> encrypt passwords = yes
> admin users = root
> guest account = Guest
> map to guest = bad user
> ...printing...
> idmap alloc backend = ldap
> ...
> idmap config HQ:default  = yes
> idmap config HQ:backend  = ldap
> ...
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> browseable = no
> read only = yes
> guest ok = yes
>
> [printers]
> ...
>
> ===
>
> smb.conf from Debian 4 domain member server:
>
> [global]
> allow trusted domains = 1
> delete readonly = 1
> delete veto files = 1
> dos charset = CP437
> encrypt passwords = 1
> follow symlinks = 1
> force unknown acl user = 1
> force writeback = 1
> guest account = nobody
> hostname lookups = 1
> idmap gid = 35000-65000
> idmap uid = 35000-65000
> level2 oplocks = 0
> load printers = 1
> log level = 2 auth:10 lanman:10 smb:10 rpc_parse_:10 rpc_srv:10
> rpc_cli:10 passdb:10 sam: 10 winbind:10 idmap:10
> map acl inherit = 1
> max log size = 256
> name resolve order = lmhosts host wins bcast
> null passwords = 1
> obey pam restrictions = 1
> oplocks = 0
> orgunit =
> passwd program = "/usr/bin/passwd %u"
> password server = 192.168.10.10
> preserve case = 1
> security = domain
> server string = %h
> short preserve case = 1
> store dos attributes = 1
> syslog = 0
> syslog only = 0
> template homedir = /c/home/%D/%U
> unix charset = UTF-8
> unix password sync = 1
> veto files = "/.AppleDouble/.AppleDB/.AppleDesktop/:2eDS_Store/:2eTemporaryItem
> winbind enum groups = 1
> winbind enum users = 1
> winbind use default domain = 1
> wins server = 192.168.10.10
> workgroup = HQ
>
> ===
>
> tests run from Debian 4 domain member server:
>
> # wbinfo --getdcname=HQ
> Could not get dc name for HQ
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> # wbinfo --own-domain
> HQ
>
> # wbinfo --trusted-domains
>
> # wbinfo --all-domains
> HQ
>
> # wbinfo -u
> michaell
> ...
>
> # wbinfo -g
> BUILTIN\administrators
> BUILTIN\users
> domain admins
> domain users
> domain guests
> domain computers
> ...
>
> # wbinfo -N srv
> 192.168.10.10	srv
>
> # wbinfo -I 192.168.10.10
> 192.168.10.10	SRV
>
> # wbinfo -n michaell
> S-1-5-21-675904651-409210946-1000085797-1004 User (1)
>
> # wbinfo -s S-1-5-21-675904651-409210946-1000085797-1004
> HQ\michaell 1
>
> # wbinfo -i michaell
> michaell:*:6004:5513:...:/c/home/HQ/michaell:/bin/false
>
> # wbinfo -S S-1-5-21-675904651-409210946-1000085797-1004
> 6004
>
> # wbinfo -U 6004
> S-1-5-21-675904651-409210946-1000085797-1004
>
> # wbinfo -r michaell
> 5513
> 10001
> 10003
> 35001
>
> # wbinfo -G 5513
> S-1-5-21-675904651-409210946-1000085797-513
>
> # wbinfo -Y S-1-5-21-675904651-409210946-1000085797-513
> 5513
>
> # net lookup dc
> 192.168.10.10
>
> # net lookup master
> 192.168.10.10
>
> # net lookup srv
> 192.168.10.10
>
> # net cache list
> Key: SAF/DOMAIN/HQ	 Timeout: 10:19:31	 Value: SRV
> Key: NBT/HQ#1D	 Timeout: 10:23:12	 Value: 192.168.10.10:0
> Key: NBT/SRV#20	 Timeout: 10:13:04	 Value: 192.168.10.10:0  (expired)
> Key: NBT/HQ#1C	 Timeout: 10:23:03	 Value: 192.168.10.10:0
> Key: NBT/HQ#1B	 Timeout: 10:23:03	 Value: 192.168.10.10:0
>
> # nmblookup -M HQ
> added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
> querying HQ on 192.168.10.255
> Got a positive name query response from 192.168.10.10 ( 192.168.10.10 )
> 192.168.10.10 HQ<1d>
>
> # nmblookup -A 192.168.10.10
> added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
> Looking up status of 192.168.10.10
> 	SRV             <00> -         H <ACTIVE>
> 	SRV             <03> -         H <ACTIVE>
> 	SRV             <20> -         H <ACTIVE>
> 	..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
> 	HQ              <1d> -         H <ACTIVE>
> 	HQ              <1b> -         H <ACTIVE>
> 	HQ              <1c> - <GROUP> H <ACTIVE>
> 	HQ              <1e> - <GROUP> H <ACTIVE>
> 	HQ              <00> - <GROUP> H <ACTIVE>
>
> 	MAC Address = 00-00-00-00-00-00
>
> # nmblookup -S SRV
> added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
> querying SRV on 192.168.10.255
> Got a positive name query response from 192.168.10.10 ( 192.168.10.10 )
> 192.168.10.10 SRV<00>
> Looking up status of 192.168.10.10
> 	SRV             <00> -         H <ACTIVE>
> 	SRV             <03> -         H <ACTIVE>
> 	SRV             <20> -         H <ACTIVE>
> 	..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
> 	HQ              <1d> -         H <ACTIVE>
> 	HQ              <1b> -         H <ACTIVE>
> 	HQ              <1c> - <GROUP> H <ACTIVE>
> 	HQ              <1e> - <GROUP> H <ACTIVE>
> 	HQ              <00> - <GROUP> H <ACTIVE>
>
> 	MAC Address = 00-00-00-00-00-00
>
> ===
>
> selected log excerpts from Debian 4 domain member server when user
> selects the box in Explorer:
>
> ==> log.smbd <==
> [2010/01/24 10:50:23, 2] smbd/reply.c:reply_special(496)
>    netbios connect: name1=DEBIAN4TEST     name2=ML-WINXP
> ...
> [2010/01/24 10:50:23, 5] auth/auth_util.c:make_user_info_map(161)
>    make_user_info_map: Mapping user [ML-WINXP]\[Administrator] from
> workstation [ML-WINXP]
> ...
> [2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(221)
>    check_ntlm_password:  Checking password for unmapped user
> [ML-WINXP]\[Administrator]@[ML-WINXP] with the new password interface
> [2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(224)
>    check_ntlm_password:  mapped user is: [HQ]\[Administrator]@[ML-WINXP]
> [2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(233)
>    check_ntlm_password: auth_context challenge created by NTLMSSP
> callback (NTLM2)
> [2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(235)
>    challenge is:
> [2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
>    check_ntlm_password: guest had nothing to say
> [2010/01/24 10:50:23, 6] auth/auth_sam.c:check_samstrict_security(414)
>    check_samstrict_security: HQ is not one of my local names (ROLE_DOMAIN_MEMBER)
> [2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
>    check_ntlm_password: sam had nothing to say
> [2010/01/24 10:50:23, 5] auth/auth.c:check_ntlm_password(273)
>    check_ntlm_password: winbind authentication for user [Administrator]
> FAILED with error NT_STATUS_NO_LOGON_SERVERS
> [2010/01/24 10:50:23, 2] auth/auth.c:check_ntlm_password(319)
>    check_ntlm_password:  Authentication for user [Administrator] ->
> [Administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS
>
>   *** Note: The above login *should* fail, but it's failing for the
> wrong reason. I'm logged into a non-domain member server as
> Administrator. That account has a different password than the
> Administrator on the domain. Presumably the failure should be an
> invalid password, which would then bring up the login dialog on the
> client; instead NT_STATUS_NO_LOGON_SERVERS is being passed to the
> client, preventing any login attempt. ***
>
> ===
>
> #  wbinfo -a HQ\\michaell%...
> plaintext password authentication failed
> error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> error messsage was: No logon servers
> Could not authenticate user HQ\michaell%... with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
> error messsage was: No logon servers
> Could not authenticate user HQ\michaell with challenge/response
>
> log for above:
>
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
>    add_schannel_auth_footer: SCHANNEL seq_num=41
> [2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
> [2010/01/24 11:10:57, 10]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
>    cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
>    rpc_api_pipe: got PDU len of 304 at offset 0
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
> 472 bytes.
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
>    add_schannel_auth_footer: SCHANNEL seq_num=43
> [2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
> [2010/01/24 11:10:57, 10]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
>    cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
>    rpc_api_pipe: got PDU len of 304 at offset 0
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
> 472 bytes.
> [2010/01/24 11:10:57, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1290)
>    Plain-text authentication for user HQ\michaell returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
>    add_schannel_auth_footer: SCHANNEL seq_num=45
> [2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
> [2010/01/24 11:10:57, 10]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
>    cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
>    rpc_api_pipe: got PDU len of 304 at offset 0
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
> 472 bytes.
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
>    add_schannel_auth_footer: SCHANNEL seq_num=47
> [2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
> [2010/01/24 11:10:57, 10]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
>    cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
>    rpc_api_pipe: got PDU len of 304 at offset 0
> [2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
>    rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned
> 472 bytes.
> [2010/01/24 11:10:57, 2]
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1635)
>    NTLM CRAP authentication for user [HQ]\[michaell] returned
> NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
>
