[Samba] authentication problem with samba4 as a dcerpc server
eric gou
gouyonggang at gmail.com
Sun Jun 9 11:29:40 MDT 2013
>From: Andrew Bartlett
>Sent: Saturday, June 08, 2013 1:20 AM
>To: eric gou
>Cc: samba at lists.samba.org
>Subject: Re: [Samba] authentication problem with samba4 as a dcerpc server
>>On Thu, 2013-06-06 at 09:44 -0700, eric gou wrote:
>> I made a mistake in the previous letter. I used the command “net ads
>> join”; it looks like that’s not for samba4.
>>
>> Now I use “samba-tool” to join a DC domain as a member, and it
>> succeeds; I can see some info stored in
>>
>> secrets.ldb.
>>
>> ./samba-tool domain join SMB3.COM MEMBER -Uadministrator --realm=SMB3.COM
>>
>>
>> Unfortunately, when I start “samba”, it still fails to find the
>> domain info, and so does the later authentication for msrpc:
>>
>> task_server_terminate: [dreplsrv: no DSDB replication required in domain
>> member configuration]
>> single_terminate: reason[dreplsrv: no DSDB replication required in domain
>> member configuration]
>> ldb_wrap open of secrets.ldb
>> task_server_terminate: [Cannot start Winbind (domain member): Failed to
>> find record for SMB3 in /usr/local/samba/private/secrets.ldb: No such
>> object: (null): Have you joined the SMB3 domain?]
>>
>> anyone can help?
>I think it's the same issue in both cases. Are you sure you joined the
>domain by the correct netbios domain name?
>I think your workgroup= setting might not match the netbios domain name
>of the domain, which is why it isn't being found.
--------------------------------------------------------------------------------
Thanks for your reply. The domain name is SMB3.COM; what I set is:
workgroup = SMB3
After I joined the domain by samba-tool, the secrets.ldb info is like this:
# record 1
dn: flatname=SMB3,cn=Primary Domains
msDS-KeyVersionNumber: 5
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
objectSid: S-1-5-21-4046433554-1285089214-3428912259
privateKeytab: secrets.keytab
realm: smb3.com
saltPrincipal: host/suse11-9.smb3.com at SMB3.COM
samAccountName: SUSE11-9$
secret:
W5JP at 4b$yM[dPlQ7)R%5F]!vJ>F#FfSwB$,PPC,)GQDekyU?X(MjZLg-Si=Yeg0oRmTa@&
iekMLqZ1vNMGCp_xBflL9c at Y#&7g%2FqSsc4nV7E!%RF#bQ.umf7)o)aWvesOVg?5yd6nD~2_h7Q]
$%nXQW:C:&~d$RkB9rWCr5>EMfTWPi24,%gS5z>EfB]9>Fr!wU?C=?
secureChannelType: 2
servicePrincipalName: HOST/suse11-9
distinguishedName: flatname=SMB3,cn=Primary Domains
When I start "samba", it starts the winbind task, which uses this
macro, "SECRETS_PRIMARY_DOMAIN_FILTER", to look for the info in the
secrets.ldb. It's defined like this:
#define SECRETS_PRIMARY_DOMAIN_FILTER "(&(flatname=%s)(objectclass=primaryDomain))"
The first key is flatname, and its value is SMB3.
Apparently there is no key named flatname in the secrets.ldb, so it fails.
My solution is to redefine the macro like this:
#define SECRETS_PRIMARY_DOMAIN_FILTER "(&(dn=flatname=%s,cn=Primary Domains))"
and use the key "dn" with the value "flatname=SMB3,cn=Primary Domains" to query the
secrets.ldb, and that works.
Is this a bug?
Another thing I'm confused about is that after I use "samba-tool" to join the
domain, it seems that I have to use "net ads join" too,
because the function "cli_credentials_set_machine_account" in
credentials_secrets.c queries both the secrets.ldb and the secrets.tdb
and compares some items between them.
Some items in the secrets.ldb are missing, such as "whenChanged",
and the secrets.keytab seems not to be created if I join samba4 as a domain
member.
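As an added example (not part of this post and not Samba's own code), the following Python reproduces the lookup described above against the quoted secrets.ldb record with a minimal LDIF parser and LDAP-filter matcher: the flatname filter finds nothing because the record carries no flatname attribute, the DN-based filter matches, and copying the RDN onto the record (the job ldb's rdn_name module normally does when a record is added) makes the original filter work. The record text, the parser and all function names are constructed here; the secret value is left out.

```python
# Constructed from the secrets.ldb record quoted in the post (secret/keytab attributes omitted).
RECORD_LDIF = """\
dn: flatname=SMB3,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
realm: smb3.com
samAccountName: SUSE11-9$
secureChannelType: 2
"""
SECRETS_PRIMARY_DOMAIN_FILTER = "(&(flatname=%s)(objectclass=primaryDomain))"  # filter quoted in the post

def parse_ldif(text):
    """Parse one LDIF record into {attr_lowercase: [values]}; folded lines (leading space) are joined."""
    attrs, lines = {}, []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line.strip():
            lines.append(line)
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def split_filters(s):
    """Split concatenated parenthesised sub-filters such as '(a=1)(b=2)' at nesting depth 0."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if ch == "(" and depth == 1:
            start = i
        elif ch == ")" and depth == 0:
            out.append(s[start:i + 1])
    return out

def matches(attrs, flt):
    """Evaluate an LDAP equality/AND filter; 'dn' is compared as a plain case-insensitive string."""
    body = flt.strip()[1:-1]
    if body.startswith("&"):
        return all(matches(attrs, sub) for sub in split_filters(body[1:]))
    name, _, value = body.partition("=")
    return any(v.lower() == value.lower() for v in attrs.get(name.lower(), []))

def with_rdn_attribute(attrs):
    """Copy the DN's RDN (flatname=SMB3) onto the record, as ldb's rdn_name module does on add."""
    name, _, value = attrs["dn"][0].split(",", 1)[0].partition("=")
    out = {k: list(v) for k, v in attrs.items()}
    out.setdefault(name.lower(), []).append(value)
    return out
```

Running the three lookups shows that only the DN-based filter (or a record that actually carries the flatname attribute) is found, which is the mismatch the winbind error message reports.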