[Samba] Running SQL Server xp_logininfo with Samba PDC

Matthieu Patou mat at samba.org
Sun Nov 3 23:06:41 MST 2013


Hi,
On 11/03/2013 07:14 PM, Jason wrote:
> We have set up Samba 4.1 as a PDC.  We have successfully connected several
> Windows 2008 Servers to the domain and created various users/groups.
> During an application installation on the Windows server, it runs the
> command in SQL server:
>
> master..xp_logininfo 'MYDOMAIN\useraccount'
>
> SQLserver is running as a service user created on the domain (here called
> MYDOMAIN)
>
> This returns:
>
> Msg 15404, Level 16, State 19, Procedure xp_logininfo, Line 64
> Could not obtain information about Windows NT group/user
> 'DOMAIN\useraccount', error code 0x5.
>
> In the security log on windows it has:
>
> An account failed to log on.
>
> Subject:
> Security ID: MYDOMAIN\SQLService
> Account Name: SQLService
> Account Domain:       MYDOMAIN
> Logon ID: 0x1063d
>
> Logon Type: 3
>
> Account For Which Logon Failed:
> Security ID: NULL SID
> Account Name:
> Account Domain:
>
> Failure Information:
> Failure Reason: Unknown user name or bad password.
> Status: 0xc000006e
> Sub Status: 0xc000006e
>
> Process Information:
> Caller Process ID: 0x52c
> Caller Process Name: C:\Program Files\Microsoft SQL
> Server\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
>
>
> In the Samba Log on the PDC it gives the following messages:
>
> [2013/11/04 14:05:12.684946,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>    dreplsrv_notify_schedule(5) scheduled for: Mon Nov  4 14:05:18 2013 EST
> [2013/11/04 14:05:17.693823,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>    dreplsrv_notify_schedule(5) scheduled for: Mon Nov  4 14:05:23 2013 EST
> [2013/11/04 14:05:17.839450,  3]
> ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
>    ldb_wrap open of secrets.ldb
> [2013/11/04 14:05:17.840862,  5]
> ../auth/gensec/gensec_start.c:649(gensec_start_mech)
>    Starting GENSEC mechanism schannel
> [2013/11/04 14:05:17.887505,  3]
> ../libcli/auth/schannel_state_tdb.c:181(schannel_fetch_session_key_tdb)
>    schannel_fetch_session_key_tdb: restored schannel info key
> SECRETS/SCHANNEL/SERVERNAME
> [2013/11/04 14:05:17.927963,  3]
> ../source4/rpc_server/dcerpc_server.c:963(dcesrv_request)
>    Warning: 60 extra bytes in incoming RPC request
> [2013/11/04 14:05:17.945518,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: TGS-REQ SQLService at AD.MYDOMAIN.COM.AU from ipv4:
> 172.17.1.20:61630 for
> SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU[canonicalize,
> renewable, forwardable]
> [2013/11/04 14:05:17.956953,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: s4u2self SQLService at AD.MYDOMAIN.COM.AU impersonating
> sodadm at MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
> [2013/11/04 14:05:17.957371,  3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Principal may not act as server -- SQLService\@
> AD.MYDOMAIN.COM.AU at AD.MYDOMAIN.COM.AU
> [2013/11/04 14:05:17.972537,  3]
^^^^^ This is the key to the problem.
> Our smb.conf is currently:
>
> # Global parameters
> [global]
>          workgroup = MYDOMAIN
>          realm = AD.MYDOMAIN.COM.AU
>          netbios name = GATEWAY
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          interfaces = eth1 lo
>          log level = 5
>          bind interfaces only = yes
>
> [netlogon]
>          path = /opt/samba4/var/locks/sysvol/ad.mydomain.com.au/scripts
>          read only = No
>
> [sysvol]
>          path = /opt/samba4/var/locks/sysvol
>          read only = No
>
> I have replicated the exact same application installation using a Windows
> Server PDC and it worked successfully.
Are you sure it's exactly the same? It could be that some flags on the
user account are missing.

-- 
Matthieu Patou
Samba Team
http://samba.org
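
An added example, not part of the original thread or of Samba's code: a small Python triage script that reassembles Samba log entries like the ones quoted above and reports each S4U2Self request that the KDC then rejected with "Principal may not act as server". The sample log is constructed from the quoted lines, assuming the archive's " at " stands for "@"; the function names are hypothetical.

```python
import re

# Entry header: "[date time.usec,  level] source-location"; message lines follow.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(\d+)\]")
S4U = re.compile(r"Kerberos: s4u2self (\S+) impersonating (\S+) to service (\S+)")
DENY = re.compile(r"Kerberos: Principal may not act as server -- (\S+)")

# Constructed sample, rebuilt from the log lines quoted in the thread.
SAMPLE_LOG = r"""
[2013/11/04 14:05:17.945518,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ SQLService@AD.MYDOMAIN.COM.AU from ipv4:172.17.1.20:61630 for
  SQLService\@AD.MYDOMAIN.COM.AU@AD.MYDOMAIN.COM.AU [canonicalize, renewable, forwardable]
[2013/11/04 14:05:17.956953,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self SQLService@AD.MYDOMAIN.COM.AU impersonating sodadm@MYDOMAIN to service SQLService\@AD.MYDOMAIN.COM.AU@AD.MYDOMAIN.COM.AU
[2013/11/04 14:05:17.957371,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Principal may not act as server -- SQLService\@AD.MYDOMAIN.COM.AU@AD.MYDOMAIN.COM.AU
"""

def parse_entries(text):
    """Group each header line with its (possibly wrapped) message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": int(m.group(2)), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def find_rejected_s4u2self(text):
    """Pair each s4u2self request with a later KDC rejection of the same target."""
    findings, pending = [], None
    for e in parse_entries(text):
        req = S4U.search(e["msg"])
        if req:
            pending = {"requested_at": e["ts"], "service_account": req.group(1),
                       "impersonated": req.group(2), "target": req.group(3)}
            continue
        deny = DENY.search(e["msg"])
        if deny and pending and deny.group(1) == pending["target"]:
            findings.append(dict(pending, rejected_at=e["ts"]))
            pending = None
    return findings

if __name__ == "__main__":
    for f in find_rejected_s4u2self(SAMPLE_LOG):
        print("{rejected_at}: KDC refused S4U2Self by {service_account} "
              "for {impersonated} (target {target})".format(**f))
```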


