[Samba] classicupgrade error

Marco Querci mquerci75 at gmail.com
Sun Feb 16 09:16:08 MST 2014


Many thanks for your reply.
I was expecting to see in the new samba4 AD all the content of the LDAP
I was importing from (users, computers and groups), but no group was
imported ... no problem, there are few groups ... I will recreate them
manually.
After the classicupgrade procedure ended successfully (except for domain
groups), I'm facing another problem: when I try to log on to the new domain
from a PC (Windows XP) already joined to the samba3 domain, I receive the
error "Windows cannot connect to the domain either because the domain
controller is down or otherwise unavailable, or because your computer
account was not found. Please try again later. If this message continues to
appear contact your System Administrator for assistance."
Here is what samba has logged:

[2014/02/16 16:54:27.146159,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ quercigi at CORMATEX from ipv4:192.168.20.11:1828 for
krbtgt/CORMATEX at CORMATEX
[2014/02/16 16:54:27.272459,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2014/02/16 16:54:27.272541,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- quercigi at CORMATEX
[2014/02/16 16:54:27.272602,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- quercigi at CORMATEX
[2014/02/16 16:54:27.272647,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- quercigi at CORMATEX using
arcfour-hmac-md5
[2014/02/16 16:54:27.272675,  4]
../source4/auth/sam.c:170(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user quercigi at CORMATEX
[2014/02/16 16:54:27.278126,  5] ../source4/auth/sam.c:145(logon_hours_ok)
  logon_hours_ok: user quercigi at CORMATEX allowed to logon at this time (Sun
Feb 16 15:54:27 2014
  )
[2014/02/16 16:54:27.285643,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2014-02-16T16:54:27 starttime: unset endtime:
2014-02-17T02:54:27 renew till: 2014-02-23T16:54:27
[2014/02/16 16:54:27.286381,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
des-cbc-md5, des-cbc-crc, 24, -135, using arcfour-hmac-md5/arcfour-hmac-md5
[2014/02/16 16:54:27.287693,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable
[2014/02/16 16:54:27.293918,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ quercigi at CORMATEX from ipv4:192.168.20.11:1829 for
krbtgt/CORMATEX at CORMATEX
[2014/02/16 16:54:27.304287,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2014/02/16 16:54:27.305217,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- quercigi at CORMATEX
[2014/02/16 16:54:27.305443,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- quercigi at CORMATEX
[2014/02/16 16:54:27.305664,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- quercigi at CORMATEX using
arcfour-hmac-md5
[2014/02/16 16:54:27.306166,  4]
../source4/auth/sam.c:170(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user quercigi at CORMATEX
[2014/02/16 16:54:27.306383,  5] ../source4/auth/sam.c:145(logon_hours_ok)
  logon_hours_ok: user quercigi at CORMATEX allowed to logon at this time (Sun
Feb 16 15:54:27 2014
  )
[2014/02/16 16:54:27.309900,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2014-02-16T16:54:27 starttime: unset endtime:
2014-02-17T02:54:27 renew till: 2014-02-23T16:54:27
[2014/02/16 16:54:27.310317,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
des-cbc-md5, des-cbc-crc, 24, -135, using arcfour-hmac-md5/arcfour-hmac-md5
[2014/02/16 16:54:27.310524,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Requested flags: renewable-ok, canonicalize, renewable,
forwardable
[2014/02/16 16:54:27.313464,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2014/02/16 16:54:27.316099,  5]
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
  imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.1649.28
[2014/02/16 16:54:27.316381,  3]
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED]
[2014/02/16 16:54:27.323184,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ quercigi at CORMATEX.LAN from ipv4:192.168.20.11:1830 for
host/pc-cormatex.cormatex.lan at CORMATEX.LAN [renewable, forwardable]

It seems to first validate the user but then gives the error
NT_STATUS_CONNECTION_DISCONNECTED.

Can you suggest something to solve the problem?

Many thanks


2014-02-12 10:09 GMT+01:00 Chan Min Wai <dcmwai at gmail.com>:

> Hi Marco,
>
> I'm also upgrading from LDAP
> and I do see the group...
>
> but only the Samba group, not the Unix group.
>
>
> On Wed, Feb 12, 2014 at 3:53 PM, Marco Querci <mquerci75 at gmail.com> wrote:
>
>> I'm upgrading from ldap system.
>> It's quite strange that I can see users and machine accounts but not
>> groups.
>>
>>
>> 2014-02-12 2:42 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
>>
>> > On Tue, 2014-02-11 at 09:09 +0100, Marco Querci wrote:
>> > > Many thanks for the tip.
>> > > Without the "log level" directive, the command "samba-tool domain
>> > > classicupgrade ..." ends without errors (neither successful messages
>> > > ... I think it's ok).
>> > > In the samba 4 domain I'll see computer accounts and users but not
>> > > groups.
>> > > Is it correct or is it due to a problem?
>> >
>> > Perhaps it didn't find your group_mapping.tdb file, or the system groups
>> > on the system you did the upgrade on?
>> >
>> > Andrew Bartlett
>> >
>> > --
>> > Andrew Bartlett
>> > http://samba.org/~abartlet/
>> > Authentication Developer, Samba Team  http://samba.org
>> > Samba Developer, Catalyst IT
>> > http://catalyst.net.nz/services/samba
>> >
>
>
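
Added example, not part of the original message and not Samba project code: a small Python parser for a level-3+ Samba log of the shape quoted above. It rejoins the mail-wrapped lines into one record per entry and lists the Kerberos requests, pre-authentications that used a legacy enctype, and any NT_STATUS codes. The sample log, the names in it and the WEAK_ENCTYPES list are constructed for this example.

```python
import re

# Constructed sample in the layout of the log above. The list archive
# rewrites "@" as " at ", so the patterns accept both spellings.
SAMPLE = """\
[2014/02/16 16:54:27.146159,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ alice at EXAMPLE from ipv4:192.0.2.11:1828 for
krbtgt/EXAMPLE at EXAMPLE
[2014/02/16 16:54:27.272647,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- alice at EXAMPLE using
arcfour-hmac-md5
[2014/02/16 16:54:27.278126,  5] ../source4/auth/sam.c:145(logon_hours_ok)
  logon_hours_ok: user alice at EXAMPLE allowed to logon at this time
[2014/02/16 16:54:27.313464,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv()
- NT_STATUS_CONNECTION_DISCONNECTED'
[2014/02/16 16:54:27.323184,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ alice at EXAMPLE.LAN from ipv4:192.0.2.11:1830 for
host/pc1.example.lan at EXAMPLE.LAN [renewable, forwardable]
"""

# One entry = "[time, level]", a source location, then text up to the next header.
ENTRY = re.compile(r"^\[(\d{4}/\d\d/\d\d [\d:.]+),\s*(\d+)\]\s*(\S+:\d+\(\w+\))"
                   r"\s*(.*?)(?=^\[\d{4}/|\Z)", re.M | re.S)
REQUEST = re.compile(r"Kerberos: (AS-REQ|TGS-REQ) (\S+?)(?: at |@)(\S+) from \S+"
                     r" for (\S+?)(?: at |@)(\S+)")
PREAUTH = re.compile(r"Pre-authentication succeeded -- (\S+?)(?: at |@)(\S+) using (\S+)")
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-md5", "des-cbc-crc"}  # example policy

def parse_entries(text):
    """Return one dict per log entry, with wrapped message lines rejoined."""
    return [{"time": t, "level": int(lv), "location": loc, "message": " ".join(msg.split())}
            for t, lv, loc, msg in ENTRY.findall(text)]

def summarize(entries):
    """Collect Kerberos requests, weak pre-auth enctypes and NT_STATUS codes."""
    out = {"requests": [], "weak_preauth": [], "statuses": []}
    for e in entries:
        msg = e["message"]
        if m := REQUEST.search(msg):
            out["requests"].append((m[1], f"{m[2]}@{m[3]}", f"{m[4]}@{m[5]}"))
        if (m := PREAUTH.search(msg)) and m[3] in WEAK_ENCTYPES:
            out["weak_preauth"].append((f"{m[1]}@{m[2]}", m[3]))
        out["statuses"] += re.findall(r"NT_STATUS_\w+", msg)
    return out
```
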

