From: Alan Silver on 14 Sep 2007 13:40

Hi all:

I am trying to migrate my NT4 domain to a samba server which uses an LDAP server on the backend for authentication. This machine that I want to be the new PDC is running RHEL5 with samba 3.0.23c and an openldap 2.3.27 running on the same machine. I used the by-example page http://us3.samba.org/samba/docs/man/Samba-Guide/ntmigration.html as my guide.

I set this up in a test environment first and it worked seamlessly. Then I tried it out on the production environment........

My problems arose when I shut down the NT4 controllers and my samba server became the PDC. The samba machine became the PDC, but I was not able to log into the domain from any machine.

It appears (at least to me) that the machine accounts are set up correctly. The ldap entry looks like

dn: uid=SCANNER1$,ou=Computers,ou=core,dc=wisc,dc=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: SCANNER1$
sn: SCANNER1$
uid: SCANNER1$
uidNumber: 1344
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: inetOrgPerson
entryUUID: 999999999-999a-999b-99af-9b9b99c9c999
creatorsName: cn=Manager,dc=wisc,dc=edu
createTimestamp: 20070511203011Z
sambaSID: S-1-5-21-111111111-2222222222-3333333333-2370
displayName: UNIVERSI-TIYXWK$
sambaNTPassword: 079999334444AB6666BBBBB2C2BB1AA
sambaPwdLastSet: 1178423137
sambaAcctFlags: [W ]
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-111111111-2222222222-3333333333-513
entryCSN: 20070511203013Z#000000#00#000000
modifiersName: cn=Manager,dc=wisc,dc=edu
modifyTimestamp: 20070511203013Z

I have pasted what I think is the relevant portion of the log below. What is striking me is

"[2007/08/26 16:52:54, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client SCANNER1 machine account SCANNER1$"

Does anyone have any experience with such an error? I saw people on this mailing list having the same problem, but I didn't see any responses....

[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179) smbldap_search_ext: base => [ou=core,dc=wisc,dc=edu], filter => [(&(uid=SCANNER1$)(objectclass=sambaSamAccount))], scope => [2]
[2007/08/26 16:52:54, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541) init_sam_from_ldap: Entry found for user: SCANNER1$
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407) Home server: smb_pdc
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407) Home server: smb_pdc
[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179) smbldap_search_ext: base => [ou=Groups,ou=core,dc=wisc,dc=edu], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=513))], scope => [2]
[2007/08/26 16:52:54, 2] passdb/pdb_ldap.c:init_group_from_ldap(2136) init_group_from_ldap: Entry found for group: 513
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 3] smbd/uid.c:push_conn_ctx(345) push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_nt_user_token(448) NT user token: (NULL)
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2007/08/26 16:52:54, 5] passdb/pdb_interface.c:lookup_global_sam_rid(1478) lookup_global_sam_rid: looking up RID 513.
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:push_sec_ctx(208) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
[2007/08/26 16:52:54, 3] smbd/uid.c:push_conn_ctx(345) push_conn_ctx(101) : conn_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_nt_user_token(448) NT user token: (NULL)
[2007/08/26 16:52:54, 5] auth/auth_util.c:debug_unix_user_token(474) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179) smbldap_search_ext: base => [ou=core,dc=wisc,dc=edu], filter => [(&(sambaSID=S-1-5-21-111111111-2222222222-3333333333-513)(objectclass=sambaSamAccount))], scope => [2]
[2007/08/26 16:52:54, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1491) ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-111111111-2222222222-333333333-513] count=0
[2007/08/26 16:52:54, 5] lib/smbldap.c:smbldap_search_ext(1179) smbldap_search_ext: base => [ou=Groups,ou=core,dc=wisc,dc=edu], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-111111111-2222222222-3333333333-513))], scope => [2]
[2007/08/26 16:52:54, 2] passdb/pdb_ldap.c:init_group_from_ldap(2136) init_group_from_ldap: Entry found for group: 513
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
[2007/08/26 16:52:54, 5] passdb/pdb_interface.c:pdb_default_lookup_rids(1599) lookup_rids: Domain Users:2
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407) Home server: smb_pdc
[2007/08/26 16:52:54, 4] lib/substitute.c:automount_server(407) Home server: smb_pdc
[2007/08/26 16:52:54, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015) fetch gid from cache 513 -> S-1-5-21-111111111-222222222-3333333333-513
[2007/08/26 16:52:54, 3] smbd/sec_ctx.c:pop_sec_ctx(339) pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2007/08/26 16:52:54, 5] lib/util.c:dump_data(2237) [000] 07 88 6B 33 17 90 BC 47 88 AA DE EC 5C 2D E3 CB ..k3...G ....\-..
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(117) creds_init_64
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(118) clnt_chal_in: 466A2BB853433204
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(119) srv_chal_in : 00FCC40A450CB2A2
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(120) clnt+srv : 4666F0C2984FE4A6
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_init_64(121) sess_key_out : 129FCCDB3BC5AEA8
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(216) creds_server_check: challenge : 970510FD86A46142
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(217) calculated: B9805F8AE69D361D
[2007/08/26 16:52:54, 2] libsmb/credentials.c:creds_server_check(218) creds_server_check: credentials check failed.
[2007/08/26 16:52:54, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client SCANNER1 machine account SCANNER1$
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 net_io_r_auth_2
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8s(851) 0000 data: 00 00 00 00 00 00 00 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0008 neg_flags: 00000000
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_ntstatus(763) 000c status: NT_STATUS_ACCESS_DENIED
[2007/08/26 16:52:54, 5] rpc_server/srv_pipe.c:api_rpcTNP(2305) api_rpcTNP: called NETLOGON successfully
[2007/08/26 16:52:54, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(529) free_pipe_context: destroying talloc pool of size 58
[2007/08/26 16:52:54, 3] smbd/pipes.c:reply_pipe_write_and_X(217) writeX-IPC pnum=705b nwritten=140
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510) size=47 smb_com=0x2f smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=1 smb_pid=65279 smb_uid=101 smb_mid=1088 smt_wct=6 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 140 (0x8C) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_bcc=0
[2007/08/26 16:52:54, 3] smbd/process.c:process_smb(1110) Transaction 18 of length 63
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510) size=59 smb_com=0x2e smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207 smb_tid=1 smb_pid=65279 smb_uid=101 smb_mid=1152 smt_wct=12 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]=57054 (0xDEDE) smb_vwv[ 2]=28763 (0x705B) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 1024 (0x400) smb_vwv[ 6]= 1024 (0x400) smb_vwv[ 7]=65535 (0xFFFF) smb_vwv[ 8]=65535 (0xFFFF) smb_vwv[ 9]= 1024 (0x400) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_bcc=0
[2007/08/26 16:52:54, 3] smbd/process.c:switch_message(914) switch message SMBreadX (pid 30319) conn 0x8228810
[2007/08/26 16:52:54, 4] smbd/uid.c:change_to_user(176) change_to_user: Skipping user change - already user
[2007/08/26 16:52:54, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1264) search for pipe pnum=705b
[2007/08/26 16:52:54, 5] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1268) pipe name NETLOGON pnum=705b (pipes_open=1)
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_debug(84) 000000 smb_io_rpc_hdr hdr
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0000 major : 05
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0001 minor : 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0002 pkt_type : 02
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0003 flags : 03
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0004 pack_type0: 10
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0005 pack_type1: 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0006 pack_type2: 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0007 pack_type3: 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0008 frag_len : 0028
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint16(675) 000a auth_len : 0000
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint32(704) 000c call_id : 00000006
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_debug(84) 000010 smb_io_rpc_hdr_resp resp
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint32(704) 0010 alloc_hint: 00000010
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint16(675) 0014 context_id: 0000
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0016 cancel_ct : 00
[2007/08/26 16:52:54, 5] rpc_parse/parse_prs.c:prs_uint8(615) 0017 reserved : 00
[2007/08/26 16:52:54, 3] smbd/pipes.c:reply_pipe_read_and_X(262) readX-IPC pnum=705b min=1024 max=1024 nread=40
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510) size=99 smb_com=0x2e smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=1 smb_pid=65279 smb_uid=101 smb_mid=1152 smt_wct=12 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 0 (0x0) smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 40 (0x28) smb_vwv[ 6]= 59 (0x3B) smb_vwv[ 7]= 0 (0x0) smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0) smb_bcc=40
[2007/08/26 16:52:54, 3] smbd/process.c:process_smb(1110) Transaction 19 of length 45
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510) size=41 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207 smb_tid=1 smb_pid=65279 smb_uid=101 smb_mid=1216 smt_wct=3 smb_vwv[ 0]=28763 (0x705B) smb_vwv[ 1]=65535 (0xFFFF) smb_vwv[ 2]=65535 (0xFFFF) smb_bcc=0
[2007/08/26 16:52:54, 3] smbd/process.c:switch_message(914) switch message SMBclose (pid 30319) conn 0x8228810
[2007/08/26 16:52:54, 4] smbd/uid.c:change_to_user(176) change_to_user: Skipping user change - already user
[2007/08/26 16:52:54, 4] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1264) search for pipe pnum=705b
[2007/08/26 16:52:54, 5] rpc_server/srv_pipe_hnd.c:get_rpc_pipe(1268) pipe name NETLOGON pnum=705b (pipes_open=1)
[2007/08/26 16:52:54, 5] smbd/pipes.c:reply_pipe_close(282) reply_pipe_close: pnum:705b
[2007/08/26 16:52:54, 4] rpc_server/srv_pipe_hnd.c:close_rpc_pipe_hnd(1169) closed pipe name NETLOGON pnum=705b (pipes_open=0)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(500)
[2007/08/26 16:52:54, 5] lib/util.c:show_msg(510) size=35 smb_com=0x4 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=136 smb_flg2=51201 smb_tid=1 smb_pid=65279 smb_uid=101 smb_mid=1216 smt_wct=0 smb_bcc=0
[2007/08/26 16:53:05, 3] smbd/process.c:process_smb(1110) Transaction 20 of length 43
[2007/08/26 16:53:05, 5] lib/util.c:show_msg(500)
[2007/08/26 16:53:05, 5] lib/util.c:show_msg(510) size=39 smb_com=0x74 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207 smb_tid=0 smb_pid=65279 smb_uid=101 smb_mid=1280 smt_wct=2 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]= 0 (0x0) smb_bcc=0
[2007/08/26 16:53:05, 3] smbd/process.c:switch_message(914) switch message SMBulogoffX (pid 30319) conn 0x0
[2007/08/26 16:53:05, 3] smbd/sec_ctx.c:set_sec_ctx(241) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/08/26 16:53:05, 5] auth/auth_util.c:debug_nt_user_token(448) NT user token: (NULL)
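
Added example, not part of the original post: a Python triage script for smbd logs in the format pasted above. It lists every NETLOGON rejection from _net_auth_2 together with the credential values that creds_server_check logged just before it, so an admin can see which machine accounts fail the check. The function names are this example's own, SAMPLE reuses four entries from the post, and the LAB7 entry is constructed; the received/calculated values are only present when the log level is 5 or higher.

```python
import re
from collections import Counter

# One Samba 3.x debug entry: "[date time, level] file:function(line) message".
# The message may sit on the header line or on the indented lines that follow it.
ENTRY = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)\s*"
    r"(.*?)(?=\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,|\Z)", re.S)
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")
HEX64 = re.compile(r"\b[0-9A-F]{16}\b")  # 8-byte credential printed as hex

# Constructed sample: first four entries copied from the post, LAB7 is made up.
SAMPLE = """\
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(216) creds_server_check: challenge : 970510FD86A46142
[2007/08/26 16:52:54, 5] libsmb/credentials.c:creds_server_check(217) calculated: B9805F8AE69D361D
[2007/08/26 16:52:54, 2] libsmb/credentials.c:creds_server_check(218) creds_server_check: credentials check failed.
[2007/08/26 16:52:54, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client SCANNER1 machine account SCANNER1$
[2007/08/26 16:53:10, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
  _net_auth2: creds_server_check failed. Rejecting auth request from client LAB7 machine account LAB7$
"""

def parse_entries(text):
    """Yield one dict per log entry, with whitespace in the message collapsed."""
    for ts, level, _src, func, _line, msg in ENTRY.findall(text):
        yield {"ts": ts, "level": int(level), "func": func, "msg": " ".join(msg.split())}

def netlogon_rejections(text):
    """Pair each _net_auth_2 rejection with the values logged just before it."""
    out, received, calculated = [], None, None
    for e in parse_entries(text):
        if e["func"] == "creds_server_check":
            m = HEX64.search(e["msg"])
            if m and "challenge" in e["msg"]:
                received = m.group()      # credential the client sent
            elif m and "calculated" in e["msg"]:
                calculated = m.group()    # credential the server derived
        elif e["func"] == "_net_auth_2" and (r := REJECT.search(e["msg"])):
            out.append({"ts": e["ts"], "client": r.group(1), "account": r.group(2),
                        "received": received, "calculated": calculated})
            received = calculated = None  # do not leak values into the next rejection
    return out

def rejections_by_account(text):
    """Count rejections per machine account, e.g. to spot a domain-wide failure."""
    return Counter(r["account"] for r in netlogon_rejections(text))
```
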