Guillaume wrote:
Marian Neagul wrote:
Hello,
I have a problem with an LDAP-backed Samba PDC.
Last week, due to a hardware problem, I lost my primary LDAP server
and PDC. I reinstalled the LDAP server and populated it with the old
data, I also reinstalled Samba.
The problem is that I can't log in to Samba as root
(cn=root,dc=info,dc=uvt,dc=ro). All other user accounts are working
except root.
E.g.:
`smbclient -U root //blue/` says: "session setup failed:
NT_STATUS_UNSUCCESSFUL"
The machine accounts and the other user accounts are working
correctly but I can't join new machines using the root account.
I want to mention that my Samba server is a production server with
~100 simultaneous users (2000 user accounts in LDAP).
We use Samba 3.0.22 and OpenLDAP 2.3.
My smb.conf file is (the comments are in Romanian :) ):
#==================== Global settings ===================
[global]
; Domain name
workgroup = Terra
; Server name visible on the network
netbios name = BLUE
; Server description: NT Description
server string = Free Windows V1.2a
;===== Logging settings!
; Keep a separate log for each machine
log file = /var/log/samba/log.%m
; Maximum size of the log file (in kilobytes)
max log size = 2048
; Logging level
log level = 6
;===== Security
; Clients allowed to connect
hosts allow = 194.102.62. 10.10.10. 127.
; Security model
security = user
; Whether or not to encrypt passwords
encrypt passwords = yes
; Socket-related settings
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; Interfaces Samba listens on
interfaces = lo eth0 eth0:1 eth0:2
; Restrict to these interfaces only and ignore the rest
bind interfaces only = yes
; Password-related settings
;password level = 12
;username level = 12
; Try to synchronize the Windows password with the UNIX one
unix password sync = Yes
pam password change = yes
; Per-machine configuration files
; Uncomment if needed
# include = /etc/samba/smb.conf.%m
; How passwords are handled:
; Empty passwords
null passwords = no
; Hidden files.
hide unreadable = yes
hide dot files = yes
; The `guest' account. For now I have not set its password, only its shell to /bin/false
guest account = pdcguest
;======= PDC
; Samba is the master browser in the domain
local master = yes
; Server precedence in elections
os level = 65
; Samba is the domain master
domain master = yes
; Samba forces elections and almost certainly wins them
preferred master = yes
; Makes Samba a PDC
domain logons = yes
; Logon drive
logon drive = H:
;======== WINS - Name resolution
; Enable WINS support
wins support = yes
; Name resolution order
name resolve order = wins lmhosts host bcast
; Samba does not act as a DNS proxy
dns proxy = no
;======== TIME - Time server
; Samba acts as a `time` server
time server = yes
;======== USER Management - Uses the scripts from IDEALX
add user script = /usr/sbin/smbldap-useradd -m "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
;========LDAP
; LDAP server
passdb backend = ldapsam:ldap://127.0.0.1/
; When deleting the DN, delete everything (Yes) or only the Samba attributes (No)
ldap delete dn = Yes
; All information is kept in LDAP - Warning: needs to be tested
ldapsam:trusted = yes
; The connection to the directory is not encrypted
ldap ssl = no
; Our suffix
ldap suffix = dc=info,dc=uvt,dc=ro
; The administrator
ldap admin dn = cn=root,dc=info,dc=uvt,dc=ro
; Suffix for groups
ldap group suffix = ou=Groups
; Suffix for users
ldap user suffix = ou=Users
; Suffix for machines
ldap machine suffix = ou=Computers
; Suffix for Idmap
ldap idmap suffix = ou=Idmap
; ID mapping
idmap gid = 40000-50000
idmap uid = 40000-50000
;=========================== SHARE
; This share holds the default profile and the logon script
[netlogon]
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = no
write list = root
; This share holds the profiles
[profiles]
; Warning: the path must be changed
path = /home/%U
browseable = no
valid users = %S
read only = no
create mask = 0664
directory mask = 0775
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
Do you have a suggestion related to this problem?
Marian Neagul
Hi,
Did you add the LDAP root password in the Samba config with the
command smbpasswd -w 'ldap root passwd'???
It should be the problem...
Regards
Guillaume
I get the same error: "session setup failed: NT_STATUS_UNSUCCESSFUL"
The error log:
[2006/08/02 15:23:53, 6] param/loadparm.c:lp_file_list_changed(2947)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue
Aug 1 13:54:33 2006
[2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info_map(163)
make_user_info_map: Mapping user [TERRA]\[root] from workstation [BLUE]
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/08/02 15:23:53, 5] auth/auth_util.c:is_trusted_domain(1665)
is_trusted_domain: Checking for domain trust with [TERRA]
[2006/08/02 15:23:53, 5]
passdb/secrets.c:secrets_fetch_trusted_domain_password(337)
secrets_fetch failed!
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
no entry for trusted domain TERRA found.
[2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(69)
attempting to make a user_info for root (root)
[2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(79)
making strings for root's user_info struct
[2006/08/02 15:23:53, 5] auth/auth_util.c:make_user_info(121)
making blobs for root's user_info struct
[2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2006/08/02 15:23:53, 5] lib/util.c:dump_data(2058)
[000] 58 1C F4 6C 99 CE 29 41 X..l..)A
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
smbldap_search_ext: base => [dc=info,dc=uvt,dc=ro], filter =>
[(&(uid=root)(objectclass=sambaSamAccount))], scope => [2]
[2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_close(989)
The connection to the LDAP server was closed
[2006/08/02 15:23:53, 2] lib/smbldap.c:smbldap_open_connection(722)
smbldap_open_connection: connection opened
[2006/08/02 15:23:53, 3] lib/smbldap.c:smbldap_connect_system(905)
ldap_connect_system: succesful connection to the LDAP server
[2006/08/02 15:23:53, 4] lib/smbldap.c:smbldap_open(969)
The LDAP server is succesfully connected
[2006/08/02 15:23:53, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: root
[2006/08/02 15:23:53, 4] lib/substitute.c:automount_server(359)
Home server: blue
[2006/08/02 15:23:53, 4] lib/substitute.c:automount_server(359)
Home server: blue
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 4] libsmb/ntlm_check.c:ntlm_password_check(326)
ntlm_password_check: Checking NT MD4 password
[2006/08/02 15:23:53, 4] auth/auth_sam.c:sam_account_ok(123)
sam_account_ok: Checking SMB password for user root
[2006/08/02 15:23:53, 5] auth/auth_sam.c:logon_hours_ok(105)
logon_hours_ok: user root allowed to logon at this time (Wed Aug 2
15:23:53 2006
)
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/08/02 15:23:53, 3] smbd/uid.c:push_conn_ctx(393)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/08/02 15:23:53, 5] lib/smbldap.c:smbldap_search_ext(1080)
smbldap_search_ext: base => [ou=Groups,dc=info,dc=uvt,dc=ro], filter
=> [(&(objectClass=posixGroup)(|(memberUid=root)(gidNumber=0)))], scope
=> [2]
[2006/08/02 15:23:53, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2711)
primary group of [root] not found
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 4] auth/auth_util.c:add_user_groups(832)
get_user_groups_from_local_sam failed
[2006/08/02 15:23:53, 5] auth/auth_util.c:free_server_info(1511)
attempting to free (and zero) a server_info structure
[2006/08/02 15:23:53, 5] auth/auth_util.c:free_server_info(1511)
attempting to free (and zero) a server_info structure
[2006/08/02 15:23:53, 0] auth/auth_sam.c:check_sam_security(331)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
*[2006/08/02 15:23:53, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [root] FAILED with
error NT_STATUS_UNSUCCESSFUL*
[2006/08/02 15:23:53, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain [TERRA]
was for this SAM.
*[2006/08/02 15:23:53, 2] auth/auth.c:check_ntlm_password(317)
check_ntlm_password: Authentication for user [root] -> [root] FAILED
with error NT_STATUS_UNSUCCESSFUL*
[2006/08/02 15:23:53, 5] auth/auth_util.c:free_user_info(1485)
attempting to free (and zero) a user_info structure
[2006/08/02 15:23:53, 5] lib/util.c:show_msg(454)
[2006/08/02 15:23:53, 5] lib/util.c:show_msg(464)
size=100
smb_com=0x73
smb_rcls=1
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=19222
smb_uid=100
smb_mid=3
smt_wct=4
smb_vwv[ 0]= 255 (0xFF)
smb_vwv[ 1]= 0 (0x0)
smb_vwv[ 2]= 0 (0x0)
smb_vwv[ 3]= 9 (0x9)
smb_bcc=57
[2006/08/02 15:23:53, 3] smbd/process.c:timeout_processing(1447)
timeout_processing: End of file from client (client has disconnected).
[2006/08/02 15:23:53, 5] lib/gencache.c:gencache_shutdown(89)
Closing cache file
[2006/08/02 15:23:53, 5] libsmb/namecache.c:namecache_shutdown(79)
namecache_shutdown: netbios namecache closed successfully.
[2006/08/02 15:23:53, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_nt_user_token(433)
NT user token: (NULL)
[2006/08/02 15:23:53, 5] auth/auth_util.c:debug_unix_user_token(454)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2006/08/02 15:23:53, 5] smbd/uid.c:change_to_root_user(324)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2006/08/02 15:23:53, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/08/02 15:23:53, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/08/02 15:23:53, 3] smbd/server.c:exit_server(655)
Server exit (normal exit)
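
An added example, not part of the original thread: a small Python triage script that parses Samba 3 debug-log entries like those posted above, rejoining lines wrapped by the mail client, and lists the failures logged between the start of the authentication attempt and its final verdict. The sample input is copied from the log above; the function names and the failure keywords are assumptions of this example.

```python
import re

# Samba 3 debug header: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\]\s*(.*)$")
FAILURE = re.compile(r"fail|not found", re.I)
# Sample input: entries copied from the post's log, wrapping and "*" marks kept.
SAMPLE = """\
[2006/08/02 15:23:53, 5]
passdb/secrets.c:secrets_fetch_trusted_domain_password(337)
secrets_fetch failed!
[2006/08/02 15:23:53, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[EMAIL PROTECTED] with the new password interface
[2006/08/02 15:23:53, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2711)
primary group of [root] not found
[2006/08/02 15:23:53, 4] auth/auth_util.c:add_user_groups(832)
get_user_groups_from_local_sam failed
*[2006/08/02 15:23:53, 2] auth/auth.c:check_ntlm_password(317)
check_ntlm_password: Authentication for user [root] -> [root] FAILED
with error NT_STATUS_UNSUCCESSFUL*
"""

def parse_entries(text):
    """Return [(level, location, message)], rejoining wrapped lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()
        m = HEADER.match(line)
        if m:
            entries.append([int(m.group(2)), m.group(3), ""])
        elif entries and not entries[-1][1]:
            entries[-1][1] = line  # header was wrapped before file:function
        elif entries:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return [tuple(e) for e in entries]

def failure_chain(entries):
    """Failures logged from the start of the last auth attempt to its verdict."""
    chain, in_attempt = [], False
    for _level, loc, msg in entries:
        if "Checking password for unmapped user" in msg:
            chain, in_attempt = [], True
        elif in_attempt and FAILURE.search(msg):
            chain.append((loc, msg))
            in_attempt = "Authentication for user" not in msg
    return chain

if __name__ == "__main__":
    print(*failure_chain(parse_entries(SAMPLE)), sep="\n")
```

The first item in the returned chain is the earliest failure inside the attempt, which for this log is the `primary group of [root] not found` message from `ldapsam_enum_group_memberships`; the earlier `secrets_fetch failed!` entry falls outside the attempt and is not reported.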