I'm running FreeBSD 4.4, with Samba 2.2.2 freshly installed, with the FreeBSD Ports package to install files in correct places. I've a Win2k system trying to join the domain "FREESIDE". It will authenticate ok from the win2k command line:

    net use x: \\crypton\homes /USER:FREESIDE\jerry

It seems to work ok during the first part of joining a domain, i.e. password verifies, etc, but eventually kicks back with W2k showing:

    Login failure: Unknown username or bad password.

The following is the excerpt from Debug=10:

[2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:pdb_getsampwuid(1430)
  pdb_getsampwuid: found by name: admin
[2001/12/07 04:13:10, 4] lib/substitute.c:automount_server(161)
  Home server: crypton
[2001/12/07 04:13:10, 4] lib/substitute.c:automount_server(161)
  Home server: crypton
[2001/12/07 04:13:10, 3] smbd/sec_ctx.c:pop_sec_ctx(428)
  pop_sec_ctx (1003, 1004) - sec_ctx_stack_ndx = 0
[2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1453)
  pdb_getsampwrid: search by rid: 5000
[2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(168)
  startsmbfilepwent_internal: opening file /usr/local/private/smbpasswd
[2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
  startsmbfilepwent_internal: unable to open file /usr/local/private/smbpasswd. Error was Permission denied
[2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1459)
  unable to open passdb database.

Ktrace shows the following:

  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe7f4,0x47)
  1250 smbd     GIO   fd 22 wrote 71 bytes
       "[2001/12/07 03:23:24, 10] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1453)"
  1250 smbd     RET   write 71/0x47
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe484,0x27)
  1250 smbd     GIO   fd 22 wrote 39 bytes
       "  pdb_getsampwrid: search by rid: 5000"
  1250 smbd     RET   write 39/0x27
  1250 smbd     CALL  gettimeofday(0xbfbfed9c,0)
  1250 smbd     RET   gettimeofday 0
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe6f4,0x48)
  1250 smbd     GIO   fd 22 wrote 72 bytes
       "[2001/12/07 03:23:24, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(168)"
  1250 smbd     RET   write 72/0x48
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe384,0x48)
  1250 smbd     GIO   fd 22 wrote 72 bytes
       "  startsmbfilepwent_internal: opening file /usr/local/private/smbpasswd"
  1250 smbd     RET   write 72/0x48
  1250 smbd     CALL  open(0x81da500,0,0x1b6)
  1250 smbd     NAMI  "/usr/local/private/smbpasswd"
  1250 smbd     RET   open -1 errno 13 Permission denied
  1250 smbd     CALL  gettimeofday(0xbfbfed9c,0)
  1250 smbd     RET   gettimeofday 0
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe6f4,0x47)
  1250 smbd     GIO   fd 22 wrote 71 bytes
       "[2001/12/07 03:23:24, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)"
  1250 smbd     RET   write 71/0x47
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe374,0x6c)
  1250 smbd     GIO   fd 22 wrote 108 bytes
       "  startsmbfilepwent_internal: unable to open file /usr/local/private/smbpasswd. Error was Permission denied"
  1250 smbd     RET   write 108/0x6c
  1250 smbd     CALL  gettimeofday(0xbfbfee9c,0)
  1250 smbd     RET   gettimeofday 0
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe7f4,0x46)
  1250 smbd     GIO   fd 22 wrote 70 bytes
       "[2001/12/07 03:23:24, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1459)"
  1250 smbd     RET   write 70/0x46
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfe484,0x22)
  1250 smbd     GIO   fd 22 wrote 34 bytes
       "  unable to open passdb database."
  1250 smbd     RET   write 34/0x22
  1250 smbd     CALL  gettimeofday(0xbfbff36c,0)
  1250 smbd     RET   gettimeofday 0
  1250 smbd     CALL  geteuid
  1250 smbd     RET   geteuid 1003/0x3eb
  1250 smbd     CALL  write(0x16,0xbfbfecc4,0x3d)
  1250 smbd     GIO   fd 22 wrote 61 bytes

So it seems that it's setting the EUID to 1003 (which makes sense) but then wants to access the smb password file, and can't. Not sure why this is going on or where it starts. The debug messages don't seem to point to anything in particular, and the 32 megs of ktrace output only go so far. Perhaps it's an obvious configuration issue, but I can't see it.

---
jerry@fc.net Freelance Troublemaker^H^H^H^H^H^shooter
> [2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(168)
>   startsmbfilepwent_internal: opening file /usr/local/private/smbpasswd
> [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
>   startsmbfilepwent_internal: unable to open file /usr/local/private/smbpasswd.
>   Error was Permission denied
> [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1459)
>   unable to open passdb database.

I had just reached this same position myself when trying to work out why W2k will not authenticate against my SAMBA PDC. I have had several permissions problems with SAMBA and have had to make various directories and files world-readable. However, I understand that smbpasswd needs to be tightly restricted for security concerns, so have not tried to solve this problem by making it world-readable.

So, any help will be appreciated by at least two of us!

Phil.
---------------------------------------
Phil Chambers (postmaster@exeter.ac.uk)
University of Exeter
On Fri, 7 Dec 2001, Phil Chambers wrote:

> > [2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(168)
> >   startsmbfilepwent_internal: opening file /usr/local/private/smbpasswd
> > [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
> >   startsmbfilepwent_internal: unable to open file /usr/local/private/smbpasswd.
> >   Error was Permission denied
> > [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1459)
> >   unable to open passdb database.
>
> I had just reached this same position myself when trying to work out why W2k will
> not authenticate against my SAMBA PDC. I have had several permissions problems with
> SAMBA and have had to make various directories and files world-readable. However, I
> understand that smbpasswd needs to be tightly restricted for security concerns, so
> have not tried to solve this problem by making it world-readable.
>
> So, any help will be appreciated by at least two of us!

You need to join the domain as root (as specified in the Samba-PDC-HOWTO).

chau, jerry
---------------------------------------------------------------------
www.samba.org        SAMBA Team              jerry_at_samba.org
www.plainjoe.org                             jerry_at_plainjoe.org
http://www.hp.com    Hewlett-Packard         gerald_carter_at_hp.com
--"I never saved anything for the swim back." Ethan Hawk in Gattaca--
I'd like to know where the how-to is even at. :)

-----Original Message-----
From: Jeremy Porter [mailto:jerry@freeside.com]
Sent: Friday, December 07, 2001 2:56 PM
Cc: Phil Chambers; samba@lists.samba.org
Subject: Re: win2k joining Samba 2.2.2 PDC problems.

Sure enough, although the howto is a little unclear, as it only states that only root can be used to create machine accounts like this, under "creating machine trust accounts on the fly". Which is not quite the same as saying that you are required to join the domain as root. The older howtos don't mention this at all, and only give the manual method of creating machine trust accounts. FYI. Thanks, tho.

In message <Pine.LNX.4.33.0112071216120.10896-100000@pogo.plainjoe.org>, "Gerald (Jerry) Carter" writes:
>On Fri, 7 Dec 2001, Phil Chambers wrote:
>
>> > [2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(168)
>> >   startsmbfilepwent_internal: opening file /usr/local/private/smbpasswd
>> > [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
>> >   startsmbfilepwent_internal: unable to open file /usr/local/private/smbpasswd.
>> >   Error was Permission denied
>> > [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1459)
>> >   unable to open passdb database.
>>
>> I had just reached this same position myself when trying to work out why W2k will
>> not authenticate against my SAMBA PDC. I have had several permissions problems with
>> SAMBA and have had to make various directories and files world-readable. However, I
>> understand that smbpasswd needs to be tightly restricted for security concerns, so
>> have not tried to solve this problem by making it world-readable.
>>
>> So, any help will be appreciated by at least two of us!
>
>You need to join the domain as root (as specified in the Samba-PDC-HOWTO).
>
>chau, jerry
>---------------------------------------------------------------------
>www.samba.org        SAMBA Team              jerry_at_samba.org
>www.plainjoe.org                             jerry_at_plainjoe.org
>http://www.hp.com    Hewlett-Packard         gerald_carter_at_hp.com
>--"I never saved anything for the swim back." Ethan Hawk in Gattaca--

---
jerry@fc.net Freeside Orbitial Construction Corps
I have experienced some problems with win2k SP2. If you have it installed, try to remove SP2.
> > > [2001/12/07 04:13:10, 10] passdb/pdb_smbpasswd.c:startsmbfilepwent(168)
> > >   startsmbfilepwent_internal: opening file /usr/local/private/smbpasswd
> > > [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(171)
> > >   startsmbfilepwent_internal: unable to open file /usr/local/private/smbpasswd.
> > >   Error was Permission denied
> > > [2001/12/07 04:13:10, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1459)
> > >   unable to open passdb database.
> >
> > I had just reached this same position myself when trying to work out why W2k will
> > not authenticate against my SAMBA PDC. I have had several permissions problems with
> > SAMBA and have had to make various directories and files world-readable. However, I
> > understand that smbpasswd needs to be tightly restricted for security concerns, so
> > have not tried to solve this problem by making it world-readable.
> >
> > So, any help will be appreciated by at least two of us!
>
> You need to join the domain as root (as specified in the Samba-PDC-HOWTO).

Thanks for the reply. I have re-read the Samba-PDC-HOWTO twice more and cannot find any reference to needing root to join a client to a domain! My copy is that supplied with 2.2.2 and is dated Jul 31 2001. I created the machine trust account manually and was logged in as root to do that.

When trying to join the client I used a username which is listed in my "domain admin group" list. Surely the point of this parameter is to provide non-root access in just this situation. The last thing I want to have to do is use my Unix root password to join a client to the domain!

Phil.
---------------------------------------
Phil Chambers (postmaster@exeter.ac.uk)
University of Exeter
At 12:05 PM 12/10/01 +0000, Phil Chambers wrote:
>When trying to join the client I used a username which is listed in my
>"domain admin group" list. Surely the point of this parameter is to provide
>non-root access in just this situation. The last thing I want to have to do
>is use my Unix root password to join a client to the domain!

Which is exactly what you need to do with NT (Administrator / Domain admin). You need to be able to read and write the smb password file, so you need to be root, or at least someone who has access to do that. I agree, having root as an smb valid username is a security risk, but that's just the way these things work.

Martyn Ranyard
>Thanks for the reply. I have re-read the Samba-PDC-HOWTO twice more and cannot find
>any reference to needing root to join a client to a domain! My copy is that
>supplied with 2.2.2 and is dated Jul 31 2001. I created the machine trust account
>manually and was logged in as root to do that.
>
>When trying to join the client I used a username which is listed in my "domain admin
>group" list. Surely the point of this parameter is to provide non-root access in
>just this situation. The last thing I want to have to do is use my Unix root
>password to join a client to the domain!

Unfortunately, it looks like an implementation issue in the samba server that is fairly deeply coupled to the unix security model: the unix requirement of being root to setuid to the user logging in, the smbpasswd being owned by root, and the need to change the machine trust account password when logging in for the first time. If there was a split between the samba file server and the samba account authorization/authentication server, it might be possible to address this issue. (It would also provide a more "clean" security implementation.) In theory this could be done via some type of "pam" system and a non-root daemon. Although given the need for an /etc/passwd entry for a machine trust account, some root access will always be needed for adding a new machine.

At any rate, we should look at updating the howto to be more clear on the root requirement.

---
jerry@fc.net Freeside Orbitial Construction Corps
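The coupling Jeremy describes above, and Martyn's point about needing read and write access to the smb password file, worked through as an added example. This is not part of the thread and not Samba's code: it is a Python model of a Samba 2.2-style smbd worker that looks up the joining user while still root, switches its euid to that user (the ktrace shows geteuid() returning 1003 from then on), and only afterwards has to open the root-owned, mode 0600 smbpasswd file to find the machine trust account by RID and rewrite its password. The smbpasswd line format and the uid-to-RID mapping (rid = uid * 2 + 1000, Samba 2.x's algorithmic scheme, under which the log's "search by rid: 5000" is uid 2000) are stated as assumptions; the account names, uids, hashes and the "w2kbox" machine are constructed, and the permission check is a simplified model of Unix DAC rather than a real open(2). It also tries the world-readable 0644 workaround Phil was avoiding, to show it does not help: the lookups then succeed, but rewriting the trust password still fails, so the only account that completes the join is one whose Unix uid is 0.

```python
import errno
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional

PASSDB_PATH = "/usr/local/private/smbpasswd"   # path from the debug log
USER_RID_BASE, RID_MULTIPLIER = 1000, 2        # Samba 2.x algorithmic RID mapping (assumed)

def uid_to_user_rid(uid: int) -> int:
    """rid = uid * 2 + 1000, so the log's 'search by rid: 5000' is uid 2000."""
    return uid * RID_MULTIPLIER + USER_RID_BASE

@dataclass
class SmbPasswdEntry:
    name: str
    uid: int
    flags: str                                  # e.g. "[U          ]" or "[W          ]"

    @property
    def is_machine(self) -> bool:
        return "W" in self.flags                # machine trust accounts carry the W flag

def parse_smbpasswd(text: str) -> List[SmbPasswdEntry]:
    """Parse name:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx: lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("malformed smbpasswd line: %r" % raw)
        flags = fields[4] if len(fields) > 4 and fields[4].startswith("[") else "[U          ]"
        entries.append(SmbPasswdEntry(fields[0], int(fields[1]), flags))
    return entries

FileMeta = namedtuple("FileMeta", "owner_uid mode")   # all DAC needs here: owner and mode bits

def dac_allows(meta: FileMeta, euid: int, want_write: bool) -> bool:
    """Simplified Unix DAC: root bypasses; the owner gets the u bits, everyone else the o bits."""
    if euid == 0:
        return True
    bit = 0o200 if want_write else 0o400
    return bool(meta.mode & (bit if euid == meta.owner_uid else bit >> 6))

class Smbd:
    """One smbd worker: starts as root; join_domain() switches its euid like smbd/sec_ctx.c."""
    def __init__(self, passdb_text: str, passdb_meta: FileMeta):
        self.passdb_text, self.passdb_meta, self.euid = passdb_text, passdb_meta, 0

    def _open_passdb(self, want_write: bool) -> Dict[str, SmbPasswdEntry]:
        # startsmbfilepwent(): an open(2) of smbpasswd as the *current* euid, not as root
        if not dac_allows(self.passdb_meta, self.euid, want_write):
            raise PermissionError(errno.EACCES, "Permission denied", PASSDB_PATH)
        return {e.name: e for e in parse_smbpasswd(self.passdb_text)}

    def getsampwnam(self, name: str) -> Optional[SmbPasswdEntry]:
        return self._open_passdb(want_write=False).get(name)

    def getsampwrid(self, rid: int) -> Optional[SmbPasswdEntry]:
        by_rid = {uid_to_user_rid(e.uid): e for e in self._open_passdb(want_write=False).values()}
        return by_rid.get(rid)

    def update_sam_account(self, entry: SmbPasswdEntry) -> None:
        self._open_passdb(want_write=True)      # setting the trust password rewrites the file

def join_domain(smbd: Smbd, joining_user: str, machine_name: str) -> str:
    """Server side of a W2K join, simplified; the client shows any failure as a bad password."""
    user = smbd.getsampwnam(joining_user)       # still euid 0 here ("found by name: admin")
    if user is None:
        return "no such user"
    saved, smbd.euid = smbd.euid, user.uid      # push_sec_ctx: from here on act as the joiner
    try:
        machine = smbd.getsampwnam(machine_name + "$")
        if machine is None or not machine.is_machine:
            return "no machine trust account for %s$" % machine_name
        machine = smbd.getsampwrid(uid_to_user_rid(machine.uid))   # the log's "search by rid"
        smbd.update_sam_account(machine)
        return "joined"
    except PermissionError as e:
        return "cannot open %s as euid %d: %s" % (e.filename, smbd.euid, e.strerror)
    finally:
        smbd.euid = saved                       # pop_sec_ctx

# Constructed smbpasswd contents: root, the admin user jerry (uid 1003 as in the ktrace)
# and a trust account for an invented host "w2kbox" (uid 2000, hence RID 5000).
H = "0123456789ABCDEF0123456789ABCDEF"          # placeholder hash, not a real one
SAMPLE_SMBPASSWD = "\n".join([
    "# Samba SMB password file",
    "root:0:%s:%s:[U          ]:LCT-3C10A2F0:" % (H, H),
    "jerry:1003:%s:%s:[U          ]:LCT-3C10A2F0:" % (H, H),
    "w2kbox$:2000:%s:%s:[W          ]:LCT-00000000:" % (H, H),
])
ROOT_ONLY = FileMeta(owner_uid=0, mode=0o600)       # as the port installs it
WORLD_READABLE = FileMeta(owner_uid=0, mode=0o644)  # the tempting workaround

def demo(meta: FileMeta = ROOT_ONLY) -> Dict[str, str]:
    smbd = Smbd(SAMPLE_SMBPASSWD, meta)
    return {who: join_domain(smbd, who, "w2kbox") for who in ("jerry", "root")}
```

Calling demo() with ROOT_ONLY reproduces the log: the join as jerry stops with "cannot open /usr/local/private/smbpasswd as euid 1003: Permission denied" while the join as root returns "joined". With WORLD_READABLE the name and RID lookups get past the open, but update_sam_account() fails the same way, which is why loosening the mode is neither safe nor sufficient.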