Rubin Bennett
2007-Jun-12 01:29 UTC
[Samba] Windows member servers have lost their minds...
Hello all... I'm having a serious problem after a Samba upgrade from 3.0.20 to 3.0.23c.

A bit of background: I have a network with a Samba PDC and several member servers running Windows 2000 Server. I upgraded my PDC from Mandriva Linux to RHEL5, which (obviously) included a Samba upgrade. I renamed the old server to a different hostname and IP address, and disabled Samba on it, then I copied my configs and tdb files over to the new server. Everything appeared to work fine; domain logons worked, the 50+ client machines appear to be completely happy (i.e. didn't notice a change at all), life was good.

Until... I noticed that administering shares on the member servers wasn't working. Nor were Backup Exec or SQL Server. All died with "insufficient privileges" when the services started. In addition, if I logged in as DOMAIN\Administrator, then I was running as a non-administrator. I couldn't change anything on the server, or go into privileged areas (most, anyway), or shut down. I could restart some services but not all, and any service that used the DOMAIN\Administrator account (Backup Exec) didn't start, and I couldn't change the password or user account. All of my SQL resources are offline, and refuse to start, because they appear to be tied in somehow to the domain model.

I have 'unjoined' the servers from the domain (joined WORKGROUP), and removed their accounts from both the PAM subsystem:

    userdel machinename
    net rpc user delete machinename

I added the server back into the domain, and it's all exactly the same. These servers were running throughout the upgrade process, if that makes a difference.
Finally, the output of pdbedit -L is quite different than what I'm used to:

[root@PDC ~]# pdbedit -L MEMBERSERVER$
WARNING: The "printer admin" option is deprecated
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
doing parameter security = user
doing parameter encrypt passwords = yes
doing parameter pam password change = yes
doing parameter username map = /etc/samba/smbusers
doing parameter winbind uid = 10000-20000
doing parameter winbind gid = 10000-20000
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter os level = 133
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter domain logons = yes
doing parameter logon script = login.bat
doing parameter logon path = \\%L\profiles\%U
doing parameter logon home = \\%L\%U
doing parameter profile acls = yes
doing parameter logon drive = H:
doing parameter passdb backend = tdbsam
doing parameter name resolve order = wins lmhosts bcast
doing parameter wins support = yes
doing parameter dns proxy = no
doing parameter add user script = /usr/sbin/useradd -s /bin/false '%u'
doing parameter delete user script = /usr/sbin/userdel '%s'
doing parameter add user to group script = /usr/bin/gpasswd -a '%u' '%g'
doing parameter delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
doing parameter set primary group script = /usr/sbin/usermod -g '%g' '% u'
doing parameter add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'
doing parameter delete group script = /usr/sbin/groupdel '%g'
doing parameter add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Netbios name list:-
my_netbios_names[0]="PDC"
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
tdbsam_open: successfully opened /etc/samba/passdb.tdb
pdb_set_username: setting username MEMBERSERVER$, was
pdb_set_domain: setting domain DOMAIN, was
pdb_set_nt_username: setting nt username , was
pdb_set_full_name: setting full name MEMBERSERVER$, was
pdb_set_homedir: setting home dir \\PDC\MEMBERSERVER_, was
pdb_set_dir_drive: setting dir drive H:, was NULL
pdb_set_logon_script: setting logon script login.bat, was
pdb_set_profile_path: setting profile path \\PDC\profiles\MEMBERSERVER_, was
pdb_set_workstations: setting workstations , was
grant_privilege: S-1-1-0
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-548
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-549
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-550
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-551
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-544
original privilege mask: SE_PRIV 0xff0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0xff0 0x0 0x0 0x0
account_policy_get: name: password history, val: 0
pdb_set_user_sid: setting user sid S-1-5-21-217398797-1463318779-1850952788-2106
pdb_set_user_sid_from_rid: setting user sid S-1-5-21-217398797-1463318779-1850952788-2106 from rid 2106
lookup_global_sam_rid: looking up RID 513.
tdbsam_open: Incrementing open reference count. Ref count is now 2
pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201. Error: Record does not exist
tdbsam_close: Reference count is now 1.
sid_to_gid: S-1-5-21-217398797-1463318779-1850952788-513 -> 100
store_gid_sid_cache: gid 100 in cache -> S-1-5-21-217398797-1463318779-1850952788-513
pdb_set_group_sid: setting group sid S-1-5-21-217398797-1463318779-1850952788-513
pdb_set_group_sid_from_rid: setting group sid S-1-5-21-217398797-1463318779-1850952788-513 from rid 513
tdbsam_close: Reference count is now 0.
MEMBERSERVER$:553:memberserver$

Any help would be appreciated... I performed this upgrade on Friday night, and so I haven't been able to back my systems up (with the exception of the PDC...) since Thursday night. I've googled extensively and have thus far come up with very little of relevance.

Thank you in advance for any light you may be able to shed, and my apologies for the long post...

Rubin

Rubin Bennett
High Commander and Janitor
RB Technologies
http://thatitguy.com
rbennett@thatitguy.com
(802)223-4448
"They that can give up essential liberty to obtain a little temporary security deserve neither liberty nor safety" --Benjamin Franklin, Historical Review of Pennsylvania, 1759
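An added triage helper, not part of this thread, that scans a Samba 3.0.x level-10 passdb debug dump like the pdbedit -L output above: it collects the privilege mask granted to each SID and any RID lookups that fail in the passdb, so the all-zero masks on the BUILTIN operator groups and the missing RID 513 record stand out without reading the whole log. The well-known SID names are assumed from the standard Windows meanings; the sample log is a constructed subset of the lines posted above.

```python
# Added triage helper (not part of the thread): scans a Samba 3.0.x level-10
# passdb debug dump like the pdbedit -L output above for the privilege masks
# granted to well-known SIDs and for RID lookups that fail in the passdb.
import re

# Well-known SIDs/RIDs; standard Windows meanings (assumed, not from the thread).
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators",
              "S-1-5-32-548": "Account Operators", "S-1-5-32-549": "Server Operators",
              "S-1-5-32-550": "Print Operators", "S-1-5-32-551": "Backup Operators"}
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

GRANT_RE = re.compile(r"^grant_privilege: (S-[\d-]+)$")
MASK_RE = re.compile(r"^new privilege mask: SE_PRIV ((?:0x[0-9a-f]+ ?){4})$")
RIDFAIL_RE = re.compile(r"error looking up RID (\d+) by key (RID_[0-9A-F]+)")


def parse_pdbedit_debug(text):
    """Return the granted privilege mask per SID and the failed RID lookups."""
    privileges, rid_failures, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := GRANT_RE.match(line):
            current = m.group(1)          # the mask lines that follow belong to this SID
        elif (m := MASK_RE.match(line)) and current:
            privileges[current] = [int(w, 16) for w in m.group(1).split()]
            current = None
        elif m := RIDFAIL_RE.search(line):
            rid = int(m.group(1))
            rid_failures.append((rid, DOMAIN_RIDS.get(rid, "unknown"), m.group(2)))
    return {"privileges": privileges, "rid_failures": rid_failures}


def sids_without_privileges(parsed):
    """SIDs whose granted mask is all zero, labelled with their well-known name."""
    return sorted((sid, WELL_KNOWN.get(sid, "?")) for sid, mask in
                  parsed["privileges"].items() if not any(mask))


# Constructed sample: a subset of the lines from the dump above.
SAMPLE_LOG = """\
grant_privilege: S-1-1-0
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-551
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-544
original privilege mask: SE_PRIV 0xff0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0xff0 0x0 0x0 0x0
lookup_global_sam_rid: looking up RID 513.
pdb_getsampwrid (TDB): error looking up RID 513 by key RID_00000201. Error: Record does not exist
"""
```

Run parse_pdbedit_debug on the full dump captured from `pdbedit -L` (or an smbd level-10 log) and compare the zero-mask list against the groups you expect to hold rights on the member servers.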
Gerald (Jerry) Carter
2007-Jun-12 12:22 UTC
[Samba] Windows member servers have lost their minds...
Rubin,

> I'm having a serious problem after a Samba upgrade from 3.0.20 to
> 3.0.23c.

You read the release notes regarding the SID changes in 3.0.23 right? The next step is to look at a level 10 debug log from smbd when you are receiving the ACCESS_DENIED error.

cheers, jerry

====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Rubin Bennett
2007-Jun-12 15:29 UTC
[Samba] Windows member servers have lost their minds...
----- Original Message -----
From: Gerald (Jerry) Carter <jerry@samba.org>
Sent: Tue, 6/12/2007 8:22am
To: Rubin Bennett <rbennett@thatitguy.com>
Cc: samba@lists.samba.org
Subject: Re: [Samba] Windows member servers have lost their minds...

> Rubin,
>
>> I'm having a serious problem after a Samba upgrade from 3.0.20 to
>> 3.0.23c.
>
> You read the release notes regarding the SID changes in
> 3.0.23 right? The next step is to look at a level 10
> debug log from smbd when you are receiving the ACCESS_DENIED
> error.

Hi, Jerry-

Thanks for your reply! I did read the release notes, and the RID/SID mappings were one of the first things I looked at, along with the output from net groupmap list.

What I'm seeing is that the domain authentication is working just fine, but that I don't have administrative rights on the member servers when I log in as DOMAIN\root. If I go to the Event log, I can read everything but the Security log, which errors out with:

    Unable to complete the operation on "Security". A required privilege is not held by the client

If I try to set services to run as the domain administrator, they won't start. I've unjoined and rejoined the machines to the domain several times, I've removed the machine accounts from the Linux and Samba databases, I've double and triple checked profiles and net groupmap listings etc. etc. etc. and get no joy.

For a brief moment last night, things appeared to be almost working correctly on one of the servers (i.e. I could shut the server down etc. when logged in as the domain administrator and could get into the Security event log), but this morning, after no changes were made, things weren't happy again. The SQL server was not running and the file shares were inaccessible from the network. There are no errors on the Samba box and log level = 10.

On the Windows server, the only error that I can find is a 3210, "Failed to authenticate with \\PDC, a Windows NT or 2000 domain controller for domain DOMAIN."

*head bloody from banging on wall*...

Rubin