Stephen Vermeulen
2007-Dec-10 19:50 UTC
[Samba] Can not add a new NT Workstation to a new (vampired) samba domain
I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux server (samba 3.0.24). This was with a completely fresh install of debian.

My smb.conf is pretty simple:

    [global]
    workgroup = BUTLER
    netbios name = STAR3
    passdb backend = tdbsam
    domain master = No
    domain logons = Yes
    os level = 33
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
    # wins server = [IP of wins server]

    [files]
    comment = SAMBA File Server
    path = /home/files
    read only = No

In addition I have the following smbusers file:

    star3:/etc/samba# cat smbusers
    root = Administrator

testparm tells me this setup will give me a BDC.

I first added the samba server (star3) to the old NT4 PDC using the server manager tool and then did a:

    net rpc join -S nova -UAdministrator%password

This worked and I was able to access the machine from the PDC.

I then did a vampire:

    net rpc vampire -S nova -W BUTLER -UAdministrator%password

and this worked for most of the user accounts and machine accounts (there were some that had errors, but these were mostly for old users or machines that were long since gone). These errors look like:

    Creating account: chris
    [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
      Unable to modify passwd TDB!  Error: Record does not exist occured while storing the main record (USER_chris)
    Creating account: ECLIPSE$
    [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
      Unable to modify passwd TDB!  Error: Record does not exist occured while storing the main record (USER_eclipse$)
    Creating account: GALAXY$
    [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
      Unable to modify passwd TDB!  Error: Record does not exist occured while storing the main record (USER_galaxy$)

In the case of GALAXY$, this is a current machine and it did seem to function afterwards, though maybe it's using stored credentials still?

After the vampiring I shut down the NT4 PDC (nova) and did various login and file sharing tests and the main accounts (including Administrator) all seemed to work. The samba box was still functioning in BDC role.

I then decided to try adding a new Windows XP Pro workstation to the domain (it had previously been a member, but I had removed it from the old domain to experiment with moving user profiles between domains).

When I told it to join the domain it returned an error telling me that it could not find the domain. So I thought "maybe a BDC cannot join new machines to the domain". (The NT4 PDC was switched off at this time).

So then I stopped samba and set:

    domain master = yes
    wins support = yes

and restarted samba.

Then when I tried to add the machine I got a Windows error dialog saying:

    The following error occurred while attempting to join the domain "Butler":
    The user name could not be found.

I was using the "Administrator" user name, and I was able to log into the BUTLER domain on another Windows box as the Administrator and access the file share on the samba box and create new files in the folder owned by Administrator.

I googled this for a bit last night and found quite a few references to this error, but nothing really conclusive.

Any suggestions?

Thanks

Stephen.
simo
2007-Dec-10 19:56 UTC
[Samba] Can not add a new NT Workstation to a new (vampired) samba domain
On Mon, 2007-12-10 at 07:17 -0700, Stephen Vermeulen wrote:
> I was using the "Administrator" user name, and I was able to log into
> the BUTLER domain on another Windows box as the Administrator and
> access the file share on the samba box and create new files in the folder
> owned by Administrator.
>
> I googled this for a bit last night and found quite a few references to this
> error, but nothing really conclusive.
>
> Any suggestions?

Raise your log level and make sure your machine add script is indeed working properly (also make sure you do not have nscd running, or make it so that the "add * script" scripts you have properly tell nscd to refresh their status, as nscd does negative caching too).

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>
Stephen Vermeulen
2007-Dec-11 04:28 UTC
[Samba] Can not add a new NT Workstation to a new (vampired) samba domain
Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> I first added the samba server (star3) to the old NT4 PDC using the
> server manager tool and then did a:
>
> net rpc join -S nova -UAdministrator%password
>
> This worked and I was able to access the machine from the PDC.
>
> I then did a vampire:
>
> net rpc vampire -S nova -W BUTLER -UAdministrator%password
>
> and this worked for most of the user accounts and machine accounts
> (there were some that had errors, but these were mostly for old users
> or machines that were long since gone), these errors look like:

I checked the SIDs of the original NT4 PDC and the samba BDC (after net vampire had run) and they were different. Could this be causing problems?

According to this Microsoft article:

http://www.microsoft.com/technet/sysinternals/Utilities/NewSid.mspx

"... a BDC's relationship to a Domain is identified by it having the same computer SID as the other Domain Controllers (DCs)."

Stephen
Stephen Vermeulen
2007-Dec-11 04:57 UTC
[Samba] Can not add a new NT Workstation to a new (vampired) samba domain
Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> ...
>
> I then decided to try adding a new Windows XP Pro workstation to the
> domain (it had previously been a member, but I had removed it from the
> old domain to experiment with moving user profiles between domains).
>
> When I told it to join the domain it returned an error telling me that
> it could not find the domain.
> So I thought "maybe a BDC cannot join new machines to the domain".
> (The NT4 PDC was switched off at this time).
>
> So then I stopped samba and set:
>
> domain master = yes
> wins support = yes
>
> and restarted samba.
>
> Then when I tried to add the machine I got a Windows error dialog saying:
>
> The following error occurred while attempting to join the domain "Butler":
> The user name could not be found.
>
> I was using the "Administrator" user name, and I was able to log into
> the BUTLER domain on another Windows box as the Administrator and
> access the file share on the samba box and create new files in the folder
> owned by Administrator.

Since the BDC SID was not the same as the PDC's SID I used the net command to fetch the SID from the PDC and write it to the BDC. Now a "net getlocalsid" reports the same SID. Shouldn't net vampire have made the BDC have the same SID as the PDC?

After doing this the error changed to "Access is denied".

I then redid the net vampire, but this did not change things.

I have increased the log level to 2 and the following log file section is what happens when I try to add the new machine.

Also, here is the current version of the smb.conf file:

    star4:/etc/samba# cat smb.conf
    [global]
    workgroup = BUTLER
    netbios name = STAR4
    passdb backend = tdbsam
    domain master = Yes
    domain logons = Yes
    wins support = yes
    os level = 40
    log level = 2
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
    # wins server = [IP of wins server]

    [files]
    comment = SAMBA File Server
    path = /home/files
    read only = No
    star4:/etc/samba#

And the log.smbd file:

    [2007/12/10 14:45:44, 2] smbd/reply.c:reply_special(496)
      netbios connect: name1=STAR4 name2=TULLY
    [2007/12/10 14:45:44, 2] smbd/reply.c:reply_special(503)
      netbios connect: local=star4 remote=tully, name type = 0
    [2007/12/10 14:45:44, 0] lib/util_sock.c:write_data(562)
      write_data: write failure in writing to client 192.168.128.103. Error Connection reset by peer
    [2007/12/10 14:45:44, 0] lib/util_sock.c:send_smb(769)
      Error writing 4 bytes to client. -1. (Connection reset by peer)
    [2007/12/10 14:45:44, 2] smbd/sesssetup.c:setup_new_vc_session(799)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2007/12/10 14:45:44, 2] smbd/sesssetup.c:setup_new_vc_session(799)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2007/12/10 14:45:44, 2] auth/auth.c:check_ntlm_password(309)
      check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
    [2007/12/10 14:45:44, 2] smbd/reply.c:reply_tcon_and_X(711)
      Serving IPC$ as a Dfs root
    [2007/12/10 14:45:45, 2] smbd/reply.c:reply_special(496)
      netbios connect: name1=STAR4 name2=TULLY
    [2007/12/10 14:45:45, 2] smbd/reply.c:reply_special(503)
      netbios connect: local=star4 remote=tully, name type = 0
    [2007/12/10 14:45:45, 0] lib/util_sock.c:write_data(562)
      write_data: write failure in writing to client 192.168.128.103. Error Connection reset by peer
    [2007/12/10 14:45:45, 0] lib/util_sock.c:send_smb(769)
      Error writing 4 bytes to client. -1. (Connection reset by peer)
    [2007/12/10 14:45:45, 2] smbd/sesssetup.c:setup_new_vc_session(799)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2007/12/10 14:45:45, 2] smbd/sesssetup.c:setup_new_vc_session(799)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2007/12/10 14:45:45, 2] auth/auth.c:check_ntlm_password(309)
      check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
    [2007/12/10 14:45:45, 2] smbd/reply.c:reply_tcon_and_X(711)
      Serving IPC$ as a Dfs root
    [2007/12/10 14:45:45, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
      Returning domain sid for domain BUTLER -> S-1-5-21-1965320917-1955335400-7473742
    [2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdbsam_open(818)
      tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
    [2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdb_update_sam(1335)
      tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!

You can see the machine being added is called "TULLY" and the PDC is called "STAR4", and the problem seems to be right near the end with:

    tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
    [2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdb_update_sam(1335)
      tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!

Any ideas? Or should I increase the log level...

Thanks,

Stephen
Stephen Vermeulen
2007-Dec-11 14:51 UTC
[Samba] Can not add a new NT Workstation to a new (vampired) samba domain
Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> My smb.conf is pretty simple:
>
> [global]
> workgroup = BUTLER
> netbios name = STAR3
> passdb backend = tdbsam
> domain master = No
> domain logons = Yes
> os level = 33
> add user script = /usr/sbin/useradd -m '%u'
> delete user script = /usr/sbin/userdel -r '%u'
> add group script = /usr/sbin/groupadd '%g'
> delete group script = /usr/sbin/groupdel '%g'
> add user to group script = /usr/sbin/usermod -G '%g' '%u'
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
> # wins server = [IP of wins server]
>
> [files]
> comment = SAMBA File Server
> path = /home/files
> read only = No
>
> In addition I have the following smbusers file:
>
> star3:/etc/samba# cat smbusers
> root = Administrator
>
> testparm tells me this setup will give me a BDC.
>
> I first added the samba server (star3) to the old NT4 PDC using the
> server manager tool and then did a:
>
> net rpc join -S nova -UAdministrator%password
>
> This worked and I was able to access the machine from the PDC.
>
> I then did a vampire:
>
> net rpc vampire -S nova -W BUTLER -UAdministrator%password
>
> and this worked for most of the user accounts and machine accounts
> (there were some that had errors, but these were mostly for old users
> or machines that were long since gone), these errors look like:

What would be the best way (apart from reinstalling Linux) to clean up the system between tests of this? Deleting all the *.tdb files? What about the unix accounts that the vampire produces? What about the unix groups it creates?

Thanks,

Stephen
Stephen Vermeulen
2007-Dec-12 13:57 UTC
[Samba] Can not add a new NT Workstation to a new (vampired) samba domain
Stephen Vermeulen wrote:
> I am replacing an old NT4.0 Server with a debian 4.0R1 etch Linux
> server (samba 3.0.24).
>
> This was with a completely fresh install of debian.
>
> My smb.conf is pretty simple:
>
> [global]
> workgroup = BUTLER
> netbios name = STAR3
> passdb backend = tdbsam
> domain master = No
> domain logons = Yes
> os level = 33
> add user script = /usr/sbin/useradd -m '%u'
> delete user script = /usr/sbin/userdel -r '%u'
> add group script = /usr/sbin/groupadd '%g'
> delete group script = /usr/sbin/groupdel '%g'
> add user to group script = /usr/sbin/usermod -G '%g' '%u'
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
> # wins server = [IP of wins server]
>
> [files]
> comment = SAMBA File Server
> path = /home/files
> read only = No
>
> In addition I have the following smbusers file:
>
> star3:/etc/samba# cat smbusers
> root = Administrator
>
> testparm tells me this setup will give me a BDC.
>
> I first added the samba server (star3) to the old NT4 PDC using the
> server manager tool and then did a:
>
> net rpc join -S nova -UAdministrator%password
>
> This worked and I was able to access the machine from the PDC.
>
> I then did a vampire:
>
> net rpc vampire -S nova -W BUTLER -UAdministrator%password
>
> and this worked for most of the user accounts and machine accounts
> (there were some that had errors, but these were mostly for old users
> or machines that were long since gone), these errors look like:
>
> Creating account: chris
> [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
>   Unable to modify passwd TDB!  Error: Record does not exist occured
> while storing the main record (USER_chris)
> Creating account: ECLIPSE$
> [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
>   Unable to modify passwd TDB!  Error: Record does not exist occured
> while storing the main record (USER_eclipse$)
> Creating account: GALAXY$
> [2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
>   Unable to modify passwd TDB!  Error: Record does not exist occured
> while storing the main record (USER_galaxy$)
>
> In the case of GALAXY$, this is a current machine and it did seem to
> function afterwards, though maybe it's using stored credentials still?
>
> After the vampiring I shut down the NT4 PDC (nova) and did various
> login and file sharing tests and the main accounts (including
> Administrator) all seemed to work. The samba box was still
> functioning in BDC role.
>
> I then decided to try adding a new Windows XP Pro workstation to the
> domain (it had previously been a member, but I had removed it from the
> old domain to experiment with moving user profiles between domains).
>
> When I told it to join the domain it returned an error telling me that
> it could not find the domain.
> So I thought "maybe a BDC cannot join new machines to the domain".
> (The NT4 PDC was switched off at this time).
>
> So then I stopped samba and set:
>
> domain master = yes
> wins support = yes
>
> and restarted samba.
>
> Then when I tried to add the machine I got a Windows error dialog saying:
>
> The following error occurred while attempting to join the domain "Butler":
> The user name could not be found.
>
> I was using the "Administrator" user name, and I was able to log into
> the BUTLER domain on another Windows box as the Administrator and
> access the file share on the samba box and create new files in the folder
> owned by Administrator.
>
> I googled this for a bit last night and found quite a few references to this
> error, but nothing really conclusive.
>
> Any suggestions?
>
> Thanks
>
> Stephen.
>

I believe I have this working now as I have been able to add new machines to my samba-based PDC in a couple of tests.

I still need to do another pass through everything to make certain, but it appears that doing the following three commands on the Linux box as root was all that was needed:

    star4:/etc/samba# net rpc getsid -S nova -UAdministrator%password
    Storing SID S-1-5-21-1965320917-1955335400-7473742 for Domain BUTLER in secrets.tdb
    star4:/etc/samba# net setlocalsid S-1-5-21-1965320917-1955335400-7473742
    star4:/etc/samba# smbpasswd

Now if you review procedure 36.1 (in Chapter 36: Migration of NT4 PDC to Samba-3 PDC in the Official Samba 3.2.x HOWTO and Reference Guide) you'll see that it:

1. does not mention the need to set the "smbpasswd"
2. does not mention the need to copy the NT4 PDC SID into the BDC

and to add to the confusion the "net rpc getsid" utility SAYS it is storing the domain's SID into the BDC's secrets.tdb, but when I did a "net getlocalsid" afterwards I found that the BDC's SID had NOT been changed, and for this reason I needed to do the "net setlocalsid".

Thinking about this I'm guessing that because the smbpasswd for root had not been set (as that was not in the migration guide steps) the "net rpc getsid" actually was not able to write to the secrets.tdb file, and it should have written an error instead of the incorrect success message.

Perhaps the "net rpc vampire" should have copied the domain SID into the BDC as well, and perhaps that had also silently failed because the smbpasswd had not been set? It could also be that vampiring intentionally does not copy the SID, so that if you are vampiring from several domains you don't get confused?

The next step for me will be to repeat these tests with a fresh Linux install to see what is really missing from Procedure 36.1. I'm thinking that a:

    Step 0: smbpasswd

is required, and then I'll check the BDC's SID after step 3 (net rpc vampire) to see if the domain SID was copied across, and if not, then I'll copy it across into the BDC as step 3.1.

Thanks,

Stephen
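As an added example (not part of the thread or of Samba itself), a small POSIX sh pre-flight script for the two failure modes the thread ends up diagnosing: a BDC whose local SID differs from the domain SID, and a passdb.tdb that smbd cannot open or update. The SID and log-scanning helpers run offline on constructed input; the `--live` mode assumes `net getlocalsid` prints "SID for domain NAME is: S-..." and that the log lives at /var/log/samba/log.smbd, both assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an NT4 -> Samba-3 migration.

# An NT4 domain SID has the shape S-1-5-21-<n>-<n>-<n>; builtin SIDs such as
# S-1-5-32-544 must not pass.
sid_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# A BDC must carry exactly the domain SID of the PDC it was vampired from.
sids_match() {
    sid_is_valid "$1" && sid_is_valid "$2" && [ "$1" = "$2" ]
}

# Count log lines (stdin) showing the passdb TDB could not be opened or updated:
# the signatures seen during vampire and during the failed workstation join.
count_tdb_errors() {
    grep -Ec 'Unable to modify passwd TDB|Failed to open/create TDB passwd|failed to open .*passdb\.tdb' || true
}

# Constructed sample in the log.smbd format used in the thread (not a real capture).
sample_log() {
    cat <<'EOF'
[2007/12/08 21:03:36, 0] passdb/pdb_tdb.c:tdb_update_samacct_only(1258)
  Unable to modify passwd TDB!  Error: Record does not exist occured while storing the main record (USER_galaxy$)
[2007/12/10 14:45:45, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
  Returning domain sid for domain BUTLER -> S-1-5-21-1965320917-1955335400-7473742
[2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdbsam_open(818)
  tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
[2007/12/10 14:45:45, 0] passdb/pdb_tdb.c:tdb_update_sam(1335)
  tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
EOF
}

# Live mode (run as root on the Samba box):
#   sh check_migration.sh --live <expected-domain-SID> [/path/to/log.smbd]
# Assumes "net getlocalsid" prints "SID for domain NAME is: S-1-5-21-..." (assumption).
if [ "${1:-}" = "--live" ]; then
    expected=$2
    local_sid=$(net getlocalsid | sed -n 's/.*: *\(S-[0-9-]*\).*/\1/p')
    if sids_match "$expected" "$local_sid"; then
        echo "ok: local SID matches domain SID $expected"
    else
        echo "MISMATCH: local SID '$local_sid' != expected '$expected' (fix: net setlocalsid $expected)"
    fi
    if [ -w /var/lib/samba/passdb.tdb ]; then
        echo "ok: passdb.tdb writable by $(id -un)"
    else
        echo "WARN: passdb.tdb missing or not writable by $(id -un)"
    fi
    n=$(count_tdb_errors < "${3:-/var/log/samba/log.smbd}")   # assumed default log path
    echo "passdb TDB error lines in log: $n"
fi
```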