Alexander Födisch
2011-Nov-08 08:44 UTC
[Samba] Problem while log on: Windows Server 2008 R2 in samba domain
Hi, I have a strange problem with a Windows Server 2008 R2-System as a member of a samba domain (Samba-Version on PDC: 3.4.12). Join was successfully, but when I log on Windows I got an error "Unknown user name or bad password." (Event ID 4625). Here an abstract of logfile for Windows Server 2008 R2-System (log level 10). Maybe some of you has an idea: ------------------------------------------------------------------------------------ [2011/11/07 16:37:15, 9] passdb/passdb.c:2245(pdb_increment_bad_password_count) No lockout policy, don't track bad passwords [2011/11/07 16:37:15, 3] smbd/sec_ctx.c:210(push_sec_ctx) push_sec_ctx(999, 514) : sec_ctx_stack_ndx = 1 [2011/11/07 16:37:15, 3] smbd/uid.c:428(push_conn_ctx) push_conn_ctx(100) : conn_ctx_stack_ndx = 0 [2011/11/07 16:37:15, 3] smbd/sec_ctx.c:310(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 [2011/11/07 16:37:15, 5] auth/token_util.c:522(debug_nt_user_token) NT user token: (NULL) [2011/11/07 16:37:15, 5] auth/token_util.c:548(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2011/11/07 16:37:15, 4] passdb/pdb_ldap.c:2015(ldapsam_update_sam_account) ldapsam_update_sam_account: user foedisch to be modified has dn: uid=foedisch,dc=xxx,dc=xxx,dc=xx [2011/11/07 16:37:15, 2] passdb/pdb_ldap.c:1199(init_ldap_from_sam) init_ldap_from_sam: Setting entry for user: foedisch [2011/11/07 16:37:15, 4] passdb/pdb_ldap.c:2029(ldapsam_update_sam_account) ldapsam_update_sam_account: mods is empty: nothing to update for user: foedisch [2011/11/07 16:37:15, 3] smbd/sec_ctx.c:418(pop_sec_ctx) pop_sec_ctx (999, 514) - sec_ctx_stack_ndx = 0 [2011/11/07 16:37:15, 5] auth/auth.c:274(check_ntlm_password) check_ntlm_password: sam authentication for user [foedisch] FAILED with error NT_STATUS_WRONG_PASSWORD [....] [2011/11/07 16:37:15, 5] rpc_server/srv_netlog_nt.c:1041(_netr_LogonSamLogon) _netr_LogonSamLogon: check_password returned status NT_STATUS_WRONG_PASSWORD [2011/11/07 16:37:15, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug) netr_LogonSamLogon: struct netr_LogonSamLogon out: struct netr_LogonSamLogon return_authenticator : * return_authenticator: struct netr_Authenticator cred: struct netr_Credential data : fafde2c3dc0af8fc timestamp : Mon Nov 7 16:38:40 2011 CET validation : * validation : union netr_Validation(case 3) sam3 : * sam3: struct netr_SamInfo3 base: struct netr_SamBaseInfo last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) account_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL full_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) rid : 0x00000000 (0) primary_gid : 0x00000000 (0) groups: struct samr_RidWithAttributeArray count : 0x00000000 (0) rids : NULL user_flags : 0x00000000 (0) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 0: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 0: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key : 00000000000000000000000000000000 logon_server: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain: struct lsa_StringLarge length : 0x0000 (0) size : 0x0000 (0) string : NULL domain_sid : NULL LMSessKey: struct netr_LMSessionKey key : 0000000000000000 acct_flags : 0x00000000 (0) 0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 0: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 0: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_NO_AUTH_DATA_REQD unknown: ARRAY(7) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) unknown : 0x00000000 (0) sidcount : 0x00000000 (0) sids : NULL authoritative : * authoritative : 0x01 (1) result : NT_STATUS_WRONG_PASSWORD ------------------------------------------------------------------------------------ ~ # ldapsearch -x -H ldaps://<pdc> -D uid=xxx,dc=xxx,dc=xxx,dc=xxx -W -LLL '(sambaDomainName=EVAN)' Enter LDAP Password: dn: sambaDomainName=EVAN,dc=xxx,dc=xxx,dc=xx objectClass: sambaDomain objectClass: sambaUnixIdPool sambaDomainName: EVAN sambaSID: S-1-5-21-1042031166-387543594-2118856591 sambaMinPwdAge: 0 sambaMaxPwdAge: -1 sambaLockoutThreshold: 0 sambaMinPwdLength: 5 sambaLogonToChgPwd: 0 sambaForceLogoff: -1 sambaLockoutDuration: 30 sambaLockoutObservationWindow: 30 sambaRefuseMachinePwdChange: 0 sambaPwdHistoryLength: 0 gidNumber: 3616 sambaNextRid: 1183 uidNumber: 12704 Thank you! Best, Alex
Alexander Födisch
2011-Nov-14 07:39 UTC
[Samba] Problem while log on: Windows Server 2008 R2 in samba domain
an upgrade to Samba 3.5.12 on both domain controllers resolved this issue. Best Alex Am 08.11.2011 09:44, schrieb Alexander F?disch:> Hi, > > I have a strange problem with a Windows Server 2008 R2-System as a member of a samba domain (Samba-Version on PDC: > 3.4.12). > Join was successfully, but when I log on Windows I got an error "Unknown user name or bad password." (Event ID 4625). > > > > Here an abstract of logfile for Windows Server 2008 R2-System (log level 10). Maybe some of you has an idea: > ------------------------------------------------------------------------------------ > [2011/11/07 16:37:15, 9] passdb/passdb.c:2245(pdb_increment_bad_password_count) > No lockout policy, don't track bad passwords > [2011/11/07 16:37:15, 3] smbd/sec_ctx.c:210(push_sec_ctx) > push_sec_ctx(999, 514) : sec_ctx_stack_ndx = 1 > [2011/11/07 16:37:15, 3] smbd/uid.c:428(push_conn_ctx) > push_conn_ctx(100) : conn_ctx_stack_ndx = 0 > [2011/11/07 16:37:15, 3] smbd/sec_ctx.c:310(set_sec_ctx) > setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 > [2011/11/07 16:37:15, 5] auth/token_util.c:522(debug_nt_user_token) > NT user token: (NULL) > [2011/11/07 16:37:15, 5] auth/token_util.c:548(debug_unix_user_token) > UNIX token of user 0 > Primary group is 0 and contains 0 supplementary groups > [2011/11/07 16:37:15, 4] passdb/pdb_ldap.c:2015(ldapsam_update_sam_account) > ldapsam_update_sam_account: user foedisch to be modified has dn: uid=foedisch,dc=xxx,dc=xxx,dc=xx > [2011/11/07 16:37:15, 2] passdb/pdb_ldap.c:1199(init_ldap_from_sam) > init_ldap_from_sam: Setting entry for user: foedisch > [2011/11/07 16:37:15, 4] passdb/pdb_ldap.c:2029(ldapsam_update_sam_account) > ldapsam_update_sam_account: mods is empty: nothing to update for user: foedisch > [2011/11/07 16:37:15, 3] smbd/sec_ctx.c:418(pop_sec_ctx) > pop_sec_ctx (999, 514) - sec_ctx_stack_ndx = 0 > [2011/11/07 16:37:15, 5] auth/auth.c:274(check_ntlm_password) > check_ntlm_password: sam authentication for user [foedisch] FAILED with error NT_STATUS_WRONG_PASSWORD > [....] > [2011/11/07 16:37:15, 5] rpc_server/srv_netlog_nt.c:1041(_netr_LogonSamLogon) > _netr_LogonSamLogon: check_password returned status NT_STATUS_WRONG_PASSWORD > [2011/11/07 16:37:15, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug) > netr_LogonSamLogon: struct netr_LogonSamLogon > out: struct netr_LogonSamLogon > return_authenticator : * > return_authenticator: struct netr_Authenticator > cred: struct netr_Credential > data : fafde2c3dc0af8fc > timestamp : Mon Nov 7 16:38:40 2011 CET > validation : * > validation : union netr_Validation(case 3) > sam3 : * > sam3: struct netr_SamInfo3 > base: struct netr_SamBaseInfo > last_logon : NTTIME(0) > last_logoff : NTTIME(0) > acct_expiry : NTTIME(0) > last_password_change : NTTIME(0) > allow_password_change : NTTIME(0) > force_password_change : NTTIME(0) > account_name: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > full_name: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > logon_script: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > profile_path: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > home_directory: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > home_drive: struct lsa_String > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > logon_count : 0x0000 (0) > bad_password_count : 0x0000 (0) > rid : 0x00000000 (0) > primary_gid : 0x00000000 (0) > groups: struct samr_RidWithAttributeArray > count : 0x00000000 (0) > rids : NULL > user_flags : 0x00000000 (0) > 0: NETLOGON_GUEST > 0: NETLOGON_NOENCRYPTION > 0: NETLOGON_CACHED_ACCOUNT > 0: NETLOGON_USED_LM_PASSWORD > 0: NETLOGON_EXTRA_SIDS > 0: NETLOGON_SUBAUTH_SESSION_KEY > 0: NETLOGON_SERVER_TRUST_ACCOUNT > 0: NETLOGON_NTLMV2_ENABLED > 0: NETLOGON_RESOURCE_GROUPS > 0: NETLOGON_PROFILE_PATH_RETURNED > 0: NETLOGON_GRACE_LOGON > key: struct netr_UserSessionKey > key : 00000000000000000000000000000000 > logon_server: struct lsa_StringLarge > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > domain: struct lsa_StringLarge > length : 0x0000 (0) > size : 0x0000 (0) > string : NULL > domain_sid : NULL > LMSessKey: struct netr_LMSessionKey > key : 0000000000000000 > acct_flags : 0x00000000 (0) > 0: ACB_DISABLED > 0: ACB_HOMDIRREQ > 0: ACB_PWNOTREQ > 0: ACB_TEMPDUP > 0: ACB_NORMAL > 0: ACB_MNS > 0: ACB_DOMTRUST > 0: ACB_WSTRUST > 0: ACB_SVRTRUST > 0: ACB_PWNOEXP > 0: ACB_AUTOLOCK > 0: ACB_ENC_TXT_PWD_ALLOWED > 0: ACB_SMARTCARD_REQUIRED > 0: ACB_TRUSTED_FOR_DELEGATION > 0: ACB_NOT_DELEGATED > 0: ACB_USE_DES_KEY_ONLY > 0: ACB_DONT_REQUIRE_PREAUTH > 0: ACB_PW_EXPIRED > 0: ACB_NO_AUTH_DATA_REQD > unknown: ARRAY(7) > unknown : 0x00000000 (0) > unknown : 0x00000000 (0) > unknown : 0x00000000 (0) > unknown : 0x00000000 (0) > unknown : 0x00000000 (0) > unknown : 0x00000000 (0) > unknown : 0x00000000 (0) > sidcount : 0x00000000 (0) > sids : NULL > authoritative : * > authoritative : 0x01 (1) > result : NT_STATUS_WRONG_PASSWORD > ------------------------------------------------------------------------------------ > > > > > ~ # ldapsearch -x -H ldaps://<pdc> -D uid=xxx,dc=xxx,dc=xxx,dc=xxx -W -LLL '(sambaDomainName=EVAN)' > Enter LDAP Password: > > dn: sambaDomainName=EVAN,dc=xxx,dc=xxx,dc=xx > objectClass: sambaDomain > objectClass: sambaUnixIdPool > sambaDomainName: EVAN > sambaSID: S-1-5-21-1042031166-387543594-2118856591 > sambaMinPwdAge: 0 > sambaMaxPwdAge: -1 > sambaLockoutThreshold: 0 > sambaMinPwdLength: 5 > sambaLogonToChgPwd: 0 > sambaForceLogoff: -1 > sambaLockoutDuration: 30 > sambaLockoutObservationWindow: 30 > sambaRefuseMachinePwdChange: 0 > sambaPwdHistoryLength: 0 > gidNumber: 3616 > sambaNextRid: 1183 > uidNumber: 12704 > > > > > Thank you! > > Best, > Alex > > > > > > > > > >
Reasonably Related Threads
- domain trust relationship with AD 2003 and user profile and home directory problems
- [Help] Samba Panic with Samba 3.0Beta3, LDAP
- reverse name resolving of winbind 3.4.x
- Problem with kerberos method attribut
- Samba 3.0.14 + W2K3 Terminal Services + terminal server profiles