Hi Harry,

When I install slapd, I didn't get the option to use MDB, so used hdb.

I went through your suggestions and cleaned up the smb.conf. Also added the unixidpool ldif:

dn: sambaDomainName=mydomain,dc=mydomain
sambaDomainName: mydomain
sambaSID: S-1-5-21-3936576374-1604348213-1812434911
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001
uidNumber: 10000
gidNumber: 10000

When I tried to add a Windows 7 machine to the domain I get "Unknown user or wrong password". I was using the "sadmin" login who is in the "sudo". I dumped the user's details into a ldif file and imported it into ldap. I see the following in /var/log/samba/log.win7ldap:

  check_ntlm_password: Checking password for unmapped user [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
[2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [mydomain]\[sadmin]@[WIN7-LDAP]
[2018/03/04 11:04:05.007372, 2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/04 11:04:05.008805, 3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'sadmin' in passdb.
[2018/03/04 11:04:05.008857, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:04:05.008898, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain] was for this SAM.
[2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [sadmin] -> [sadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:04:19.544336, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.199 read error NT_STATUS_CONNECTION_RESET.

After a few retries it comes up with "The security database is corrupted" message in Windows 7.

The following in /var/log/syslog:

sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed

[2018/03/04 11:12:23.780636, 0] auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2018/03/04 11:12:23.780675, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/04 11:12:23.780713, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain] was for this SAM.
[2018/03/04 11:12:23.780746, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [sadmin] -> [sadmin] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/04 11:12:37.544463, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.199 read error NT_STATUS_CONNECTION_RESET.

Any thoughts?

On Sat, Mar 3, 2018 at 4:58 AM, Harry Jede <walk2sun at arcor.de> wrote:
> Hi Rob,
>
> please stay on list. Otherwise I will charge you :-)
>
> By the way I have no problem to get paid.
>
> > Hi Harry,
> >
> > The one very obvious difference is the result of this command:
> > # ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D cn=admin,dc=afrika,dc=xx -w 'sambadomainname=*'
> > dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
> >
> > I get dn: sambaDomainName=MYDOMAIN, dc=mydomain which is different,
> > should it be MYDOMAIN dc=sam3dc?
> I hope you have got the first line, the second will never work:
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> dn: sambaDomainName=MYDOMAIN, dc=mydomain
>
> The difference is just one space. Remember ldap is white space sensitive!!!
>
> You may get trouble with some dns resolver libs, because you use only one
> "domain component". Search for ndots...
> You may also get trouble with certificate name validation for SSL/TLS
> hosts.
>
> > sambaDomainName: MYDOMAIN
> > sambaSID: S-1-5-21-3936576374-1604338294-181246221
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> I prefer to add here an auxiliary objectclass: sambaUnixIdPool
> More later on
>
> > sambaNextUserRid: 1000
> > sambaMinPwdLength: 5
> > sambaPwdHistoryLength: 0
> > sambaLogonToChgPwd: 0
> > sambaMaxPwdAge: -1
> > sambaMinPwdAge: 0
> > sambaLockoutDuration: 30
> > sambaLockoutObservationWindow: 30
> > sambaLockoutThreshold: 0
> > sambaForceLogoff: -1
> > sambaRefuseMachinePwdChange: 0
> > sambaNextRid: 1002
> >
> > ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > dn: cn=schema,cn=config
> >
> > dn: cn={0}core,cn=schema,cn=config
> >
> > dn: cn={1}cosine,cn=schema,cn=config
> >
> > dn: cn={2}nis,cn=schema,cn=config
> >
> > dn: cn={3}inetorgperson,cn=schema,cn=config
> >
> > dn: cn={4}samba,cn=schema,cn=config
> That is the minimum you need. So it is OK.
>
> > ldapsearch -xLLL -s base -b dc=mydomain
> > dn: dc=mydomain
> > objectClass: top
> > objectClass: dcObject
> > objectClass: organization
> > o: mydomain
> > dc: mydomain
> OK
>
> > The one thing I found is that when I tried to add a new Win10 machine
> > to the domain, I got wrong password. The login details I entered are
> > for an admin account. I then changed the password using smbpasswd and
> > then I got the machine was joined with another account error message
> OK. But what error message? What command?
> Please post the resulting machine account.
>
> You should first try a win 7 machine. From win 7 to current win 10
> the default settings for smb protocol have changed. Thanks to wanna cry.
> Maybe "max protocol = NT1" will help. But read man smb.conf section:
> client max protocol. Depending on the used clients you should go with
> the highest protocol level!!!
>
> > The other bits are similar to yours. Here is the smb.conf
> >
> > [global]
> > workgroup = MYDOMAIN
> > bind interfaces only = Yes
> > netbios name = sam3DC
> > security = USER
> > dns forwarder = 8.8.8.8
> "dns forwarder" is not required, *but* if you set this entry,
> it should point to a local DNS server.
> Google is not always the best choice.
>
> > passdb backend = ldapsam:ldap://127.0.0.1/
> > obey pam restrictions = no
> That I would change to yes. If yes, pam can create the
> home directories if you add users from windows tools or
> samba tools. The user dir is created at first logon.
> The template directory is /etc/skel.
>
> > ldap admin dn = cn=admin,dc=mydomain
> > ldap suffix = dc=mydomain
> > ldap group suffix = ou=Group
> > ldap user suffix = ou=People
> > ldap machine suffix = ou=Computers
> > ldap idmap suffix = ou=People
> > ldap passwd sync = No
> > unix password sync = Yes
> > passwd program = /usr/sbin/smbldap-passwd -u %u
> > passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> > ldap ssl= no
> >
> > encrypt passwords = true
> > password server = sam3dc
> What should be the benefit???
> At first you set up this host as a PDC and then you delegate
> to another password server?
>
> > check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
> >
> > unix password sync = No
> You should add:
> ldap passwd sync = yes
> pam password change = yes
> to sync windows and unix passwords.
>
> > log level = 10 auth:5
> tooooooooooooo high
> log level = 1 auth:5
> makes more sense
>
> > syslog = 0
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> >
> > socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192
> Please remove this line. Do not ask me or any other.
> Just do it. It is mystic.
>
> > local master = No
> > domain master = No
> > preferred master = No
> If this host should be a domain controller (primary or secondary)
> change all to yes
>
> Test it with nmblookup i.e.
> # nmblookup SCHULE
> querying SCHULE on 127.255.255.255
> 10.100.0.1 SCHULE<00>
>
> # nmblookup -M SCHULE
> querying SCHULE on 127.255.255.255
> 10.100.0.1 SCHULE<1d>
>
> # nmblookup ALIX
> querying ALIX on 127.255.255.255
> 10.100.0.1 ALIX<00>
>
> # nmblookup -M ALIX
> querying ALIX on 127.255.255.255
> querying ALIX on 10.100.255.255
> name_query failed to find name ALIX#1d
>
> Where SCHULE is the netbios domain name and
> ALIX is the PDC name.
>
> > invalid users
> > hosts deny = ALL
> Fine, you deny all hosts on your network. What are you doing here?
>
> > load printers = Yes
> > printcap name = cups
> > printing = cups
> > add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u
> This will *not* add windows hosts to the ldap backend. So do not
> expect working windows machines.
>
> A common script is:
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
> > # Logon Options
> > logon script = %U.bat
> > logon drive = n:
> > domain logons = Yes
> >
> > logon home = \\%L\%u\%a\.profiles
> > logon home = \\%L\%U\profile
> Overwriting entries in this way seems bad practice, surely it works.
>
> > logon path
> >
> > # Browse Options
> > os level = 65
> > preferred master = Yes
> > local master = Yes
> > domain master = Yes
> Fine, you will set up the NetBIOS stuff. Please remove the
> other lines. This one wins, because it comes later in this file.
>
> > # WINS Options
> > dns proxy = No
> > wins proxy = No
> > wins support = Yes
> >
> > # Getting symlinks working for the OCEs
> > unix extensions = no
> >
> > # Audit settings
> > full_audit:prefix = %u|%I|%S
> > full_audit:failure = none
> > full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> > full_audit:facility = local5
> > full_audit:priority = notice
> >
> > [homes]
> > comment = Home Directories
> > create mask = 0700
> > directory mask = 0700
> > browseable = No
> > read only = No
> > path = %H/samba
> unusual, but if it works for you
>
> > vfs objects = full_audit
> you have silently disabled acl handling!
> vfs objects = acl_xattr full_audit
>
> > follow symlinks = yes
> risky. Remove it if possible. Otherwise change symlinks to real dirs
> and remove them.
>
> Check if you have a machine account for your server:
> # ldapsearch -xLLL 'uid=hostname$'
> I assume you have none.
>
> Now, the unixidpool:
>
> Add the attached ldif with:
> ldapmodify -x -D cn=admin,dc=mydomain -W -f unixidpool.ldif
>
> check if it is OK
> # ldapsearch -xLLL objectclass=sambaunixidpool
>
> Restart samba and reapply the admin password. This should add the machine account:
> smbpasswd -w <ldap admin password>
>
> If the machine account is not there, restart both samba and winbind and
> wait some seconds.
>
> The next usable uidnumber in sambaDomainName should change from 10000 to 10001.
> # ldapsearch -xLLL uidnumber=10001
> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: SCHULE
> sambaSID: S-1-5-21-1507708399-2130971284-2230424465
> sambaAlgorithmicRidBase: 1000
> sambaNextRid: 100000
> sambaNextUserRid: 2000
> sambaNextGroupRid: 100000
> uidNumber: 10001
> gidNumber: 2000
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
>
> have fun
>
> # cat unixidpool.ldif
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> changetype: modify
> add: objectclass
> objectclass: sambaUnixIdPool
> -
> add: uidnumber
> uidnumber: 10000
> -
> add: gidnumber
> gidnumber: 10000
> -
>
> --
>
> Regards
> Harry Jede
On Monday, 5 March 2018, 16:51:41 CET, Rob Thoman wrote:
> Hi Harry,
>
> When I install slapd, I didn't get the option to use MDB, so used hdb
OK,
I have reread the thread. Some questions:
Is your old server still running?
Ubuntu, openldap, samba versions on old and new server

I assume your old server uses tdbsam and your new server ldapsam.

> I went through your suggestions and cleaned up the smb.conf. Also
> added the unixidpool ldif
>
> dn: sambaDomainName=mydomain,dc=mydomain
> sambaDomainName: mydomain
> sambaSID: S-1-5-21-3936576374-1604348213-1812434911
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1001
> uidNumber: 10000
> gidNumber: 10000
Fine.
Are the names mydomain your real and wished names,
or are they coming from samdb migration?

> When I tried to add a Windows 7 machine to the domain I get "Unknown
> user or wrong password". I was using the "sadmin" login who is in the
> "sudo". I dumped the user's details into a ldif file and imported it
> into ldap. I see the following in /var/log/samba/log.win7ldap
>
> check_ntlm_password: Checking password for unmapped user
> [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
> [2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
Indicates that you don't have a valid samba provision. Normal state
after migration. Don't worry, we will fix this.

...

> auth/auth_winbind.c:60(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain
> [mydomain] was for this SAM.
> [2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
> check_ntlm_password: Authentication for user [sadmin] -> [sadmin]
> FAILED with error NT_STATUS_NO_SUCH_USER
As you can see, no winbind operation with a valid admin account,
so no join.

> After a few retries it comes up with "The security database is
> corrupted" message in Windows 7
Same as above

> The following in /var/log/syslog
>
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
> sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
Your ldap db is not well indexed. This gives you bad response times,
but ldap should work.

> [2018/03/04 11:12:23.780636, 0] auth/check_samsec.c:492(check_sam_security)
> check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
The DB may be corrupt or not. Until you have a valid admin account,
any error is possible.

> Any thoughts?
1. check your SIDs on both servers
# net getdomainsid
SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465

2. Check on your new server some entries
become root!!
$ sudo su -
# export SID=S-1-5-21-3936576374-1604348213-1812434911

2.1 check admin
# ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-500" objectclass cn sn uidnumber gidnumber sambaPrimaryGroupSID sambaSID 2>/dev/null

2.2 check domain admins, users and computers
# for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-$s" 2>/dev/null;done

--

Regards
Harry Jede
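Harry's two checks (the domain SID from net getdomainsid, then the sambaSID lookups for RIDs 500, 512, 513 and 515) can also be run offline against an LDIF dump of the directory, which is convenient when a live slapd answers nothing, as Rob reports further down. The following is an added example and is not code from this thread or from Samba: it parses an LDIF export, checks that the sambaDomain entry carries the sambaUnixIdPool attributes, that every sambaSID has the domain SID as its prefix, that the well-known RIDs exist, and that no DN contains a space after a comma, the pitfall Harry pointed out earlier in the thread. The LDIF embedded in the block is constructed sample data, not Rob's directory, and the file name in the usage comment is hypothetical.

```python
"""Offline sanity checks for a Samba 3 ldapsam domain exported as LDIF.

Added example for this thread, not code from Samba or from the posters.
Standard library only; SAMPLE_LDIF below is constructed data.
"""
import re
import sys

# Well-known RIDs the ldapsearch loop above looks for (500 = Administrator).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF record. Folded lines are
    joined, '#' comments skipped, attribute names lowercased (LDAP treats
    'sambaSID' and 'sambasid' as the same attribute)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records


def check_domain(records):
    """Return a list of findings; an empty list means the dump looks sane."""
    findings = []
    # "ldap is white space sensitive": a space after an unescaped comma makes
    # ' dc=mydomain' a different RDN than 'dc=mydomain'.
    for rec in records:
        for dn in rec.get("dn", []):
            if re.search(r"(?<!\\),\s", dn):
                findings.append(f"DN has whitespace after a comma: {dn!r}")
    domains = [r for r in records
               if "sambadomain" in (c.lower() for c in r.get("objectclass", []))]
    if len(domains) != 1:
        findings.append(f"expected one sambaDomain entry, found {len(domains)}")
        return findings
    dom = domains[0]
    domain_sid = dom.get("sambasid", [""])[0]
    if not DOMAIN_SID_RE.match(domain_sid):
        findings.append(f"domain SID is malformed: {domain_sid!r}")
        return findings
    # The unixidpool: auxiliary class plus the next free uid/gid numbers.
    if "sambaunixidpool" not in (c.lower() for c in dom.get("objectclass", [])):
        findings.append("sambaDomain entry lacks objectClass sambaUnixIdPool")
    for attr in ("uidnumber", "gidnumber"):
        if attr not in dom:
            findings.append(f"sambaDomain entry lacks {attr}")
    # Every other sambaSID must be <domain SID>-<RID>; remember the RIDs seen.
    seen_rids = set()
    for rec in records:
        for sid in rec.get("sambasid", []):
            if sid == domain_sid:
                continue
            prefix, _, rid = sid.rpartition("-")
            if prefix != domain_sid or not rid.isdigit():
                findings.append(f"SID {sid} does not belong to domain {domain_sid}")
            else:
                seen_rids.add(int(rid))
    for rid, name in WELL_KNOWN_RIDS.items():
        if rid not in seen_rids:
            findings.append(f"missing well-known RID {rid} ({name})")
    return findings


# Constructed sample: a good domain entry, a DN with a stray space, a machine
# account whose SID belongs to another domain, and no Domain Computers group.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=mydomain
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-1111-2222-3333
uidNumber: 10000
gidNumber: 10000

dn: uid=root,ou=users,dc=mydomain
sambaSID: S-1-5-21-1111-2222-3333-500

dn: cn=Domain Admins,ou=groups,dc=mydomain
sambaSID: S-1-5-21-1111-2222-3333-512

dn: cn=Domain Users, ou=groups,dc=mydomain
sambaSID: S-1-5-21-1111-2222-3333-513

dn: uid=win7$,ou=computers,dc=mydomain
sambaSID: S-1-5-21-1111-2222-9999-1001
"""

if __name__ == "__main__":
    # python ldapsam_check.py dump.ldif   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for finding in check_domain(parse_ldif(text)):
        print("FINDING:", finding)
```

On the sample it reports the stray space in the Domain Users DN, the machine account whose SID prefix is not the domain SID, and the missing RID 515; a dump taken with ldapsearch -xLLL against the real base would be checked the same way. A SID-prefix finding is exactly what the net getdomainsid comparison is meant to surface: accounts imported from a tdbsam with a different domain SID are never matched by the "sambasid=$SID-500" search.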
Hi Gruss,

At this stage there is only one server, running 3.6.25 on Ubuntu 12.04. The plan is to get LDAP to work on this one. Then add the second server (4.x), promote it to BDC and then demote this one. Just a side info, we didn't want to go tdbsam in both as I read it breaks the domain trust.

The domain names are real ones.

I ran the commands you suggested, nothing in reply. I tried ldapi:// and ldap://sam3dc.mydomain .

Let me run through what I did.

/etc/ldap/ldap.conf:

BASE dc=mydomain
URI ldap://sam3dc.mydomain
TLS_CACERT /etc/ldap/ca_certs.pem

Imported the samba.ldif from the 3.6.25 binaries.

Imported the indices:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none

Did the certificates, confirmed working.

Added the following:

dn: ou=users,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: computers

Added the unixidpool as per your email:

cat unixidpool.ldif
dn: sambaDomainName=MYDOMAIN,dc=mydomain
changetype: modify
add: objectclass
objectclass: sambaUnixIdPool
-
add: uidnumber
uidnumber: 10000
-
add: gidnumber
gidnumber: 10000

Then smbpasswd -a '' bit.
Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with entries from tdb.
Then exported the /etc/passwd and /etc/group and imported using the migration tool scripts.

Here is smb.conf:

workgroup = MYDOMAIN
netbios name = sam3dc
security = USER
obey pam restrictions = Yes
encrypt passwords = true
preferred master = Yes
local master = Yes
domain master = Yes
domain logons = yes
max protocol = NT1
map untrusted to domain = Yes
os level = 65
time server = yes
passdb backend = ldapsam
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=admin,dc=mydomain
ldap suffix = dc=mydomain
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://sam3dc.mydomain/
idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config *: ldap_user_dn = cn=admin,dc=example,dc=com
ldap delete dn = yes
ldap password sync = yes
wins support = yes
ldap ssl= no
add user script = /usr/bin/smbldap-useradd -m '%u'
delete user script = /usr/bin/smbldap-userdel '%u'
add group script = /usr/bin/smbldap-groupadd -p '%g'
delete group script = /usr/bin/smbldap-groupdel '%g'
add user to group script = /usr/bin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/bin/smbldap-groupmod -x '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
set primary group script = /usr/bin/smbldap-usermod -g '%g' '%u'
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
add machine script = /usr/sbin/smbldap-useradd -w "%u"

I then did some tests:
- Reverted smb.conf back to use tdbsam
- Was able to join the win7 machine to the domain, of course
- Removed the win7 machine from the domain
- Changed the smb.conf back to ldapsam
- Changed the ldapsam:trusted to no from yes
- I was able to add
  Win7 machine back to the domain, possibly because the computer account was already in place
- Then tried to add a new Windows 10 machine, with ldapsam:trusted=yes, same issue with db corruption
- Then changed ldapsam:trusted=no, different error message: "The specified computer account could not be found"
- The following in the samba logs:

[2018/03/04 16:37:59.448745, 2] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
  Returning domain sid for domain MYDOMAIN -> S-1-5-21-3936576374-1604348213-1812465911
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522.
Unable to open /etc/smbldap-tools/smbldap.conf for reading !
Compilation failed in require at /usr/sbin/smbldap-useradd line 29.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-useradd line 29.
[2018/03/04 16:37:59.579160, 0] passdb/pdb_interface.c:476(pdb_default_create_user)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "win10-split$"' gave 2
[2018/03/04 16:38:12.723642, 4] auth/pampass.c:483(smb_pam_start)
  smb_pam_start: PAM: Init user: tadmin
[2018/03/04 16:38:12.725997, 4] auth/pampass.c:492(smb_pam_start)
  smb_pam_start: PAM: setting rhost to: 192.168.14.191
[2018/03/04 16:38:12.726044, 4] auth/pampass.c:501(smb_pam_start)
  smb_pam_start: PAM: setting tty
[2018/03/04 16:38:12.726080, 4] auth/pampass.c:509(smb_pam_start)
  smb_pam_start: PAM: Init passed for user: tadmin
[2018/03/04 16:38:12.726114, 4] auth/pampass.c:646(smb_internal_pam_session)
  smb_internal_pam_session: PAM: tty set to: smb/2471/100
[2018/03/04 16:38:12.726451, 4] auth/pampass.c:465(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2018/03/04 16:38:12.726853, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.191 read error NT_STATUS_CONNECTION_RESET.

On Mon, Mar 5, 2018 at 9:38 PM, Harry Jede <walk2sun at arcor.de> wrote:
> On Monday, 5 March 2018, 16:51:41 CET, Rob Thoman wrote:
> > Hi Harry,
> >
> > When I install slapd, I didn't get the option to use MDB, so used hdb
> OK,
> I have reread the thread. Some questions:
> Is your old server still running?
> Ubuntu, openldap, samba versions on old and new server
>
> I assume your old server uses tdbsam and your new server ldapsam.
>
> > I went through your suggestions and cleaned up the smb.conf. Also
> > added the unixidpool ldif
> >
> > dn: sambaDomainName=mydomain,dc=mydomain
> > sambaDomainName: mydomain
> > sambaSID: S-1-5-21-3936576374-1604348213-1812434911
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> > objectClass: sambaUnixIdPool
> > sambaNextUserRid: 1000
> > sambaMinPwdLength: 5
> > sambaPwdHistoryLength: 0
> > sambaLogonToChgPwd: 0
> > sambaMaxPwdAge: -1
> > sambaMinPwdAge: 0
> > sambaLockoutDuration: 30
> > sambaLockoutObservationWindow: 30
> > sambaLockoutThreshold: 0
> > sambaForceLogoff: -1
> > sambaRefuseMachinePwdChange: 0
> > sambaNextRid: 1001
> > uidNumber: 10000
> > gidNumber: 10000
> Fine.
> Are the names mydomain your real and wished names,
> or are they coming from samdb migration?
>
> > When I tried to add a Windows 7 machine to the domain I get "Unknown
> > user or wrong password". I was using the "sadmin" login who is in the
> > "sudo". I dumped the user's details into a ldif file and imported it
> > into ldap. I see the following in /var/log/samba/log.win7ldap
> >
> > check_ntlm_password: Checking password for unmapped user
> > [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
> > [2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
> Indicates that you don't have a valid samba provision. Normal state
> after migration. Don't worry, we will fix this.
>
> ...
>
> > auth/auth_winbind.c:60(check_winbind_security)
> > check_winbind_security: Not using winbind, requested domain
> > [mydomain] was for this SAM.
> > [2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
> > check_ntlm_password: Authentication for user [sadmin] -> [sadmin]
> > FAILED with error NT_STATUS_NO_SUCH_USER
> As you can see, no winbind operation with a valid admin account,
> so no join.
>
> > After a few retries it comes up with "The security database is
> > corrupted" message in Windows 7
> Same as above
>
> > The following in /var/log/syslog
> >
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> Your ldap db is not well indexed. This gives you bad response times,
> but ldap should work.
>
> > [2018/03/04 11:12:23.780636, 0] auth/check_samsec.c:492(check_sam_security)
> > check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
> The DB may be corrupt or not. Until you have a valid admin account,
> any error is possible.
>
> > Any thoughts?
> 1. check your SIDs on both servers
> # net getdomainsid
> SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
> SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465
>
> 2. Check on your new server some entries
> become root!!
> $ sudo su -
> # export SID=S-1-5-21-3936576374-1604348213-1812434911
>
> 2.1 check admin
> # ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-500" objectclass cn sn uidnumber gidnumber sambaPrimaryGroupSID sambaSID 2>/dev/null
>
> 2.2 check domain admins, users and computers
> # for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-$s" 2>/dev/null;done
>
> --
>
> Regards
> Harry Jede
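Several of the review points in this thread are mechanical: a parameter set twice so that the later occurrence silently wins (local master and preferred master in the first smb.conf, add machine script in the second), idmap DNs that sit under a different base than ldap suffix (the second smb.conf has ldap suffix = dc=mydomain but ldap_base_dn and ldap_user_dn under dc=example,dc=com), and a log level far higher than needed. The following is an added example, not code from Samba or from either poster: a small smb.conf linter that reads the file with Samba's own name-matching rule (parameter names are case-insensitive and internal whitespace is ignored) and reports those three conditions. The embedded smb.conf is constructed sample data in the shape of the configs posted above, not Rob's file; the log-level threshold of 3 is an arbitrary choice, and the file name in the usage comment is hypothetical. It goes a little beyond the thread in that it checks every idmap ldap_*_dn parameter, not only ldap_base_dn.

```python
"""Lint an smb.conf for the problems raised in this thread.

Added example, not code from Samba or from the posters. Three checks:
duplicate parameters (the later occurrence silently wins), LDAP DN
parameters that are not under 'ldap suffix', and a 'log level' above a
threshold. SAMPLE_SMB_CONF is constructed data.
"""
import re
import sys


def norm(name):
    """Samba compares parameter names case-insensitively and ignores
    internal whitespace, so 'Log Level' and 'loglevel' are the same key."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: [(normalised name, value), ...]}, keeping every
    occurrence so duplicates can be reported. Lines before the first
    [section] header belong to [global], as in Samba itself."""
    sections, current = {"global": []}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment line
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        name, sep, value = line.partition("=")
        if sep:                                    # ignore lines without '='
            sections[current].append((norm(name), value.strip()))
    return sections


def dn_under(dn, suffix):
    """True if dn equals suffix or ends with ',suffix'. Whitespace around
    commas is ignored here so that 'ou=x, dc=y' still counts as under dc=y."""
    def tidy(s):
        return re.sub(r"\s*,\s*", ",", s.strip()).lower()
    d, s = tidy(dn), tidy(suffix)
    return d == s or d.endswith("," + s)


def lint(text, max_log_level=3):
    """Return a list of findings for the smb.conf text (empty = nothing found)."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        effective = {}
        for name, value in params:
            if name in effective:
                findings.append(f"[{section}] '{name}' set twice; last wins: "
                                f"{value!r} overrides {effective[name]!r}")
            effective[name] = value
        if section != "global":
            continue
        suffix = effective.get("ldapsuffix")
        if suffix:
            for name, value in effective.items():
                # 'ldap admin dn' and the idmap ldap_*_dn entries hold DNs;
                # 'ldap delete dn' is a boolean and is deliberately skipped.
                if (name == "ldapadmindn" or name.endswith("_dn")) \
                        and not dn_under(value, suffix):
                    findings.append(f"[global] '{name}' = {value!r} "
                                    f"is not under ldap suffix {suffix!r}")
        level = effective.get("loglevel", "").split()
        if level and level[0].isdigit() and int(level[0]) > max_log_level:
            findings.append(f"[global] log level {level[0]} is above "
                            f"{max_log_level}; this floods the logs")
    return findings


# Constructed sample in the shape of the configs posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYDOMAIN
   security = USER
   log level = 10 auth:5
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=admin,dc=mydomain
   ldap suffix = dc=mydomain
   ldap ssl= no
   ldap delete dn = yes
   idmap config *: backend = ldap
   idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
   add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
   local master = No
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   local master = Yes

[homes]
   path = %H/samba
   read only = No
"""

if __name__ == "__main__":
    # python smbconf_lint.py /etc/samba/smb.conf   (no argument: the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for finding in lint(text):
        print("FINDING:", finding)
```

On the sample it reports the two duplicated parameters, the idmap base DN outside dc=mydomain, and the log level of 10. testparm will also tell you the effective value of a parameter, but it does not complain about a duplicate or about a DN that does not match the suffix; those only show up later as the search failures and "not found" errors seen in the logs above.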