Ralf Gross
2005-Jan-12 16:47 UTC
[Samba] Log on problems since update from 2.2.12 to 3.0.10
Hi, I want to move from Samba 2.2.12 to 3.0.10. I downloade the 3.0.10 sources and compiled them (Solaris 8). Everything went fine. After the install, I tested the new 3.0.10 Samba with the old smb.conf from 2.2.12 (the docs say this should work). I could not log in anymore. I switched back to 2.2.12 and tried the 3.0.10 install on a Suse Linux 8.0 - with the same results. I used most parts from the solaris smb.conf. This is the Samba config of the Linux sytem. It acts as samba server, and later for testing as client too. [global] workgroup = ERS netbios name = sambaserver os level = 0 name resolve order = host lmhost wins encrypt passwords = Yes guest account = Nobody map to guest = Bad User hide dot files = yes unix extensions = yes username map = /etc/samba/smbusers log file = /var/log/samba/%m log level = 3 security = server password server = passwordserver socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY local master = No wins support = No wins server = winsserver character set = ISO8859-15 client code page = 850 veto files = /*.eml/*.nws/riched20.dll/*.{*}/ ... The server is not member in our company domain EMEA. At the moment it is not possible to use 'security = domain', so we use 'security = server'. The server is in the workgroup ERS (no DC!), witch is the name of our department. Authentication happens against the EMEA password server with the UID/PASS users have in the EMEA domain. Mapping between the unix UIDs and domain UIDs is done with the option 'username map'. This worked fine with 2.2.12. I did the tests on the linux system (both client and server!). ralfgro is my EMEA domain account, rg the local unix account. smbclient //sambaserver/ralfgro -U ralfgro -W emea [2005/01/11 09:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789) Domain=[EMEA] NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[] [2005/01/11 09:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804) sesssetupX:name=[EMEA]\[RALFGRO]@[sambaserver] [2005/01/11 09:14:57, 3] lib/username.c:map_username(173) Mapped user RALFGRO to rg [2005/01/11 09:14:57, 3] libsmb/trusts_util.c:enumerate_domain_trusts(149) enumerate_domain_trusts: can't locate a DC for domain ERS [2005/01/11 09:14:57, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [EMEA]\[RALFGRO]@[sambaserver] with the new password interface [2005/01/11 09:14:57, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [ERS]\[rg]@[sambaserver] [2005/01/11 09:15:03, 1] auth/auth_server.c:check_smbserver_security(363) password server passwordserver rejected the password [2005/01/11 09:15:03, 2] auth/auth.c:check_ntlm_password(312) check_ntlm_password: Authentication for user [RALFGRO] -> [rg] FAILED with error NT_STATUS_LOGON_FAILURE [2005/01/11 09:15:03, 3] smbd/error.c:error_packet(129) error packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2005/01/11 09:15:03, 3] smbd/process.c:timeout_processing(1336) timeout_processing: End of file from client (client has disconnected). Some more debug output from smbd, this time from remote client contacting the 3.0.10 sambaserver: $ sbin/smbd -i -d 3 -s /etc/samba/smb.conf get_current_groups: user is in 10 groups: 0, 1, 14, 15, 16, 17, 65533, 65534, 65533, 65534smbd version 3.0.10 started. Copyright Andrew Tridgell and the Samba Team 1992-2004 uid=0 gid=0 euid=0 egid=0 lp_load: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf" Processing section "[global]" Unknown parameter encountered: "character set" Ignoring unknown parameter "character set" Unknown parameter encountered: "client code page" Ignoring unknown parameter "client code page" Processing section "[homes]" adding IPC service adding IPC service added interface ip=$myip bcast=$mybroadcast nmask=255.255.0.0 added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0 loaded services Registered MSG_REQ_POOL_USAGE Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED start_background_queue: Starting background LPQ thread waiting for a connection open_oplock_ipc: opening loopback UDP socket. Linux kernel oplocks enabled open_oplock ipc: pid = 22539, global_oplock_port = 39739 Transaction 0 of length 72 netbios connect: name1=sambaserver name2=client netbios connect: local=sambaserver remote=client, name type = 0 Transaction 1 of length 168 switch message SMBnegprot (pid 22539) conn 0x0 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 Requested protocol [PC NETWORK PROGRAM 1.0] Requested protocol [MICROSOFT NETWORKS 1.03] Requested protocol [MICROSOFT NETWORKS 3.0] Requested protocol [LANMAN1.0] Requested protocol [LM1.2X002] Requested protocol [Samba] Connecting to passwordserverIP at port 445 error connecting to passwordserverIP:445 (Verbindungsaufbau abgelehnt) Connecting to passwordserverIP at port 139 connected to password server passwordserver got session password server OK using password server validation not using SPNEGO Selected protocol NT LANMAN 1.0 Transaction 2 of length 162 switch message SMBsesssetupX (pid 22539) conn 0x0 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 wct=13 flg2=0xc001 Domain=[EMEA] NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[] sesssetupX:name=[EMEA]\[RALFGRO]@[client] Mapped user RALFGRO to rg enumerate_domain_trusts: can't locate a DC for domain ERS check_ntlm_password: Checking password for unmapped user [EMEA]\[RALFGRO]@[client] with the new password interfacecheck_ntlm_password: mapped user is: [ERS]\[rg]@[client] password server passwordserver rejected the password check_ntlm_password: Authentication for user [RALFGRO] -> [rg] FAILED with error NT_STATUS_LOGON_FAILUREerror packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILUREtimeout_processing: End of file from client (client has disconnected). tallocs left: global talloc allocations in pid: 22539 ... I also did a trace with ethereal: ---> Samba 2.2.12 Session Setup AndX Request, User: EMEA\RALFGRO .. Account: RALFGRO Primary Domain: EMEA .. ---> Samba 3.0.10 Session Setup AndX Request, User: ERS\RALFGRO .. Account: RALFGRO Primary Domain: ERS .. Why does samba 3.0.10 turn over the wrong workgroup/domain parameter (ERS) to the password server? If I change the workgroup in the smb.conf file to EMEA it works. But the server should stay in the ERS workgroup. Users always set the workgroup/domain name during the login process. Most of the windowsstandard clients are in the EMEA domain, so this is no problem. This worked fine in 2.2.12. Have there been any changes in Samba 3.x.x that could be important in this case? I know that Samba 3 comes with winbind, but since the server is not member of the EMEA domain, I can't use it (or am I wrong in this?). I'm a bit lost... Ralf
Possibly Parallel Threads
- security = server, username map, different domain -> no login
- winbind - timeouts in domain with >100000 domain users
- domain/unix groups and valid users parameter
- Again: restriction on workgroup name length ?
- 3.0.23 - different errors on solaris 8 (Error in dskattr...)