samba - Jan 2005 - Log on problems since update from 2.2.12 to 3.0.10

Hi,

I want to move from Samba 2.2.12 to 3.0.10. I downloade the 3.0.10
sources and compiled them (Solaris 8). Everything went fine. After the
install, I tested the new 3.0.10 Samba with the old smb.conf from 2.2.12
(the docs say this should work). I could not log in anymore.

I switched back to 2.2.12 and tried the 3.0.10 install on a Suse Linux
8.0 - with the same results. I used most parts from the solaris
smb.conf.

This is the Samba config of the Linux sytem. It acts as samba server,
and later for testing as client too.

[global]
workgroup = ERS
netbios name = sambaserver
os level = 0
name  resolve order = host lmhost wins
encrypt passwords = Yes
guest account = Nobody
map to guest = Bad User
hide dot files = yes
unix extensions = yes
username map = /etc/samba/smbusers
log file = /var/log/samba/%m
log level = 3
security = server
password server = passwordserver
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
local master = No
wins support = No
wins server = winsserver
character set = ISO8859-15
client code page = 850
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
...

The server is not member in our company domain EMEA. At the moment it is
not possible to use 'security = domain', so we use 'security =
server'.
The server is in the workgroup ERS (no DC!), witch is the name of our
department.
Authentication happens against the EMEA password server with the
UID/PASS users have in the EMEA domain. Mapping between the unix UIDs
and domain UIDs is done with the option 'username map'. This worked fine
with 2.2.12.

I did the tests on the linux system (both client and server!).
ralfgro is my EMEA domain account, rg the local unix account.

smbclient //sambaserver/ralfgro -U ralfgro -W emea

[2005/01/11 09:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789)
  Domain=[EMEA]  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2005/01/11 09:14:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804)
  sesssetupX:name=[EMEA]\[RALFGRO]@[sambaserver]
[2005/01/11 09:14:57, 3] lib/username.c:map_username(173)
  Mapped user RALFGRO to rg
[2005/01/11 09:14:57, 3] libsmb/trusts_util.c:enumerate_domain_trusts(149)
  enumerate_domain_trusts: can't locate a DC for domain ERS
[2005/01/11 09:14:57, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
  [EMEA]\[RALFGRO]@[sambaserver] with the new password interface
[2005/01/11 09:14:57, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [ERS]\[rg]@[sambaserver]
[2005/01/11 09:15:03, 1] auth/auth_server.c:check_smbserver_security(363)
  password server passwordserver rejected the password
[2005/01/11 09:15:03, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [RALFGRO]
  -> [rg] FAILED with error NT_STATUS_LOGON_FAILURE
[2005/01/11 09:15:03, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX)
  NT_STATUS_LOGON_FAILURE
[2005/01/11 09:15:03, 3] smbd/process.c:timeout_processing(1336)
  timeout_processing: End of file from client (client has disconnected).

Some more debug output from smbd, this time from remote client contacting
the 3.0.10 sambaserver:
$ sbin/smbd -i -d 3 -s /etc/samba/smb.conf
get_current_groups: user is in 10 groups: 0, 1, 14, 15, 16, 17, 65533,
65534, 65533, 65534smbd version 3.0.10 started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
uid=0 gid=0 euid=0 egid=0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
Unknown parameter encountered: "character set"
Ignoring unknown parameter "character set"
Unknown parameter encountered: "client code page"
Ignoring unknown parameter "client code page"
Processing section "[homes]"
adding IPC service
adding IPC service
added interface ip=$myip bcast=$mybroadcast nmask=255.255.0.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
loaded services
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
start_background_queue: Starting background LPQ thread
waiting for a connection
open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 22539, global_oplock_port = 39739
Transaction 0 of length 72
netbios connect: name1=sambaserver        name2=client
netbios connect: local=sambaserver remote=client, name type = 0
Transaction 1 of length 168
switch message SMBnegprot (pid 22539) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [Samba]
Connecting to passwordserverIP at port 445
error connecting to passwordserverIP:445 (Verbindungsaufbau abgelehnt)
Connecting to passwordserverIP at port 139
connected to password server passwordserver
got session
password server OK
using password server validation
not using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 2 of length 162
switch message SMBsesssetupX (pid 22539) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=13 flg2=0xc001
Domain=[EMEA]  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
sesssetupX:name=[EMEA]\[RALFGRO]@[client]
Mapped user RALFGRO to rg
enumerate_domain_trusts: can't locate a DC for domain ERS
check_ntlm_password:  Checking password for unmapped user
[EMEA]\[RALFGRO]@[client] with the new password interfacecheck_ntlm_password: 
mapped user is: [ERS]\[rg]@[client]
password server passwordserver rejected the password
check_ntlm_password:  Authentication for user [RALFGRO] -> [rg] FAILED
with error NT_STATUS_LOGON_FAILUREerror packet at smbd/sesssetup.c(887) cmd=115
(SMBsesssetupX)
NT_STATUS_LOGON_FAILUREtimeout_processing: End of file from client (client has
disconnected).
tallocs left:
global talloc allocations in pid: 22539
...

I also did a trace with ethereal:

---> Samba 2.2.12
Session Setup AndX Request, User: EMEA\RALFGRO
..
Account: RALFGRO
Primary Domain: EMEA
..

---> Samba 3.0.10
Session Setup AndX Request, User: ERS\RALFGRO
..
Account: RALFGRO
Primary Domain: ERS
..

Why does samba 3.0.10 turn over the wrong workgroup/domain parameter (ERS)
to the password server?

If I change the workgroup in the smb.conf file to EMEA it works. But the  
                                       server should stay in the ERS
workgroup. Users always set the                                           
      workgroup/domain name during the login process. Most of the
windowsstandard clients are in the EMEA domain, so this is no problem.

This worked fine in 2.2.12. Have there been any changes in Samba 3.x.x
that could be important in this case? I know that Samba 3 comes with
winbind, but since the server is not member of the EMEA domain, I can't
use it (or am I wrong in this?).

I'm a bit lost...

Ralf