Bruno Ferreira
2005-Oct-03 17:27 UTC
[Samba] 2.2 to 3.0.x PDC upgrade: an XP box no longer authenticates domain users with the Samba PDC
Hi! I've recently been upgrading a Samba 2.2 installation to 3.0 (on a SuSE 9.3 machine, specific version is 3.0.13-1.1-SuSE). Everything went more or less okay, but I'm stumped on the following problem... here's the general setup:

* Samba acting as a PDC (named "servidor"). Was upgraded from 2.2 to 3.0. I copied the smb.conf file, and the passwd/shadow/smbpasswd files. I edited the smb.conf to match 3.0's configuration changes.
* XP workstations, no problems there.
* XP box running some Windows-specific stuff (named "servidor_xp") that authenticates people connecting to it through the PDC. Had no problems in the 2.2 days.

Here's what happens: the XP box no longer auths users. I checked the Samba log and I see this:

[2005/10/03 18:01:04, 2] lib/access.c:check_access(324)
  Allowed connection from servidor_xp.domain.lan (192.168.0.220)
[2005/10/03 18:01:04, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
  netsec_decode: FAILED: packet sequence number:
[2005/10/03 18:01:04, 2] lib/util.c:dump_data(1995)
  [000] 24 32 D2 AB 6B 37 A4 DA  $2..k7..
[2005/10/03 18:01:04, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
  should be:
[2005/10/03 18:01:04, 2] lib/util.c:dump_data(1995)
  [000] 00 00 00 00 80 00 00 00  ........
[2005/10/03 18:01:04, 2] lib/access.c:check_access(324)
  Allowed connection from servidor_xp.domain.lan (192.168.0.220)
[2005/10/03 18:01:04, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [joe] -> [joe] -> [joe] succeeded

So basically, even though Samba authenticates the user just fine, something wrong seems to happen with that "netsec_decode FAILED [...]" part, which is most likely causing the authentication not to succeed. I googled around in mailing lists for similar stuff and I found that this usually relates to mismatching SIDs, but even though I know what a SID is, more than that goes over my head (and it might not even be related at all).

Just for kicks, I deleted all .tdb files in /var/lib/samba so that Samba would recreate them (thinking that old stale SIDs were somehow stored there), but to no avail.

Does anyone know what the problem is and how to solve it?

--
Bruno Ferreira
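Added example (not part of the original posts, and not Samba project code): a small parser for the level-2 log excerpt quoted in the message above. It pairs each netsec_decode sequence-number failure with the most recent "Allowed connection" client and the received and expected bytes, so affected machines can be listed from a larger log. The function name and the header-line-then-indented-body layout are assumptions; the sample lines are copied from the post.

```python
import re

# Lines copied from the log excerpt in the post above (header line + indented body).
SAMPLE_LOG = """\
[2005/10/03 18:01:04, 2] lib/access.c:check_access(324)
  Allowed connection from servidor_xp.domain.lan (192.168.0.220)
[2005/10/03 18:01:04, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
  netsec_decode: FAILED: packet sequence number:
[2005/10/03 18:01:04, 2] lib/util.c:dump_data(1995)
  [000] 24 32 D2 AB 6B 37 A4 DA  $2..k7..
[2005/10/03 18:01:04, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
  should be:
[2005/10/03 18:01:04, 2] lib/util.c:dump_data(1995)
  [000] 00 00 00 00 80 00 00 00  ........
[2005/10/03 18:01:04, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [joe] -> [joe] -> [joe] succeeded
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] \S+:(\w+)\(\d+\)$")
ALLOWED = re.compile(r"Allowed connection from (\S+) \(([\d.]+)\)")
HEXDUMP = re.compile(r"\[\d{3}\]((?: [0-9A-Fa-f]{2})+)")

def find_netsec_failures(log_text):
    """Pair each netsec_decode sequence-number failure with the last allowed client."""
    failures, client, pending, want, func, when = [], (None, None), None, None, None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:                      # "[time, level] file.c:function(line)"
            when, func = header.groups()
        elif func == "check_access" and ALLOWED.search(line):
            client = ALLOWED.search(line).groups()
        elif func == "netsec_decode" and "FAILED: packet sequence number" in line:
            pending = dict(time=when, host=client[0], ip=client[1], received=b"", expected=b"")
            want = "received"           # the next hex dump is what the client sent
        elif func == "netsec_decode" and line.startswith("should be") and pending:
            want = "expected"           # the next hex dump is what the server expected
        elif func == "dump_data" and pending and want and HEXDUMP.search(line):
            pending[want] = bytes.fromhex(HEXDUMP.search(line).group(1).replace(" ", ""))
            if want == "expected":      # both dumps seen: record the failure
                failures.append(pending)
                pending = None
            want = None
    return failures

if __name__ == "__main__":
    for f in find_netsec_failures(SAMPLE_LOG):
        print(f["time"], f["host"], f["ip"], f["received"].hex(), f["expected"].hex())
```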
Bruno Ferreira
2005-Oct-04 23:27 UTC
[Samba] 2.2 to 3.0.x PDC upgrade: an XP box no longer authenticates domain users with the Samba PDC
Craig White wrote:

> On Mon, 2005-10-03 at 18:34 +0100, Bruno Ferreira wrote:
>
>> [snip]
>
> ----
> just guessing - does
> net getlocalsid
> match the SID for your domain according to the WindowsXP box?
>
> Craig

Well I eventually solved the problem by removing the XP box from the domain and then having it re-join. However, I still don't quite understand the details of what went on.

"net getlocalsid" gave me a specific SID for the domain. I didn't know how to obtain the domain SID in the Windows box, but I tried sysinternals.com's NewSID. It showed me the same SID before and after rejoining the domain, so I really didn't understand what went on :(

--
Bruno Ferreira