samba - Sep 2006 - Failed to setup guest info

I've been trying for the past week to get Samba and LDAP to work 
together as a PDC on my Gentoo box and allow some XP boxes to get in.

I've read and followed the how-to's (emerged and unmergred more then a 
few times)

My LDAP accounts all seem to work when I do the ssh test into them.

Changing the domain in XP fails with the "network path not found
error"
even after all the registry tweaks. While tring to work through this 
issue I discoved that smbd is not starting correctly.

Code:
thebird # tail /var/log/samba/log.smbd
[2006/08/24 20:28:01, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/08/24 20:28:01, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/08/24 20:28:01, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/08/24 20:28:01, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(979)
  fetch sid from gid cache 65534 -> S-1-22-2-65534
[2006/08/24 20:28:01, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.


I'm thinking that the failed to setup guest info needs to be the first 
thing fixed. I thought I had disabled guest accounts in my smb.conf so 
don't understand why it fails.

I have samba-3.0.23a installed. Here is my smb.conf. I don't have 
networked printers so I commented out all the printer calls.

Code:
#======================= Global Settings 
====================================[global]

# 1. Server Naming Options:
   workgroup = CRAWFORD_HOUSE
   netbios name = TheBird
   server string = LDAP PDC on Samba Server %v

# 2. Printing Options:
;   printcap name = cups
;   load printers = yes
;   printing = cups
;   printer admin = @adm
;   printer admin = @"Domain Admins"

# 3. Logging Options:
   time server = yes
   log file = /var/log/samba/log.%m
   max log size = 50
   log level = 3

# 4. Security and Domain Membership Options:
   hosts allow = 192.168.1. 192.168.6. 127.0.0.1
#  guest account = smbguest
#  map to guest = bad user
   security = user
;  password level = 8
;  username level = 8
  encrypt passwords = yes
;  unix password sync = Yes
  pam password change = yes
;  username map = /etc/samba/smbusers

# 5. Browser Control and Networking Options:
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = lo eth0
   bind interfaces only = yes
;  interfaces = 192.168.12.2/24 192.168.13.2/24
   local master = yes
   os level = 65
   domain master = yes
;  preferred master = yes

# 6. Domain Control Options:
   domain logons = yes
;  logon script = %m.bat
;  logon script = %U.bat
   logon path = \\%L\profiles\%U
   logon drive = Z:
   logon home = \\%L\%U
   add user script = /usr/sbin/smbldap-useradd -m "%u"

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain 
controller.
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   delete user script = /usr/sbin/userdel -r "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u"
"%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u"

# Domain groups:
# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:
# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap delete dn = Yes
;  idmap uid = 10000-20000
;  idmap gid = 10000-20000

# LDAP configuration for Domain Controlling:
   ldap admin dn = cn=Manager,dc=CRAWFORD_HOUSE,dc=NET
   ldap ssl = no

# start_tls should run on 389, but samba defaults incorrectly to 636
;  ldap port = 389
   ldap suffix = dc=CRAWFORD_HOUSE,dc=NET
;  ldap server = ldap.mydomain.com

# Seperate suffixes are available for machines, users, groups, and idmap, if
   ldap machine suffix = ou=Hosts
   ldap user suffix = ou=People
   ldap group suffix = ou=Group
   ldap idmap suffix = ou=Idmap

# 7. Name Resolution Options:
# Windows Internet Name Serving Support Section:
   wins support = yes
   name resolve order = wins lmhosts host bcast

# WINS Proxy - Tells Samba to answer name resolution queries on
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
   dns proxy = no

# 8. File Naming Options:
;   preserve case = no
;   short preserve case = no
# Default case is normally upper case for all DOS files
;   default case = lower
# Be very careful with case sensitivity - it can break things!
;   case sensitive = no

#============================ Share Definitions 
=============================[homes]
   comment = Home Directories
   path = /home/%U
   browseable = no
   valid users = %S
   read only = no
   create mask = 0664
   directory mask = 0775

# Un-comment the following and create the netlogon directory for Domain 
Logons
[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
#  guest ok = no
   path = /var/lib/samba/netlogon
   browseable = no
   write list = root

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
 [profiles]
   path = /var/lib/samba/profiles
   writable = yes
   browsable = no
   create mode = 0644
   directory mode = 0755
   guest ok = no

;[printers]
;   comment = All Printers
;   path = /var/spool/samba
;   browseable = no
# to allow user 'guest account' to print.
#   guest ok = yes
;   writable = no
;   printable = yes
    create mode = 0700
# ====================================# print command: see above for details.
# ====================================;   print command = lpr-cups -P %p -o raw
%s -r   # using client side
printer drivers.
;   print command = lpr-cups -P %p %s # using cups own drivers (use 
generic PostScript on clients).
# The following two commands are the samba defaults for printing=cups
# change them only if you need different options:
;   lpq command = lpq -P %p
;   lprm command = cancel %p-%j

;[print$]
;   path = /var/lib/samba/printers
;   browseable = yes
;   read only = yes
;   write list = @adm root
#   guest ok = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
 [public]
    comment = Public Stuff
    path = /public
    public = yes
    browseable = yes
    write list = @users

testparm seems to indicate no error

Code:
thebird # testparm -v
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

Both getent passwd and getent group show nobody listed.


When I stop samba smbd comes up with [!!]

My wife would really appreciate any help in pointing me in the correct 
direction so I can again spend time with her again.

Thanks

Dean Crawford

Reading some of the other threads I've also pulled this further 
information in a hope someone can point me in the right direction to get 
this working.

Extract from pdbedit -Lv nobody

Opening cache file at /var/cache/samba/login_cache.tdb
Looking up login cache for user nobody
No cache entry found
No cache entry, bad count = 0, bad time = 0
Unix username:        nobody
NT username:          nobody
Account Flags:        [NDU        ]
User SID:             S-1-5-21-3036719436-1097781103-347993853-2998
smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(gidNumber=65534))], scope => [2]
Primary Group SID:    S-1-5-21-3036719436-1097781103-347993853-513
Full Name:            nobody
Home Directory:       \\PDC-SRV\nobody
HomeDir Drive:        H:
Logon Script:
Profile Path:         \\PDC-SRV\profiles\nobody
Domain:               CRAWFORD_HOUSE

/var/log/samba/log.smbd with  log level = 9
[2006/09/05 22:24:13, 6] passdb/pdb_interface.c:pdb_getsampwsid(320)
 pdb_getsampwsid: Building guest account
[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
 smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(gidNumber=65534))], scope => [2]
[2006/09/05 22:24:13, 3] passdb/lookup_sid.c:store_gid_sid_cache(1038)
 store_gid_sid_cache: gid 65534 in cache -> S-1-22-2-65534
[2006/09/05 22:24:13, 3] passdb/lookup_sid.c:fetch_gid_from_cache(999)
 fetch gid from cache 65534 -> S-1-22-2-65534
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:push_sec_ctx(208)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/09/05 22:24:13, 3] smbd/uid.c:push_conn_ctx(345)
 push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:set_sec_ctx(241)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/09/05 22:24:13, 5] auth/auth_util.c:debug_nt_user_token(449)
 NT user token: (NULL)
[2006/09/05 22:24:13, 5] auth/auth_util.c:debug_unix_user_token(475)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2006/09/05 22:24:13, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/09/05 22:24:13, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(979)
 fetch sid from gid cache 65534 -> S-1-22-2-65534
[2006/09/05 22:24:13, 5] auth/auth_util.c:make_server_info_sam(603)
 make_server_info_sam: made server info for user nobody -> nobody
[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
 smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))], scope
=>
[2]
[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
 smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], filter 
=> [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope
=>
[2]
[2006/09/05 22:24:13, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=Group,dc=CRAWFORD_HOUSE,dc=NET], 
filter => 
[(&(|(objectclass=sambaGroupMapping)(sambaGroupType=4))(|(sambaSIDList=S-1-5-21-3036719436-1097781103-347993853-501)(sambaSIDList=S-1-22-2-65534)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2)(sambaSIDList=S-1-5-32-546)))],
scope => [2]
[2006/09/05 22:24:13, 0] smbd/server.c:main(960)
 ERROR: failed to setup guest info.

Thanks

Dean Crawford



Dean Crawford wrote:
> I've been trying for the past week to get Samba and LDAP to work 
> together as a PDC on my Gentoo box and allow some XP boxes to get in.
>
> I've read and followed the how-to's (emerged and unmergred more
then a
> few times)
>
> My LDAP accounts all seem to work when I do the ssh test into them.
>
> Changing the domain in XP fails with the "network path not found 
> error" even after all the registry tweaks. While tring to work through
> this issue I discoved that smbd is not starting correctly.
>
> Code:
> thebird # tail /var/log/samba/log.smbd
> [2006/08/24 20:28:01, 3] smbd/uid.c:push_conn_ctx(345)
>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2006/08/24 20:28:01, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2006/08/24 20:28:01, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2006/08/24 20:28:01, 3] 
> passdb/lookup_sid.c:fetch_sid_from_gid_cache(979)
>  fetch sid from gid cache 65534 -> S-1-22-2-65534
> [2006/08/24 20:28:01, 0] smbd/server.c:main(960)
>  ERROR: failed to setup guest info.
>
>
> I'm thinking that the failed to setup guest info needs to be the first 
> thing fixed. I thought I had disabled guest accounts in my smb.conf so 
> don't understand why it fails.
>
> I have samba-3.0.23a installed. Here is my smb.conf. I don't have 
> networked printers so I commented out all the printer calls.
>
> Code:
> #======================= Global Settings 
> ====================================> [global]
>
> # 1. Server Naming Options:
>   workgroup = CRAWFORD_HOUSE
>   netbios name = TheBird
>   server string = LDAP PDC on Samba Server %v
>
> # 2. Printing Options:
> ;   printcap name = cups
> ;   load printers = yes
> ;   printing = cups
> ;   printer admin = @adm
> ;   printer admin = @"Domain Admins"
>
> # 3. Logging Options:
>   time server = yes
>   log file = /var/log/samba/log.%m
>   max log size = 50
>   log level = 3
>
> # 4. Security and Domain Membership Options:
>   hosts allow = 192.168.1. 192.168.6. 127.0.0.1
> #  guest account = smbguest
> #  map to guest = bad user
>   security = user
> ;  password level = 8
> ;  username level = 8
>  encrypt passwords = yes
> ;  unix password sync = Yes
>  pam password change = yes
> ;  username map = /etc/samba/smbusers
>
> # 5. Browser Control and Networking Options:
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   interfaces = lo eth0
>   bind interfaces only = yes
> ;  interfaces = 192.168.12.2/24 192.168.13.2/24
>   local master = yes
>   os level = 65
>   domain master = yes
> ;  preferred master = yes
>
> # 6. Domain Control Options:
>   domain logons = yes
> ;  logon script = %m.bat
> ;  logon script = %U.bat
>   logon path = \\%L\profiles\%U
>   logon drive = Z:
>   logon home = \\%L\%U
>   add user script = /usr/sbin/smbldap-useradd -m "%u"
>
> # Scripts for LDAP backend (assumes nss_ldap is in use on the domain 
> controller.
>   add user script = /usr/sbin/smbldap-useradd -m "%u"
>   delete user script = /usr/sbin/userdel -r "%u"
>   add machine script = /usr/sbin/smbldap-useradd -w "%u"
>   add group script = /usr/sbin/smbldap-groupadd -p "%g"
>   delete group script = /usr/sbin/groupdel "%g"
>   add user to group script = /usr/sbin/smbldap-groupmod -m "%u"
"%g"
>   delete user from group script = /usr/sbin/smbldap-groupmod -x
"%u" "%g"
>   set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u"
>
> # Domain groups:
> # Domain groups are now configured by using the 'net groupmap' tool
>
> # Samba Password Database configuration:
> # Enable SSL by using an ldaps url, or enable tls with 'ldap ssl'
below.
>   passdb backend = ldapsam:ldap://127.0.0.1
>   ldap delete dn = Yes
> ;  idmap uid = 10000-20000
> ;  idmap gid = 10000-20000
>
> # LDAP configuration for Domain Controlling:
>   ldap admin dn = cn=Manager,dc=CRAWFORD_HOUSE,dc=NET
>   ldap ssl = no
>
> # start_tls should run on 389, but samba defaults incorrectly to 636
> ;  ldap port = 389
>   ldap suffix = dc=CRAWFORD_HOUSE,dc=NET
> ;  ldap server = ldap.mydomain.com
>
> # Seperate suffixes are available for machines, users, groups, and 
> idmap, if
>   ldap machine suffix = ou=Hosts
>   ldap user suffix = ou=People
>   ldap group suffix = ou=Group
>   ldap idmap suffix = ou=Idmap
>
> # 7. Name Resolution Options:
> # Windows Internet Name Serving Support Section:
>   wins support = yes
>   name resolve order = wins lmhosts host bcast
>
> # WINS Proxy - Tells Samba to answer name resolution queries on
> ;   wins proxy = yes
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
>   dns proxy = no
>
> # 8. File Naming Options:
> ;   preserve case = no
> ;   short preserve case = no
> # Default case is normally upper case for all DOS files
> ;   default case = lower
> # Be very careful with case sensitivity - it can break things!
> ;   case sensitive = no
>
> #============================ Share Definitions 
> =============================> [homes]
>   comment = Home Directories
>   path = /home/%U
>   browseable = no
>   valid users = %S
>   read only = no
>   create mask = 0664
>   directory mask = 0775
>
> # Un-comment the following and create the netlogon directory for 
> Domain Logons
> [netlogon]
>   comment = Network Logon Service
>   path = /var/lib/samba/netlogon
> #  guest ok = no
>   path = /var/lib/samba/netlogon
>   browseable = no
>   write list = root
>
> # Un-comment the following to provide a specific roving profile share
> # the default is to use the user's home directory
> [profiles]
>   path = /var/lib/samba/profiles
>   writable = yes
>   browsable = no
>   create mode = 0644
>   directory mode = 0755
>   guest ok = no
>
> ;[printers]
> ;   comment = All Printers
> ;   path = /var/spool/samba
> ;   browseable = no
> # to allow user 'guest account' to print.
> #   guest ok = yes
> ;   writable = no
> ;   printable = yes
>    create mode = 0700
> # ====================================> # print command: see above for
details.
> # ====================================> ;   print command = lpr-cups -P
%p -o raw %s -r   # using client side
> printer drivers.
> ;   print command = lpr-cups -P %p %s # using cups own drivers (use 
> generic PostScript on clients).
> # The following two commands are the samba defaults for printing=cups
> # change them only if you need different options:
> ;   lpq command = lpq -P %p
> ;   lprm command = cancel %p-%j
>
> ;[print$]
> ;   path = /var/lib/samba/printers
> ;   browseable = yes
> ;   read only = yes
> ;   write list = @adm root
> #   guest ok = yes
>
> # A publicly accessible directory, but read only, except for people in
> # the "staff" group
> [public]
>    comment = Public Stuff
>    path = /public
>    public = yes
>    browseable = yes
>    write list = @users
>
> testparm seems to indicate no error
>
> Code:
> thebird # testparm -v
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Processing section "[public]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
>
> Both getent passwd and getent group show nobody listed.
>
>
> When I stop samba smbd comes up with [!!]
>
> My wife would really appreciate any help in pointing me in the correct 
> direction so I can again spend time with her again.
>
> Thanks
>
> Dean Crawford

Hi Jerry

Yes when I set winbind nested groups = no everything loads correctly.

Can I assume this means then that there is something screwy with my groups?

Dean
 
> Try setting 'winbind nested groups = no' as a temporary
> workaround and let me know what happens.
> 
>