Dan
2006-Sep-18 22:41 UTC
[Samba] joining domain fails because of no samba entries with 3.0.23c
Hello All,

I am having a very strange problem with samba 3.0.23c. I upgraded everything from 3.0.9 and I am able to smbclient to the samba 3.0.23c PDC with the administrator user just fine. When I go to add a machine to the domain, it adds the unix machine account to the ou=computers like it is supposed to but none of the samba entries are added. I get an error on the windows side of "The user name can not be found." but I know the administrator user is there. The group mappings are correct for both the windows and unix groups, both on the PDC machine and in my openldap backend.

I am using the idealx scripts with 'smbldap-useradd -w '%u'. It was my understanding that the scripts are not supposed to add the samba stuff anymore but either samba itself or the machine does that, I am not sure. Is this correct? Has anyone else seen things like this? I searched and found a bunch of similar things but no real solutions.

I see in the logs where it is searching for the name of the machine and the sambaSamAccount objectclass and failing because it is not there, but I can't figure out why it is not getting created. I have put the relevant log section below and can supply more if needed. I suspect I am missing something simple. Any help would be greatly appreciated.

[2006/09/18 18:30:05, 4] rpc_server/srv_lsa_hnd.c:find_policy_by_hnd_internal(162)
  Found policy hnd[0]
  [000] 00 00 00 00 05 00 00 00 00 00 00 00 ED 1D 0F 45 ........ ....?..E
  [010] 8B 7A 00 00 .z..
[2006/09/18 18:30:05, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(222)
  _samr_create_user: access check ((granted: 0x000d067b; required: 0x00000010)
[2006/09/18 18:30:05, 10] rpc_server/srv_samr_nt.c:can_create(2389)
  Checking whether [MYCOMPUTER$] can be created
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 512) : sec_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/18 18:30:05, 10] passdb/lookup_sid.c:lookup_name(64)
  lookup_name: MYCOMPUTER$ => (domain), MYCOMPUTER$ (name)
[2006/09/18 18:30:05, 10] passdb/util_wellknown.c:lookup_wellknown_name(154)
  map_name_to_wellknown_sid: looking up MYCOMPUTER$
[2006/09/18 18:30:05, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(340)
  secrets_fetch failed!
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2006/09/18 18:30:05, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/18 18:30:05, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [o=my.domain.com], filter => [(&(uid=MYCOMPUTER$)(objectclass=sambaSamAccount))], scope => [2]
[2006/09/18 18:30:05, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1396)
  ldapsam_getsampwnam: Unable to locate user [MYCOMPUTER$] count=0
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2006/09/18 18:30:05, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/18 18:30:05, 5] lib/smbldap.c:smbldap_search_ext(1179)
  smbldap_search_ext: base => [ou=groups,o=my.domain.com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=MYCOMPUTER$)(cn=MYCOMPUTER$)))], scope => [2]
[2006/09/18 18:30:05, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2213)
  ldapsam_getgroup: Did not find group
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
[2006/09/18 18:30:05, 10] rpc_server/srv_samr_nt.c:can_create(2399)
  MYCOMPUTER$ does not exist, can create it
[2006/09/18 18:30:05, 5] rpc_server/srv_samr_nt.c:_samr_create_user(2501)
  _samr_create_user: can add this account : True
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 512) : sec_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(101) : conn_ctx_stack_ndx = 0
[2006/09/18 18:30:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/09/18 18:30:05, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/09/18 18:30:05, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user MYCOMPUTER$
[2006/09/18 18:30:05, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is MYCOMPUTER$
[2006/09/18 18:30:05, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is MYCOMPUTER$
[2006/09/18 18:30:05, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in MYCOMPUTER$
[2006/09/18 18:30:05, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [MYCOMPUTER$]!
[2006/09/18 18:30:08, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w 'MYCOMPUTER$'' gave 0
[2006/09/18 18:30:08, 5] lib/username.c:Get_Pwnam_alloc(131)
  Finding user MYCOMPUTER$
[2006/09/18 18:30:08, 5] lib/username.c:Get_Pwnam_internals(75)
  Trying _Get_Pwnam(), username as lowercase is MYCOMPUTER$
[2006/09/18 18:30:08, 5] lib/username.c:Get_Pwnam_internals(83)
  Trying _Get_Pwnam(), username as given is MYCOMPUTER$
[2006/09/18 18:30:08, 5] lib/username.c:Get_Pwnam_internals(102)
  Checking combinations of 0 uppercase letters in MYCOMPUTER$
[2006/09/18 18:30:08, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [MYCOMPUTER$]!
[2006/09/18 18:30:08, 3] passdb/pdb_interface.c:pdb_default_create_user(381)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
[2006/09/18 18:30:08, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_create_user
[2006/09/18 18:30:08, 6] rpc_parse/parse_prs.c:prs_debug(84)
  000000 smb_io_pol_hnd user_pol
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint32(704)
  0000 data1: 00000000
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint32(704)
  0004 data2: 00000000
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint16(675)
  0008 data3: 0000
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint16(675)
  000a data4: 0000
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint8s(851)
  000c data5: 00 00 00 00 00 00 00 00
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint32(704)
  0014 access_granted: 00000000
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_uint32(704)
  0018 user_rid : 00000000
[2006/09/18 18:30:08, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
  001c status: NT_STATUS_NO_SUCH_USER
[2006/09/18 18:30:08, 5] rpc_server/srv_pipe.c:api_rpcTNP(2305)
  api_rpcTNP: called samr successfully
[2006/09/18 18:30:08, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(529)
  free_pipe_context: destroying talloc pool of size 302
[2006/09/18 18:30:08, 10] rpc_server/srv_pipe_hnd.c:write_to_internal_pipe(963)
  write_to_pipe: data_used = 76
[2006/09/18 18:30:08, 6] rpc_server/srv_pipe_hnd.c:read_from_pipe(995)
  read_from_pipe: 7763 name: samr len: 1024
Dan
2006-Sep-20 16:02 UTC
[Samba] joining domain fails because of no samba entries with 3.0.23c
It adds the computer just fine but still doesn't have any samba attributes like sambaSID etc. I thought I read the computer or the smbd daemon is supposed to populate the samba attributes now instead of the scripts. Is this not the case?

Thanks.

ryan punt wrote:
> What happens when you run "smbldap-useradd -w MYCOMPUTER$" from the command line? I've found that useful for debugging machine-account-creation problems.
>
> Ryan
>
> >>> Dan <samba@the-rusty-nail.com> 9/18/2006 5:41:21 PM >>>
> Hello All,
> I am having a very strange problem with samba 3.0.23c. I upgraded
> everything from 3.0.9 and I am able to smbclient to the samba 3.0.23c
> PDC with the administrator user just fine. When I go to add a machine
> to the domain, it adds the unix machine account to the ou=computers like
> it is supposed to but none of the samba entries are added. I get an
> error on the windows side of "The user name can not be found." but I
> know the administrator user is there. The group mappings are correct
> for both the windows and unix groups, both on the PDC machine and in my
> openldap backend. I am using the idealx scripts with 'smbldap-useradd
> -w '%u'. It was my understanding that the scripts are not supposed
> to add the samba stuff anymore but either samba itself or the machine
> does that, I am not sure. Is this correct? Has anyone else seen things
> like this? I searched and found a bunch of similar things but no real
> solutions. I see in the logs where it is searching for the name of the
> machine and the sambaSamAccount objectclass and failing because it is
> not there, but I can't figure out why it is not getting created. I have
> put the relevant log section below and can supply more if needed. I
> suspect I am missing something simple. Any help would be greatly
> appreciated.
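A triage sketch for the log posted in the first message, added here as an example and not part of the thread or of Samba: it parses smbd debug entries and flags the sequence visible in that log, where the add-machine script reports exit status 0, the Get_Pwnam lookup that follows still cannot find the account, and creation ends in NT_STATUS_NO_SUCH_USER. The sample entries are copied from the posted log; the function names are assumptions of this example.

```python
import re

# Constructed sample: four entries copied from the log posted in the thread.
SAMPLE_LOG = """\
[2006/09/18 18:30:05, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [MYCOMPUTER$]!
[2006/09/18 18:30:08, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w 'MYCOMPUTER$'' gave 0
[2006/09/18 18:30:08, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [MYCOMPUTER$]!
[2006/09/18 18:30:08, 3] passdb/pdb_interface.c:pdb_default_create_user(381)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+):(\w+)\((\d+)\)$")
SCRIPT = re.compile(r"Running the command `(.+)' gave (-?\d+)")
NOT_FOUND = re.compile(r"Get_Pwnam_internals didn't find user \[(.+?)\]")


def parse_entries(text):
    """Split smbd debug output into dicts: time, level, func, msg."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a header line starts a new entry
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(4), "msg": ""})
        elif entries and line:  # continuation lines belong to the last entry
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries


def diagnose(entries):
    """Report script runs that exited 0 but left the account unresolvable."""
    findings, pending = [], None
    for e in entries:
        s = SCRIPT.search(e["msg"])
        if s:
            pending = {"time": e["time"], "command": s.group(1),
                       "exit": int(s.group(2)), "unresolved": None}
            continue
        if pending and pending["exit"] == 0:
            n = NOT_FOUND.search(e["msg"])
            if n:  # Unix account lookup failed after the script succeeded
                pending["unresolved"] = n.group(1)
            elif "NT_STATUS_NO_SUCH_USER" in e["msg"] and pending["unresolved"]:
                findings.append(pending)
                pending = None
    return findings
```

A finding means the next check on the PDC is whether the account the script wrote resolves through the system's passwd lookup, for example with `getent passwd 'MYCOMPUTER$'`.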