Daniel Bramkamp
2006-Oct-05 10:08 UTC
[Samba] Issues after Samba updating a Samba PDC to 3.0.23c
Hi,

last Saturday we reinstalled our fileserver to set up redundancy using DRBD and Heartbeat. We also upgraded Samba to 3.0.23c, which is acting as a PDC. We are using OpenLDAP to store accounts. I populated the OpenLDAP database using an LDIF file that I created on the old server before shutting it down. I also transferred all Samba tdb files to the new server. Everything went pretty smoothly. I could log on to the domain on different terminal servers and workstations. To make sure things were not coming from some cache, I logged on users that had never logged on to a particular terminal server. The terminal server created a user profile and accessing files was possible.

However, on Monday a user called me up because he could not log on to his workstation. I removed his computer from the domain. I renamed the workstation and joined it to the domain again, which worked flawlessly as far as I can tell. However, it did not solve the problem. Yesterday the problem happened again on a different workstation. I tried the same procedure, again without success. I have no idea why, but the user who had the problem a day earlier could log on to the domain again. A bit later the other user was able to log in as well.

I had a look through the logfiles and found 2 messages that may be a problem:

"ldapsam_getgroup: Did not find group"
"smbldap_open: cannot access LDAP when not root"

Also, when running "pdbedit -L -v username" I get a message about a SID that cannot be found. That also happens if username is a machine account. The error message did not appear on the old server.
--- Output pdbedit -L -v administrator ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: administrator
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username: administrator
NT username: administrator
Account Flags: [U ]
User SID: S-1-5-21-3718409077-3004042761-2237186970-21000
init_group_from_ldap: Entry found for group: 512
lookup_global_sam_rid: looking up RID 512.
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3718409077-3004042761-2237186970-512] count=0
init_group_from_ldap: Entry found for group: 512
lookup_rids: Domain Admins:2
Primary Group SID: S-1-5-21-3718409077-3004042761-2237186970-512
Full Name: Administrator
Home Directory:
HomeDir Drive: H:
Logon Script: administrator.bat
Profile Path:
Domain: STW-GMH
Account desc: administrator
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Mon, 02 Oct 2006 17:53:12 CEST
Password can change: Tue, 04 Jul 2006 17:05:04 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---

--- Output pdbedit -L -v stw-031$ ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: stw-031$
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username: stw-031$
NT username: stw-031$
Account Flags: [W ]
User SID: S-1-5-21-3718409077-3004042761-2237186970-1005
init_group_from_ldap: Entry found for group: 515
lookup_global_sam_rid: looking up RID 515.
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3718409077-3004042761-2237186970-515] count=0
init_group_from_ldap: Entry found for group: 515
lookup_rids: Domain Computers:2
Primary Group SID: S-1-5-21-3718409077-3004042761-2237186970-515
Full Name: STW-031$
Home Directory:
HomeDir Drive:
Logon Script: stw-031_.bat
Profile Path:
Domain: STW-GMH
Account desc: Computer
Workstations:
Munged dial:
Logon time: 0
Logoff time: Tue, 19 Jan 2038 04:14:07 CET
Kickoff time: Tue, 19 Jan 2038 04:14:07 CET
Password last set: Wed, 04 Oct 2006 08:56:17 CEST
Password can change: Wed, 04 Oct 2006 08:56:17 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---

AFAIK the group mappings should be OK:

Domain Admins (S-1-5-21-3718409077-3004042761-2237186970-512) -> Domain Admins
Domain Users (S-1-5-21-3718409077-3004042761-2237186970-513) -> Domain Users
Domain Guests (S-1-5-21-3718409077-3004042761-2237186970-514) -> Domain Guests
Domain Computers (S-1-5-21-3718409077-3004042761-2237186970-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

According to the Release Notes, changes were made with regard to group mappings. However, that should only affect access rights to shares, right?

Any help solving this issue would be much appreciated. Thanks in advance.

--
Daniel Bramkamp
Daniel Bramkamp
2006-Oct-06 12:25 UTC
[Samba] Re: Issues after Samba updating a Samba PDC to 3.0.23c
Hi again,
while the problem is gone now, I am still not sure it won't happen
again. I will try to give some more information about the particular
setup, maybe that will make it easier/possible for you guys to help me
out.
First of all, here's my smb.conf:
--- smb.conf ---
[global]
workgroup = stw-gmh
admin users = @"Domain Admins"
netbios name = stw1
server string = STW1
printcap name = cups
load printers = yes
printing = cups
printer admin = @"Domain Admins"
log file = /var/log/samba/log.%m
max log size = 500
log level = 3 passdb:5 auth:10 winbind:2
hosts allow = 192.168. 127.
map to guest = bad user
security = user
encrypt passwords = yes
; unix password sync = Yes
; pam password change = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 192.168.1.1
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = %U.bat
logon path =
logon home =
add user script = /usr/sbin/smbldap-useradd '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow '%g' | awk '/^gidNumber:/ {print $2}'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%m'
passdb backend = ldapsam:ldap://localhost:389
ldap admin dn = cn=root,dc=stw-gmh,dc=lan
ldap suffix = dc=stw-gmh,dc=lan
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap password sync = Yes
name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = yes
dns proxy = no
dos charset = 850
unix charset = ISO8859-1
[EDV]
comment = EDV
path = /shared/data/edv
valid users = @edv
read list = @edv
write list = @edv_write
force user = root
force group = edv
create mode = 660
force create mode = 660
directory mode = 770
force directory mode = 770
--- smb.conf ---
There are more shares. They are all defined as the example above, just
with different access rights. May the "ldapsam_getgroup: Did not find
group" message appear because there are no group mappings for the UNIX
groups other than "Domain Admins", "Domain Users", "Domain
Computers"?
Access rights to the shares are working as intended (as described in
the release notes for 3.0.23).
Why it reports "smbldap_open: cannot access LDAP when not root" is
beyond me. Google returns some results for this message. Apparently it
was a bug in 2003 which has been fixed but was reopened by some guy in
Aug. 2005. Not even sure if I should have to worry about this message
at all.
Another thing I have found is this message :
"string_to_sid: Sid @Domain Admins does not start with 'S-'."
This happens with different groups.
After reading the release notes for various samba versions, I found
that I have to add "index sambaSID sub" to my slapd.conf. Since I
haven't done that (shame on me), could it be responsible for some of
the issues I am experiencing?
Regarding the domain logon problems I only got reports from 2 users
who are still using fat clients. Both of them are in a branch office
connected through a 2 MBit fiber line (bridged). The problem has not
happened on the terminalservers or any fat client on the main site,
where the servers are located. The branch office had a Samba BDC
running which I disabled after updating the PDC. Could it be a network
issue that did not show because the clients logged on to the BDC
before? Browsing shares / accessing files after a local logon and
general network connectivity are ok though.
As mentioned in my original post, the tdb files are from an old
installation. Would it be a good idea to delete them and start afresh ?
Unfortunately I am unable to experiment a lot since this is a
production system. Also, I am a bit afraid to make changes for testing
purposes because I am not sure if things are going to get worse.
Thanks.
--
Daniel Bramkamp
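One way to check the ldapsam data for the two conditions behind the messages quoted above (the "Unable to locate SID [...-512]" from pdbedit, and the "ldapsam_getgroup: Did not find group" asked about in this post), as an added example that is not code from the thread or from Samba: it parses an LDIF dump of the Samba suffix (for instance from slapcat) and reports sambaSamAccount entries whose sambaPrimaryGroupSID has no matching sambaGroupMapping object, plus posixGroups that carry no mapping at all. The sample LDIF is constructed; the attribute and objectClass names are those of the Samba 3 LDAP schema, and the domain SID is the one from the pdbedit output.

```python
def parse_ldif(text):
    """Minimal LDIF parser: entries split on blank lines, folded lines joined, base64 ('::') skipped."""
    entries, cur, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):                      # folded continuation line
            if prev:
                cur[prev][-1] += raw[1:]
        elif not raw.strip():                        # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, prev = {}, None
        else:
            attr, _, value = raw.partition(":")
            prev = None if value.startswith(":") else attr.lower()
            if prev:
                cur.setdefault(prev, []).append(value.strip())
    return entries + [cur] if cur else entries

def check_group_sids(ldif_text):
    """Return ({unresolved primary-group SID: [users]}, [posixGroups with no sambaGroupMapping])."""
    entries = parse_ldif(ldif_text)
    has = lambda e, oc: oc.lower() in (v.lower() for v in e.get("objectclass", []))
    mapped = {e["sambasid"][0] for e in entries
              if has(e, "sambaGroupMapping") and "sambasid" in e}
    missing, unmapped = {}, []
    for e in entries:
        if has(e, "sambaSamAccount"):
            pg = e.get("sambaprimarygroupsid", [""])[0]
            if pg and pg not in mapped:              # pdbedit: "Unable to locate SID [...]"
                missing.setdefault(pg, []).append(e.get("uid", ["?"])[0])
        elif has(e, "posixGroup") and not has(e, "sambaGroupMapping"):
            unmapped.append(e.get("cn", ["?"])[0])   # ldapsam_getgroup: "Did not find group"
    return missing, unmapped

# Constructed sample (domain SID as in the pdbedit output above): RID 512 has no sambaGroupMapping.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=Users,dc=stw-gmh,dc=lan
objectClass: sambaSamAccount
uid: administrator
sambaPrimaryGroupSID: S-1-5-21-3718409077-3004042761-2237186970-512

dn: cn=Domain Users,ou=Groups,dc=stw-gmh,dc=lan
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3718409077-3004042761-2237186970-513

dn: cn=edv,ou=Groups,dc=stw-gmh,dc=lan
objectClass: posixGroup
cn: edv
"""
```

Run check_group_sids() over the LDIF of the real suffix: a primary group SID listed in the first result is exactly the case pdbedit complains about, and UNIX groups in the second result are the ones ldapsam has no mapping for.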
Daniel Bramkamp
2006-Oct-06 15:17 UTC
[Samba] Re: Issues after Samba updating a Samba PDC to 3.0.23c
Hi again,

*sigh*, I am an idiot. Forget everything about the domain logon problems, I figured out why those 2 users on the workstations in the branch office were not able to log on. For some reason there was still a smbd and nmbd process running on the server which used to be the BDC *blushes*. The OpenLDAP slave instance was stopped on that server though :)

I would still like to know if I have to worry about the strange messages I posted and how I can possibly get rid of them though.

Thanks.

--
Daniel Bramkamp