Daniel Bramkamp
2006-Oct-05 10:08 UTC
[Samba] Issues after Samba updating a Samba PDC to 3.0.23c
Hi,

last Saturday we reinstalled our fileserver to set up redundancy using DRBD and Heartbeat. We also upgraded Samba to 3.0.23c, which is acting as a PDC. We are using OpenLDAP to store accounts. I populated the OpenLDAP database using an LDIF file that I created on the old server before shutting it down. I also transferred all Samba tdb files to the new server.

Everything went pretty smoothly. I could log on to the domain on different terminal servers and workstations. To make sure things were not coming from some cache, I logged on users that had never logged on to a particular terminal server. The terminal server created a user profile and accessing files was possible.

However, on Monday a user called me up because he could not log on to his workstation. I removed his computer from the domain. I renamed the workstation and joined it to the domain again, which worked flawlessly as far as I can tell. However, it did not solve the problem. Yesterday the problem happened again on a different workstation. I tried the same procedure, again without success. I have no idea why, but the user who had the problem a day earlier could log on to the domain again. A bit later the other user was able to log in as well.

I had a look through the logfiles and found 2 messages that may be a problem:

"ldapsam_getgroup: Did not find group"
"smbldap_open: cannot access LDAP when not root"

Also, when running "pdbedit -L -v username" I get a message about a SID that cannot be found. That also happens if username is a machine account. The error message did not appear on the old server.
--- Output pdbedit -L -v administrator ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: administrator
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username:        administrator
NT username:          administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-3718409077-3004042761-2237186970-21000
init_group_from_ldap: Entry found for group: 512
lookup_global_sam_rid: looking up RID 512.
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3718409077-3004042761-2237186970-512] count=0
init_group_from_ldap: Entry found for group: 512
lookup_rids: Domain Admins:2
Primary Group SID:    S-1-5-21-3718409077-3004042761-2237186970-512
Full Name:            Administrator
Home Directory:
HomeDir Drive:        H:
Logon Script:         administrator.bat
Profile Path:
Domain:               STW-GMH
Account desc:         administrator
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Mon, 02 Oct 2006 17:53:12 CEST
Password can change:  Tue, 04 Jul 2006 17:05:04 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---

--- Output pdbedit -L -v stw-031$ ---
WARNING: The "printer admin" option is deprecated
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
Attempting to find an passdb backend to match ldapsam:ldap://localhost:389 (ldapsam)
Found pdb backend ldapsam
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STW-GMH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost:389 has a valid init
init_sam_from_ldap: Entry found for user: stw-031$
Opening cache file at /var/cache/samba/login_cache.tdb
Unix username:        stw-031$
NT username:          stw-031$
Account Flags:        [W          ]
User SID:             S-1-5-21-3718409077-3004042761-2237186970-1005
init_group_from_ldap: Entry found for group: 515
lookup_global_sam_rid: looking up RID 515.
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3718409077-3004042761-2237186970-515] count=0
init_group_from_ldap: Entry found for group: 515
lookup_rids: Domain Computers:2
Primary Group SID:    S-1-5-21-3718409077-3004042761-2237186970-515
Full Name:            STW-031$
Home Directory:
HomeDir Drive:
Logon Script:         stw-031_.bat
Profile Path:
Domain:               STW-GMH
Account desc:         Computer
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Tue, 19 Jan 2038 04:14:07 CET
Kickoff time:         Tue, 19 Jan 2038 04:14:07 CET
Password last set:    Wed, 04 Oct 2006 08:56:17 CEST
Password can change:  Wed, 04 Oct 2006 08:56:17 CEST
Password must change: Tue, 19 Jan 2038 04:14:07 CET
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---

AFAIK the group mappings should be OK:

Domain Admins (S-1-5-21-3718409077-3004042761-2237186970-512) -> Domain Admins
Domain Users (S-1-5-21-3718409077-3004042761-2237186970-513) -> Domain Users
Domain Guests (S-1-5-21-3718409077-3004042761-2237186970-514) -> Domain Guests
Domain Computers (S-1-5-21-3718409077-3004042761-2237186970-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

According to the Release Notes, changes were made in regard to group mappings. However, that should only affect access rights to shares, right?

Any help solving this issue would be much appreciated. Thanks in advance.

-- Daniel Bramkamp
Daniel Bramkamp
2006-Oct-06 12:25 UTC
[Samba] Re: Issues after Samba updating a Samba PDC to 3.0.23c
Hi again,

while the problem is gone now, I am still not sure it won't happen again. I will try to give some more information about the particular setup; maybe that will make it easier/possible for you guys to help me out. First of all, here's my smb.conf:

--- smb.conf ---
[global]
workgroup = stw-gmh
admin users = @"Domain Admins"
netbios name = stw1
server string = STW1
printcap name = cups
load printers = yes
printing = cups
printer admin = @"Domain Admins"
log file = /var/log/samba/log.%m
max log size = 500
log level = 3 passdb:5 auth:10 winbind:2
hosts allow = 192.168. 127.
map to guest = bad user
security = user
encrypt passwords = yes
; unix password sync = Yes
; pam password change = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 192.168.1.1
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = %U.bat
logon path =
logon home =
add user script = /usr/sbin/smbldap-useradd '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/sbin/smbldap-userdel '%g'
add machine script = /usr/sbin/smbldap-useradd -w %m
passdb backend = ldapsam:ldap://localhost:389
ldap admin dn = cn=root,dc=stw-gmh,dc=lan
ldap suffix = dc=stw-gmh,dc=lan
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap password sync = Yes
name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = yes
dns proxy = no
dos charset = 850
unix charset = ISO8859-1

[EDV]
comment = EDV
path = /shared/data/edv
valid users = @edv
read list = @edv
write list = @edv_write
force user = root
force group = edv
create mode = 660
force create mode = 660
directory mode = 770
force directory mode = 770
--- smb.conf ---

There are more shares. They are all defined as in the example above, just with different access rights.

May the "ldapsam_getgroup: Did not find group" message appear because there are no group mappings for the UNIX groups other than "Domain Admins", "Domain Users" and "Domain Computers"? Access rights to the shares are working as intended (as described in the release notes for 3.0.23).

Why it reports "smbldap_open: cannot access LDAP when not root" is beyond me. Google returns some results for this message. Apparently it was a bug in 2003 which has been fixed but was reopened by some guy in Aug. 2005. I am not even sure if I should have to worry about this message at all.

Another thing I have found is this message: "string_to_sid: Sid @Domain Admins does not start with 'S-'." This happens with different groups.

After reading the release notes for various Samba versions, I found that I have to add "index sambaSID sub" to my slapd.conf. Since I haven't done that (shame on me), could it be responsible for some of the issues I am experiencing?

Regarding the domain logon problems, I only got reports from 2 users who are still using fat clients. Both of them are in a branch office connected through a 2 MBit fiber line (bridged). The problem has not happened on the terminal servers or any fat client on the main site, where the servers are located. The branch office had a Samba BDC running which I disabled after updating the PDC. Could it be a network issue that did not show because the clients logged on to the BDC before? Browsing shares / accessing files after a local logon and general network connectivity are OK though.

As mentioned in my original post, the tdb files are from an old installation. Would it be a good idea to delete them and start afresh? Unfortunately I am unable to experiment a lot since this is a production system. Also, I am a bit afraid to make changes for testing purposes because I am not sure if things are going to get worse.

Thanks.

-- Daniel Bramkamp
Daniel Bramkamp
2006-Oct-06 15:17 UTC
[Samba] Re: Issues after Samba updating a Samba PDC to 3.0.23c
Hi again,

*sigh*, I am an idiot. Forget everything about the domain logon problems; I figured out why those 2 users on the workstations in the branch office were not able to log on. For some reason there was still a smbd and nmbd process running on the server which used to be the BDC *blushes*. The OpenLDAP slave instance was stopped on that server though :)

I would still like to know if I have to worry about the strange messages I posted and how I can possibly get rid of them though.

Thanks.

-- Daniel Bramkamp