Chris Hellwig
2006-Dec-03 09:21 UTC
[Samba] can join a domain, but users are not able to log in
Hi,

I have a samba server which should act as a domain controller. I did not set up the server by myself.

I can "see" and use the server's shares with windows and linux clients. Everything - including the security settings - for the shares works as expected.

I can join a client to the domain, this works with manually adding the machine account as well as with the adduser script. I can remove the client from the domain and rejoin it again....

But if I try to login with a user account from a client it rejects me with a (German) message
"Das System kann sie nicht bei dieser Domäne anmelden, da das Computerkonto des Systems in seiner primären Domäne fehlt, oder das Kennwort für dieses Computerkonto falsch ist."

That means (more or less) "The system could not log you on to the domain since the machine account of the system is missing in its private domain or the password of the machine account is wrong."

Here is what the client says (loglevel 3)

[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
  Transaction 1 of length 137
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
  switch message SMBnegprot (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN1.0]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [Windows for Workgroups 3.1a]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LM1.2X002]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [LANMAN2.1]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [NT LM 0.12]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_nt1(333)
  using SPNEGO
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(555)
  Selected protocol NT LM 0.12
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
  Transaction 2 of length 202
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 32
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xe0008297
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
  Transaction 3 of length 240
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
  switch message SMBsesssetupX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/11/27 18:28:48, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user []\[]@[POSEIDON] with the new password interface
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [xxx-xxxxxx]\[]@[POSEIDON]
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded
[2006/11/27 18:28:48, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60008295
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(222)
  User name: nobody Real name: nobody
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
  UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
  Transaction 4 of length 78
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
  switch message SMBtconX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/service.c:make_connection_snum(479)
  Connect path is '/tmp' for service [IPC$]
[2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(251)
[2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(252)
  se_access_check: user sid is S-1-5-21-500209785-908428947-3421464510-501
  se_access_check: also S-1-5-21-500209785-908428947-3421464510-514
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
  se_access_check: also S-1-5-21-500209785-908428947-3421464510-132069
[2006/11/27 18:28:48, 3] smbd/vfs.c:vfs_init_default(206)
  Initialising default vfs hooks
[2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share IPC$.
[2006/11/27 18:28:48, 0] smbd/service.c:make_connection_snum(577)
  Can't become connected user!
[2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/11/27 18:29:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 3] smbd/process.c:process_smb(1091)
  Transaction 5 of length 43
[2006/11/27 18:29:56, 3] smbd/process.c:switch_message(886)
  switch message SMBulogoffX (pid 472) conn 0x0
[2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 3] smbd/reply.c:reply_ulogoffX(1264)
  ulogoffX vuid=100
[2006/11/27 18:29:56, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 2] smbd/server.c:exit_server(609)
  Closing connections
[2006/11/27 18:29:56, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/11/27 18:29:56, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

It looks to me like the client does not send ANY password to the server
"Checking password for unmapped user []\[]@[POSEIDON] with the new password interface"

Silly enough: I WAS able to login to the domain a few weeks ago.... But I don't know what happened since then.

The smb.conf:

# Global parameters
[global]
   log file = /var/log/samba/log.%m
   protocol = NT1
   smb passwd file = /etc/samba/smbpasswd
   ldap ssl = no
   client signing = auto
   client schannel = auto
   username map = /etc/samba/user.map
   domain master = Yes
   time server = Yes
   encrypt passwords = yes
   keepalive = 0
   passwd program = /usr/bin/passwd %u
   wins support = true
   netbios name = XXXX
   server string = XXXXXXXXXX
   writeable = yes
   logon script = logon.bat
   workgroup = XXX-XXXXX
   logon path = \\%L\profiles\%u
   os level = 34
   server signing = off
   valid users = @users
   syslog = 5
   security = user
   panic action = /usr/share/samba/panic-action %d
   add machine script = /usr/sbin/useradd -g computers -c Client -d /dev/null -s /bin/false %u
   server schannel = auto
   log level = 5
   domain logons = Yes
   pam password change = Yes

[netlogon]
   profile acls = Yes
   browseable = No
   writeable = no
   path = /etc/samba/netlogon
   write list = ntadmins
   comment = Logonscripte

[profiles]
   path = /data/profiles
   write list = @users
   force group = users
   comment = Das Verzeichnis mit den Nutzerprofilen
   valid users = @users
   create mode = 0777
   directory mode = 775

[homes]
   create mask = 0600
   browseable = no
   comment = Nutzerverzeichnis
   path = /home/%u

[printers]
   comment = Alle Drucker
   browseable = no
   printable = yes
   public = yes
   path = /home/guest
   use client driver = Yes

Any help available?

Chris
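An added example, not part of the original post: a small Python triage script that groups Samba log entries under their headers and ties a share denial back to the session setup that produced its vuid. The sample entries are an excerpt of the log posted above; the function and field names are this example's own.

```python
import re

# Excerpt of the log posted above (header line + message line per entry).
SAMPLE_LOG = """\
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
  UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share IPC$.
[2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)$")
AUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
VUID = re.compile(r"UNIX uid \d+ is UNIX user (\S+), and will be vuid (\d+)")
DENY = re.compile(r"unix user (\S+), vuid (\d+)\) not permitted access to share (\S+?)\.?$")
STATUS = re.compile(r"\b(NT_STATUS_\w+)")

def parse_entries(text):
    """Attach each message line to the '[time, level] file:func(line)' header before it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(entries):
    """Tie each share denial back to the session setup that created its vuid."""
    pending, sessions, findings = None, {}, []
    for e in entries:
        msg = e["msg"]
        if m := AUTH.search(msg):            # NTLMSSP identity the client sent
            pending = {"user": m[1], "workstation": m[3], "guest": False}
        elif pending and "guest authentication" in msg and "succeeded" in msg:
            pending["guest"] = True
        elif pending and (m := VUID.search(msg)):   # session bound to a UNIX user
            sessions[m[2]], pending = {**pending, "unix_user": m[1]}, None
        elif m := DENY.search(msg):          # tree connect refused for that vuid
            s = sessions.get(m[2], {})
            findings.append({"ts": e["ts"], "share": m[3], "unix_user": m[1],
                             "workstation": s.get("workstation"),
                             "anonymous": s.get("user") == "",
                             "guest": s.get("guest", False), "status": None})
        elif findings and findings[-1]["status"] is None and (m := STATUS.search(msg)):
            findings[-1]["status"] = m[1]
    return findings

if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_LOG)):
        print(finding)
```

On the excerpt this reports one finding: the session from POSEIDON carried an empty user name, was accepted as guest and mapped to the UNIX user nobody, and its tree connect to IPC$ was then refused with NT_STATUS_LOGON_FAILURE.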
Chris Hellwig
2006-Dec-03 10:16 UTC
[Samba] can join a domain, but users are not able to log in
Imran K wrote:
> Seems to me like the machine is not sending any machine name to the
> server.

No, I don't think so - the attached log file is the client's log (log.clientname) - in that log file one can find
"Checking password for unmapped user []\[]@[POSEIDON] with the new password interface"
where poseidon is the client's name. But there is nothing in the log file which points to a user's name.

Chris

> On 12/3/06, Chris Hellwig <chris@hellwig-netz.de> wrote:
>
> > Hi,
> >
> > I have a samba server which should act as a domain controller. I did not
> > set up the server by myself.
> >
> > I can "see" and use the server's shares with windows and linux clients.
> > Everything - including the security settings - for the shares works as
> > expected.
> >
> > I can join a client to the domain, this works with manually adding the
> > machine account as well as with the adduser script. I can remove the
> > client from the domain and rejoin it again....
> >
> > But if I try to login with a user account from a client it rejects me
> > with a (German) message
> > "Das System kann sie nicht bei dieser Domäne anmelden, da das
> > Computerkonto des Systems in seiner primären Domäne fehlt, oder das
> > Kennwort für dieses Computerkonto falsch ist."
> >
> > That means (more or less) "The system could not log you on to the domain
> > since the machine account of the system is missing in its private
> > domain or the password of the machine account is wrong."