Diego Alencar Alves de Lima
2007-May-29 20:41 UTC
[Samba] Authentication Failure in member server
I have a samba server configured that is a member of a samba domain called PRODESAN.COM.BR. After we had to reinstall the domain controller some samba shares stopped working on the member server. I get this when I try to use the share:

[2007/05/29 17:26:28, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [WORKGROUP]\[USER1]@[HOST6] with the new password interface
[2007/05/29 17:26:28, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [PRODESAN.COM.BR]\[USER1]@[HOST6]
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/05/29 17:26:28, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/05/29 17:26:28, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [USER1] -> [USER1] FAILED with error NT_STATUS_NO_SUCH_USER

However when I try to use the same user on the domain controller things work perfectly:

[2007/05/29 17:32:39, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/05/29 17:32:39, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: pr907899
[2007/05/29 17:32:39, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/05/29 17:32:39, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [USER1] -> [USER1] -> [pr907899] succeeded

I can see the domain users using wbinfo -u on the member server and I have (re)joined the domain using net rpc join:

net rpc join -U root
Password:
Joined domain PRODESAN.COM.BR.

Any ideas why the server isn't able to authenticate the user?

--
Diego Alencar Alves de Lima
Departamento de Informática - DINF
www.prodesan.com.br

--
This message has been scanned by the antivirus system and is believed to be free of danger.
Diego Alencar Alves de Lima
2007-May-29 20:56 UTC
[Samba] Authentication Failure in member server
Adding some more information to my previous post:

I can see all domain users when I use "getent passwd" from the member server and this is the log I get from the LDAP server at the domain controller:

------------------------------------------------------------------------
May 29 17:53:07 servsso slapd[5036]: conn=814 op=10 SRCH base="dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(uid=USER1)(objectClass=sambaSamAccount))"
May 29 17:53:07 servsso slapd[5036]: conn=814 op=10 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber
May 29 17:53:07 servsso slapd[5036]: conn=814 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
May 29 17:53:07 servsso slapd[5036]: conn=814 op=11 SRCH base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=100))"
May 29 17:53:07 servsso slapd[5036]: conn=814 op=11 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
May 29 17:53:07 servsso slapd[5036]: conn=814 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
May 29 17:53:07 servsso slapd[5036]: conn=814 op=12 SRCH base="ou=grupos,dc=prodesan,dc=com,dc=br" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(gidNumber=100))"
May 29 17:53:07 servsso slapd[5036]: conn=814 op=12 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
May 29 17:53:07 servsso slapd[5036]: conn=814 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text=
------------------------------------------------------------------------
Gerald (Jerry) Carter
2007-May-30 12:37 UTC
[Samba] Authentication Failure in member server
Diego Alencar Alves de Lima wrote:
> I have a samba server configured that is member of a samba
> domain called PRODESAN.COM.BR. After we had to reinstall
> the domain controller some samba shares stopped working
> on the member server. I get this when I try to use the
> share:

Did you make sure to keep the domain SID setting from the original Samba PDC?

cheers, jerry

=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Diego Alencar Alves de Lima
2007-May-30 20:15 UTC
[Samba] Authentication Failure in member server
Just adding some more information:

I am currently unable to join any new machines to the domain. Whenever I try to join the domain I get this message on the clients:

$ sudo net join -U root
Password:
Creation of workstation account failed
Unable to join domain PRODESAN.COM.BR.

On the PDC side I get this:

[2007/05/30 17:11:15, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/05/30 17:11:15, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2007/05/30 17:11:15, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/05/30 17:11:15, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root

On my LDAP backend I have this entry:

dn: sambaDomainName=PRODESAN.COM.BR,dc=prodesan,dc=com,dc=br
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 41000
sambaNextGroupRid: 41001
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-3756370324-611414431-635963119
sambaDomainName: prodesan.com.br
gidNumber: 1055
uidNumber: 1454

The sambaSID is the same as it was before the migration. Do I need to set this SID somewhere else?
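
The domain SID question raised in this thread can be checked against an LDIF export of the directory. The following is an added example, not part of the original posts and not Samba's own code: it compares every sambaSID and sambaPrimaryGroupSID with the SID on the sambaDomain entry and lists the ones that belong to a different domain. The LDIF is constructed (only the domain SID is the one quoted above), and the small parser assumes unfolded, non-base64 attribute lines.

```python
import re

# Constructed LDIF sample: only the sambaDomain SID comes from the thread;
# the account and group entries (and their RIDs) are invented.
SAMPLE_LDIF = """\
dn: sambaDomainName=PRODESAN.COM.BR,dc=prodesan,dc=com,dc=br
objectClass: sambaDomain
sambaSID: S-1-5-21-3756370324-611414431-635963119

dn: uid=user1,ou=people,dc=prodesan,dc=com,dc=br
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3756370324-611414431-635963119-3908

dn: uid=user2,ou=people,dc=prodesan,dc=com,dc=br
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3910
sambaPrimaryGroupSID: S-1-5-21-3756370324-611414431-635963119-513

dn: cn=admins,ou=grupos,dc=prodesan,dc=com,dc=br
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
"""

SID_ATTRS = ("sambasid", "sambaprimarygroupsid")

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) for each blank-line separated entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        yield attrs.get("dn", ["?"])[0], attrs

def sid_mismatches(text):
    """Return (domain_sid, [(dn, attr, sid)]) for SIDs from another domain."""
    entries = list(parse_ldif(text))
    domain_sid = next(a["sambasid"][0] for _, a in entries
                      if "sambaDomain" in a.get("objectclass", []))
    bad = []
    for dn, attrs in entries:
        for attr in SID_ATTRS:
            for sid in attrs.get(attr, []):
                # Only S-1-5-21-* SIDs are domain-relative; well-known ones pass.
                in_domain = (sid + "-").startswith(domain_sid + "-")
                if sid.startswith("S-1-5-21-") and not in_domain:
                    bad.append((dn, attr, sid))
    return domain_sid, bad

print(sid_mismatches(SAMPLE_LDIF))
```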