Yvan Vander Sanden
2008-Jun-04 17:46 UTC
[Samba] samba/ldap setup stopped working (might be a challenge)
Hi,

Two days ago my functioning samba/ldap server stopped working. I *think* the problem is somehow related to the fact I transferred everything to a new server, but that was two months ago. Trouble started yesterday morning after a power outage.

Configuration: ubuntu 8.04, with a standard samba, ldap and smbldap-tools installed via apt-get.

When users tried to log in, they got a message "a device connected to the system is not working". (All windows messages are roughly translated from Dutch.) After some research, I discovered that there was a conflict between the SID on my server and the ones users had in the ldap database. Obviously this is because of the server migration I did a few months ago. But why problems started only now, I do not really know. At any rate, things improved when I changed the sambaSID so that it contained the server SID.

Now some users can log in on machines they used before, but not on all machines. If they try to log in on a machine where they did not work before, they get a message saying that their password is wrong. However, the samba logs show the following:

  [2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
    init_sam_from_ldap: Entry found for user: yvan
  [2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
    init_group_from_ldap: Entry found for group: 1000
  [2008/06/04 19:20:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2162)
    init_group_from_ldap: Entry found for group: 1000
  [2008/06/04 19:20:43, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [yvan] -> [yvan] -> [yvan] succeeded

Seems ok to me. I figured it might perhaps have something to do with the computer accounts themselves, which still have the wrong SID. But changing one manually didn't solve anything. The problem stays the same.

I also took a machine from the domain, but cannot add it again. Windows gives me a "user unknown" reply when I do. The samba logs tell me this:

  [2008/06/04 17:49:13, 2] smbd/reply.c:reply_special(324)
    netbios connect: name1=OCTOPUS name2=CO114-PC12
  [2008/06/04 17:49:13, 2] smbd/reply.c:reply_special(331)
    netbios connect: local=octopus remote=co114-pc12, name type = 0
  [2008/06/04 17:49:13, 2] smbd/sesssetup.c:setup_new_vc_session(1209)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
  [2008/06/04 17:49:13, 2] smbd/sesssetup.c:setup_new_vc_session(1209)
    setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
  [2008/06/04 17:49:13, 2] lib/smbldap.c:smbldap_open_connection(786)
    smbldap_open_connection: connection opened
  [2008/06/04 17:49:13, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
    init_sam_from_ldap: Entry found for user: root
  [2008/06/04 17:49:13, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
  [2008/06/04 17:49:13, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
  [2008/06/04 17:49:13, 0] auth/auth_util.c:create_builtin_administrators(792)
    create_builtin_administrators: Failed to create Administrators
  [2008/06/04 17:49:13, 2] auth/auth_util.c:create_local_nt_token(914)
    create_local_nt_token: Failed to create BUILTIN\Administrators group!
  [2008/06/04 17:49:13, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
  [2008/06/04 17:49:13, 0] auth/auth_util.c:create_builtin_users(758)
    create_builtin_users: Failed to create Users
  [2008/06/04 17:49:13, 2] auth/auth_util.c:create_local_nt_token(941)
    create_local_nt_token: Failed to create BUILTIN\Users group!
  [2008/06/04 17:49:13, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2916)
    Returning domain sid for domain SCHOOL -> S-1-5-21-2448809205-3807961929-1645749690

The machine account is created, that much is sure. (I'll tell more about the "Failed to create ..." errors later on.) In the ldap database, the machine gets an entry like this:

  cn             co114-pc12$
  description    Computer
  gecos          Computer
  gidNumber      515
  homeDirectory  /dev/null
  loginShell     /bin/false
  uid            co114-pc12$
  uidNumber      1008

while existing accounts look like this:

  cn                    co114-pc11$
  description           Computer
  displayName           co114-pc11$
  gidNumber             100
  homeDirectory         /dev/null
  loginShell            /bin/false
  sambaAcctFlags        [W ]
  sambaNTPassword       76B04CE668008AA41E9ED6829A71EE5E
  sambaPrimaryGroupSID  S-1-5-21-474648322-3185173744-4186694333-1201
  sambaPwdCanChange     1192187861
  sambaPwdLastSet       1192187861
  sambaPwdMustChange    2147483647
  sambaSID              S-1-5-21-474648322-3185173744-4186694333-7194
  sn                    co114-pc11$
  uid                   co114-pc11$
  uidNumber             3097

I think the samba information is needed for the machine. Or should it get created when the machine contacts the domain for the first time? Anyway, that does not happen. The computer does not join the domain after it gets the SID from the server.

Now about the other errors in the logs. From the moment the server is started, I get a lot of these:

  [2008/06/04 19:20:43, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_GROUP_EXISTS)
  [2008/06/04 19:20:43, 0] auth/auth_util.c:create_builtin_administrators(792)
    create_builtin_administrators: Failed to create Administrators
  [2008/06/04 19:20:43, 2] auth/auth_util.c:create_local_nt_token(914)
    create_local_nt_token: Failed to create BUILTIN\Administrators group!
  [2008/06/04 19:20:43, 0] groupdb/mapping.c:pdb_create_builtin_alias(739)
    pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_GROUP_EXISTS)
  [2008/06/04 19:20:43, 0] auth/auth_util.c:create_builtin_users(758)
    create_builtin_users: Failed to create Users
  [2008/06/04 19:20:43, 2] auth/auth_util.c:create_local_nt_token(941)
    create_local_nt_token: Failed to create BUILTIN\Users group!

At first I thought this was the core of the problem. But I'm not sure about that anymore. All the things that failed to be created do exist and seem to have the correct SIDs. I also deleted all those items (created by smbldap-populate), and ran smbldap-populate again. It neatly created everything again. But the errors above persist. One of the few talks about this on the web says it's not important, but of course that's just one...

Well, thanks for reading all this. If any of you have a clue about what is going on, I would be very happy to hear from you. I have about 2000 accounts and 200 computers in this domain, so a fresh install is really not an option.

Regards,
yvan vander sanden

--
Copyright only exists in the imagination of those who do not have any.
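The post describes two distinct defects in the directory: sambaSID / sambaPrimaryGroupSID values still carrying the old server's domain SID (S-1-5-21-474648322-...) while the server now reports S-1-5-21-2448809205-3807961929-1645749690, and machine accounts that were created without any samba* attributes at all. The following is an added example, not code from the post or from smbldap-tools: a small audit script that reads an LDIF export (a constructed sample modelled on the entries above, with the DNs and RIDs assumed) and lists entries whose SIDs belong to a foreign domain or whose machine account is not Samba-enabled.

```python
import re

# Domain SID the server reports in the post's _samr_lookup_domain log line.
SERVER_DOMAIN_SID = "S-1-5-21-2448809205-3807961929-1645749690"
# Constructed sample LDIF modelled on the entries quoted in the post (DNs and RIDs assumed).
SAMPLE_LDIF = """\
dn: uid=co114-pc11$,ou=Computers,dc=school
uid: co114-pc11$
sambaSID: S-1-5-21-474648322-3185173744-4186694333-7194
sambaPrimaryGroupSID: S-1-5-21-474648322-3185173744-4186694333-1201

dn: uid=co114-pc12$,ou=Computers,dc=school
uid: co114-pc12$
gidNumber: 515

dn: uid=yvan,ou=Users,dc=school
uid: yvan
sambaSID: S-1-5-21-2448809205-3807961929-1645749690-3000
sambaPrimaryGroupSID: S-1-5-21-2448809205-3807961929-1645749690-513
"""

# Domain SID prefix followed by the relative identifier (RID).
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute values kept as lists."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            current = {"dn": value}
            entries.append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)
    return entries

def audit(text, domain_sid):
    """Report SIDs issued by a different domain and machine accounts lacking Samba attributes."""
    findings = []
    for entry in parse_ldif(text):
        uid = entry.get("uid", ["?"])[0]
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            for sid in entry.get(attr, []):
                m = SID_RE.match(sid)
                if not m or m.group(1) != domain_sid:
                    findings.append((uid, f"{attr} belongs to another domain: {sid}"))
        if uid.endswith("$") and "sambaSID" not in entry:
            findings.append((uid, "machine account has no sambaSID"))
    return findings
```

Run `audit(open("dump.ldif").read(), SERVER_DOMAIN_SID)` against a real `slapcat`/`ldapsearch` export to get the list of accounts that still need their SIDs rewritten or their samba attributes populated.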