Wojciech Giel
2009-May-31 12:18 UTC
[Samba] Smbd startup failure caused by a failure to create an NT token for the guest account
Binary package hint: samba

Hi,

I've just installed Ubuntu Server 8.04 LTS in order to run a Samba/LDAP PDC, but I've encountered an error which looks like bug 3905, which was fixed in Samba 3.0.23 according to the changelog. I tried two different configurations; both end at the same point with an error. The first one is an exact copy of the solution from chapter 5 of "Samba3 by example". The second one is based on the SAMBA-LDAP Howto from smbldap-tools. Slapd is empty but working and gives correct DSE responses. But when I launch Samba, smbd crashes with this information in the logs:

[2009/05/30 20:44:57, 10] lib/smbldap.c:smbldap_search_ext(1246)
  Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
[2009/05/30 20:44:57, 10] auth/auth_util.c:add_aliases(656)
  pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
[2009/05/30 20:44:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/30 20:44:57, 10] auth/auth_util.c:make_new_server_info_guest(1508)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
[2009/05/30 20:44:57, 0] smbd/server.c:main(1059)
  ERROR: failed to setup guest info.

If I run:

smbd -d 10 -i

Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [ou=Groups,dc=dil,dc=edu], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))], scope => [2]
Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
LEGACY: mapping failed for sid S-1-5-32-545
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [ou=Groups,dc=dil,dc=edu], filter => [(&(| (objectclass=sambaGroupMapping)(sambaGroupType=4))(| (sambaSIDList=S-1-5-21-1900305026-286758470-1266315604-501) (sambaSIDList=S-1-22-2-65534)(sambaSIDList=S-1-1-0)(sambaSIDList=S-1-5-2) (sambaSIDList=S-1-5-32-546)))], scope => [2]
Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
pdb_enum_alias_memberships failed: NT_STATUS_UNSUCCESSFUL
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
create_local_token failed: NT_STATUS_NO_SUCH_USER
ERROR: failed to setup guest info.
talloc report on 'null_context' (total 4427 bytes in 228 blocks)
auth_serversupplied_info contains 219 bytes in 3 blocks (ref 0) 0xa8dde0
struct passwd * contains 117 bytes in 7 blocks (ref 0) 0xa8ebd0
struct samu contains 582 bytes in 14 blocks (ref 0) 0xa8f8c0
main loop talloc (mainly parse_misc) contains 573 bytes in 7 blocks (ref 0) 0xa8e100
SORTED_TREE contains 915 bytes in 44 blocks (ref 0) 0xa8bb60
struct pdb_methods contains 704 bytes in 5 blocks (ref 0) 0xa81a30
lp_talloc contains 1317 bytes in 147 blocks (ref 0) 0x9da440

If I add

winbind nested groups = no

I can start the smbd daemon, but it is a workaround, not a proper solution for a server. The same configuration on US 9.04 works without problems. Has anybody met this error?

-------------- next part --------------
############
## Global ##
############
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/autofs.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 256
modulepath /usr/lib/ldap
moduleload back_hdb
backend hdb

############################
## Database Configuration ##
############################
database hdb
suffix "dc=dil,dc=edu"
rootdn "cn=admin,dc=dil,dc=edu"
rootpw {SSHA}0cp6jXILNJnHBSYUAaLH5nfLk/QKm+KV
directory "/var/lib/ldap"

############################################################################
# DB Settings #
# The dbconfig settings are used to generate a DB_CONFIG file the first #
# time slapd starts. They do NOT override existing an existing DB_CONFIG #
# file. You should therefore change these settings in DB_CONFIG directly #
# or remove DB_CONFIG and restart slapd for changes to take effect. #
# For the Debian package we use 2MB as default but be sure to update this #
# value if you have plenty of RAM #
dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high #
# to get slapd running at all. See http://bugs.debian.org/303057 for more #
# information. #
# Number of objects that can be locked at the same time. #
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted) #
dbconfig set_lk_max_locks 1500
# Number of lockers #
dbconfig set_lk_max_lockers 1500
############################################################################

index objectClass eq
index cn pres,sub,eq
index ou pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

###########
### ACL ###
###########
access to attrs=userPassword,shadowLastChange
    by anonymous auth
    by self write
    by * none
access to *
    by self write
    by * read

-------------- next part --------------
[global]
    workgroup = DIL_
    netbios name = RAVENFIELD
    server string = Samba PDC Version %v
    enable privileges = yes
    username map = /etc/samba/smbusers
    use spnego = yes
    log file = /var/log/samba/%m.log
    max log size = 50
    syslog = 0
    log level = 10
    utmp = Yes
    bind interfaces only = yes
    interfaces = eth*, lo
    hosts allow = 127. 192.168.15. 192.168.45. 192.168.55. 192.168.155. 192.168.165. 192.168.175. 192.168.185. 192.168.195. 192.168.245. 192.168.255. 192.168.235. 0.0.0.0
    wins support = yes
    dns proxy = yes
    security = server
    encrypt passwords = yes
    os level = 255
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon script = scripts\logon.bat
    logon path = \\%L\profiles\%U
    logon drive = H:
    passdb backend = ldapsam:ldap://ravenfield.dil.edu
    ldap suffix = dc=dil,dc=edu
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=dil,dc=edu
    idmap backend = ldap:ldap://ravenfield.dil.edu
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    map acl inherit = yes
    pam password change = yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    ldap passwd sync = yes
    unix password sync = no
    # For Windows (passwd chat)
    passwd chat = *New*password* %n *Retype*new*password* %n
    #passwd chat = *EntersnewsUNIXspassword:* %n\n *RetypesnewsUNIXspassword:* %n\n
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    add user script = /usr/sbin/smbldap-useradd -m -a "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    unix charset = LOCALE
    display charset = LOCALE
    printing = cups
    printcap name = CUPS
    printer admin = root
    show add printer wizard = no
    time server = yes

[homes]
    comment = Home Directories
    valid users = %S
    read only = no
    browsable = no

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    browseable = no
    read only = yes
    guest ok = yes
    locking = no

[profile]
    comment = Profile Share
    path = /var/lib/samba/profiles
    read only = no
    profile acls = yes

[programs]
    comment = Useful programs
    path = /var/lib/samba/executables
    guest ok = yes
    read only = yes
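
Added example (not part of the original post, and not Samba or smbldap-tools code): the debug log above shows smbd searching ou=Groups,dc=dil,dc=edu and receiving LDAP error 32. The Python script below builds the container DNs from the smb.conf "ldap ... suffix" settings and reports which of them the smbd debug log shows as missing; the function names and the embedded sample input are constructed for illustration.

```python
import re

# Constructed sample input: settings and debug lines as they appear in the post.
SMB_CONF = """\
[global]
ldap suffix = dc=dil,dc=edu
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
"""
SMBD_LOG = """\
[2009/05/30 20:44:57, 10] lib/smbldap.c:smbldap_search_ext(1246)
  Failed search for base: ou=Groups,dc=dil,dc=edu, error: 32 (No such object) (unknown)
[2009/05/30 20:44:57, 10] auth/auth_util.c:make_new_server_info_guest(1508)
  create_local_token failed: NT_STATUS_NO_SUCH_USER
"""

FAILED = re.compile(r"Failed search for base: (.+?), error: (\d+) ")
NO_SUCH_OBJECT = 32  # LDAP result code noSuchObject

def norm(dn):
    """Lower-case a DN and drop spaces around commas for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def expected_containers(conf_text):
    """Map each 'ldap <role> suffix' to the full DN built on 'ldap suffix'."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    base = opts["ldap suffix"]
    return {key.split()[1]: norm(f"{value},{base}")
            for key, value in opts.items()
            if re.fullmatch(r"ldap \w+ suffix", key)}

def failed_bases(log_text):
    """Return {normalised base DN: LDAP result code} for failed searches."""
    return {norm(base): int(code) for base, code in FAILED.findall(log_text)}

def missing_containers(conf_text, log_text):
    """Roles whose configured container was reported as noSuchObject."""
    failures = failed_bases(log_text)
    return sorted(role for role, dn in expected_containers(conf_text).items()
                  if failures.get(dn) == NO_SUCH_OBJECT)

if __name__ == "__main__":
    for role in missing_containers(SMB_CONF, SMBD_LOG):
        print(f"{role}: {expected_containers(SMB_CONF)[role]} not found in directory")
```

Only containers that smbd actually searched appear in the log, so a role absent from the result has not been shown to exist; it simply was not queried before startup stopped.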