Thomas Burkholder
2010-Jun-01 11:28 UTC
[Samba] Workaround: 3.4.5->3.5.3 breaks domain logons
I turned off server signing, and domain logons work now. On the server, I had set lanman auth = no ntlm auth = yes and the clients have Digitally sign client communication (when possible) Enabled Digitally sign server communication (when possible) Enabled LAN Manager Authentication Level Send NTLMv2 response only\refuse LM So my guess is that the samba update changes the server signature so the clients no longer recognize it. I'd rather have server signing enabled, but the server schannel works and is more important to me.>On Monday 24/05/2010 at 5:38 am, Thomas Burkholder wrote: >>At 11:30 AM 5/23/2010, you wrote: >>> >>>On Sunday 23/05/2010 at 6:44 am, Thomas Burkholder wrote: >>>> >>>>I've been trying to upgrade from samba 3.4.5 to 3.5.x (currently 3.5.3) on >>>>a Ubuntu 9.10 system where I compile my own Samba. The server is a PDC for >>>>several win2000 clients and uses an LDAP backend hosted on the same >>>>machine. After the upgrade, clients can connect to shares but can not >>>>perform domain logons. >>> >>>So, when they log on to windows, they get "The domain does not exist or >>>trust account not found" message? >>> >>>If so, your machine accounts may be broken. Try rejoining the machine >>>to the domain using the Windows network ID wizard. >> >>Sorry, I should have given the text of the windows error: "Controller for >>the domain could not be found." This is at odds with the Samba log that >>shows the client does find the controller, but then stops talking. >> >>Thanks for the suggestion. Rejoining the domain does not help, and Samba >>still throws the "Scheduled cleanup brl and lock database after unclean >>shutdown" or "Cleaning up brl and lock database after unclean shutdown" >>messages. > >OK, this is going to sound a bit odd, but try this on the server: > >net rpc join <DOMAIN NAME> -U Administrator > >then, see if it is good > >net rpc testjoin. > >Also, since you might want to resave LDAP password > >passwd -w > >Often, when upgrading samba with an LDAP backend I've found it best to >blow out all the .tdb files and approach the upgrade like a replacement. > >Cheers, >TMS III >> >> >> >> >> >>> >>>> >>>>3.5.3 does not build a browse list of other domains >>>>on the subnet. Executing "net view /DOMAIN:mydomain" on the client >>>>produces an error 59 or error 64. >>>> >>>>Log-3 during the net view is basically the same between 3.4.5 and 3.5.3, >>>>and I can see both successfully connect, negotiate sign/seal, and >>>>authenticate a guest session with LDAP. After that, the working 3.4.5 log >>>>says: >>>> >>>> >>>>[2010/05/23 08:33:34, 3] smbd/service.c:1047(make_connection_snum) >>>>CLIENT (x.x.x.x) connect to service IPC$ initially as user nobody >>>>(uid=65534, gid=65534) (pid 2454) >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/reply.c:759(reply_tcon_and_X) >>>>tconX service=IPC$ >>>>[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb) >>>>Transaction 4 of length 129 (0 toread) >>>>[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message) >>>>switch message SMBtrans (pid 2454) conn 0xb9034f58 >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/ipc.c:536(handle_trans) >>>>trans <\PIPE\LANMAN> data=0 params=33 setup=0 >>>>[2010/05/23 08:33:34, 3] smbd/ipc.c:487(named_pipe) >>>>named pipe command on <LANMAN> name >>>>[2010/05/23 08:33:34, 3] smbd/lanman.c:4694(api_reply) >>>>Got API command 104 of form <WrLehDz> <B16BBDz> >>>>(tdscnt=0,tpscnt=33,mdrcnt=4200,mprcnt=8) >>>>[2010/05/23 08:33:34, 3] smbd/lanman.c:4698(api_reply) >>>>Doing NetServerEnum >>>>[2010/05/23 08:33:34, 3] smbd/lanman.c:1511(api_RNetServerEnum) >>>>NetServerEnum domain = mydomain uLevel=1 counted=1 total=1 >>>>[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb) >>>>Transaction 5 of length 43 (0 toread) >>>>[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message) >>>>switch message SMBulogoffX (pid 2454) conn 0x0 >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/reply.c:1948(reply_ulogoffX) >>>>ulogoffX vuid=100 >>>>[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb) >>>>Transaction 6 of length 39 (0 toread) >>>>[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message) >>>>switch message SMBtdis (pid 2454) conn 0xb9034f58 >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/service.c:1226(close_cnum) >>>>CLIENT (x.x.x.x) closed connection to service IPC$ >>>>[2010/05/23 08:33:34, 3] smbd/connection.c:31(yield_connection) >>>>Yielding connection to IPC$ >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:33:34, 3] smbd/connection.c:31(yield_connection) >>>>Yielding connection to >>>>[2010/05/23 08:33:34, 3] smbd/server.c:845(exit_server_common) >>>>Server exit (failed to receive smb request) >>>> >>>> >>>>where the not-working 3.5.3 says >>>> >>>>[2010/05/23 08:25:50.455781, 3] smbd/service.c:1069(make_connection_snum) >>>>CLIENT (x.x.x.x) connect to service IPC$ initially as user nobody >>>>(uid=65534, gid=65534) (pid 2128) >>>>[2010/05/23 08:25:50.455844, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:25:50.455914, 3] smbd/reply.c:846(reply_tcon_and_X) >>>>tconX service=IPC$ >>>>[2010/05/23 08:25:50.458037, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:25:50.458221, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:25:50.458326, 3] smbd/service.c:1250(close_cnum) >>>>CLIENT (x.x.x.x) closed connection to service IPC$ >>>>[2010/05/23 08:25:50.458394, 3] smbd/connection.c:31(yield_connection) >>>>Yielding connection to IPC$ >>>>[2010/05/23 08:25:50.458530, 3] smbd/sec_ctx.c:310(set_sec_ctx) >>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >>>>[2010/05/23 08:25:50.458643, 3] smbd/connection.c:31(yield_connection) >>>>Yielding connection to >>>>[2010/05/23 08:25:50.458869, 3] smbd/server.c:902(exit_server_common) >>>>Server exit (failed to receive smb request) >>>>[2010/05/23 08:25:50.476063, 3] smbd/server.c:259(remove_child_pid) >>>>smbd/server.c:259 Unclean shutdown of pid 2128 >>>>[2010/05/23 08:25:50.476423, 1] smbd/server.c:267(remove_child_pid) >>>>Scheduled cleanup of brl and lock database after unclean shutdown >>>> >>>>after which it logs a second sign/seal negotiation, authentication, and >>>>failed $IPC connection. >>>> >>>> >>>>smb.conf is >>>>[global] >>>>unix charset = iso8859-1 >>>>workgroup = mydomain >>>>server schannel = Yes >>>>passdb backend = ldapsam:ldap://x.x.x.x >>>>passwd program = /usr/sbin/smbldap-passwd %u >>>>passwd chat = *New*password* %n\n *Retype*new*password* %n\n >>>>*all*authentication*tokens*updated* >>>>client NTLMv2 auth = Yes >>>>log level = 1 >>>>syslog = 0 >>>>log file = /var/log/samba/log.%U >>>>name resolve order = hosts lmhosts wins bcast >>>>time server = Yes >>>>server signing = Yes >>>>deadtime = 30 >>>>keepalive = 180 >>>>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 >>>>printcap name = cups >>>>add user script = /usr/sbin/smbldap-useradd -m "%u" -m >>>>delete user script = /usr/sbin/smbldap-userdel "%u" >>>>add group script = /usr/sbin/smbldap-groupadd -p "%g" >>>>delete group script = /usr/sbin/smbldap-groupdel "%g" >>>>add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" >>>>delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" >>>>"%g" >>>>set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" >>>>add machine script = /usr/sbin/smbldap-useradd -w "%u" >>>>logon script = scripts\logon.bat >>>>logon path = \\%L\[path] >>>>logon drive = z: >>>>logon home = \\%L\[home] >>>>domain logons = Yes >>>>os level = 65 >>>>preferred master = Yes >>>>domain master = Yes >>>>wins support = Yes >>>>kernel oplocks = No >>>>ldap admin dn = "[----]" >>>>ldap machine suffix = ou=machines >>>>ldap passwd sync = yes >>>>ldap suffix = [----] >>>>ldap ssl = no >>>>ldap user suffix = ou=People >>>>eventlog list = syslog, apache2 >>>>idmap uid = 10000-15000 >>>>idmap gid = 10000-15000 >>>>winbind enum users = Yes >>>>winbind enum groups = Yes >>>>hosts allow = 127.0.0.0/16, x.x.x.x/25 >>>>hosts deny = all > >