thr3ads.net - samba - [Samba] Workaround: 3.4.5->3.5.3 breaks domain logons [Jun 2010]

If this information is useful, please help other people find it:
Share via:
Thomas Burkholder
2010-Jun-01 11:28 UTC
[Samba] Workaround: 3.4.5->3.5.3 breaks domain logons

I turned off server signing, and domain logons work now.  On the server, I 
had set
   lanman auth = no
   ntlm auth = yes
and the clients have
   Digitally sign client communication (when possible)  Enabled
   Digitally sign server communication (when possible)  Enabled
   LAN Manager Authentication Level  Send NTLMv2 response only\refuse LM

So my guess is that the samba update changes the server signature so the 
clients no longer recognize it.  I'd rather have server signing enabled, 
but the server schannel works and is more important to me.

>On Monday 24/05/2010 at 5:38 am, Thomas Burkholder   wrote:
>>At 11:30 AM 5/23/2010, you wrote:
>>>
>>>On Sunday 23/05/2010 at 6:44 am, Thomas Burkholder wrote:
>>>>
>>>>I've been trying to upgrade from samba 3.4.5 to 3.5.x
(currently 3.5.3) on
>>>>a Ubuntu 9.10 system where I compile my own Samba. The server is
a PDC for
>>>>several win2000 clients and uses an LDAP backend hosted on the
same
>>>>machine. After the upgrade, clients can connect to shares but
can not
>>>>perform domain logons.
>>>
>>>So, when they log on to windows, they get "The domain does not
exist or
>>>trust account not found" message?
>>>
>>>If so, your machine accounts may be broken.  Try rejoining the
machine
>>>to the domain using the Windows network ID wizard.
>>
>>Sorry, I should have given the text of the windows error:
"Controller for
>>the domain could not be found." This is at odds with the Samba log
that
>>shows the client does find the controller, but then stops talking.
>>
>>Thanks for the suggestion.  Rejoining the domain does not help, and
Samba
>>still throws the "Scheduled cleanup brl and lock database after
unclean
>>shutdown" or "Cleaning up brl and lock database after unclean
shutdown"
>>messages.
>
>OK, this is going to sound a bit odd, but try this on the server:
>
>net rpc join <DOMAIN NAME> -U Administrator
>
>then, see if it is good
>
>net rpc testjoin.
>
>Also, since you might want to resave LDAP password
>
>passwd -w
>
>Often, when upgrading samba with an LDAP backend I've found it best to 
>blow out all the .tdb files and approach the upgrade like a replacement.
>
>Cheers,
>TMS III
>>
>>
>>
>>
>>
>>>
>>>>
>>>>3.5.3 does not build a browse list of other domains
>>>>on the subnet. Executing "net view /DOMAIN:mydomain"
on the client
>>>>produces an error 59 or error 64.
>>>>
>>>>Log-3 during the net view is basically the same between 3.4.5
and 3.5.3,
>>>>and I can see both successfully connect, negotiate sign/seal,
and
>>>>authenticate a guest session with LDAP. After that, the working
3.4.5 log
>>>>says:
>>>>
>>>>
>>>>[2010/05/23 08:33:34, 3]
smbd/service.c:1047(make_connection_snum)
>>>>CLIENT (x.x.x.x) connect to service IPC$ initially as user
nobody
>>>>(uid=65534, gid=65534) (pid 2454)
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/reply.c:759(reply_tcon_and_X)
>>>>tconX service=IPC$
>>>>[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb)
>>>>Transaction 4 of length 129 (0 toread)
>>>>[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message)
>>>>switch message SMBtrans (pid 2454) conn 0xb9034f58
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/ipc.c:536(handle_trans)
>>>>trans <\PIPE\LANMAN> data=0 params=33 setup=0
>>>>[2010/05/23 08:33:34, 3] smbd/ipc.c:487(named_pipe)
>>>>named pipe command on <LANMAN> name
>>>>[2010/05/23 08:33:34, 3] smbd/lanman.c:4694(api_reply)
>>>>Got API command 104 of form <WrLehDz> <B16BBDz>
>>>>(tdscnt=0,tpscnt=33,mdrcnt=4200,mprcnt=8)
>>>>[2010/05/23 08:33:34, 3] smbd/lanman.c:4698(api_reply)
>>>>Doing NetServerEnum
>>>>[2010/05/23 08:33:34, 3] smbd/lanman.c:1511(api_RNetServerEnum)
>>>>NetServerEnum domain = mydomain uLevel=1 counted=1 total=1
>>>>[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb)
>>>>Transaction 5 of length 43 (0 toread)
>>>>[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message)
>>>>switch message SMBulogoffX (pid 2454) conn 0x0
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/reply.c:1948(reply_ulogoffX)
>>>>ulogoffX vuid=100
>>>>[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb)
>>>>Transaction 6 of length 39 (0 toread)
>>>>[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message)
>>>>switch message SMBtdis (pid 2454) conn 0xb9034f58
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/service.c:1226(close_cnum)
>>>>CLIENT (x.x.x.x) closed connection to service IPC$
>>>>[2010/05/23 08:33:34, 3] smbd/connection.c:31(yield_connection)
>>>>Yielding connection to IPC$
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:33:34, 3] smbd/connection.c:31(yield_connection)
>>>>Yielding connection to
>>>>[2010/05/23 08:33:34, 3] smbd/server.c:845(exit_server_common)
>>>>Server exit (failed to receive smb request)
>>>>
>>>>
>>>>where the not-working 3.5.3 says
>>>>
>>>>[2010/05/23 08:25:50.455781, 3]
smbd/service.c:1069(make_connection_snum)
>>>>CLIENT (x.x.x.x) connect to service IPC$ initially as user
nobody
>>>>(uid=65534, gid=65534) (pid 2128)
>>>>[2010/05/23 08:25:50.455844, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:25:50.455914, 3]
smbd/reply.c:846(reply_tcon_and_X)
>>>>tconX service=IPC$
>>>>[2010/05/23 08:25:50.458037, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:25:50.458221, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:25:50.458326, 3] smbd/service.c:1250(close_cnum)
>>>>CLIENT (x.x.x.x) closed connection to service IPC$
>>>>[2010/05/23 08:25:50.458394, 3]
smbd/connection.c:31(yield_connection)
>>>>Yielding connection to IPC$
>>>>[2010/05/23 08:25:50.458530, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>>[2010/05/23 08:25:50.458643, 3]
smbd/connection.c:31(yield_connection)
>>>>Yielding connection to
>>>>[2010/05/23 08:25:50.458869, 3]
smbd/server.c:902(exit_server_common)
>>>>Server exit (failed to receive smb request)
>>>>[2010/05/23 08:25:50.476063, 3]
smbd/server.c:259(remove_child_pid)
>>>>smbd/server.c:259 Unclean shutdown of pid 2128
>>>>[2010/05/23 08:25:50.476423, 1]
smbd/server.c:267(remove_child_pid)
>>>>Scheduled cleanup of brl and lock database after unclean
shutdown
>>>>
>>>>after which it logs a second sign/seal negotiation,
authentication, and
>>>>failed $IPC connection.
>>>>
>>>>
>>>>smb.conf is
>>>>[global]
>>>>unix charset = iso8859-1
>>>>workgroup = mydomain
>>>>server schannel = Yes
>>>>passdb backend = ldapsam:ldap://x.x.x.x
>>>>passwd program = /usr/sbin/smbldap-passwd %u
>>>>passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>>>>*all*authentication*tokens*updated*
>>>>client NTLMv2 auth = Yes
>>>>log level = 1
>>>>syslog = 0
>>>>log file = /var/log/samba/log.%U
>>>>name resolve order = hosts lmhosts wins bcast
>>>>time server = Yes
>>>>server signing = Yes
>>>>deadtime = 30
>>>>keepalive = 180
>>>>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>printcap name = cups
>>>>add user script = /usr/sbin/smbldap-useradd -m "%u" -m
>>>>delete user script = /usr/sbin/smbldap-userdel "%u"
>>>>add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>>>delete group script = /usr/sbin/smbldap-groupdel "%g"
>>>>add user to group script = /usr/sbin/smbldap-groupmod -m
"%u" "%g"
>>>>delete user from group script = /usr/sbin/smbldap-groupmod -x
"%u"
>>>>"%g"
>>>>set primary group script = /usr/sbin/smbldap-usermod -g
"%g" "%u"
>>>>add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>>>logon script = scripts\logon.bat
>>>>logon path = \\%L\[path]
>>>>logon drive = z:
>>>>logon home = \\%L\[home]
>>>>domain logons = Yes
>>>>os level = 65
>>>>preferred master = Yes
>>>>domain master = Yes
>>>>wins support = Yes
>>>>kernel oplocks = No
>>>>ldap admin dn = "[----]"
>>>>ldap machine suffix = ou=machines
>>>>ldap passwd sync = yes
>>>>ldap suffix = [----]
>>>>ldap ssl = no
>>>>ldap user suffix = ou=People
>>>>eventlog list = syslog, apache2
>>>>idmap uid = 10000-15000
>>>>idmap gid = 10000-15000
>>>>winbind enum users = Yes
>>>>winbind enum groups = Yes
>>>>hosts allow = 127.0.0.0/16, x.x.x.x/25
>>>>hosts deny = all
>
>
Apparently Analagous Threads

Search for more maybe matching threads
samba - Jun 2010 - Workaround: 3.4.5->3.5.3 breaks domain logons

[Samba] Workaround: 3.4.5->3.5.3 breaks domain logons

Apparently Analagous Threads

Wisdom of the Ancients
