Daniel DeptuĆa
2010-Jun-07 11:31 UTC
[Samba] I have a weird problem with PDC on samba 3.5.3 and I think I need developers' help :)
I'm sorry for the very long debug pasted below but I'm afraid lower
debug levels would not give enough useful information about the
problem. I've been investigating it for over two weeks with no result.
Maybe developers can tell me where to search for the cause - browsing
source code is very hard...
I have a Samba PDC with LDAP backend. Configuration works fine on
3.0.x version but when I moved to 3.5.x (which I need in order to
connect Win7 machines to domain), new machines (Win XP and Win 7)
can't join the domain.
I tried as well a configuration smbldap-tools (as machine add script)
as well as configuration with idmap and winbind. Both don't work.
When using the first one Windows returned an error "A device connected
to the computer doesn't work" when trying to join the domain.
When using idmap I get an error about wrong password.
A record in LDAP directory is created for a moment and then deleted.
In both situations logs seem similar - I think key information are
(after them the record is deleted):
* _netr_ServerAuthenticate: no challenge sent to client D_DEPTULA_VIRT
* decode_pw_buffer: incorrect password length (some random number here)
It seems to me that machine password is an empty string (but why?)
Below parts of logs (debug level=10) which I think can be useful. I'm
running out of ideas... please help me... I'm not even sure where to
search for the problem...
I'm able to browse shared drives, "net" and "smbclient"
tools also
work fine - I can add and delete users, grant rights etc.
User Administrator is a member of "Domain Admins" group which has
SeMachineAccountPrivilege.
If you need more information don't hestitate to ask!
PDC name = MYSMB
workstation trying to join = D_DEPTULA_VIRT
domain name = MYDOMAIN
Debug (samba version 3.5.3):
[2010/06/07 11:13:59.288214, 3] rpc_server/srv_pipe.c:2414(api_rpcTNP)
api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2010/06/07 11:13:59.288249, 6] rpc_server/srv_pipe.c:2433(api_rpcTNP)
api_rpc_cmds[4].fn == 0xb72b9e80
[2010/06/07 11:13:59.288302, 1]
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
netr_ServerReqChallenge: struct netr_ServerReqChallenge
in: struct netr_ServerReqChallenge
server_name : *
server_name : '\\MYSMB'
computer_name : *
computer_name : 'D_DEPTULA_VIRT'
credentials : *
credentials: struct netr_Credential
data : c1d4e6ab7380e9a3
[2010/06/07 11:13:59.288453, 1]
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
netr_ServerReqChallenge: struct netr_ServerReqChallenge
out: struct netr_ServerReqChallenge
return_credentials : *
return_credentials: struct netr_Credential
data : e7bb0cb2dc4a891a
result : NT_STATUS_OK
...........
[2010/06/07 11:13:59.306615, 3] rpc_server/srv_pipe.c:2414(api_rpcTNP)
api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE
[2010/06/07 11:13:59.306650, 6] rpc_server/srv_pipe.c:2433(api_rpcTNP)
api_rpc_cmds[5].fn == 0xb72b9b50
[2010/06/07 11:13:59.306698, 1]
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
netr_ServerAuthenticate: struct netr_ServerAuthenticate
in: struct netr_ServerAuthenticate
server_name : *
server_name : '\\MYSMB'
account_name : *
account_name : 'D_DEPTULA_VIRT$'
secure_channel_type : SEC_CHAN_WKSTA (2)
computer_name : *
computer_name : 'D_DEPTULA_VIRT'
credentials : *
credentials: struct netr_Credential
data : ec0ace4aa0ec64ac
[2010/06/07 11:13:59.306857, 0]
rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate: no challenge sent to client D_DEPTULA_VIRT
[2010/06/07 11:13:59.306890, 1]
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
netr_ServerAuthenticate: struct netr_ServerAuthenticate
out: struct netr_ServerAuthenticate
return_credentials : *
return_credentials: struct netr_Credential
data : 0000000000000000
result : NT_STATUS_ACCESS_DENIED
...........
[2010/06/07 11:13:59.922829, 5] auth/auth.c:97(get_ntlm_challenge)
auth_get_challenge: module guest did not want to specify a challenge
[2010/06/07 11:13:59.922871, 5] auth/auth.c:97(get_ntlm_challenge)
auth_get_challenge: module sam did not want to specify a challenge
[2010/06/07 11:13:59.922919, 5] auth/auth.c:97(get_ntlm_challenge)
auth_get_challenge: module winbind did not want to specify a challenge
[2010/06/07 11:13:59.922985, 5] auth/auth.c:132(get_ntlm_challenge)
auth_context challenge created by random
[2010/06/07 11:13:59.923045, 5] auth/auth.c:133(get_ntlm_challenge)
challenge is:
[2010/06/07 11:13:59.923095, 5] ../lib/util/util.c:278(_dump_data)
[0000] 24 CC C7 A1 CE FF 7E 4D $.....~M
[2010/06/07 11:13:59.923641, 1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
&challenge: struct CHALLENGE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmChallenge (0x2)
TargetNameLen : 0x000e (14)
TargetNameMaxLen : 0x000e (14)
TargetName : *
TargetName : 'MYDOMAIN'
NegotiateFlags : 0xe2898215 (3800662549)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
1: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
1: NTLMSSP_NEGOTIATE_TARGET_INFO
1: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
1: NTLMSSP_NEGOTIATE_56
ServerChallenge : 24ccc7a1ceff7e4d
Reserved : 0000000000000000
TargetInfoLen : 0x0040 (64)
TargetNameInfoMaxLen : 0x0040 (64)
TargetInfo : *
TargetInfo: struct AV_PAIR_LIST
count : 0x00000005 (5)
pair: ARRAY(5)
pair: struct AV_PAIR
AvId : MsvAvNbDomainName (0x2)
AvLen : 0x000e (14)
Value : union
ntlmssp_AvValue(case 0x2)
AvNbDomainName : 'MYDOMAIN'
pair: struct AV_PAIR
AvId : MsvAvNbComputerName (0x1)
AvLen : 0x000c (12)
Value : union
ntlmssp_AvValue(case 0x1)
AvNbComputerName : 'MYSMB'
pair: struct AV_PAIR
AvId : MsvAvDnsDomainName (0x4)
AvLen : 0x0000 (0)
Value : union
ntlmssp_AvValue(case 0x4)
AvDnsDomainName : ''
pair: struct AV_PAIR
AvId : MsvAvDnsComputerName (0x3)
AvLen : 0x0012 (18)
Value : union
ntlmssp_AvValue(case 0x3)
AvDnsComputerName : 'localhost'
pair: struct AV_PAIR
AvId : MsvAvEOL (0x0)
AvLen : 0x0000 (0)
Value : union
ntlmssp_AvValue(case 0x0)
Version: struct VERSION
ProductMajorVersion : UNKNOWN_ENUM_VALUE (0x4B)
ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
ProductBuild : 0x004f (79)
Reserved : 45004c
NTLMRevisionCurrent : UNKNOWN_ENUM_VALUE (0x0)
...........
[2010/06/07 11:14:00.475469, 10] lib/smbldap.c:647(smbldap_make_mod)
smbldap_make_mod: adding attribute |uid| value |D_DEPTULA_VIRT$|
[2010/06/07 11:14:00.475505, 2] passdb/pdb_ldap.c:1200(init_ldap_from_sam)
init_ldap_from_sam: Setting entry for user: D_DEPTULA_VIRT$
...........
[2010/06/07 11:14:00.508208, 2] passdb/pdb_ldap.c:5472(ldapsam_create_user)
ldapsam_create_user: added account [D_DEPTULA_VIRT$] in the LDAP database
...........
[2010/06/07 11:14:00.546757, 5] rpc_server/srv_samr_nt.c:4801(set_user_info_pw)
Attempting administrator password change for user D_DEPTULA_VIRT$
[2010/06/07 11:14:00.546794, 0]
../libcli/auth/smbencrypt.c:589(decode_pw_buffer)
decode_pw_buffer: incorrect password length (-1578185159).
[2010/06/07 11:14:00.546821, 0]
../libcli/auth/smbencrypt.c:590(decode_pw_buffer)
decode_pw_buffer: check that 'encrypt passwords = yes'
[2010/06/07 11:14:00.546869, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (22361, 513) - sec_ctx_stack_ndx = 0
[2010/06/07 11:14:00.546908, 1]
../librpc/ndr/ndr.c:251(ndr_print_function_debug)
samr_SetUserInfo2: struct samr_SetUserInfo2
out: struct samr_SetUserInfo2
result : NT_STATUS_WRONG_PASSWORD
...........
[2010/06/07 11:14:00.555929, 0] passdb/pdb_ldap.c:5489(ldapsam_delete_user)
ldapsam_delete_user: Attempt to delete user [D_DEPTULA_VIRT$]
Possibly Parallel Threads
Wisdom of the Ancients
