Daniel Deptuła
2010-Jun-07 11:31 UTC
[Samba] I have a weird problem with PDC on samba 3.5.3 and I think I need developers' help :)
I'm sorry for the very long debug pasted below, but I'm afraid lower debug levels would not give enough useful information about the problem. I've been investigating it for over two weeks with no result. Maybe developers can tell me where to search for the cause - browsing source code is very hard...

I have a Samba PDC with an LDAP backend. The configuration works fine on version 3.0.x, but when I moved to 3.5.x (which I need in order to connect Win7 machines to the domain), new machines (Win XP and Win 7) can't join the domain. I tried both a configuration with smbldap-tools (as the machine add script) and a configuration with idmap and winbind. Neither works. When using the first one, Windows returned the error "A device connected to the computer doesn't work" when trying to join the domain. When using idmap I get an error about a wrong password. A record in the LDAP directory is created for a moment and then deleted.

In both situations the logs seem similar - I think the key information is (after these the record is deleted):

* _netr_ServerAuthenticate: no challenge sent to client D_DEPTULA_VIRT
* decode_pw_buffer: incorrect password length (some random number here)

It seems to me that the machine password is an empty string (but why?)

Below are parts of the logs (debug level=10) which I think can be useful. I'm running out of ideas... please help me... I'm not even sure where to search for the problem... I'm able to browse shared drives, and the "net" and "smbclient" tools also work fine - I can add and delete users, grant rights etc. User Administrator is a member of the "Domain Admins" group, which has SeMachineAccountPrivilege. If you need more information don't hesitate to ask!
PDC name = MYSMB
workstation trying to join = D_DEPTULA_VIRT
domain name = MYDOMAIN

Debug (samba version 3.5.3):

[2010/06/07 11:13:59.288214, 3] rpc_server/srv_pipe.c:2414(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2010/06/07 11:13:59.288249, 6] rpc_server/srv_pipe.c:2433(api_rpcTNP)
  api_rpc_cmds[4].fn == 0xb72b9e80
[2010/06/07 11:13:59.288302, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  netr_ServerReqChallenge: struct netr_ServerReqChallenge
    in: struct netr_ServerReqChallenge
      server_name : *
        server_name : '\\MYSMB'
      computer_name : *
        computer_name : 'D_DEPTULA_VIRT'
      credentials : *
        credentials: struct netr_Credential
          data : c1d4e6ab7380e9a3
[2010/06/07 11:13:59.288453, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  netr_ServerReqChallenge: struct netr_ServerReqChallenge
    out: struct netr_ServerReqChallenge
      return_credentials : *
        return_credentials: struct netr_Credential
          data : e7bb0cb2dc4a891a
      result : NT_STATUS_OK
...........
[2010/06/07 11:13:59.306615, 3] rpc_server/srv_pipe.c:2414(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE
[2010/06/07 11:13:59.306650, 6] rpc_server/srv_pipe.c:2433(api_rpcTNP)
  api_rpc_cmds[5].fn == 0xb72b9b50
[2010/06/07 11:13:59.306698, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  netr_ServerAuthenticate: struct netr_ServerAuthenticate
    in: struct netr_ServerAuthenticate
      server_name : *
        server_name : '\\MYSMB'
      account_name : *
        account_name : 'D_DEPTULA_VIRT$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'D_DEPTULA_VIRT'
      credentials : *
        credentials: struct netr_Credential
          data : ec0ace4aa0ec64ac
[2010/06/07 11:13:59.306857, 0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client D_DEPTULA_VIRT
[2010/06/07 11:13:59.306890, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  netr_ServerAuthenticate: struct netr_ServerAuthenticate
    out: struct netr_ServerAuthenticate
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 0000000000000000
      result : NT_STATUS_ACCESS_DENIED
...........
[2010/06/07 11:13:59.922829, 5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2010/06/07 11:13:59.922871, 5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2010/06/07 11:13:59.922919, 5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2010/06/07 11:13:59.922985, 5] auth/auth.c:132(get_ntlm_challenge)
  auth_context challenge created by random
[2010/06/07 11:13:59.923045, 5] auth/auth.c:133(get_ntlm_challenge)
  challenge is:
[2010/06/07 11:13:59.923095, 5] ../lib/util/util.c:278(_dump_data)
  [0000] 24 CC C7 A1 CE FF 7E 4D $.....~M
[2010/06/07 11:13:59.923641, 1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
  &challenge: struct CHALLENGE_MESSAGE
    Signature : 'NTLMSSP'
    MessageType : NtLmChallenge (0x2)
    TargetNameLen : 0x000e (14)
    TargetNameMaxLen : 0x000e (14)
    TargetName : *
      TargetName : 'MYDOMAIN'
    NegotiateFlags : 0xe2898215 (3800662549)
      1: NTLMSSP_NEGOTIATE_UNICODE
      0: NTLMSSP_NEGOTIATE_OEM
      1: NTLMSSP_REQUEST_TARGET
      1: NTLMSSP_NEGOTIATE_SIGN
      0: NTLMSSP_NEGOTIATE_SEAL
      0: NTLMSSP_NEGOTIATE_DATAGRAM
      0: NTLMSSP_NEGOTIATE_LM_KEY
      0: NTLMSSP_NEGOTIATE_NETWARE
      1: NTLMSSP_NEGOTIATE_NTLM
      0: NTLMSSP_NEGOTIATE_NT_ONLY
      0: NTLMSSP_ANONYMOUS
      0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
      0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
      0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
      1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      1: NTLMSSP_TARGET_TYPE_DOMAIN
      0: NTLMSSP_TARGET_TYPE_SERVER
      0: NTLMSSP_TARGET_TYPE_SHARE
      1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
      0: NTLMSSP_NEGOTIATE_IDENTIFY
      0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
      1: NTLMSSP_NEGOTIATE_TARGET_INFO
      1: NTLMSSP_NEGOTIATE_VERSION
      1: NTLMSSP_NEGOTIATE_128
      1: NTLMSSP_NEGOTIATE_KEY_EXCH
      1: NTLMSSP_NEGOTIATE_56
    ServerChallenge : 24ccc7a1ceff7e4d
    Reserved : 0000000000000000
    TargetInfoLen : 0x0040 (64)
    TargetNameInfoMaxLen : 0x0040 (64)
    TargetInfo : *
      TargetInfo: struct AV_PAIR_LIST
        count : 0x00000005 (5)
        pair: ARRAY(5)
          pair: struct AV_PAIR
            AvId : MsvAvNbDomainName (0x2)
            AvLen : 0x000e (14)
            Value : union ntlmssp_AvValue(case 0x2)
              AvNbDomainName : 'MYDOMAIN'
          pair: struct AV_PAIR
            AvId : MsvAvNbComputerName (0x1)
            AvLen : 0x000c (12)
            Value : union ntlmssp_AvValue(case 0x1)
              AvNbComputerName : 'MYSMB'
          pair: struct AV_PAIR
            AvId : MsvAvDnsDomainName (0x4)
            AvLen : 0x0000 (0)
            Value : union ntlmssp_AvValue(case 0x4)
              AvDnsDomainName : ''
          pair: struct AV_PAIR
            AvId : MsvAvDnsComputerName (0x3)
            AvLen : 0x0012 (18)
            Value : union ntlmssp_AvValue(case 0x3)
              AvDnsComputerName : 'localhost'
          pair: struct AV_PAIR
            AvId : MsvAvEOL (0x0)
            AvLen : 0x0000 (0)
            Value : union ntlmssp_AvValue(case 0x0)
    Version: struct VERSION
      ProductMajorVersion : UNKNOWN_ENUM_VALUE (0x4B)
      ProductMinorVersion : NTLMSSP_WINDOWS_MINOR_VERSION_0 (0x0)
      ProductBuild : 0x004f (79)
      Reserved : 45004c
      NTLMRevisionCurrent : UNKNOWN_ENUM_VALUE (0x0)
...........
[2010/06/07 11:14:00.475469, 10] lib/smbldap.c:647(smbldap_make_mod)
  smbldap_make_mod: adding attribute |uid| value |D_DEPTULA_VIRT$|
[2010/06/07 11:14:00.475505, 2] passdb/pdb_ldap.c:1200(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: D_DEPTULA_VIRT$
...........
[2010/06/07 11:14:00.508208, 2] passdb/pdb_ldap.c:5472(ldapsam_create_user)
  ldapsam_create_user: added account [D_DEPTULA_VIRT$] in the LDAP database
...........
[2010/06/07 11:14:00.546757, 5] rpc_server/srv_samr_nt.c:4801(set_user_info_pw)
  Attempting administrator password change for user D_DEPTULA_VIRT$
[2010/06/07 11:14:00.546794, 0] ../libcli/auth/smbencrypt.c:589(decode_pw_buffer)
  decode_pw_buffer: incorrect password length (-1578185159).
[2010/06/07 11:14:00.546821, 0] ../libcli/auth/smbencrypt.c:590(decode_pw_buffer)
  decode_pw_buffer: check that 'encrypt passwords = yes'
[2010/06/07 11:14:00.546869, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (22361, 513) - sec_ctx_stack_ndx = 0
[2010/06/07 11:14:00.546908, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  samr_SetUserInfo2: struct samr_SetUserInfo2
    out: struct samr_SetUserInfo2
      result : NT_STATUS_WRONG_PASSWORD
...........
[2010/06/07 11:14:00.555929, 0] passdb/pdb_ldap.c:5489(ldapsam_delete_user)
  ldapsam_delete_user: Attempt to delete user [D_DEPTULA_VIRT$]
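
A small triage script for logs like the one above, added here as an example and not part of the original post or of Samba: it pulls the domain-join events out of a high-debug-level log so the order of challenge request, authenticate failure, account creation, password-buffer error and account deletion can be read at a glance. The event names and the rule table are assumptions of this example; the matched strings and sample lines are the ones in the log above, laid out with the header and the message on separate lines.

```python
import re
# Samba debug header: "[date time, level] file.c:line(function)"
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\]\s+\S+:\d+\((\w+)\)")
# (event name, logging function, message pattern); event names are this example's own
RULES = [
    ("challenge_requested", "api_rpcTNP", r"NETR_SERVERREQCHALLENGE"),
    ("no_challenge", "_netr_ServerAuthenticate3", r"no challenge sent to client (\S+)"),
    ("account_created", "ldapsam_create_user", r"added account \[([^\]]+)\]"),
    ("bad_pw_buffer", "decode_pw_buffer", r"incorrect password length \((-?\d+)\)"),
    ("account_deleted", "ldapsam_delete_user", r"Attempt to delete user \[([^\]]+)\]"),
]
# Sample input: lines copied from the log in the post
SAMPLE = """\
[2010/06/07 11:13:59.288214, 3] rpc_server/srv_pipe.c:2414(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2010/06/07 11:13:59.306857, 0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client D_DEPTULA_VIRT
[2010/06/07 11:14:00.508208, 2] passdb/pdb_ldap.c:5472(ldapsam_create_user)
  ldapsam_create_user: added account [D_DEPTULA_VIRT$] in the LDAP database
[2010/06/07 11:14:00.546794, 0] ../libcli/auth/smbencrypt.c:589(decode_pw_buffer)
  decode_pw_buffer: incorrect password length (-1578185159).
[2010/06/07 11:14:00.555929, 0] passdb/pdb_ldap.c:5489(ldapsam_delete_user)
  ldapsam_delete_user: Attempt to delete user [D_DEPTULA_VIRT$]
"""

def parse_entries(text):
    """Attach each message to the header line that precedes it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m[1], "func": m[2], "msg": line[m.end():].strip()})
        elif entries:
            entries[-1]["msg"] += " " + line.strip()
    return entries

def join_timeline(text):
    """Return (time, event, detail) for every entry that matches a rule."""
    events = []
    for e in parse_entries(text):
        for name, func, pattern in RULES:
            m = re.search(pattern, e["msg"]) if e["func"] == func else None
            if m:
                events.append((e["time"], name, m[1] if m.lastindex else None))
    return events

def rolled_back_accounts(events):
    """Accounts that were both created and deleted in the same log."""
    created = {d for _, n, d in events if n == "account_created"}
    return [d for _, n, d in events if n == "account_deleted" and d in created]
```

Calling `join_timeline()` on the text of a real log file gives the same tuples; entries whose function or message matches no rule are skipped.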