Farhan Ahmad
2011-Jan-18 18:03 UTC
[Samba] LDAP & PDC: Can join domain, but cannot login afterwards.
Hi,

I am setting up a PDC with LDAP, but having no luck with it. Basically, the Win XP computer successfully joins the domain, but after restarting when I try to login it says "The system cannot log you on now because the domain THEBITGURU.LAN is not available." I am running an Ubuntu 10.10 server with Samba 3.5.4 and OpenLDAP 2.4.3 (slapd).

I have compressed all of the samba logs (/var/log/samba) files along with the smb.conf: http://www.thebitguru.com/site_media/uploads/samba_troubleshooting.tar.gz I turned up the logging (log level = 4) and created a folder with the log files after each step.

Below is what I have gathered so far about the different steps.

*Relevant Notes*

1. I installed ClearOS on another virtual machine and set it up as a PDC. This same WinXP virtual machine successfully joined that domain and was able to login without any issues. So, I am concluding that the client is set up correctly.
   1. I even tried comparing the smb.conf files and updating the one on my actual server, but no luck.
2. Another Windows 7 machine with the changes listed on http://wiki.samba.org/index.php/Windows7 behaves similarly, i.e. cannot login after joining the domain.
3. I can mount the share (\\visionary\shared) served by this server on both WinXP and Windows 7 without any issues. This tells me that the authentication with the LDAP server is working OK.

*Domain Join (log files in after_domain_join folder)*

1. Note how the sending machine correctly sent the user and domains in this case.

   [2011/01/18 10:24:35.521835, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
     Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744] len1=24 len2=24

2. Also, note that the user authentication and mapping seemed to work OK in this case.

   [2011/01/18 10:24:35.521954, 3] auth/auth.c:219(check_ntlm_password)
     check_ntlm_password: mapped user is: [THEBITGURU.LAN]\[root]@[VIRTUALXP-32744]
   .
   .
   .
   [2011/01/18 10:24:35.523891, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
     init_sam_from_ldap: Entry found for user: root

3. Even though the Win XP system says that it joined the domain OK, the following output in the log file seems suspicious. This is at the end of log.virtualxp-32744.

   [2011/01/18 10:24:36.932921, 3] smbd/connection.c:31(yield_connection)
     Yielding connection to
   [2011/01/18 10:24:36.933031, 3] smbd/server.c:906(exit_server_common)
     Server exit (failed to receive smb request)

*First Failed Login (log files in after_first_failed_login folder)*

1. Unlike #1 above, in this case we neither see the user nor the domain. I think this is where the problem lies.

   [2011/01/18 10:26:01.920055, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
     Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0

2. The server still falls back to the domain, but still no user.

   [2011/01/18 10:26:01.920172, 3] auth/auth.c:219(check_ntlm_password)
     check_ntlm_password: mapped user is: [THEBITGURU.LAN]\[]@[VIRTUALXP-32744]

3. So it goes looking for the guest user.

   [2011/01/18 10:26:01.922536, 3] auth/auth.c:265(check_ntlm_password)
     check_ntlm_password: guest authentication for user [] succeeded

4. There might be other weird things, for instance, the "Server exit (failed to receive smb request)" message, but if I can figure out the issue with #1 then I am thinking that the rest will be fixed.

I have tried a lot of stuff, but haven't had any luck. What should I do next to fix this issue?

Thanks!
Farhan
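Added example, not part of the original post: a small parser for the smbd debug-log layout quoted above (a header line followed by message lines) that records each NTLMSSP attempt and marks the ones where the client sent an empty user name and the server then accepted the session as guest. The function names are illustrative, and the pairing assumes a single per-client log file such as log.virtualxp-32744.

```python
import re

# smbd debug entry: "[timestamp, level] file:line(function)" header, then message lines.
HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*\d+\] \S+?:\d+\((\w+)\)$")
GOT = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
GUEST = re.compile(r"guest authentication for user \[[^\]]*\] succeeded")

def parse_entries(text):
    """Group log text into entries: {'ts', 'func', 'msg'}."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m.group(1), "func": m.group(2), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def summarize_auth(text):
    """One record per NTLMSSP attempt; assumes a single per-client log (log.%m)."""
    attempts = []
    for e in parse_entries(text):
        got = GOT.search(e["msg"])
        if e["func"] == "ntlmssp_server_auth" and got:
            user, domain, ws = got.groups()
            attempts.append({"ts": e["ts"], "user": user, "domain": domain, "workstation": ws,
                             "anonymous": user == "", "guest": False})
        elif e["func"] == "check_ntlm_password" and attempts and GUEST.search(e["msg"]):
            attempts[-1]["guest"] = True  # the preceding attempt ended up as guest
    return attempts

# Log lines quoted in the post above, laid out as header + message lines.
SAMPLE = """\
[2011/01/18 10:24:35.521835, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[root] domain=[THEBITGURU.LAN] workstation=[VIRTUALXP-32744] len1=24 len2=24
[2011/01/18 10:24:35.521954, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [THEBITGURU.LAN]\\[root]@[VIRTUALXP-32744]
[2011/01/18 10:26:01.920055, 3] libsmb/ntlmssp.c:747(ntlmssp_server_auth)
  Got user=[] domain=[] workstation=[VIRTUALXP-32744] len1=1 len2=0
[2011/01/18 10:26:01.920172, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [THEBITGURU.LAN]\\[]@[VIRTUALXP-32744]
[2011/01/18 10:26:01.922536, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
"""

if __name__ == "__main__":
    for a in summarize_auth(SAMPLE):
        print(a["ts"], a["workstation"], repr(a["user"]), "guest" if a["guest"] else "not guest")
```
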
Linux Addict
2011-Jan-25 21:52 UTC
[Samba] LDAP & PDC: Can join domain, but cannot login afterwards.
It looks to me like a communication issue. Put tcpdump and check for dropped packets. Is there a firewall between the systems? Does kinit <username> work?