Alexander Födisch
2011-Nov-08 08:44 UTC
[Samba] Problem while log on: Windows Server 2008 R2 in samba domain
Hi,

I have a strange problem with a Windows Server 2008 R2 system as a member of a Samba domain (Samba version on PDC: 3.4.12).
The join was successful, but when I log on to Windows I get the error "Unknown user name or bad password." (Event ID 4625).

Here is an excerpt of the log file for the Windows Server 2008 R2 system (log level 10). Maybe one of you has an idea:

------------------------------------------------------------------------------------
[2011/11/07 16:37:15, 9] passdb/passdb.c:2245(pdb_increment_bad_password_count)
  No lockout policy, don't track bad passwords
[2011/11/07 16:37:15, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(999, 514) : sec_ctx_stack_ndx = 1
[2011/11/07 16:37:15, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2011/11/07 16:37:15, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/11/07 16:37:15, 5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2011/11/07 16:37:15, 5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/11/07 16:37:15, 4] passdb/pdb_ldap.c:2015(ldapsam_update_sam_account)
  ldapsam_update_sam_account: user foedisch to be modified has dn: uid=foedisch,dc=xxx,dc=xxx,dc=xx
[2011/11/07 16:37:15, 2] passdb/pdb_ldap.c:1199(init_ldap_from_sam)
  init_ldap_from_sam: Setting entry for user: foedisch
[2011/11/07 16:37:15, 4] passdb/pdb_ldap.c:2029(ldapsam_update_sam_account)
  ldapsam_update_sam_account: mods is empty: nothing to update for user: foedisch
[2011/11/07 16:37:15, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (999, 514) - sec_ctx_stack_ndx = 0
[2011/11/07 16:37:15, 5] auth/auth.c:274(check_ntlm_password)
  check_ntlm_password: sam authentication for user [foedisch] FAILED with error NT_STATUS_WRONG_PASSWORD
[....]
[2011/11/07 16:37:15, 5] rpc_server/srv_netlog_nt.c:1041(_netr_LogonSamLogon)
  _netr_LogonSamLogon: check_password returned status NT_STATUS_WRONG_PASSWORD
[2011/11/07 16:37:15, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
  netr_LogonSamLogon: struct netr_LogonSamLogon
      out: struct netr_LogonSamLogon
          return_authenticator : *
              return_authenticator: struct netr_Authenticator
                  cred: struct netr_Credential
                      data : fafde2c3dc0af8fc
                  timestamp : Mon Nov 7 16:38:40 2011 CET
          validation : *
              validation : union netr_Validation(case 3)
              sam3 : *
                  sam3: struct netr_SamInfo3
                      base: struct netr_SamBaseInfo
                          last_logon : NTTIME(0)
                          last_logoff : NTTIME(0)
                          acct_expiry : NTTIME(0)
                          last_password_change : NTTIME(0)
                          allow_password_change : NTTIME(0)
                          force_password_change : NTTIME(0)
                          account_name: struct lsa_String
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          full_name: struct lsa_String
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          logon_script: struct lsa_String
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          profile_path: struct lsa_String
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          home_directory: struct lsa_String
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          home_drive: struct lsa_String
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          logon_count : 0x0000 (0)
                          bad_password_count : 0x0000 (0)
                          rid : 0x00000000 (0)
                          primary_gid : 0x00000000 (0)
                          groups: struct samr_RidWithAttributeArray
                              count : 0x00000000 (0)
                              rids : NULL
                          user_flags : 0x00000000 (0)
                              0: NETLOGON_GUEST
                              0: NETLOGON_NOENCRYPTION
                              0: NETLOGON_CACHED_ACCOUNT
                              0: NETLOGON_USED_LM_PASSWORD
                              0: NETLOGON_EXTRA_SIDS
                              0: NETLOGON_SUBAUTH_SESSION_KEY
                              0: NETLOGON_SERVER_TRUST_ACCOUNT
                              0: NETLOGON_NTLMV2_ENABLED
                              0: NETLOGON_RESOURCE_GROUPS
                              0: NETLOGON_PROFILE_PATH_RETURNED
                              0: NETLOGON_GRACE_LOGON
                          key: struct netr_UserSessionKey
                              key : 00000000000000000000000000000000
                          logon_server: struct lsa_StringLarge
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          domain: struct lsa_StringLarge
                              length : 0x0000 (0)
                              size : 0x0000 (0)
                              string : NULL
                          domain_sid : NULL
                          LMSessKey: struct netr_LMSessionKey
                              key : 0000000000000000
                          acct_flags : 0x00000000 (0)
                              0: ACB_DISABLED
                              0: ACB_HOMDIRREQ
                              0: ACB_PWNOTREQ
                              0: ACB_TEMPDUP
                              0: ACB_NORMAL
                              0: ACB_MNS
                              0: ACB_DOMTRUST
                              0: ACB_WSTRUST
                              0: ACB_SVRTRUST
                              0: ACB_PWNOEXP
                              0: ACB_AUTOLOCK
                              0: ACB_ENC_TXT_PWD_ALLOWED
                              0: ACB_SMARTCARD_REQUIRED
                              0: ACB_TRUSTED_FOR_DELEGATION
                              0: ACB_NOT_DELEGATED
                              0: ACB_USE_DES_KEY_ONLY
                              0: ACB_DONT_REQUIRE_PREAUTH
                              0: ACB_PW_EXPIRED
                              0: ACB_NO_AUTH_DATA_REQD
                          unknown: ARRAY(7)
                              unknown : 0x00000000 (0)
                              unknown : 0x00000000 (0)
                              unknown : 0x00000000 (0)
                              unknown : 0x00000000 (0)
                              unknown : 0x00000000 (0)
                              unknown : 0x00000000 (0)
                              unknown : 0x00000000 (0)
                      sidcount : 0x00000000 (0)
                      sids : NULL
          authoritative : *
              authoritative : 0x01 (1)
          result : NT_STATUS_WRONG_PASSWORD
------------------------------------------------------------------------------------

~ # ldapsearch -x -H ldaps://<pdc> -D uid=xxx,dc=xxx,dc=xxx,dc=xxx -W -LLL '(sambaDomainName=EVAN)'
Enter LDAP Password:

dn: sambaDomainName=EVAN,dc=xxx,dc=xxx,dc=xx
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: EVAN
sambaSID: S-1-5-21-1042031166-387543594-2118856591
sambaMinPwdAge: 0
sambaMaxPwdAge: -1
sambaLockoutThreshold: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaForceLogoff: -1
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaRefuseMachinePwdChange: 0
sambaPwdHistoryLength: 0
gidNumber: 3616
sambaNextRid: 1183
uidNumber: 12704

Thank you!

Best,
Alex
Alexander Födisch
2011-Nov-14 07:39 UTC
[Samba] Problem while log on: Windows Server 2008 R2 in samba domain
An upgrade to Samba 3.5.12 on both domain controllers resolved this issue.

Best
Alex