Roland Schwingel
2015-Jul-06 07:53 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Good morning Rowland and samba list ...

Rowland Penny wrote on 03.07.2015 18:36:32:

> From: Rowland Penny <rowlandpenny241155 at gmail.com>
> To: samba at lists.samba.org,
> Date: 03.07.2015 18:40
> Subject: Re: [Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
> Sent by: samba-bounces at lists.samba.org
>
> On 03/07/15 16:31, Roland Schwingel wrote:
> > Hi ...
> >
> > When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
> > problem that bugs me for hours now. I cannot get a samba 4.2.2
> > fileserver to work with a samba 4.2.2 PDC as a domain member.
> > ...
> Hi, there were some changes made when 4.2.0 came out, these changes may
> be your problem, see here:
>
> https://www.samba.org/samba/history/samba-4.2.0.html
>
> Under the heading: Winbindd/Netlogon improvements

Thanks for the hint. I read that and added "allow nt4 crypto = yes" to my 4.2.2 PDC. This changed things a little bit but still gives me no working 4.2.2 member server. I also added "require strong key = no" and "client NTLMv2 auth = no" to the member server's smb.conf, but it did not change anything.

Here is the log file on the dedicated member server of one client trying to connect to my member server:

SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK
[2015/07/06 08:02:46.342573, 3] ../source3/smbd/oplock.c:1306(init_oplocks) init_oplocks: initializing messages.
[2015/07/06 08:02:46.342706, 3] ../source3/smbd/process.c:1879(process_smb) Transaction 0 of length 159 (0 toread)
[2015/07/06 08:02:46.342748, 3] ../source3/smbd/process.c:1489(switch_message) switch message SMBnegprot (pid 10895) conn 0x0
[2015/07/06 08:02:46.343225, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/07/06 08:02:46.343263, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [LANMAN1.0]
[2015/07/06 08:02:46.343288, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [Windows for Workgroups 3.1a]
[2015/07/06 08:02:46.343302, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [LM1.2X002]
[2015/07/06 08:02:46.343313, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [LANMAN2.1]
[2015/07/06 08:02:46.343329, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [NT LM 0.12]
[2015/07/06 08:02:46.343344, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [SMB 2.002]
[2015/07/06 08:02:46.343358, 3] ../source3/smbd/negprot.c:575(reply_negprot) Requested protocol [SMB 2.???]
[2015/07/06 08:02:46.343571, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot) Selected protocol SMB2_FF
[2015/07/06 08:02:46.344934, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'gssapi_spnego' registered
[2015/07/06 08:02:46.344982, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'gssapi_krb5' registered
[2015/07/06 08:02:46.344996, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'gssapi_krb5_sasl' registered
[2015/07/06 08:02:46.356774, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/07/06 08:02:46.356804, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'spnego' registered
[2015/07/06 08:02:46.356819, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'schannel' registered
[2015/07/06 08:02:46.356831, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'naclrpc_as_system' registered
[2015/07/06 08:02:46.356841, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'sasl-EXTERNAL' registered
[2015/07/06 08:02:46.356852, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'ntlmssp' registered
[2015/07/06 08:02:46.356862, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'http_basic' registered
[2015/07/06 08:02:46.356872, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'http_ntlm' registered
[2015/07/06 08:02:46.356883, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'krb5' registered
[2015/07/06 08:02:46.356894, 3] ../auth/gensec/gensec_start.c:885(gensec_register) GENSEC backend 'fake_gssapi_krb5' registered
[2015/07/06 08:02:46.357284, 3] ../source3/smbd/negprot.c:683(reply_negprot) Selected protocol SMB 2.???
[2015/07/06 08:02:46.359312, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot) Selected protocol SMB2_10
[2015/07/06 08:02:46.990929, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xe2088297
[2015/07/06 08:02:46.991652, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth) Got user=[roland] domain=[MYDOM] workstation=[DEVINTEL-100] len1=24 len2=314
[2015/07/06 08:02:46.991697, 3] ../source3/param/loadparm.c:3647(lp_load_ex) lp_load_ex: refreshing parameters
[2015/07/06 08:02:46.991811, 3] ../source3/param/loadparm.c:564(init_globals) Initialising global parameters
[2015/07/06 08:02:46.991927, 3] ../source3/param/loadparm.c:2597(lp_do_section) Processing section "[global]"
[2015/07/06 08:02:46.992040, 2] ../source3/param/loadparm.c:2614(lp_do_section) Processing section "[testshare]"
[2015/07/06 08:02:46.992111, 3] ../source3/param/loadparm.c:1495(lp_add_ipc) adding IPC service
[2015/07/06 08:02:46.994597, 3] ../source3/libsmb/namequery.c:3103(get_dc_list) get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:46.994804, 3] ../source3/libsmb/namequery.c:2323(resolve_hosts) resolve_hosts: Attempting host lookup for name subnet-ldap<0x20>
[2015/07/06 08:02:47.022939, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name) rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.023024, 3] ../source3/lib/util_sock.c:617(open_socket_out_send) Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.083675, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password) check_ntlm_password: Checking password for unmapped user [MYDOM]\[roland]@[DEVINTEL-100] with the new password interface
[2015/07/06 08:02:47.083721, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password) check_ntlm_password: mapped user is: [MYDOM]\[roland]@[DEVINTEL-100]
[2015/07/06 08:02:47.083862, 3] ../source3/libsmb/namequery.c:3103(get_dc_list) get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:47.084734, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name) rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.084963, 3] ../source3/lib/util_sock.c:617(open_socket_out_send) Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate) domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/06 08:02:47.189817, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password) check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.189854, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg) SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.190446, 3] ../source3/smbd/server_exit.c:246(exit_server_common) Server exit (NT_STATUS_CONNECTION_RESET)

So the problem is appearing here:

[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate) domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.

Why on earth is this happening? When my win7 testmachine is trying to access the 4.2.2 PDC directly everything is fine and easy. So I believe the setup of the PDC is correct.

In the first 2 lines of the log I see the SIDs dumped, both for my domain and for my member server:

SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK

According to my LDAP the sid for my test member server (OSUSE-TEST) should be S-1-5-21-290147797-1639656955-1287535205-61405

Is this maybe a problem? Or is this just the real local sid, not the domain sid of this machine?

Where shall I look on my 4.2.2 PDC to get more info on the auth problem? The logfiles for the member server are empty on my PDC.

Thanks for all your help! I hope this can be resolved soon!

Roland
Rowland Penny
2015-Jul-06 08:03 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
On 06/07/15 08:53, Roland Schwingel wrote:
> Good morning Rowland and samba list ...
>
> Rowland Penny wrote on 03.07.2015 18:36:32:
>
> > From: Rowland Penny <rowlandpenny241155 at gmail.com>
> > To: samba at lists.samba.org,
> > Date: 03.07.2015 18:40
> > Subject: Re: [Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
> > Sent by: samba-bounces at lists.samba.org
> >
> > On 03/07/15 16:31, Roland Schwingel wrote:
> > > Hi ...
> > >
> > > When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
> > > problem that bugs me for hours now. I cannot get a samba 4.2.2
> > > fileserver to work with a samba 4.2.2 PDC as a domain member.
> > > ...
> > Hi, there were some changes made when 4.2.0 came out, these changes may
> > be your problem, see here:
> >
> > https://www.samba.org/samba/history/samba-4.2.0.html
> >
> > Under the heading: Winbindd/Netlogon improvements
>
> Thanks for the hint. I read that and added "allow nt4 crypto = yes" to
> my 4.2.2 PDC. This changed things a little bit but still gives me no
> working 4.2.2 member server. I also added "require strong key = no" and
> "client NTLMv2 auth = no" to the member server's smb.conf, but it did
> not change anything.
>
> Here is the log file on the dedicated member server of one client
> trying to connect to my member server:
>
> SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
> SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> Join to 'MYDOM' is OK
[snip]
>
> So the problem is appearing here:
> [2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
> domain_client_validate: unable to validate password for user roland
> in domain MYDOM to Domain controller PDCHOST. Error was
> NT_STATUS_LOCK_NOT_GRANTED.
>
> Why on earth is this happening? When my win7 testmachine is trying
> to access the 4.2.2 PDC directly everything is fine and easy. So I
> believe the setup of the PDC is correct.
>
> In the first 2 lines of the log I see the SIDs dumped.
> Both for my domain and for my member server.
>
> SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
> SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> Join to 'MYDOM' is OK
>
> According to my LDAP the sid for my test member server (OSUSE-TEST)
> should be S-1-5-21-290147797-1639656955-1287535205-61405

Just what do you mean by 'According to my LDAP' ? Have *you* set the SID somewhere?

> Is this maybe a problem? Or is this just the real local sid, not the
> domain sid of this machine?

The local SID is *never* the domain SID, you should use the domain SID.

Rowland

> Where shall I look on my 4.2.2 PDC to get more info on the auth
> problem? The logfiles for the member server are empty on my PDC.
>
> Thanks for all your help! I hope this can be resolved soon!
>
> Roland
Roland Schwingel
2015-Jul-06 10:33 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Thanks for your reply,

Rowland Penny <rowlandpenny241155 at gmail.com> wrote on 06.07.2015 10:03:20:

> > In the first 2 lines of the log I see the SIDs dumped.
> > Both for my domain and for my member server.
> >
> > SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
> > SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> > Join to 'MYDOM' is OK
> >
> > According to my LDAP the sid for my test member server (OSUSE-TEST)
> > should be S-1-5-21-290147797-1639656955-1287535205-61405
>
> Just what do you mean by 'According to my LDAP' ?
> Have *you* set the SID somewhere?

We have a quite big LDAP and DNS setup. This is one reason why we can't switch to samba as AD right now. I made a little php script a decade ago which is hooked in as "add machine script" on my PDC. This script searches for a free domain sid and creates a machine account in LDAP. This has worked very well for many years now.

The sid for MYDOM is: S-1-5-21-290147797-1639656955-1287535205
The sid for my domain member server in this domain is therefore: S-1-5-21-290147797-1639656955-1287535205-61405

Here is the ldif for my still not working member server:

# osuse-test$, computers, samba, mydom.com
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
sambaPwdLastSet: 1436177562
sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
sambaAcctFlags: [WX ]
uid: osuse-test$
cn: osuse-test$
displayName: osuse-test$
gidNumber: 515
gecos: Computer
description: Computer
homeDirectory: /dev/null
loginShell: /bin/false
uidNumber: 61405
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaKickoffTime: 2147483647
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaDomainName: MYDOM
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSAMAccount

I have bootstrapped my samba member server before joining the domain with
net setdomainsid S-1-5-21-290147797-1639656955-1287535205
During net rpc join, the domain sid ending in -61405 was generated by my php script and written to LDAP.

On my memberserver I get the following output of these commands:
net getlocalsid => S-1-5-21-1853263269-3041869306-167322181
net getdomainsid => S-1-5-21-290147797-1639656955-1287535205

Is there no way to detect on my PDC what the problem is? Why is my PDC Samba rejecting my samba member server...?

Thanks for your help again,

Roland
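The checks this thread does by eye, as an added example (not code from the Samba project or from anyone in this thread): it parses the smbd debug log quoted in the first message to find the lowest-level entry carrying an NT_STATUS code, and it cross-checks a member's local SID, the domain SID and its LDAP machine account the way the SID discussion above does (local SID must differ from the domain SID, sambaSID must be domain SID plus RID, sambaPrimaryGroupSID must be Domain Computers, RID 515, and sambaAcctFlags must carry W for a workstation trust account). The function names are this example's own; the SIDs, log lines and LDIF attributes are copied, trimmed, from the posts above.

```python
# Added example; not Samba project code and not code from anyone in this thread.
# Sample log lines, SIDs and LDIF attributes below are copied (trimmed) from the posts.
import re

# smbd debug header: "[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)"
HEADER_RE = re.compile(r"^\[(?P<ts>[\d/ :.]+),\s*(?P<level>\d+)\]\s*(?P<src>\S+?)\((?P<func>\w+)\)\s*(?P<msg>.*)$")
STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z_]+\b")
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}(-\d+)?$")  # domain SID with optional trailing RID
DOMAIN_COMPUTERS_RID = 515                            # well-known RID of "Domain Computers"

def parse_log(lines):
    """Join smbd header lines with their indented message lines; tag each entry with its NT_STATUS code, if any."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            entries.append({"level": int(m["level"]), "func": m["func"], "msg": m["msg"].strip()})
        elif entries:  # continuation of the previous entry's message
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    for e in entries:
        s = STATUS_RE.search(e["msg"])
        e["status"] = s.group(0) if s else None
    return entries

def first_failure(entries, max_level=1):
    """First entry at debug level <= max_level carrying an NT_STATUS code: where the auth path broke."""
    return next((e for e in entries if e["level"] <= max_level and e["status"]), None)

def split_sid(sid):
    """'S-1-5-21-a-b-c-rid' -> (domain SID, rid); a bare domain SID -> (sid, None); raises otherwise."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an S-1-5-21 style SID: {sid!r}")
    if m.group(1) is None:
        return sid, None
    head, _, rid = sid.rpartition("-")
    return head, int(rid)

def parse_ldif(text):
    """Minimal single-entry LDIF reader: 'attr: value' lines, '#' comments, values folded onto space-led lines."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last:
            attrs[last][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last = key.strip()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def check_member(attrs, domain_sid, local_sid):
    """Return findings (empty list = consistent) for a member's local SID, domain SID and LDAP machine account."""
    findings = []
    if local_sid == domain_sid:
        findings.append("local machine SID equals the domain SID; a member's local SID must be distinct")
    if "W" not in attrs.get("sambaAcctFlags", [""])[0]:
        findings.append("sambaAcctFlags lacks 'W' (workstation trust account)")
    try:
        dom, rid = split_sid(attrs.get("sambaSID", [""])[0])
    except ValueError as exc:
        return findings + [str(exc)]
    if dom != domain_sid or rid is None:
        findings.append(f"sambaSID is not <domain SID>-<RID> under {domain_sid}")
    expected_pg = f"{domain_sid}-{DOMAIN_COMPUTERS_RID}"
    if attrs.get("sambaPrimaryGroupSID", [""])[0] != expected_pg:
        findings.append(f"sambaPrimaryGroupSID is not Domain Computers ({expected_pg})")
    return findings

LOCAL_SID = "S-1-5-21-1853263269-3041869306-167322181"  # net getlocalsid on the member (from the thread)
DOMAIN_SID = "S-1-5-21-290147797-1639656955-1287535205"  # net getdomainsid (from the thread)
SAMPLE_LDIF = """\
# osuse-test$, computers, samba, mydom.com
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
sambaAcctFlags: [WX ]
uid: osuse-test$
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
objectClass: sambaSAMAccount
"""
SAMPLE_LOG = """\
[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
  domain_client_validate: unable to validate password for user roland in domain MYDOM
  to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/06 08:02:47.189817, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
""".splitlines()

if __name__ == "__main__":
    fail = first_failure(parse_log(SAMPLE_LOG))
    print(f"auth path broke in {fail['func']}: {fail['status']}")
    print(check_member(parse_ldif(SAMPLE_LDIF), DOMAIN_SID, LOCAL_SID) or ["SIDs and machine account look consistent"])
```

On the thread's own values the SID checks come back clean and the log scan points at domain_client_validate with NT_STATUS_LOCK_NOT_GRANTED, which matches Rowland's reading that the SIDs are not the problem and narrows the search to the member-to-PDC validation step.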
Rowland Penny
2015-Jul-06 11:22 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
On 06/07/15 11:33, Roland Schwingel wrote:
> Thanks for your reply,
>
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote on 06.07.2015 10:03:20:
>
> > > In the first 2 lines of the log I see the SIDs dumped.
> > > Both for my domain and for my member server.
> > >
> > > SID for local machine OSUSE-TEST is: S-1-5-21-1853263269-3041869306-167322181
> > > SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> > > Join to 'MYDOM' is OK
> > >
> > > According to my LDAP the sid for my test member server (OSUSE-TEST)
> > > should be S-1-5-21-290147797-1639656955-1287535205-61405
> >
> > Just what do you mean by 'According to my LDAP' ?
> > Have *you* set the SID somewhere?
>
> We have a quite big LDAP and DNS setup. This is one reason why we
> can't switch to samba as AD right now. I made a little php script a
> decade ago which is hooked in as "add machine script" on my PDC. This
> script searches for a free domain sid and creates a machine account in
> LDAP. This has worked very well for many years now.
>
> The sid for MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> The sid for my domain member server in this domain is therefore:
> S-1-5-21-290147797-1639656955-1287535205-61405
>
> Here is the ldif for my still not working member server:
>
> # osuse-test$, computers, samba, mydom.com
> dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
> sambaPwdLastSet: 1436177562
> sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
> sambaAcctFlags: [WX ]
> uid: osuse-test$
> cn: osuse-test$
> displayName: osuse-test$
> gidNumber: 515
> gecos: Computer
> description: Computer
> homeDirectory: /dev/null
> loginShell: /bin/false
> uidNumber: 61405
> sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
> sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaKickoffTime: 2147483647
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaDomainName: MYDOM
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSAMAccount

There doesn't seem to be anything wrong with that ldif.

> I have bootstrapped my samba member server before joining the domain with
> net setdomainsid S-1-5-21-290147797-1639656955-1287535205
> During net rpc join, the domain sid ending in -61405 was generated by my
> php script and written to LDAP.
>
> On my memberserver I get the following output of these commands:
> net getlocalsid => S-1-5-21-1853263269-3041869306-167322181
> net getdomainsid => S-1-5-21-290147797-1639656955-1287535205

I take it that you ran 'net getdomainsid' on the PDC and this is the SID you are using.

> Is there no way to detect on my PDC what the problem is? Why is my PDC
> Samba rejecting my samba member server...?

Permissions ?? Is the join correct ?

It has been some time since I did anything major with an LDAP PDC and even then I used smbldap tools. It seems strange that 3.6 works but 4.2.2 doesn't, have you looked into the bug report that was posted in this thread ?

From my understanding, you should be able to use 4.2.x just like 3.6.x, but there are slight differences as I pointed out.

What are the problems, reasons etc. for not moving to AD? I ask this because you seem to be trying to set up a new domain and surely this is the very time to upgrade.

Rowland

> Thanks for your help again,
>
> Roland
Roel van Meer
2015-Jul-09 13:00 UTC
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working
Roland Schwingel writes:

[snip]
> So the problem is appearing here:
> [2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
> domain_client_validate: unable to validate password for user roland in
> domain MYDOM to Domain controller PDCHOST. Error was
> NT_STATUS_LOCK_NOT_GRANTED.
>
> Why on earth is this happening? When my win7 testmachine is trying
> to access the 4.2.2 PDC directly everything is fine and easy. So I believe
> the setup of the PDC is correct.

Hi Roland,

I had the exact same error, although my setup differed slightly. I tested different versions of Samba, and in my case the problem happened only with 4.2.[0-2]. Samba 4.1.13 does not have the problem, and a build from Git master doesn't have it either.

So, you might want to try Samba 4.1.19 or wait for Samba 4.2.3.

Hope this helps,

Roel