samba - Mar 2018 - Fwd: Migrating server

Hi Harry,

sadmin and tadmin are both admin logins. I was trying to domain join with
both. sadmin is in ldap

The  olcdbindex.ldif gave this error

SASL/EXTERNAL authentication started SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config" ldap_modify: Other
(e.g.,
implementation specific) error (80) additional info: index attribute
"dhcpClassData" undefined


I did the indexing and also the log level

Here is what I got with tail -f /var/log/syslog|sed -nre 's/^.*(
slapd.*$)/\1/p' net getlocasid

slapd[2332]: <= bdb_equality_candidates: (uid) not indexed slapd[2332]:
conn=1090 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]:
conn=1090 op=11 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]:
conn=1090 op=11 SRCH attr=sambaSID slapd[2332]: <= bdb_equality_candidates:
(gidNumber) not indexed slapd[2332]: conn=1090 op=11 SEARCH RESULT tag=101
err=0 nentries=0 text= slapd[2332]: conn=1090 op=12 SRCH
base="dc=mydomain"
scope=2 deref=0
filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1090 op=12 SRCH attr=uid uidNumber gidNumber
homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange
sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName
sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber
homeDirectory loginShell gecos slapd[2332]: <= bdb_equality_candidates:
(uid) not indexed slapd[2332]: conn=1090 op=12 SEARCH RESULT tag=101 err=0
nentries=1 text= slapd[2332]: conn=1090 op=13 SRCH base="dc=mydomain"
scope=2 deref=0
filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=13 SRCH attr=sambaSID slapd[2332]:
<bdb_equality_candidates: (gidNumber) not indexed slapd[2332]: conn=1090
op=13 SEARCH RESULT tag=101 err=0 nentries=0 text= slapd[2332]: conn=1090
op=14 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]:
conn=1090 op=14 SRCH attr=uid uidNumber gidNumber homeDirectory
sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime
sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber
homeDirectory loginShell gecos slapd[2332]: <= bdb_equality_candidates:
(uid) not indexed slapd[2332]: conn=1090 op=14 SEARCH RESULT tag=101 err=0
nentries=1 text= slapd[2332]: conn=1090 op=15 SRCH base="dc=mydomain"
scope=2 deref=0
filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=15 SRCH attr=sambaSID slapd[2332]:
<bdb_equality_candidates: (gidNumber) not indexed slapd[2332]: conn=1090
op=15 SEARCH RESULT tag=101 err=0 nentries=0 text= slapd[2332]: conn=1090
fd=20 closed (connection lost) slapd[2332]: conn=1091 fd=20 ACCEPT from
IP=[::1]:38914 (IP=[::]:389) slapd[2332]: conn=1091 op=0 BIND
dn="cn=admin,dc=mydomain" method=128 slapd[2332]: conn=1091 op=0 BIND
dn="cn=admin,dc=mydomain" mech=SIMPLE ssf=0 slapd[2332]: conn=1091
op=0
RESULT tag=97 err=0 text= slapd[2332]: conn=1091 op=1 SRCH base=""
scope=0
deref=0 filter="(objectClass=*)" slapd[2332]: conn=1091 op=1 SRCH
attr=supportedControl slapd[2332]: conn=1091 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text= slapd[2332]: conn=1091 op=2 SRCH
base="dc=mydomain"
scope=2 deref=0
filter="(&(objectClass=sambaDomain)(sambaDomainName=mydomain))"
slapd[2332]: conn=1091 op=2 SRCH attr=sambaDomainName sambaNextRid
sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
objectClass slapd[2332]: conn=1091 op=2 SEARCH RESULT tag=101 err=0
nentries=1 text= slapd[2332]: conn=1091 fd=20 closed (connection lost)

Joining the machine to the domain

slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&(uid=sadmin)(objectClass=sambaSamAccount))" slapd[2332]:
conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory
sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime
sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
sambaHomePath sambaLogonScript sambaProfilePath description
sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory
modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber
homeDirectory loginShell gecos slapd[2332]: <= bdb_equality_candidates:
(uid) not indexed slapd[2332]: conn=1120 op=9 SEARCH RESULT tag=101 err=0
nentries=1 text= slapd[2332]: conn=1120 op=10 SRCH base="dc=mydomain"
scope=2 deref=0
filter="(&(gidNumber=1359)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1120 op=10 SRCH attr=sambaSID slapd[2332]:
<bdb_equality_candidates: (gidNumber) not indexed slapd[2332]: conn=1120
op=10 SEARCH RESULT tag=101 err=0 nentries=0 text= slapd[2332]: conn=1120
op=11 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
slapd[2332]: conn=1120 op=11 SRCH attr=gidNumber sambaSID slapd[2332]:
<bdb_equality_candidates: (memberUid) not indexed slapd[2332]:
<bdb_equality_candidates: (gidNumber) not indexed slapd[2332]: conn=1120
op=11 SEARCH RESULT tag=101 err=0 nentries=1 text

The two ways I can join a machine to teh domain is
- Change to TDBSAM
- Remove both the lines from smb.conf
ldapsam:editposix = yes ldapsam:trusted = yes

The strange thing is that Win7 joins to the domain, reboots then gives the
domain trust failed message. Windows10 joins and works. That might be an
issue with the machine password

My question is that are we loosing anything by not using the editposix and
trusted option. I understand that smbdlap is not supported but it seems to
work in my testing









On Wed, Mar 7, 2018 at 10:10 PM, Harry Jede <walk2sun at arcor.de> wrote:
> Hi Rob,
>
>
>
> > olcDbIndex: ou eq
>
> > olcDbIndex: mail eq
>
> > olcDbIndex: surname eq
>
> > olcDbIndex: givenname eq
>
> > olcDbIndex: loginShell eq
>
> > olcDbIndex: uniqueMember eq,pres
>
> > olcDbIndex: sambaSID eq
>
> > olcDbIndex: sambaPrimaryGroupSID eq
>
> > olcDbIndex: sambaGroupType eq
>
> > olcDbIndex: sambaSIDList eq
>
> > olcDbIndex: sambaDomainName eq
>
> > olcDbIndex: default sub
>
> > olcDbIndex: nisMapName eq
>
> > olcDbIndex: nisMapEntry eq
>
> Dont looks good.
>
>
>
> replace the indices
>
> # ldapmodify -Y external -H ldapi:/// -f olcdbindex.ldif
>
>
>
> stop slapd
>
> # /etc/init.d/slapd stop
>
>
>
> re-index
>
> # slapindex -v -n 1
>
>
>
> start slapd
>
> # /etc/init.d/slapd start
>
>
>
> We want to watch the communication between samba and ldap:
>
>
>
> First, we set another loglevel
>
> # ldapmodify -Y external -H ldapi:/// -f olcloglevel.ldif
>
>
>
> and then run in an extra terminal:
>
>
>
> tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'
>
>
>
> You will see the communication between samba and slapd.
>
> This is the output from: *net getdomainsid*
>
>
>
> slapd[18826]: conn=1000 fd=13 ACCEPT from IP=127.0.0.1:33707 (IP>
0.0.0.0:389)
>
> slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx"
method=128
>
> slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx"
> mech=SIMPLE ssf=0
>
> slapd[18826]: conn=1000 op=0 RESULT tag=97 err=0 text>
> # the bind from smbd
>
>
>
> slapd[18826]: conn=1000 op=1 SRCH base="" scope=0 deref=0
> filter="(objectClass=*)"
>
> slapd[18826]: conn=1000 op=1 SRCH attr=supportedControl
>
> slapd[18826]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1
text>
> # the search from smbd for supportedControls
>
>
>
> slapd[18826]: conn=1000 op=2 SRCH base="dc=afrika,dc=xx" scope=2
deref=0
> filter="(&(objectClass=sambaDomain)(sambaDomainName=schule))"
>
> slapd[18826]: conn=1000 op=2 SRCH attr=sambaDomainName sambaNextRid
> sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
> objectClass
>
> slapd[18826]: conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1
text>
> slapd[18826]: conn=1000 fd=13 closed (connection lost)
>
> # and finaly the search for "sambaDomainName and sambaSID"
>
> # samba do not search for single attributes,
>
> # instead all attributes from an objectclass
>
>
>
> ###
>
> $ cat olcloglevel.ldif
>
> dn: cn=config
>
> changetype: modify
>
> replace: olcloglevel
>
> olcloglevel: 256
>
> -
>
>
>
> $ cat olcdbindex.ldif
>
> dn: olcDatabase={1}hdb,cn=config
>
> changetype: modify
>
> replace: olcDbIndex
>
> olcDbIndex: cn eq,sub
>
> olcDbIndex: dc eq
>
> olcDbIndex: default eq
>
> olcDbIndex: dhcpClassData eq
>
> olcDbIndex: dhcpHWAddress eq
>
> olcDbIndex: displayName eq,sub
>
> olcDbIndex: gidNumber eq
>
> olcDbIndex: givenName eq,sub
>
> olcDbIndex: loginShell eq
>
> olcDbIndex: mail eq,sub,approx
>
> olcDbIndex: memberUid eq,sub
>
> olcDbIndex: objectClass eq
>
> olcDbIndex: ou eq
>
> olcDbIndex: sambaDomainName eq
>
> olcDbIndex: sambaGroupType eq
>
> olcDbIndex: sambaPrimaryGroupSID eq
>
> olcDbIndex: sambaSID eq
>
> olcDbIndex: sambaSIDList eq
>
> olcDbIndex: sn eq,sub
>
> olcDbIndex: uid eq,sub
>
> olcDbIndex: uidNumber eq
>
> olcDbIndex: uniqueMember eq
>
>
>
> --
>
>
>
> Gruss
>
> Harry Jede
>

Hi Rob,
> Hi Harry,
> 
> sadmin and tadmin are both admin logins. I was trying to domain join
> with both. sadmin is in ldap
> 
> The  olcdbindex.ldif gave this error
> 
> SASL/EXTERNAL authentication started SASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL 
SSF: 0
> modifying entry "olcDatabase={1}hdb,cn=config" ldap_modify: Other
> (e.g., implementation specific) error (80) additional info: index
> attribute "dhcpClassData" undefined
This attribute belongs to an objectclass you have not installed. Sorry.
In the attached ldif I have cleared this. Try again:

replace the indices
# ldapmodify -Y external -H ldapi:///  -f olcdbindex.ldif 

stop slapd
# /etc/init.d/slapd stop 

re-index
# slapindex -v -n 1 

start slapd
# /etc/init.d/slapd start
> 
> 
> I did the indexing
No, on error slapd wont modify!
> and also the log level
Yes, it is working. But, when you paste the lines in your mail composer you 
must turn of "line wrapping". Otherwise it is really hard to read.
 
> Here is what I got with tail -f /var/log/syslog|sed -nre 's/^.*(
> slapd.*$)/\1/p' net getlocasid
> 
> slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
> slapd[2332]: conn=1090 op=10 SEARCH RESULT tag=101 err=0 
nentries=1
> text= slapd[2332]: conn=1090 op=11 SRCH base="dc=mydomain" 
scope=2
> deref=0
> filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
> slapd[2332]: conn=1090 op=11 SRCH attr=sambaSID slapd[2332]: <>
bdb_equality_candidates: (gidNumber) not indexed slapd[2332]:
> conn=1090 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text>
slapd[2332]: conn=1090 op=12 SRCH base="dc=mydomain" scope=2
deref=0
> filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))" 
slapd[2332]:
> conn=1090 op=12 SRCH attr=uid uidNumber gidNumber homeDirectory
> sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange 
sambaLogonTime
> sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
> sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID 
sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags
> sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
> sambaPasswordHistory modifyTimestamp sambaLogonHours 
modifyTimestamp
> uidNumber gidNumber homeDirectory loginShell gecos slapd[2332]: <>
bdb_equality_candidates: (uid) not indexed slapd[2332]: conn=1090
> op=12 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]:
> conn=1090 op=13 SRCH base="dc=mydomain" scope=2 deref=0
> filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
> slapd[2332]: conn=1090 op=13 SRCH attr=sambaSID slapd[2332]: <>
bdb_equality_candidates: (gidNumber) not indexed slapd[2332]:
> conn=1090 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text>
slapd[2332]: conn=1090 op=14 SRCH base="dc=mydomain" scope=2
deref=0
> filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))" 
slapd[2332]:
> conn=1090 op=14 SRCH attr=uid uidNumber gidNumber homeDirectory
> sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange 
sambaLogonTime
> sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
> sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID 
sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags
> sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
> sambaPasswordHistory modifyTimestamp sambaLogonHours 
modifyTimestamp
> uidNumber gidNumber homeDirectory loginShell gecos slapd[2332]: <>
bdb_equality_candidates: (uid) not indexed slapd[2332]: conn=1090
> op=14 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]:
> conn=1090 op=15 SRCH base="dc=mydomain" scope=2 deref=0
> filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
> slapd[2332]: conn=1090 op=15 SRCH attr=sambaSID slapd[2332]: <>
bdb_equality_candidates: (gidNumber) not indexed slapd[2332]:
> conn=1090 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text>
slapd[2332]: conn=1090 fd=20 closed (connection lost) slapd[2332]:
> conn=1091 fd=20 ACCEPT from IP=[::1]:38914 (IP=[::]:389) slapd[2332]:
> conn=1091 op=0 BIND dn="cn=admin,dc=mydomain" method=128 
slapd[2332]:
> conn=1091 op=0 BIND dn="cn=admin,dc=mydomain" mech=SIMPLE 
ssf=0
> slapd[2332]: conn=1091 op=0 RESULT tag=97 err=0 text= slapd[2332]:
> conn=1091 op=1 SRCH base="" scope=0 deref=0 
filter="(objectClass=*)"
> slapd[2332]: conn=1091 op=1 SRCH attr=supportedControl 
slapd[2332]:
> conn=1091 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text> slapd[2332]:
conn=1091 op=2 SRCH base="dc=mydomain" scope=2
deref=0
>
filter="(&(objectClass=sambaDomain)(sambaDomainName=mydomain))"
> slapd[2332]: conn=1091 op=2 SRCH attr=sambaDomainName 
sambaNextRid
> sambaNextUserRid sambaNextGroupRid sambaSID 
sambaAlgorithmicRidBase
> objectClass slapd[2332]: conn=1091 op=2 SEARCH RESULT tag=101 
err=0
> nentries=1 text= slapd[2332]: conn=1091 fd=20 closed (connection 
lost)
"slapd[2332]: conn=1091" was the "net getlocalsid" command.

Please post also the output  of:
# net getlocalsid
and
# net getdomainsid
> Joining the machine to the domain
> 
> slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2 
deref=0
> filter="(&(uid=sadmin)(objectClass=sambaSamAccount))"
slapd[2332]:
> conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory
> sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange 
sambaLogonTime
> sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
> sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID 
sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags
> sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
> sambaPasswordHistory modifyTimestamp sambaLogonHours 
modifyTimestamp

Hi Rob,
> Joining the machine to the domain
> 
> slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2 
deref=0
> filter="(&(uid=sadmin)(objectClass=sambaSamAccount))"
slapd[2332]:
> conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory
> sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange 
sambaLogonTime
> sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
> sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID 
sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags
> sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
> sambaPasswordHistory modifyTimestamp sambaLogonHours 
modifyTimestamp
> uidNumber gidNumber homeDirectory loginShell gecos slapd[2332]: <>
bdb_equality_candidates: (uid) not indexed slapd[2332]: conn=1120
> op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]:
> conn=1120 op=10 SRCH base="dc=mydomain" scope=2 deref=0
> filter="(&(gidNumber=1359)(objectClass=sambaGroupMapping))"
> slapd[2332]: conn=1120 op=10 SRCH attr=sambaSID slapd[2332]: <>
bdb_equality_candidates: (gidNumber) not indexed slapd[2332]:
> conn=1120 op=10 SEARCH RESULT tag=101 err=0 nentries=0 text>
slapd[2332]: conn=1120 op=11 SRCH base="dc=mydomain" scope=2
deref=0
> filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)
(gidNumber=1359)
> ))" slapd[2332]: conn=1120 op=11 SRCH attr=gidNumber sambaSID
> slapd[2332]: <= bdb_equality_candidates: (memberUid) not indexed
> slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
> slapd[2332]: conn=1120 op=11 SEARCH RESULT tag=101 err=0 
nentries=1
> textThis is *not* a join. It is just samba's try to verify that sadmin
has the rights
(aka are in the right groups) to join. And he failed!

so post the output of

getent passwd sadmin
getent passwd hadmin

getent group 512
getent group 1359

After verifying group membership samba evaluates the privileges. This is 
not seen here. We set them, when we have solved the group problem.
> The two ways I can join a machine to teh domain is
> - Change to TDBSAM
> - Remove both the lines from smb.conf
> ldapsam:editposix = yes ldapsam:trusted = yes
> 
> The strange thing is that Win7 joins to the domain, reboots then gives
> the domain trust failed message. Windows10 joins and works. That
> might be an issue with the machine password
> 
> My question is that are we loosing anything by not using the editposix
> and trusted option. I understand that smbdlap is not supported but it
> seems to work in my testing
Once we have fixed the errors in your configuration and your data, I'm 
pretty sure that both, smbldap and sameditposix, will work. Then you must 
decide which route you will follow in the future.

Be patient, their are other errors.

PS
your output of the slapd logs are hard to read. Would be much easier if 
you turn of the line wrapping in your mail composer.

-- 

Gruss
	Harry Jede

Hi Harry,


Here are the outputs. I've attached them as logs with this email too.

root at sam3dc:/tmp/ldifs-gr# ldapmodify -Y external -H ldapi:///  -f
olcdbindex.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"


root at sam3dc:/tmp/ldifs-gr# service slapd stop
 * Stopping OpenLDAP slapd
                                                                          [
OK ]
root at sam3dc:/tmp/ldifs-gr# slapindex -v -n 1

WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!

indexing id=00000001
indexing id=00000002
indexing id=00000003
indexing id=00000004
indexing id=00000005
indexing id=00000006
It goes on and completes the indexing



root at sam3dc:/tmp/ldifs-gr# service slapd start
 * Starting OpenLDAP slapd
                                                                          [
OK ]


net getdomainsid
SID for local machine sam3dc is: S-1-5-21-286905455-3929894668-3957719032
SID for domain mydomain is: S-1-5-21-3936576374-1604348213-1812465911

net getlocalsid
SID for local machine sam3dc is: S-1-5-21-286905455-3929894668-3957719032


getent passwd sadmin
sadmin:x:1359:1359::/home/sadmin:/bin/sh

getent passwd tadmin
tadmin:x:1262:1150:Temp Admin,,,:/home/tadmin:/bin/bash

root at sam3dc:/# getent group 512
root at sam3dc:/#
root at sam3dc:/# getent group 1359
sadmin:x:1359:

SYSLOG during the netdomainsid and getlocalsid

tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'
 slapd[4698]: conn=1015 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1015 op=12 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
 slapd[4698]: conn=1015 op=12 SRCH attr=supportedExtension
 slapd[4698]: conn=1015 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1015 op=13 EXT oid=1.3.6.1.4.1.4203.1.11.1
 slapd[4698]: conn=1015 op=13 PASSMOD
id="uid=sadmin,ou=users,dc=mydomain"
new
 slapd[4698]: conn=1015 op=13 RESULT oid= err=0 text slapd[4698]: conn=1015
op=14 MOD dn="uid=sadmin,ou=users,dc=mydomain"
 slapd[4698]: conn=1015 op=14 MOD attr=sambaPwdLastSet sambaPwdLastSet
 slapd[4698]: conn=1015 op=14 RESULT tag=103 err=0 text slapd[4698]: conn=1016
fd=25 ACCEPT from IP=[::1]:39024 (IP=[::]:389)
 slapd[4698]: conn=1016 op=0 BIND dn="cn=admin,dc=mydomain" method=128
 slapd[4698]: conn=1016 op=0 BIND dn="cn=admin,dc=mydomain"
mech=SIMPLE
ssf=0
 slapd[4698]: conn=1016 op=0 RESULT tag=97 err=0 text slapd[4698]: conn=1016
op=1 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
 slapd[4698]: conn=1016 op=1 SRCH attr=supportedControl
 slapd[4698]: conn=1016 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1016 op=2 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&(objectClass=sambaDomain)(sambaDomainName=mydomain))"
 slapd[4698]: conn=1016 op=2 SRCH attr=sambaDomainName sambaNextRid
sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
objectClass
 slapd[4698]: conn=1016 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1016 fd=25 closed (connection lost)

/var/log/syslog during domain join (WIndows 7)

root at sam3dc:/# tail -f /var/log/syslog|sed -nre 's/^.*(
slapd.*$)/\1/p'
 slapd[4698]: conn=1024 fd=24 ACCEPT from IP=[::1]:39034 (IP=[::]:389)
 slapd[4698]: conn=1024 op=0 BIND dn="cn=admin,dc=mydomain" method=128
 slapd[4698]: conn=1024 op=0 BIND dn="cn=admin,dc=mydomain"
mech=SIMPLE
ssf=0
 slapd[4698]: conn=1024 op=0 RESULT tag=97 err=0 text slapd[4698]: conn=1024
op=1 SRCH base="" scope=0 deref=0
filter="(objectClass=*


)"
 slapd[4698]: conn=1024 op=1 SRCH attr=supportedControl
 slapd[4698]: conn=1024 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=2 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&


(uid=sadmin)(objectClass=sambaSamAccount))"
 slapd[4698]: conn=1024 op=2 SRCH attr=uid uidNumber gidNumber
homeDirectory sam


baPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime
sambaLogoffTime


sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath
sambaLogonScrip
                 t

sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupS
                   ID

sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags
sa


mbaMungedDial sambaBadPasswordCount sambaBadPasswordTime
sambaPasswordHistory mo


difyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber
homeDirectory


loginShell gecos
 slapd[4698]: conn=1024 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=3 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&


(gidNumber=1359)(objectClass=sambaGroupMapping))"
 slapd[4698]: conn=1024 op=3 SRCH attr=sambaSID
 slapd[4698]: conn=1024 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1024 op=4 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&


(gidNumber=1359)(objectClass=sambaGroupMapping))"
 slapd[4698]: conn=1024 op=4 SRCH attr=sambaSID
 slapd[4698]: conn=1024 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1024 op=5 SRCH
base="sambaDomainName=mydomain,dc=mydomain"


scope=0 deref=0 filter="(objectClass=sambaDomain)"
 slapd[4698]: conn=1024 op=5 SRCH attr=sambaMaxPwdAge
 slapd[4698]: conn=1024 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=6 SRCH
base="sambaDomainName=mydomain,dc=mydomain"


scope=0 deref=0 filter="(objectClass=sambaDomain)"
 slapd[4698]: conn=1024 op=6 SRCH attr=sambaMinPwdAge
 slapd[4698]: conn=1024 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=7 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&


(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
 slapd[4698]: conn=1024 op=7 SRCH attr=gidNumber sambaSID
 slapd[4698]: conn=1024 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=8 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&


(uid=sadmin)(objectClass=sambaSamAccount))"
 slapd[4698]: conn=1024 op=8 SRCH attr=uid uidNumber gidNumber
homeDirectory sam


baPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime
sambaLogoffTime


sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath
sambaLogonScrip
                 t

sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupS
                   ID

sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags
sa


mbaMungedDial sambaBadPasswordCount sambaBadPasswordTime
sambaPasswordHistory mo


difyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber
homeDirectory


loginShell gecos
 slapd[4698]: conn=1024 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=9 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&


(gidNumber=1359)(objectClass=sambaGroupMapping))"
 slapd[4698]: conn=1024 op=9 SRCH attr=sambaSID
 slapd[4698]: conn=1024 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1024 op=10 SRCH base="dc=mydomain" scope=2 deref=0
filter="(


&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
 slapd[4698]: conn=1024 op=10 SRCH attr=gidNumber sambaSID
 slapd[4698]: conn=1024 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text





On Thu, Mar 8, 2018 at 8:52 PM, Harry Jede <walk2sun at arcor.de> wrote:
> Hi Rob,
>
>
>
> > Joining the machine to the domain
>
> >
>
> > slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2
deref=0
>
> > filter="(&(uid=sadmin)(objectClass=sambaSamAccount))"
slapd[2332]:
>
> > conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory
>
> > sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime
>
> > sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
>
> > sambaHomePath sambaLogonScript sambaProfilePath description
>
> > sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword
>
> > sambaNTPassword sambaDomainName objectClass sambaAcctFlags
>
> > sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
>
> > sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
>
> > uidNumber gidNumber homeDirectory loginShell gecos slapd[2332]:
<>
> > bdb_equality_candidates: (uid) not indexed slapd[2332]: conn=1120
>
> > op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]:
>
> > conn=1120 op=10 SRCH base="dc=mydomain" scope=2 deref=0
>
> >
filter="(&(gidNumber=1359)(objectClass=sambaGroupMapping))"
>
> > slapd[2332]: conn=1120 op=10 SRCH attr=sambaSID slapd[2332]: <>
> > bdb_equality_candidates: (gidNumber) not indexed slapd[2332]:
>
> > conn=1120 op=10 SEARCH RESULT tag=101 err=0 nentries=0 text>
> > slapd[2332]: conn=1120 op=11 SRCH base="dc=mydomain" scope=2
deref=0
>
> >
filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)
>
> > ))" slapd[2332]: conn=1120 op=11 SRCH attr=gidNumber sambaSID
>
> > slapd[2332]: <= bdb_equality_candidates: (memberUid) not indexed
>
> > slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
>
> > slapd[2332]: conn=1120 op=11 SEARCH RESULT tag=101 err=0 nentries=1
>
> > text>
> This is *not* a join. It is just samba's try to verify that sadmin has
the
> rights (aka are in the right groups) to join. And he failed!
>
>
>
> so post the output of
>
>
>
> getent passwd sadmin
>
> getent passwd hadmin
>
>
>
> getent group 512
>
> getent group 1359
>
>
>
> After verifying group membership samba evaluates the privileges. This is
> not seen here. We set them, when we have solved the group problem.
>
>
>
> > The two ways I can join a machine to teh domain is
>
> > - Change to TDBSAM
>
> > - Remove both the lines from smb.conf
>
> > ldapsam:editposix = yes ldapsam:trusted = yes
>
> >
>
> > The strange thing is that Win7 joins to the domain, reboots then gives
>
> > the domain trust failed message. Windows10 joins and works. That
>
> > might be an issue with the machine password
>
> >
>
> > My question is that are we loosing anything by not using the editposix
>
> > and trusted option. I understand that smbdlap is not supported but it
>
> > seems to work in my testing
>
> Once we have fixed the errors in your configuration and your data, I'm
> pretty sure that both, smbldap and sameditposix, will work. Then you must
> decide which route you will follow in the future.
>
>
>
> Be patient, their are other errors.
>
>
>
> PS
>
> your output of the slapd logs are hard to read. Would be much easier if
> you turn of the line wrapping in your mail composer.
>
>
>
> --
>
>
>
> Gruss
>
> Harry Jede
>
-------------- next part --------------
root at sam3dc:/tmp/ldifs-gr# ldapmodify -Y external -H ldapi:///  -f
olcdbindex.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"


root at sam3dc:/tmp/ldifs-gr# service slapd stop
 * Stopping OpenLDAP slapd                                                      
[ OK ]
root at sam3dc:/tmp/ldifs-gr# slapindex -v -n 1

WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!

indexing id=00000001
indexing id=00000002
indexing id=00000003
indexing id=00000004
indexing id=00000005
indexing id=00000006
It goes on and completes the indexing



root at sam3dc:/tmp/ldifs-gr# service slapd start
 * Starting OpenLDAP slapd                                                      
[ OK ]


net getdomainsid
SID for local machine sam3dc is: S-1-5-21-286905455-3929894668-3957719032
SID for domain mydomain is: S-1-5-21-3936576374-1604348213-1812465911


tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'
[sudo] password for sadmin:
 slapd[4698]: conn=1015 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1015 op=12 SRCH base="" scope=0 deref=0
filter="(objectClass=*)"
 slapd[4698]: conn=1015 op=12 SRCH attr=supportedExtension
 slapd[4698]: conn=1015 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1015 op=13 EXT oid=1.3.6.1.4.1.4203.1.11.1
 slapd[4698]: conn=1015 op=13 PASSMOD
id="uid=sadmin,ou=users,dc=mydomain" new
 slapd[4698]: conn=1015 op=13 RESULT oid= err=0 text slapd[4698]: conn=1015
op=14 MOD dn="uid=sadmin,ou=users,dc=mydomain"
 slapd[4698]: conn=1015 op=14 MOD attr=sambaPwdLastSet sambaPwdLastSet
 slapd[4698]: conn=1015 op=14 RESULT tag=103 err=0 text slapd[4698]: conn=1016
fd=25 ACCEPT from IP=[::1]:39024 (IP=[::]:389)
 slapd[4698]: conn=1016 op=0 BIND dn="cn=admin,dc=mydomain" method=128
 slapd[4698]: conn=1016 op=0 BIND dn="cn=admin,dc=mydomain"
mech=SIMPLE ssf=0
 slapd[4698]: conn=1016 op=0 RESULT tag=97 err=0 text slapd[4698]: conn=1016
op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
 slapd[4698]: conn=1016 op=1 SRCH attr=supportedControl
 slapd[4698]: conn=1016 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1016 op=2 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&(objectClass=sambaDomain)(sambaDomainName=mydomain))"
 slapd[4698]: conn=1016 op=2 SRCH attr=sambaDomainName sambaNextRid
sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
 slapd[4698]: conn=1016 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1016 fd=25 closed (connection lost)

getent passwd sadmin
sadmin:x:1359:1359::/home/sadmin:/bin/sh

getent passwd tadmin
tadmin:x:1262:1150:Temp Admin,,,:/home/tadmin:/bin/bash

root at sam3dc:/# getent group 512
root at sam3dc:/#
root at sam3dc:/# getent group 1359
sadmin:x:1359:


DOMAIN JOIN: SYSLOG

root at sam3dc:/# tail -f /var/log/syslog|sed -nre 's/^.*(
slapd.*$)/\1/p'
 slapd[4698]: conn=1024 fd=24 ACCEPT from IP=[::1]:39034 (IP=[::]:389)
 slapd[4698]: conn=1024 op=0 BIND dn="cn=admin,dc=mydomain" method=128
 slapd[4698]: conn=1024 op=0 BIND dn="cn=admin,dc=mydomain"
mech=SIMPLE ssf=0
 slapd[4698]: conn=1024 op=0 RESULT tag=97 err=0 text slapd[4698]: conn=1024
op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*         
)"
 slapd[4698]: conn=1024 op=1 SRCH attr=supportedControl
 slapd[4698]: conn=1024 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=2 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&                                                             
(uid=sadmin)(objectClass=sambaSamAccount))"
 slapd[4698]: conn=1024 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sam
baPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime
sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScrip 
t sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupS
ID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sa
mbaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory mo
difyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory 
loginShell gecos
 slapd[4698]: conn=1024 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=3 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&                                                             
(gidNumber=1359)(objectClass=sambaGroupMapping))"
 slapd[4698]: conn=1024 op=3 SRCH attr=sambaSID
 slapd[4698]: conn=1024 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1024 op=4 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&                                                             
(gidNumber=1359)(objectClass=sambaGroupMapping))"
 slapd[4698]: conn=1024 op=4 SRCH attr=sambaSID
 slapd[4698]: conn=1024 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1024 op=5 SRCH
base="sambaDomainName=mydomain,dc=mydomain"                           
scope=0 deref=0 filter="(objectClass=sambaDomain)"
 slapd[4698]: conn=1024 op=5 SRCH attr=sambaMaxPwdAge
 slapd[4698]: conn=1024 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=6 SRCH
base="sambaDomainName=mydomain,dc=mydomain"                           
scope=0 deref=0 filter="(objectClass=sambaDomain)"
 slapd[4698]: conn=1024 op=6 SRCH attr=sambaMinPwdAge
 slapd[4698]: conn=1024 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=7 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&                                                             
(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
 slapd[4698]: conn=1024 op=7 SRCH attr=gidNumber sambaSID
 slapd[4698]: conn=1024 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=8 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&                                                             
(uid=sadmin)(objectClass=sambaSamAccount))"
 slapd[4698]: conn=1024 op=8 SRCH attr=uid uidNumber gidNumber homeDirectory sam
baPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime
sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScrip 
t sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupS
ID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sa
mbaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory mo
difyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory 
loginShell gecos
 slapd[4698]: conn=1024 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text
slapd[4698]: conn=1024 op=9 SRCH base="dc=mydomain" scope=2 deref=0
filter="(&                                                             
(gidNumber=1359)(objectClass=sambaGroupMapping))"
 slapd[4698]: conn=1024 op=9 SRCH attr=sambaSID
 slapd[4698]: conn=1024 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text
slapd[4698]: conn=1024 op=10 SRCH base="dc=mydomain" scope=2 deref=0
filter="(                                                                  
&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
 slapd[4698]: conn=1024 op=10 SRCH attr=gidNumber sambaSID
 slapd[4698]: conn=1024 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text

DOMAIN JOIN SAMBA LOGS

root at sam3dc:/var/log/samba# cat log.ldap7-01
[2018/03/07 06:25:59.630907,  5] auth/auth_util.c:111(make_user_info_map)
  Mapping user [mydomain]\[sadmin] from workstation [LDAP7-01]
[2018/03/07 06:25:59.630969,  5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for sadmin (sadmin)
[2018/03/07 06:25:59.631010,  5] auth/user_info.c:70(make_user_info)
  making strings for sadmin's user_info struct
[2018/03/07 06:25:59.631047,  5] auth/user_info.c:87(make_user_info)
  making blobs for sadmin's user_info struct
[2018/03/07 06:25:59.631086,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[mydomain]\[sadmin]@[LDAP7-01] with the new password interface
[2018/03/07 06:25:59.631124,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [mydomain]\[sadmin]@[LDAP7-01]
[2018/03/07 06:25:59.631296,  2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/07 06:25:59.633188,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: sadmin
[2018/03/07 06:25:59.635084,  4] auth/check_samsec.c:183(sam_account_ok)
  sam_account_ok: Checking SMB password for user sadmin
[2018/03/07 06:25:59.635143,  5] auth/check_samsec.c:165(logon_hours_ok)
  logon_hours_ok: user sadmin allowed to logon at this time (Tue Mar  6 20:25:59
2018
  )
[2018/03/07 06:25:59.636377,  1] auth/server_info.c:447(samu_to_SamInfo3)
  Failed to get groups from sam account.
[2018/03/07 06:25:59.636447,  0] auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2018/03/07 06:25:59.636504,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with error
NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/07 06:25:59.636549,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain] was for
this SAM.
[2018/03/07 06:25:59.636586,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [sadmin] -> [sadmin] FAILED
with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/07 06:26:00.004182,  2] smbd/sesssetup.c:1291(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
[2018/03/07 06:26:00.004329,  5] auth/auth.c:489(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords = yes
[2018/03/07 06:26:00.004377,  5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2018/03/07 06:26:00.004416,  5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2018/03/07 06:26:00.004453,  5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2018/03/07 06:26:00.004491,  5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2018/03/07 06:26:00.004527,  5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match
winbind:trustdomain
[2018/03/07 06:26:00.004564,  5] auth/auth.c:385(load_auth_module)
  load_auth_module: Attempting to find an auth method to match trustdomain
[2018/03/07 06:26:00.004601,  5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method trustdomain has a valid init
[2018/03/07 06:26:00.004637,  5] auth/auth.c:410(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2018/03/07 06:26:00.004678,  5] auth/auth.c:99(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2018/03/07 06:26:00.004716,  5] auth/auth.c:99(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2018/03/07 06:26:00.004752,  5] auth/auth.c:99(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2018/03/07 06:26:00.004795,  5] auth/auth.c:134(get_ntlm_challenge)
  auth_context challenge created by random
[2018/03/07 06:26:00.004846,  5] auth/auth.c:135(get_ntlm_challenge)
  challenge is:
[2018/03/07 06:26:00.005231,  2] smbd/sesssetup.c:1291(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
[2018/03/07 06:26:00.005340,  5] auth/auth_util.c:111(make_user_info_map)
  Mapping user [mydomain]\[sadmin] from workstation [LDAP7-01]
[2018/03/07 06:26:00.005386,  5] auth/user_info.c:59(make_user_info)
  attempting to make a user_info for sadmin (sadmin)
[2018/03/07 06:26:00.005426,  5] auth/user_info.c:70(make_user_info)
  making strings for sadmin's user_info struct
[2018/03/07 06:26:00.005463,  5] auth/user_info.c:87(make_user_info)
  making blobs for sadmin's user_info struct
[2018/03/07 06:26:00.005501,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[mydomain]\[sadmin]@[LDAP7-01] with the new password interface
[2018/03/07 06:26:00.005540,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [mydomain]\[sadmin]@[LDAP7-01]
[2018/03/07 06:26:00.006595,  2] passdb/pdb_ldap.c:553(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: sadmin
[2018/03/07 06:26:00.007471,  4] auth/check_samsec.c:183(sam_account_ok)
  sam_account_ok: Checking SMB password for user sadmin
[2018/03/07 06:26:00.007529,  5] auth/check_samsec.c:165(logon_hours_ok)
  logon_hours_ok: user sadmin allowed to logon at this time (Tue Mar  6 20:26:00
2018
  )
[2018/03/07 06:26:00.008194,  1] auth/server_info.c:447(samu_to_SamInfo3)
  Failed to get groups from sam account.
[2018/03/07 06:26:00.008273,  0] auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2018/03/07 06:26:00.008322,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with error
NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/07 06:26:00.008365,  3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain] was for
this SAM.
[2018/03/07 06:26:00.008403,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [sadmin] -> [sadmin] FAILED
with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/07 06:26:11.922227,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.196 read error =
NT_STATUS_CONNECTION_RESET.