Hi Again,

I finally tracked this down to the "obey pam restrictions = yes"
directive. With no other changes to the system whatsoever, removing this
line from the config makes the new version run.

I've looked through the change logs as carefully as I can and I can't
see any mention of a change in the behaviour of this directive. The PAM
setup is the default RHEL setup apart from having ldap authentication
set up using authconfig, but I don't believe this will have touched the
Samba PAM configuration.

Anyway, hope this helps someone else.

Regards,

Mark Redding.

-----Original Message-----
From: samba-bounces+mark.redding=linuxit.com@lists.samba.org [mailto:samba-bounces+mark.redding=linuxit.com@lists.samba.org] On Behalf Of Mark Redding
Sent: 26 March 2007 15:43
To: samba@samba.org
Subject: [Samba] Upgrade 3.0.10 to 3.0.24 on RHEL4 - NT_STATUS_LOGON_FAILURE


Hi all,

I'm having a problem with an upgrade of Samba running on a Redhat4
Update 4 system. The default installation provides only 3.0.10, which
doesn't include the privilege model or a number of fixes, including some
in 3.0.21a and 3.0.23, which it looks like we'll need.

The system runs in PDC mode with user accounts in an ldap database. On a
test system which I'm using to replicate the problem I've stripped all
the ldap security stuff back on the principle that simple is best, at
least for troubleshooting.

We are using the 3.0.24 rpms from
http://ftp.sernet.de/pub/samba/rhel/rhel4-i386/ although a compiled-from-source
version of 3.0.24 exhibits the same problems.

After the upgrade the services start fine; however, I can't connect to the
domain from a client machine. To test I've been using smbclient like so:

[root@eddie ~]# smbclient -L localhost
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
[root@eddie ~]#

I've been through the changelog a couple of times and I believe my
settings (see group mapping below) should be alright. The setup works
fine with 3.0.10, but as soon as I upgrade I lose the domain.

Many thanks for your help and apologies for the long email.

Regards


Mark

Debug information -

My configuration file:

[global]
workgroup = KCS
server string = KCS Domain Controller
netbios name = eddie
netbios aliases = george
time server = yes
log level = 2 passdb:5 auth:10 winbind:2
printcap name = /etc/printcap
load printers = yes
cups options = raw
log file = /var/log/samba/%m.log
max log size = 5000
security = user
encrypt passwords = yes
passdb backend = ldapsam:"ldap://localhost ldap://harry.kcs.cambs.sch.uk"
ldap admin dn = cn=Directory Manager
ldap suffix = dc=kcs,dc=cambs,dc=sch,dc=uk
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups
# ldap ssl = start_tls
ldap delete dn = yes
obey pam restrictions = yes
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%m"
add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g%"
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
ldap passwd sync = yes
username map = /etc/samba/smbusers
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
logon script = logon.bat
logon path = \\%L\netlogon
logon drive = S:
logon home = \\eddie\%U
browseable = no
strict locking = yes
wins support = yes
dns proxy = no
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no

My samba log file:

[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info_map(161)
make_user_info_map: Mapping user [KCS]\[root] from workstation [EDDIE]
[2007/03/26 15:30:46, 5] auth/auth_util.c:is_trusted_domain(2020)
is_trusted_domain: Checking for domain trust with [KCS]
[2007/03/26 15:30:46, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(340)
secrets_fetch failed!
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info(75)
attempting to make a user_info for root (root)
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info(85)
making strings for root's user_info struct
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_user_info(117)
making blobs for root's user_info struct
[2007/03/26 15:30:46, 10] auth/auth_util.c:make_user_info(135)
made an encrypted user_info for root (root)
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user [KCS]\[root]@[EDDIE] with the new password interface
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [KCS]\[root]@[EDDIE]
[2007/03/26 15:30:46, 10] auth/auth.c:check_ntlm_password(233)
check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2007/03/26 15:30:46, 10] auth/auth.c:check_ntlm_password(235)
challenge is:
[2007/03/26 15:30:46, 10] auth/auth.c:check_ntlm_password(261)
check_ntlm_password: guest had nothing to say
[2007/03/26 15:30:46, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/03/26 15:30:46, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/03/26 15:30:46, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/03/26 15:30:46, 5] passdb/pdb_interface.c:lookup_global_sam_rid(1480)
lookup_global_sam_rid: looking up RID 513.
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1491)
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-3942376556-572954482-4204431875-513] count=0
[2007/03/26 15:30:46, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/03/26 15:30:46, 5] passdb/pdb_interface.c:pdb_default_lookup_rids(1601)
lookup_rids: Domain Users:2
[2007/03/26 15:30:46, 4] libsmb/ntlm_check.c:ntlm_password_check(326)
ntlm_password_check: Checking NT MD4 password
[2007/03/26 15:30:46, 4] auth/auth_sam.c:sam_account_ok(138)
sam_account_ok: Checking SMB password for user root
[2007/03/26 15:30:46, 5] auth/auth_sam.c:logon_hours_ok(120)
logon_hours_ok: user root allowed to logon at this time (Mon Mar 26 14:30:46 2007)
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 5] auth/auth_util.c:make_server_info_sam(625)
make_server_info_sam: made server info for user root -> root
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [root] succeeded
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(459)
smb_pam_start: PAM: Init user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(476)
smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(485)
smb_pam_start: PAM: setting tty
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(493)
smb_pam_start: PAM: Init passed for user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_account(551)
smb_pam_account: PAM: Account Management for User: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_account(570)
smb_pam_account: PAM: Account OK for User: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_end(440)
smb_pam_end: PAM: PAM_END OK.
[2007/03/26 15:30:46, 5] auth/auth.c:check_ntlm_password(296)
check_ntlm_password: PAM Account for user [root] succeeded
[2007/03/26 15:30:46, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2007/03/26 15:30:46, 5] auth/auth_util.c:free_user_info(1867)
attempting to free (and zero) a user_info structure
[2007/03/26 15:30:46, 10] auth/auth_util.c:free_user_info(1871)
structure was created for root
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 10] auth/auth_util.c:create_local_token(1023)
Could not convert SID S-1-1-0 to gid, ignoring it
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 10] auth/auth_util.c:create_local_token(1023)
Could not convert SID S-1-5-2 to gid, ignoring it
[2007/03/26 15:30:46, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2217)
ldapsam_getgroup: Did not find group
[2007/03/26 15:30:46, 10] auth/auth_util.c:create_local_token(1023)
Could not convert SID S-1-5-11 to gid, ignoring it
[2007/03/26 15:30:46, 10] auth/auth_util.c:debug_nt_user_token(454)
NT user token of user S-1-5-21-3942376556-572954482-4204431875-1000 contains 13 SIDs
SID[ 0]: S-1-5-21-3942376556-572954482-4204431875-1000
SID[ 1]: S-1-5-21-3942376556-572954482-4204431875-513
SID[ 2]: S-1-1-0
SID[ 3]: S-1-5-2
SID[ 4]: S-1-5-11
SID[ 5]: S-1-22-2-0
SID[ 6]: S-1-22-2-1
SID[ 7]: S-1-22-2-2
SID[ 8]: S-1-22-2-3
SID[ 9]: S-1-22-2-4
SID[ 10]: S-1-22-2-6
SID[ 11]: S-1-22-2-10
SID[ 12]: S-1-22-2-513
SE_PRIV 0x0 0x0 0x0 0x0
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(459)
smb_pam_start: PAM: Init user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(476)
smb_pam_start: PAM: setting rhost to: 127.0.0.1
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(485)
smb_pam_start: PAM: setting tty
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_start(493)
smb_pam_start: PAM: Init passed for user: root
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_internal_pam_session(630)
smb_internal_pam_session: PAM: tty set to: smb/5302/101
[2007/03/26 15:30:46, 0] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: session setup failed : System error
[2007/03/26 15:30:46, 4] auth/pampass.c:smb_pam_end(440)
smb_pam_end: PAM: PAM_END OK.
[2007/03/26 15:30:46, 1] smbd/session.c:session_claim(134)
pam_session rejected the session for root [smb/5302/101]
[2007/03/26 15:30:46, 1] smbd/password.c:register_vuid(310)
Failed to claim session for vuid=101

Group mapping :

[root@eddie ~]# net groupmap list
Domain Computers (S-1-5-21-3942376556-572954482-4204431875-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
pupils (S-1-5-21-3942376556-572954482-4204431875-3003) -> pupils
rec (S-1-5-21-3942376556-572954482-4204431875-3005) -> rec
staff (S-1-5-21-3942376556-572954482-4204431875-3011) -> staff
Domain Admins (S-1-5-21-3942376556-572954482-4204431875-512) -> Domain Admins
Domain Users (S-1-5-21-3942376556-572954482-4204431875-513) -> Domain Users
Domain Guests (S-1-5-21-3942376556-572954482-4204431875-514) -> Domain Guests

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
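The thread's log excerpt is a good illustration of why the client-side NT_STATUS_LOGON_FAILURE alone is not enough to triage a Samba logon problem: the SAM password check and the PAM account check both succeed, and it is only the PAM session stage, the part that "obey pam restrictions = yes" switches on, that returns "System error". The script below is an added example, not code from this thread or from Samba. It groups mail-wrapped smbd log lines back into entries and reports which authentication stage a logon reached, using the message texts that appear in the excerpt above as markers; the sample input is abridged from that excerpt, and the truncated second sample is constructed.

```python
"""Stage-by-stage triage of an smbd authentication log.

A client's NT_STATUS_LOGON_FAILURE only says that session setup failed; the
smbd log shows which stage rejected it. In the excerpt posted in the thread
the SAM password check and the PAM account check both succeed, and only the
PAM *session* stage (the stage 'obey pam restrictions = yes' adds) fails.
This helper groups raw (possibly mail-wrapped) log lines into entries and
reports the last stage the logon reached. Added example, not Samba code.
"""
import re

# Entry header: "[YYYY/MM/DD hh:mm:ss, level] source.c:function(line)".
# In mail-wrapped logs the "source.c:function(line)" part may sit on the next
# line, so that part is optional here and re-joined in parse_entries().
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]"
    r"(?:\s*(?P<src>\S+\.c):(?P<func>\w+)\((?P<line>\d+)\))?\s*$"
)
FUNC_RE = re.compile(r"^(\S+\.c):(\w+)\((\d+)\)$")


def parse_entries(log_text):
    """Group log lines into {"level", "func", "msg"} entries, re-joining wrapped lines."""
    entries = []
    pending = None   # header whose source/function part has not been seen yet
    cur = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if m["func"] is None:          # wrapped header: function part follows
                pending = m
                continue
            cur = {"level": int(m["level"]), "func": m["func"], "msg": ""}
            entries.append(cur)
            continue
        if pending is not None:            # second half of a wrapped header
            fm = FUNC_RE.match(line)
            cur = {"level": int(pending["level"]),
                   "func": fm.group(2) if fm else "?", "msg": ""}
            entries.append(cur)
            pending = None
            continue
        if cur is not None:                # continuation of the current message
            cur["msg"] = (cur["msg"] + " " + line).strip()
    return entries


def diagnose(log_text):
    """Report which auth stages the log records and where the logon stopped."""
    result = {"user": None, "password_ok": False, "pam_account_ok": False,
              "pam_session_error": None, "session_rejected": False, "verdict": ""}
    for e in parse_entries(log_text):
        msg = e["msg"]
        m = re.search(r"sam authentication for user \[(\w+)\] succeeded", msg)
        if m:
            result["user"], result["password_ok"] = m.group(1), True
        if re.search(r"PAM Account for user \[\w+\] succeeded", msg):
            result["pam_account_ok"] = True
        m = re.search(r"PAM: session setup failed\s*:\s*(.+)$", msg)
        if m:
            result["pam_session_error"] = m.group(1).strip()
        if "pam_session rejected the session" in msg or "Failed to claim session" in msg:
            result["session_rejected"] = True

    if not result["password_ok"]:
        result["verdict"] = "password: no successful SAM password check recorded"
    elif result["session_rejected"] or result["pam_session_error"]:
        result["verdict"] = ("pam_session: password and account checks passed; the PAM "
                             "session stage (run when 'obey pam restrictions = yes') "
                             "rejected the logon: %s"
                             % (result["pam_session_error"] or "reason not logged"))
    else:
        result["verdict"] = "ok: all recorded auth stages succeeded"
    return result


# Abridged from the smbd log excerpt posted in the thread (mail-wrapped lines kept).
THREAD_LOG = """\
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user
[KCS]\\[root]@[EDDIE] with the new password interface
[2007/03/26 15:30:46, 5]
passdb/pdb_interface.c:lookup_global_sam_rid(1480)
lookup_global_sam_rid: looking up RID 513.
[2007/03/26 15:30:46, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: sam authentication for user [root] succeeded
[2007/03/26 15:30:46, 5] auth/auth.c:check_ntlm_password(296)
check_ntlm_password: PAM Account for user [root] succeeded
[2007/03/26 15:30:46, 0] auth/pampass.c:smb_pam_error_handler(73)
smb_pam_error_handler: PAM: session setup failed : System error
[2007/03/26 15:30:46, 1] smbd/session.c:session_claim(134)
pam_session rejected the session for root [smb/5302/101]
[2007/03/26 15:30:46, 1] smbd/password.c:register_vuid(310)
Failed to claim session for vuid=101
"""

# Constructed by cutting the excerpt off before the SAM check completes.
TRUNCATED_LOG = "\n".join(THREAD_LOG.splitlines()[:6])

if __name__ == "__main__":
    print(diagnose(THREAD_LOG)["verdict"])
    print(diagnose(TRUNCATED_LOG)["verdict"])
```

Run on the thread's excerpt the verdict is "pam_session: ...", which points at the PAM stack for the samba service rather than at passwords or the ldapsam backend. Note that dropping "obey pam restrictions" also stops smbd from applying PAM account and session rules to SMB logons at all, so on a host that relies on those rules the PAM "samba" service configuration is the thing to inspect, not just the smb.conf line.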