Re: [Samba] Unable to join new machines to the domain
I have a samba server configured that is the domain controller of a samba
domain called PRODESAN.COM.BR. After we had to reinstall the domain
controller, we are currently unable to join any new machines to the domain.
Whenever I try to join the domain I get this message on the clients:
# net join -U root
root's password:
[2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
ads_connect: No results returned
Creation of workstation account failed
Unable to join domain PRODESAN.COM.BR.
On the PDC side I get this:
[2007/06/19 14:25:27, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
init_group_from_ldap: Entry found for group: 513
[2007/06/19 14:25:27, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
[2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
init_sam_from_ldap: Entry found for user: root
[2007/06/19 14:25:27, 2] smbd/reply.c:reply_tcon_and_X(711)
Serving IPC$ as a Dfs root
[2007/06/19 14:25:28, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "servproducao$"' gave 9
On my LDAP backend I have this entry:
gidNumber 1058
objectClass sambaDomain
objectClass sambaUnixIdPool
sambaAlgorithmicRidBase 1000
sambaDomainName prodesan.com.br
sambaNextGroupRid 41001
sambaNextUserRid 41000
sambaSID S-1-5-21-3756370324-611414431-635963119
uidNumber 1519
The sambaSID is the same as it was before the migration. Do I need to set
this SID somewhere else?
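Added example, not part of the original post: a small parser for the smbd log format quoted above. It groups each "[date, level] file:function(line)" header with its message lines and reports external scripts that exited non-zero, such as the smbldap-useradd call that returned 9. The sample input is constructed from the log lines in this message, and the re-joining of mail-wrapped lines is a heuristic assumption.

```python
import re

# Constructed sample: PDC-side smbd log lines taken from the message above,
# including the line that the mailer wrapped in the middle of "-w".
SAMPLE = """\
[2007/06/19 14:25:27, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
[2007/06/19 14:25:28, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -
w "servproducao$"' gave 9
"""

# "[date time, level] source.c:function(line)" header that starts each record.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
HOOK = re.compile(r"Running the command `(.+?)' gave (-?\d+)")

def parse_records(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4), "body": []})
        elif line and records:
            records[-1]["body"].append(line)
    return records

def join_wrapped(parts):
    """Heuristic (assumption): a part ending in '-' was split mid-option, so
    glue it to the next part without a space; otherwise join with a space."""
    out = ""
    for part in parts:
        out += part if (not out or out.endswith("-")) else " " + part
    return out

def failed_hooks(text):
    """Return (time, function, command, status) for scripts that exited non-zero."""
    hits = []
    for rec in parse_records(text):
        m = HOOK.search(join_wrapped(rec["body"]))
        if m and int(m.group(2)) != 0:
            hits.append((rec["time"], rec["func"], m.group(1), int(m.group(2))))
    return hits

if __name__ == "__main__":
    for hit in failed_hooks(SAMPLE):
        print(hit)
```

Run over a real log file by passing its contents to failed_hooks(); each hit pairs the failing command with the timestamp to look up in the client-side log.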
Re: [Samba] Unable to join new machines to the domain
On Tuesday 19 June 2007, Sandra wrote:
> [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
> ads_connect: No results returned
> Creation of workstation account failed
> Unable to join domain PRODESAN.COM.BR.
Correct me if I'm wrong as I have no experience with ldap setups but AFAIK
Samba domains are NetBIOS domains which are flat, not hierarchical. If so
your domain name should be something more like PRODESAN and not
PRODESAN.COM.BR.
Also you didn't post your smb.conf but I'm curious about the use of
ads_connect, which seems like you're trying to work with an AD domain instead
of a NetBIOS (Samba) domain. So I'm wondering if you have something other
than "security - user" in the PDC's smb.conf and "security - domain" in the
member server's smb.conf.
Chris
Re: [Samba] Unable to join new machines to the domain
Here is the PDC's smb.conf:
[global]
netbios name = servsso
workgroup = prodesan.com.br
log file = /var/log/samba/%m.log
max log size = 500
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = yes
os level = 180
preferred master = yes
domain master = yes
security = user
guest ok = no
invalid users = bin daemon sys man postfix mail ftp
admin users = root
encrypt passwords = yes
logon script = scripts\logon.bat
ldap ssl = no
printing = lprng
hide dot files = yes
time server = yes
log level = 2
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=admin,dc=prodesan,dc=com,dc=br
ldap suffix = dc=prodesan,dc=com,dc=br
ldap machine suffix = ou=computadores
ldap user suffix = ou=pessoas
ldap group suffix = ou=grupos
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = \
winbind enum users = yes
winbind enum groups = yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
And here is the member server's smb.conf:
[global]
workgroup = prodesan.com.br
realm = PRODESAN.COM.BR
preferred master = no
netbios name = Servproducao
server string = Servproducao
security = domain
encrypt passwords = true
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
printcap name = cups
printing = cups
idmap uid = 10000-20000
idmap gid = 10000-20000
passdb backend = ldapsam:ldap://192.168.131.104
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=admin,dc=prodesan,dc=com,dc=br
ldap suffix = dc=prodesan,dc=com,dc=br
ldap machine suffix = ou=computadores
ldap user suffix = ou=pessoas
ldap group suffix = ou=grupos
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://192.168.131.104
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = \
winbind enum users = yes
winbind enum groups = yes
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
On Tue, 19 Jun 2007 14:18:58 -0400, Chris Smith wrote
> On Tuesday 19 June 2007, Sandra wrote:
> > [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
> > ads_connect: No results returned
> > Creation of workstation account failed
> > Unable to join domain PRODESAN.COM.BR.
>
> Correct me if I'm wrong as I have no experience with ldap setups but
> AFAIK Samba domains are NetBIOS domains which are flat, not
> hierarchical. If so your domain name should be something more like
> PRODESAN and not PRODESAN.COM.BR.
>
> Also you didn't post your smb.conf but I'm curious about the use of
> ads_connect, which seems like you're trying to work with an AD
> domain instead of a NetBIOS (Samba) domain. So I'm wondering if you
> have something other than "security - user" in the PDC's smb.conf
> and "security - domain" in the member server's smb.conf.
>
> Chris
Sandra Nascimento
Support Analyst
sandra-nascimento@prodesan.com.br
(13)3229.8000 ext. 135/176
--
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)
Re: [Samba] Unable to join new machines to the domain
On Tuesday 19 June 2007, Sandra wrote:
> workgroup = prodesan.com.br
I thought this should read:
workgroup = PRODESAN
...in both smb.conf files.
But apparently it is OK as is and I can't seem to find any docs that support
my thought. prodesan.com.br does meet the max 15 character limit and
apparently .'s are an allowed character in NetBIOS names (although I
personally never use them). It also seems, in general, that NetBIOS names are
by convention capitalized in the smb.conf file.
Sorry to lead you down a false trail.
Chris