We recently upgraded our PDC from Debian 4 to Debian 5. That entailed an upgrade of Samba from 3.0.24 to 3.2.5. Since the upgrade we've had a very specific problem connecting to shares on a commercial NAS running Samba 3.0.34.

The problem happens when users try to connect to shares from standalone servers--e.g., Windows XP Pro boxes that we use for testing. From those boxes users should be able to expand the domain in My Network Places\Entire Network\Microsoft Windows Network, navigate to the NAS, click on it and then get a login dialog where they can supply domain credentials. What instead happens is that they're told "There are currently no logon servers available…".

I have run across problems connecting one version of Samba to another in the past. In those cases I've been able to track down a bug report. In this case I haven't been able to find a report that matches my test case so I'm looking for a possible mis-configuration that may have lain dormant until the PDC was upgraded. (Of course, it's possible that I just missed a bug report; I'm still looking.)

In order to investigate this problem I configured two Debian boxes as domain member servers--one with Debian 4 (Samba 3.0.24) and one with Debian 5 (Samba 3.2.5). On each box I installed nothing but samba and winbind. I copied the smb.conf [global] section from the NAS and just did the essential configuration: smbpasswd -a root, net rpc join, winbind in nsswitch.conf. (Actually, I'm not sure winbind has anything to do with this--but I was trying to replicate the NAS setup.)

After those steps I selected both boxes in Explorer from a standalone server. The Debian 4 box showed the same problem as the NAS while the Debian 5 box worked as expected. (In both cases the PDC was the newly upgraded box running Samba 3.2.5.)

Everything I've tried seems to indicate that things are properly configured--with the exception of "wbinfo --getdcname HQ" which returns "Could not get dc name for HQ" and "wbinfo -a ..." which also fails. Those two things are probably related--but as you can see below all other wbinfo commands work correctly.

Is this a known issue that I missed? Any thoughts on where to look further? Thanks.

=== smb.conf from Debian 5 domain controller (partial):

[global]
   security = user
   workgroup = HQ
   domain logons = yes
   domain master = yes
   local master = yes
   preferred master = yes
   os level = 65
   wins support = yes
   dns proxy = no
   name resolve order = lmhosts wins host bcast
   smb ports = 139
   time server = yes
   panic action = /usr/share/samba/panic-action %d
   log file = /var/log/samba/log.%m
   log level = 2
   passdb backend = ldapsam:ldap://srv....
   ldapsam:trusted = yes
   ldap ssl = start_tls
   ldap suffix = ...
   ...
   username map = /etc/samba/smbusers
   ...scripts...
   logon path =
   logon drive = H:
   logon home = \\nas\%U
   logon script = logon.bat
   encrypt passwords = yes
   admin users = root
   guest account = Guest
   map to guest = bad user
   ...printing...
   idmap alloc backend = ldap
   ...
   idmap config HQ:default = yes
   idmap config HQ:backend = ldap
   ...
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes

[netlogon]
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   browseable = no
   read only = yes
   guest ok = yes

[printers]
   ...

=== smb.conf from Debian 4 domain member server:

[global]
   allow trusted domains = 1
   delete readonly = 1
   delete veto files = 1
   dos charset = CP437
   encrypt passwords = 1
   follow symlinks = 1
   force unknown acl user = 1
   force writeback = 1
   guest account = nobody
   hostname lookups = 1
   idmap gid = 35000-65000
   idmap uid = 35000-65000
   level2 oplocks = 0
   load printers = 1
   log level = 2 auth:10 lanman:10 smb:10 rpc_parse_:10 rpc_srv:10 rpc_cli:10 passdb:10 sam: 10 winbind:10 idmap:10
   map acl inherit = 1
   max log size = 256
   name resolve order = lmhosts host wins bcast
   null passwords = 1
   obey pam restrictions = 1
   oplocks = 0
   orgunit =
   passwd program = "/usr/bin/passwd %u"
   password server = 192.168.10.10
   preserve case = 1
   security = domain
   server string = %h
   short preserve case = 1
   store dos attributes = 1
   syslog = 0
   syslog only = 0
   template homedir = /c/home/%D/%U
   unix charset = UTF-8
   unix password sync = 1
   veto files = "/.AppleDouble/.AppleDB/.AppleDesktop/:2eDS_Store/:2eTemporaryItem
   winbind enum groups = 1
   winbind enum users = 1
   winbind use default domain = 1
   wins server = 192.168.10.10
   workgroup = HQ

=== tests run from Debian 4 domain member server:

# wbinfo --getdcname=HQ
Could not get dc name for HQ
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo --own-domain
HQ
# wbinfo --trusted-domains
# wbinfo --all-domains
HQ
# wbinfo -u
michaell
...
# wbinfo -g
BUILTIN\administrators
BUILTIN\users
domain admins
domain users
domain guests
domain computers
...
# wbinfo -N srv
192.168.10.10 srv
# wbinfo -I 192.168.10.10
192.168.10.10 SRV
# wbinfo -n michaell
S-1-5-21-675904651-409210946-1000085797-1004 User (1)
# wbinfo -s S-1-5-21-675904651-409210946-1000085797-1004
HQ\michaell 1
# wbinfo -i michaell
michaell:*:6004:5513:...:/c/home/HQ/michaell:/bin/false
# wbinfo -S S-1-5-21-675904651-409210946-1000085797-1004
6004
# wbinfo -U 6004
S-1-5-21-675904651-409210946-1000085797-1004
# wbinfo -r michaell
5513
10001
10003
35001
# wbinfo -G 5513
S-1-5-21-675904651-409210946-1000085797-513
# wbinfo -Y S-1-5-21-675904651-409210946-1000085797-513
5513
# net lookup dc
192.168.10.10
# net lookup master
192.168.10.10
# net lookup srv
192.168.10.10
# net cache list
Key: SAF/DOMAIN/HQ Timeout: 10:19:31 Value: SRV
Key: NBT/HQ#1D Timeout: 10:23:12 Value: 192.168.10.10:0
Key: NBT/SRV#20 Timeout: 10:13:04 Value: 192.168.10.10:0 (expired)
Key: NBT/HQ#1C Timeout: 10:23:03 Value: 192.168.10.10:0
Key: NBT/HQ#1B Timeout: 10:23:03 Value: 192.168.10.10:0
# nmblookup -M HQ
added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
querying HQ on 192.168.10.255
Got a positive name query response from 192.168.10.10 ( 192.168.10.10 )
192.168.10.10 HQ<1d>
# nmblookup -A 192.168.10.10
added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
Looking up status of 192.168.10.10
        SRV <00> - H <ACTIVE>
        SRV <03> - H <ACTIVE>
        SRV <20> - H <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
        HQ <1d> - H <ACTIVE>
        HQ <1b> - H <ACTIVE>
        HQ <1c> - <GROUP> H <ACTIVE>
        HQ <1e> - <GROUP> H <ACTIVE>
        HQ <00> - <GROUP> H <ACTIVE>

        MAC Address = 00-00-00-00-00-00
# nmblookup -S SRV
added interface ip=192.168.10.120 bcast=192.168.10.255 nmask=255.255.255.0
querying SRV on 192.168.10.255
Got a positive name query response from 192.168.10.10 ( 192.168.10.10 )
192.168.10.10 SRV<00>
Looking up status of 192.168.10.10
        SRV <00> - H <ACTIVE>
        SRV <03> - H <ACTIVE>
        SRV <20> - H <ACTIVE>
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>
        HQ <1d> - H <ACTIVE>
        HQ <1b> - H <ACTIVE>
        HQ <1c> - <GROUP> H <ACTIVE>
        HQ <1e> - <GROUP> H <ACTIVE>
        HQ <00> - <GROUP> H <ACTIVE>

        MAC Address = 00-00-00-00-00-00

=== selected log excerpts from Debian 4 domain member server when user selects the box in Explorer:

==> log.smbd <==
[2010/01/24 10:50:23, 2] smbd/reply.c:reply_special(496)
  netbios connect: name1=DEBIAN4TEST name2=ML-WINXP
...
[2010/01/24 10:50:23, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [ML-WINXP]\[Administrator] from workstation [ML-WINXP]
...
[2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [ml-winxp]\[administrat...@[ml-winxp] with the new password interface
[2010/01/24 10:50:23, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [hq]\[administrat...@[ml-winxp]
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(233)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(235)
  challenge is:
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: guest had nothing to say
[2010/01/24 10:50:23, 6] auth/auth_sam.c:check_samstrict_security(414)
  check_samstrict_security: HQ is not one of my local names (ROLE_DOMAIN_MEMBER)
[2010/01/24 10:50:23, 10] auth/auth.c:check_ntlm_password(261)
  check_ntlm_password: sam had nothing to say
[2010/01/24 10:50:23, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [Administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2010/01/24 10:50:23, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS

*** Note: The above login *should* fail, but it's failing for the wrong reason. I'm logged into a non-domain member server as Administrator. That account has a different password than the Administrator on the domain. Presumably the failure should be an invalid password, which would then bring up the login dialog on the client; instead NT_STATUS_NO_LOGON_SERVERS is being passed to the client, preventing any login attempt. ***

===

# wbinfo -a HQ\\michaell%...
plaintext password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user HQ\michaell%... with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user HQ\michaell with challenge/response

log for above:

[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=41
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned 472 bytes.
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=43
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned 472 bytes.
[2010/01/24 11:10:57, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1290)
  Plain-text authentication for user HQ\michaell returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=45
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned 472 bytes.
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:add_schannel_auth_footer(1357)
  add_schannel_auth_footer: SCHANNEL seq_num=47
[2010/01/24 11:10:57, 5] rpc_client/cli_pipe.c:rpc_api_pipe(770)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(577)
  cli_pipe_validate_current_pdu: got pdu len 304, data_len 236, ss_len 4
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(843)
  rpc_api_pipe: got PDU len of 304 at offset 0
[2010/01/24 11:10:57, 10] rpc_client/cli_pipe.c:rpc_api_pipe(894)
  rpc_api_pipe: Remote machine SRV pipe \NETLOGON fnum 0x72b4 returned 472 bytes.
[2010/01/24 11:10:57, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1635)
  NTLM CRAP authentication for user [HQ]\[michaell] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
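
Added example (not part of the original post and not Samba project code): a small triage script that reads smbd/winbindd log records like the excerpts above and separates failures where no domain controller could be reached (NT_STATUS_NO_LOGON_SERVERS) from failures where the credentials were actually rejected, the distinction the poster's note draws. The bucket names, the sample text and its last record are constructed for illustration.

```python
import re

# Constructed sample in Samba's two-line log layout (header, then indented message),
# modeled on the excerpts in the post; the last record (testuser) is invented.
SAMPLE_LOG = r"""
[2010/01/24 10:50:23, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_LOGON_SERVERS
[2010/01/24 11:10:57, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth(1290)
  Plain-text authentication for user HQ\michaell returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2010/01/24 11:10:57, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1635)
  NTLM CRAP authentication for user [HQ]\[michaell] returned NT_STATUS_NO_LOGON_SERVERS (PAM: 4)
[2010/01/24 11:12:03, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\] \S+:(\w+)\(\d+\)\s*$")
RESULT = re.compile(r"for user (.+?) (?:FAILED with error|returned) (NT_STATUS_\w+)")

# Assumed triage buckets (hypothetical names); the members are real NTSTATUS codes.
BUCKETS = {
    "dc_unreachable": {"NT_STATUS_NO_LOGON_SERVERS", "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND"},
    "bad_credentials": {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_LOGON_FAILURE"},
}

def records(text):
    """Yield (timestamp, function, message), joining continuation lines."""
    stamp, func, body = None, None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, func, " ".join(body)
            (stamp, func), body = m.groups(), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, func, " ".join(body)

def triage(text):
    """Sort authentication failures into DC-path faults vs. rejected credentials."""
    out = {"dc_unreachable": [], "bad_credentials": [], "other": []}
    for stamp, func, msg in records(text):
        m = RESULT.search(msg)
        if m:
            # "[A] -> [A]" and "[DOM]\[user]" both reduce to a plain account name.
            user = m.group(1).split(" -> ")[0].replace("[", "").replace("]", "")
            status = m.group(2)
            bucket = next((b for b, s in BUCKETS.items() if status in s), "other")
            out[bucket].append((stamp, func, user, status))
    return out
```

Counting the two buckets separately keeps a domain-controller lookup fault like this one from inflating failed-logon statistics that are meant to reflect rejected passwords.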
