Re: [Samba] Workaround: 3.4.5->3.5.3 breaks domain logons

Tue, 01 Jun 2010 04:28:33 -0700

I turned off server signing, and domain logons work now. On the server, I had set 
  lanman auth = no
  ntlm auth = yes
and the clients have
  Digitally sign client communication (when possible)  Enabled
  Digitally sign server communication (when possible)  Enabled
  LAN Manager Authentication Level  Send NTLMv2 response only\refuse LM
So my guess is that the samba update changes the server signature so the clients no longer recognize it. I'd rather have server signing enabled, but the server schannel works and is more important to me. 



On Monday 24/05/2010 at 5:38 am, Thomas Burkholder   wrote:

At 11:30 AM 5/23/2010, you wrote:


On Sunday 23/05/2010 at 6:44 am, Thomas Burkholder wrote:


I've been trying to upgrade from samba 3.4.5 to 3.5.x (currently 3.5.3) on
a Ubuntu 9.10 system where I compile my own Samba. The server is a PDC for
several win2000 clients and uses an LDAP backend hosted on the same
machine. After the upgrade, clients can connect to shares but can not
perform domain logons.
So, when they log on to windows, they get "The domain does not exist or trust account not found" message?
If so, your machine accounts may be broken. Try rejoining the machine to the domain using the Windows network ID wizard.
Sorry, I should have given the text of the windows error: "Controller for the domain could not be found." This is at odds with the Samba log that shows the client does find the controller, but then stops talking.
Thanks for the suggestion. Rejoining the domain does not help, and Samba still throws the "Scheduled cleanup brl and lock database after unclean shutdown" or "Cleaning up brl and lock database after unclean shutdown" messages. 

OK, this is going to sound a bit odd, but try this on the server:

net rpc join <DOMAIN NAME> -U Administrator

then, see if it is good

net rpc testjoin.

Also, since you might want to resave LDAP password

passwd -w
Often, when upgrading samba with an LDAP backend I've found it best to blow out all the .tdb files and approach the upgrade like a replacement. 

Cheers,
TMS III










3.5.3 does not build a browse list of other domains
on the subnet. Executing "net view /DOMAIN:mydomain" on the client
produces an error 59 or error 64.

Log-3 during the net view is basically the same between 3.4.5 and 3.5.3,
and I can see both successfully connect, negotiate sign/seal, and
authenticate a guest session with LDAP. After that, the working 3.4.5 log
says:


[2010/05/23 08:33:34, 3] smbd/service.c:1047(make_connection_snum)
CLIENT (x.x.x.x) connect to service IPC$ initially as user nobody
(uid=65534, gid=65534) (pid 2454)
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/reply.c:759(reply_tcon_and_X)
tconX service=IPC$
[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb)
Transaction 4 of length 129 (0 toread)
[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message)
switch message SMBtrans (pid 2454) conn 0xb9034f58
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/ipc.c:536(handle_trans)
trans <\PIPE\LANMAN> data=0 params=33 setup=0
[2010/05/23 08:33:34, 3] smbd/ipc.c:487(named_pipe)
named pipe command on <LANMAN> name
[2010/05/23 08:33:34, 3] smbd/lanman.c:4694(api_reply)
Got API command 104 of form <WrLehDz> <B16BBDz>
(tdscnt=0,tpscnt=33,mdrcnt=4200,mprcnt=8)
[2010/05/23 08:33:34, 3] smbd/lanman.c:4698(api_reply)
Doing NetServerEnum
[2010/05/23 08:33:34, 3] smbd/lanman.c:1511(api_RNetServerEnum)
NetServerEnum domain = mydomain uLevel=1 counted=1 total=1
[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb)
Transaction 5 of length 43 (0 toread)
[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message)
switch message SMBulogoffX (pid 2454) conn 0x0
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/reply.c:1948(reply_ulogoffX)
ulogoffX vuid=100
[2010/05/23 08:33:34, 3] smbd/process.c:1459(process_smb)
Transaction 6 of length 39 (0 toread)
[2010/05/23 08:33:34, 3] smbd/process.c:1273(switch_message)
switch message SMBtdis (pid 2454) conn 0xb9034f58
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/service.c:1226(close_cnum)
CLIENT (x.x.x.x) closed connection to service IPC$
[2010/05/23 08:33:34, 3] smbd/connection.c:31(yield_connection)
Yielding connection to IPC$
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:33:34, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2010/05/23 08:33:34, 3] smbd/server.c:845(exit_server_common)
Server exit (failed to receive smb request)


where the not-working 3.5.3 says

[2010/05/23 08:25:50.455781, 3] smbd/service.c:1069(make_connection_snum)
CLIENT (x.x.x.x) connect to service IPC$ initially as user nobody
(uid=65534, gid=65534) (pid 2128)
[2010/05/23 08:25:50.455844, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:25:50.455914, 3] smbd/reply.c:846(reply_tcon_and_X)
tconX service=IPC$
[2010/05/23 08:25:50.458037, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:25:50.458221, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:25:50.458326, 3] smbd/service.c:1250(close_cnum)
CLIENT (x.x.x.x) closed connection to service IPC$
[2010/05/23 08:25:50.458394, 3] smbd/connection.c:31(yield_connection)
Yielding connection to IPC$
[2010/05/23 08:25:50.458530, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/23 08:25:50.458643, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2010/05/23 08:25:50.458869, 3] smbd/server.c:902(exit_server_common)
Server exit (failed to receive smb request)
[2010/05/23 08:25:50.476063, 3] smbd/server.c:259(remove_child_pid)
smbd/server.c:259 Unclean shutdown of pid 2128
[2010/05/23 08:25:50.476423, 1] smbd/server.c:267(remove_child_pid)
Scheduled cleanup of brl and lock database after unclean shutdown

after which it logs a second sign/seal negotiation, authentication, and
failed $IPC connection.


smb.conf is
[global]
unix charset = iso8859-1
workgroup = mydomain
server schannel = Yes
passdb backend = ldapsam:ldap://x.x.x.x
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
client NTLMv2 auth = Yes
log level = 1
syslog = 0
log file = /var/log/samba/log.%U
name resolve order = hosts lmhosts wins bcast
time server = Yes
server signing = Yes
deadtime = 30
keepalive = 180
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m "%u" -m
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = scripts\logon.bat
logon path = \\%L\[path]
logon drive = z:
logon home = \\%L\[home]
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
kernel oplocks = No
ldap admin dn = "[----]"
ldap machine suffix = ou=machines
ldap passwd sync = yes
ldap suffix = [----]
ldap ssl = no
ldap user suffix = ou=People
eventlog list = syslog, apache2
idmap uid = 10000-15000
idmap gid = 10000-15000
winbind enum users = Yes
winbind enum groups = Yes
hosts allow = 127.0.0.0/16, x.x.x.x/25
hosts deny = all





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Reply via email to