I too have this very same problem. I've searched my Samba List mail folder and there are 64 emails on this very subject - all seemingly unanswered. Perhaps we could put a wooden stake through the heart of this beast once and for all.

I'm not sure what the cone of silence is about but, once again, for posterity...

Apply fixes from the samba wiki:
http://wiki.samba.org/index.php/Windows7
  *Registry hacks (attached)
  *kb2171571 hotfixes


$ smbd -V
Version 3.3.8-0.52.el5_5.2

cat /etc/redhat-release
CentOS release 5.5 (Final) (though this seems not to be platform-specific)

Client: Win7 Pro (registered and fully patched)
1) Right-click on Computer > Properties > Change Settings
2) Enter workgroup value > OK; authenticate to add Windows 7 client to the domain
3) tail -f /var/log/messages for relevant entries:
...
(A full log of all transactions is attached)
Nov 22 10:06:15 mail smbd[28796]: [2010/11/22 10:06:15, 2] lib/smbldap.c:smbldap_open_connection(856)
Nov 22 10:06:15 mail smbd[28796]: smbldap_open_connection: connection opened
...
Nov 22 10:06:15 mail smbd[28796]: [2010/11/22 10:06:15, 2] auth/auth.c:check_ntlm_password(308)
Nov 22 10:06:15 mail smbd[28796]: check_ntlm_password: authentication for user [admin] -> [root] -> [root] succeeded
...
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
Nov 22 10:06:16 mail smbd[28796]: smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:16 mail smbd[28796]: init_ldap_from_sam: Setting entry for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]: ldapsam_add_sam_account: added: uid == 7TEST1$ in the LDAP database
...
Strangely, this happens 12 times
Nov 22 10:06:17 mail smbd[28796]: init_sam_from_ldap: Entry found for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)

And this, another 5 times:
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:17 mail smbd[28796]: init_ldap_from_sam: Setting entry for user: 7TEST1$
Maybe this is normal for setting flags, passwords, SIDs, et al(?).
---
Nov 22 10:07:34 mail smbd[28796]: [2010/11/22 10:07:34, 2] passdb/pdb_ldap.c:ldapsam_update_sam_account(1979)
Nov 22 10:07:34 mail smbd[28796]: ldapsam_update_sam_account: successfully modified uid = 7TEST1$ in the LDAP database
...
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]: _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$

4) Reboot anyway...
5) Login as user thomas
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45, 2] auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]: check_ntlm_password: Authentication for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
...
Nov 22 10:38:00 mail smbd[19317]: [2010/11/22 10:38:00, 2] auth/auth.c:check_ntlm_password(308)
Nov 22 10:38:00 mail smbd[19317]: check_ntlm_password: authentication for user [thomas] -> [thomas] -> [thomas] succeeded

6) Desktop loads as it should. Brief permissions check on mapped drives from logon script seems to be solid. Workstation account still fails to auth.

7) Double checked for CentOS AVC Denials: none.
---


The workstation account can be verified from a few different angles:


$  getent passwd
...
7test1$:x:10013:100:Workstation (7test1$):/nohome:/sbin/nologin
...


$ pdbedit -Lv 7TEST1$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: 7TEST1$
Unix username:        7TEST1$
NT username:          7TEST1$
Account Flags:        [W          ]
User SID:             S-1-5-21-1521813849-199949043-3839498338-1005
Primary Group SID:    S-1-5-21-1521813849-199949043-3839498338-513
Full Name:            Workstation (7test1$)
Home Directory:
HomeDir Drive:        H:
Logon Script:         users.vbs
Profile Path:
Domain:               OFFICE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mon, 22 Nov 2010 10:07:34 CST
Password can change:  Mon, 22 Nov 2010 10:07:34 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


$ ldapsearch -x -H ldap://${FQDNAME} -b "${LDAPBASEDN}" "(&(uid=7TEST1$)(objectClass=sambaSamAccount))" -D cn=config -w ${LDAPPASSWD}
# extended LDIF
#
# LDAPv3
# base <dc=ptest,dc=us> with scope subtree
# filter: (&(uid=7TEST1$)(objectClass=sambaSamAccount))
# requesting: ALL
#

# 7TEST1$, machines, ptest.us
dn: uid=7TEST1$,ou=machines,dc=ptest,dc=us
uid: 7TEST1$
sambaSID: S-1-5-21-1521813849-199949043-3839498338-1005
displayName: Workstation (7test1$)
objectClass: sambaSamAccount
objectClass: account
sambaAcctFlags: [W          ]
sambaNTPassword: B801FD816E64791F0AA328E8FD7586BE
sambaPwdLastSet: 1290442054

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This looks identical to the WinXP workstations I've added except for the errors:
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]: _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1
&
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45, 2] auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]: check_ntlm_password: Authentication for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER


--
Thanks in advance :)

Todd E Thomas
"It's a frail music knits the world together."
-Robert Dana





On 10/25/2010 01:41 AM, Pascal Legrand wrote:
Hello,
I'm using Samba Version: 2:3.5.5~dfsg-1~bpo50+2 from backports

Patch applied:
http://support.microsoft.com/kb/2171571

Key modified:
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
"DNSNameResolutionRequired"=dword:00000000
"DomainCompatibilityMode"=dword:00000001

--------------------------------------------------------------------------------------

When I include a Windows 7 station in the Samba domain, everything works fine, but
I've got a lot of error messages:

[2010/10/25 08:19:53.174725,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/10/25 08:19:53.177153,  2] smbd/sesssetup.c:1390(setup_new_vc_session)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/10/25 08:19:53.177843,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [root] ->  [root] ->  [root] succeeded
[2010/10/25 08:19:55.607701,  2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
   Returning domain sid for domain TEST-SAMBA -> S-1-5-21-3551297527-875676932-1423664221
[2010/10/25 08:19:59.095642,  2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
   credentials check failed
[2010/10/25 08:19:59.095692,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WINDOWS7 machine account WINDOWS7$
[2010/10/25 08:20:06.623691,  2] auth/auth.c:314(check_ntlm_password)
   check_ntlm_password:  Authentication for user [WINDOWS7] ->  [WINDOWS7] FAILED with error NT_STATUS_NO_SUCH_USER

pdbedit -v WINDOWS7$ :
-----------------------
Unix username:        WINDOWS7$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-3551297527-875676932-1423664221-1005
Primary Group SID:    S-1-5-21-3551297527-875676932-1423664221-513
Full Name:            WINDOWS7$
Home Directory:       \\test\windows7_
HomeDir Drive:        m:
Logon Script:
Profile Path:
Domain:               TEST-SAMBA
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    lun, 25 oct 2010 08:19:55 CEST
Password can change:  lun, 25 oct 2010 08:19:55 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


pdbedit -L WINDOWS7$ :
-----------------------
WINDOWS7$:4294967295:WINDOWS7$

What does "4294967295" mean?

After that, when I connect to the Windows 7 station with the "tiptop" user, I also
get some error messages:

[2010/10/25 08:32:58.833370,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] ->  [tiptop] succeeded
[2010/10/25 08:32:58.860904,  1] auth/auth_util.c:580(make_server_info_sam)
   User WINDOWS7$ in passdb, but getpwnam() fails!
[2010/10/25 08:32:58.860939,  0] auth/auth_sam.c:493(check_sam_security)
   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2010/10/25 08:32:58.861009,  2] auth/auth.c:314(check_ntlm_password)
   check_ntlm_password:  Authentication for user [WINDOWS7$] ->  [WINDOWS7$] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/10/25 08:33:00.510068,  2] auth/auth.c:304(check_ntlm_password)
   check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] ->  [tiptop] succeeded
[2010/10/25 08:33:00.544211,  1] smbd/service.c:1070(make_connection_snum)
   windows7 (192.168.151.73) connect to service tiptop initially as user tiptop (uid=1002, gid=1002) (pid 2098)



But everything works fine.
The station exists in the domain, and the user can connect to it.

Is it normal?
Does this Samba version not support Windows 7 stations well yet?


Thanks for your help
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
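
Added example (not part of either message, and not Samba code): a log triage that groups the three symptoms reported in this thread per machine account, reading both the syslog-prefixed 3.3 layout and the two-line 3.5 layout, and flags `pdbedit -L` rows whose uid field is 4294967295. It assumes that value is -1 stored in an unsigned 32-bit uid, i.e. a failed uid lookup, which agrees with the "in passdb, but getpwnam() fails!" line; the function and finding names are hypothetical.

```python
import re

# Log and pdbedit lines copied from the thread (wrapped lines rejoined);
# the "tiptop" pdbedit entry is constructed for contrast.
SAMPLE_LOG = """\
[2010/10/25 08:19:59.095692,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WINDOWS7 machine account WINDOWS7$
[2010/10/25 08:20:06.623691,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [WINDOWS7] ->  [WINDOWS7] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/10/25 08:32:58.833370,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] ->  [tiptop] succeeded
[2010/10/25 08:32:58.860904,  1] auth/auth_util.c:580(make_server_info_sam)
  User WINDOWS7$ in passdb, but getpwnam() fails!
"""
SAMPLE_PDBEDIT = "WINDOWS7$:4294967295:WINDOWS7$\ntiptop:1002:tiptop\n"

STAMP = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?,\s*\d+\]")
PATTERNS = {
    "secure_channel_rejected": re.compile(
        r"netlogon_creds_server_check failed\..*machine account (\S+)"),
    "no_such_user": re.compile(
        r"Authentication for user \[([^\]]+)\].*FAILED with error NT_STATUS_NO_SUCH_USER"),
    "no_unix_account": re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails"),
}
UID_LOOKUP_FAILED = 0xFFFFFFFF  # 4294967295; assumed to be -1 in an unsigned 32-bit uid

def account_key(name):
    """Fold WINDOWS7, WINDOWS7$ and windows7$ into one key."""
    return name.rstrip("$").upper()

def triage_log(text):
    """Return {account: [(timestamp, finding), ...]} in log order."""
    findings, stamp = {}, None
    for line in text.splitlines():
        header = STAMP.search(line)
        if header:
            stamp = header.group(1)  # header may be its own line or share one
        for finding, pattern in PATTERNS.items():
            hit = pattern.search(line)
            if hit:
                findings.setdefault(account_key(hit.group(1)), []).append((stamp, finding))
    return findings

def unresolved_accounts(pdbedit_listing):
    """Accounts in `pdbedit -L` output (name:uid:fullname) with no Unix uid."""
    rows = (line.split(":") for line in pdbedit_listing.splitlines())
    return [r[0] for r in rows
            if len(r) >= 2 and r[1].isdigit() and int(r[1]) == UID_LOOKUP_FAILED]
```

An account that shows `secure_channel_rejected` followed by `no_such_user` while user logons still succeed is the pattern both posters describe.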
