Re: [Samba] cannot login from some machines after upgrading from 2 to 3
Atrox wrote:

Atrox wrote:

Hi.

I've got a strange issue here. Some time ago (in March ;) I upgraded my FreeBSD-6.0 Samba 2.2 to 3.0 (currently 3.0.24). After creating groupmaps and doing all the other upgrade tasks, everything seemed to be alright. However, it was not possible to login from some machines (getting error for the wrong password). After disjoining and rejoining domain with these machines, it was possible again. Does anybody know, what could be the problem?

There are still some such machines left. One of these is a Windows 2000. When I try to login to domain from there, I see the according log-lines ending with:

=
[2007/06/21 11:40:27, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [silver] succeeded
[2007/06/21 11:40:27, 5] auth/auth.c:check_ntlm_password(296)
  check_ntlm_password: PAM Account for user [silver] succeeded
[2007/06/21 11:40:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [silver] - [silver] - [silver] succeeded
[2007/06/21 11:40:27, 5] auth/auth_util.c:free_user_info(1867)
  attempting to free (and zero) a user_info structure
[2007/06/21 11:40:27, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for silver
=

When checking some successful login's log, I see that information about user's groups should follow:

=
[2007/06/21 13:24:57, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for silver
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-5-32-546 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-770051042-1162095659-2196661315-501
  contains 4 SIDs
  SID[ 0]: S-1-5-21-770051042-1162095659-2196661315-501
  SID[ 1]: S-1-1-0
  SID[ 2]: S-1-5-2
  SID[ 3]: S-1-5-32-546
=

I checked the server schannel also and verified that this is not the case as this w2k's according security settings match server's settings. What else could cause this?

Thanks in advance,
Silver

Hello.

Update: some machines allow some users to login, but some users not to. Even though the user is in the users group and can login to Samba with smbclient, login from (at least some) machines fails. Hasn't anyone experienced smth like that?

Silver

I'm sorry to bother the list with this again, but I'm still sitting on this issue. Meanwhile a user wanted to change his password, but after doing that he couldn't login from his machine any more. If I changed his password to the old one, it was OK again. Now a new user was made, but he cannot login into domain.. Would anyone suggest me some debugging options?

--
Silver

--
View this message in context: http://www.nabble.com/cannot-login-from-some-machines-after-upgrading-from-2-to-3-tf3958124.html#a14151755
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba can't find its hostname via broadcast
Michael H. Warfield wrote:

On Mon, 2007-10-22 at 23:16 -0700, Atrox wrote:

Michael Lueck wrote:

Atrox wrote:

Michael Lueck wrote:

So, how do you know Samba can not find itself?

Well, server doesn't answer to nmblookup by broadcast:

$ nmblookup -B 192.168.1.255 frontier
querying frontier on 192.168.1.255
name_query failed to find name frontier

If I query Samba via unicast, it answers OK:

$ nmblookup -U frontier frontier
querying frontier on 192.168.1.31
192.168.1.31 frontier00

For lo0 interface I get the error:

Packet send failed to 127.255.255.255(137) ERRNO=Operation not permitted

Should it be that way?

What are you actually trying to do? I know nmblookup by name, but never have to use it.

The error Operation not permitted occurs when I nmblookup without any flag, ie. nmblookup frontier. Nmblookup queries lo0 as I have specified it in interfaces parameter.

So, what happens if you DON'T specify lo in your interfaces? It should still work using your real interfaces. I don't really see what you are gaining by allowing the lo interface to begin with.

I set it just to try whether it helps or not. If it's not specified, I just don't get the Operation not permitted error :) Nmblookup doesn't work nevertheless:

$ nmblookup frontier
added interface ip=192.168.1.31 bcast=192.168.1.255 nmask=255.255.255.0
querying frontier on 192.168.1.255
name_query failed to find name frontier

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13439574
Re: [Samba] Samba can't find its hostname via broadcast
Michael Lueck wrote:

Atrox wrote:

Michael Lueck wrote:

So, how do you know Samba can not find itself?

Well, server doesn't answer to nmblookup by broadcast:

$ nmblookup -B 192.168.1.255 frontier
querying frontier on 192.168.1.255
name_query failed to find name frontier

If I query Samba via unicast, it answers OK:

$ nmblookup -U frontier frontier
querying frontier on 192.168.1.31
192.168.1.31 frontier00

For lo0 interface I get the error:

Packet send failed to 127.255.255.255(137) ERRNO=Operation not permitted

Should it be that way?

What are you actually trying to do? I know nmblookup by name, but never have to use it.

The error Operation not permitted occurs when I nmblookup without any flag, ie. nmblookup frontier. Nmblookup queries lo0 as I have specified it in interfaces parameter.

$ nmblookup frontier
querying frontier on 192.168.1.255
querying frontier on 127.255.255.255
Packet send failed to 127.255.255.255(137) ERRNO=Operation not permitted
name_query failed to find name frontier

About logs, what is your smb.conf logging configuration? Ours is:

log file = /var/log/samba/log.%m

Yep, I have the same.

which generates a separate log for each machine. First by IP address (log.IPADDR) until the computer name of the host is learned. Then it starts writing to log.machinename from then on. So I was asking do you get errors in the Samba logs that you are trying to understand?

Yes, I understood. But I don't see anything unusual nor any errors there (in log.smbd, log.nmbd, log.frontier, log.192.168.1.31) when I do nmblookup..

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13358113
Re: [Samba] Samba can't find its hostname via broadcast
Michael Lueck wrote:

Atrox wrote:

Ah, yes, it's plain-text :)

??? Should be binary, yet readable with cat.

But there's only 1 IP for the server, but there are 8 lines for the server:

Sounds good. Probably not the same problem as I had then. Yes, I recall multiple entries for the server.

So, how do you know Samba can not find itself?

Well, server doesn't answer to nmblookup by broadcast:

$ nmblookup -B 192.168.1.255 frontier
querying frontier on 192.168.1.255
name_query failed to find name frontier

If I query Samba via unicast, it answers OK:

$ nmblookup -U frontier frontier
querying frontier on 192.168.1.31
192.168.1.31 frontier00

For lo0 interface I get the error:

Packet send failed to 127.255.255.255(137) ERRNO=Operation not permitted

Should it be that way?

Are you seeing messages in the nmbd log?

Nope. I can debug it a little with -d 5, but don't see anything interesting there either:

...
Socket opened.
querying frontier on 192.168.1.255
Sending a packet of len 50 to (192.168.1.255) on port 137
Sending a packet of len 50 to (192.168.1.255) on port 137
Sending a packet of len 50 to (192.168.1.255) on port 137
name_query failed to find name frontier

--
Silver

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13337205
Re: [Samba] Samba can't find its hostname via broadcast
Michael Lueck wrote:

Atrox wrote:

Hmm, actually the machine runs OpenVPN too, so its (bridged) tap device has its own IP that falls into the same netmask /24. Is it possible that Samba may get confused about that? Should specifying only the internal interface (and lo0 maybe) in interfaces help in this case?

I have no experience running OpenVPN on a Samba server box. We have separate firewall boxes and run OpenVPN on those boxes.

I have such setup in several places and I've seen no problem yet. But well, I just discovered the same issue at one other server ;)

PS. I can't try deleting the wins cache right now as Samba is in active use.

I suppose you could take a peek inside that file (cat wins.dat) and see if you see multiple IP addresses around the information for your server.

Ah, yes, it's plain-text :) But there's only 1 IP for the server, but there are 8 lines for the server:

MYDOMAIN#1b 1193031291 192.168.1.31 64R
MYSERV#00 1193031291 192.168.1.31 66R
MYDOMAIN#1c 1193031291 192.168.1.31 e4R
MYSERV-ALIAS#03 1193031291 192.168.1.31 64R
MYSERV#03 1193031291 192.168.1.31 66R
MYSERV-ALIAS#20 1193031291 192.168.1.31 64R
MYSERV#20 1193031291 192.168.1.31 66R
MYSERV-ALIAS#00 1193031291 192.168.1.31 64R

I tried deleting wins.dat this morning, but it didn't help :( I also set interfaces = xl1 lo0 (xl1 is my inner interface), but it didn't have any effect either.

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13288815
Re: [Samba] Samba can't find its hostname via broadcast
Atrox wrote:

Hello.

I'm using Samba 3.0.25a on FreeBSD-6.0. Samba is configured to be a PDC.

Samba can't find its hostname via nmblookup:

$ nmblookup -B 192.168.1.255 frontier
querying frontier on 192.168.1.255
name_query failed to find name frontier

If I query Samba via unicast, it answers OK:

$ nmblookup -U frontier frontier
querying frontier on 192.168.1.31
192.168.1.31 frontier00

Also, Samba cannot find domain's master, but I suspect it can't become the master because of this nmblookup failure. I've experienced the similar issue with other Samba-3.0.26a too. I've gone through Samba troubleshooting, but I didn't find anything. What could cause this issue?

Thanks in advance,
Silver

Nothing on this? While googling I've seen questions about this issue asked several years ago, but not lately. And I haven't found any exhaustive answer to this :(

More about the issue - if I nmblookup domain, I get quite a lot of answers, but not from the server itself (192.168.1.31):

$ nmblookup mydomain
querying mydomain on 192.168.1.255
192.168.1.200 mydomain00
192.168.1.145 mydomain00
192.168.1.147 mydomain00
192.168.1.131 mydomain00
192.168.1.130 mydomain00
192.168.1.138 mydomain00
192.168.1.140 mydomain00
192.168.1.149 mydomain00
192.168.1.143 mydomain00
192.168.1.139 mydomain00
192.168.1.141 mydomain00
192.168.1.110 mydomain00
192.168.1.100 mydomain00
192.168.1.118 mydomain00
192.168.1.111 mydomain00
192.168.1.106 mydomain00
192.168.1.108 mydomain00
192.168.1.126 mydomain00
192.168.1.105 mydomain00

The firewall is not the issue as I see from tcpdump that broadcast queries to port 137 reach the server.

--
Silver

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13250356
Re: [Samba] Samba can't find its hostname via broadcast
Michael Lueck wrote:

Atrox wrote:

Samba can't find its hostname via nmblookup:

$ nmblookup -B 192.168.1.255 frontier
querying frontier on 192.168.1.255
name_query failed to find name frontier

Have you ever had another (multiple) IP addresses on this particular installation? Long long ago I ran into issues with a test box that had been known by several IP addresses over the course of time. nmbd got confused and did not know the IP address of the server itself. I flushed the wins cache on the PDC and all was well. That is...

stopped samba
deleted /var/run/samba/wins.tdb
started samba

In my case, it tried the oldest two IP addresses the server had been known as, just not the current IP address. Flushing WINS resulted in WINS being rediscovered, and thus the current IP address of the server was detected, and samba could find itself again!

Hmm, actually the machine runs OpenVPN too, so its (bridged) tap device has its own IP that falls into the same netmask /24. Is it possible that Samba may get confused about that? Should specifying only the internal interface (and lo0 maybe) in interfaces help in this case?

PS. I can't try deleting the wins cache right now as Samba is in active use.

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13268471
[Samba] Samba can't find its hostname via broadcast
Hello.

I'm using Samba 3.0.25a on FreeBSD-6.0. Samba is configured to be a PDC.

Samba can't find its hostname via nmblookup:

$ nmblookup -B 192.168.1.255 frontier
querying frontier on 192.168.1.255
name_query failed to find name frontier

If I query Samba via unicast, it answers OK:

$ nmblookup -U frontier frontier
querying frontier on 192.168.1.31
192.168.1.31 frontier00

Also, Samba cannot find domain's master, but I suspect it can't become the master because of this nmblookup failure. I've experienced the similar issue with other Samba-3.0.26a too. I've gone through Samba troubleshooting, but I didn't find anything. What could cause this issue?

Thanks in advance,
Silver

--
View this message in context: http://www.nabble.com/Samba-can%27t-find-its-hostname-via-broadcast-tf4633404.html#a13230734
Re: [Samba] Domain migration from 2.2.x to 3.0.x
Atrox wrote:

Logan Shaw wrote:

4) Make sure the new server has the same SID as the old. There are lots of ways of doing this, but I believe the one I used was to run rpcclient's lookupsids command against the domain itself to get the old SID on 2.2.x, then I used net setlocalsid to set it on the new 3.0.22 system. Or something along those lines. :-)

5) This might or might not be necessary, but make sure the machine accounts have the same SID as before as well.

Hi.

I did an upgrade a half of year ago. I'm still experiencing some weird login (ie. authentication) problems, so I started to guess that maybe the new domain's SID isn't the same as the old domain's was. But well, I guess I didn't read the instructions carefully, so I didn't check it in right time. Fortunately I still have backups of the old system (of /var and conf). Can I just check some file for what the old SID was?

Thanks in advance,
Silver

Hm, I took a look at secrets.tdb found from backup. The first lines are:

{
key(19) = SECRETS/SID/MYDOMAIN
data(68) = \01\04\00\00\00\00\00\05\15\00\00\...\00
}

And this differs from the current one (found from secrets.tdb) indeed. So how can I convert the sid found from secrets.tdb (\01\04\...) to form of S-1-...? And would it be a good idea? :)

Silver

--
View this message in context: http://www.nabble.com/Domain-migration-from-2.2.x-to-3.0.x-tf2091210.html#a12423211
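The conversion asked about in the message above, as an added example that is not part of the original post or of Samba's own code: it decodes a tdbdump-style data value into bytes and renders it as S-1-... text. The 68-byte layout, the little-endian sub-authorities and the escape notation are assumptions noted in the comments, the sample value is constructed, and the helper names are hypothetical.

```python
import re

# Assumed layout of the stored value (a raw dump of Samba 3's SID struct):
# 1 byte revision, 1 byte sub-authority count, 6 bytes identifier authority
# (big-endian), then 15 fixed 32-bit sub-authority slots = 68 bytes.
MAX_SUBAUTHS = 15
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def tdbdump_unescape(text):
    # Assumed tdbdump notation: backslash + two hex digits is one byte,
    # any other character stands for itself.
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            pair = text[i + 1:i + 3]
            if not HEX_PAIR.fullmatch(pair):
                # An elided dump such as "\..." ends up here.
                raise ValueError(f"bad or elided escape at offset {i}")
            out.append(int(pair, 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def sid_to_string(blob, byteorder="little"):
    # byteorder is that of the host that wrote the file (assumption: x86).
    if len(blob) < 8:
        raise ValueError("too short for a SID header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > MAX_SUBAUTHS:
        raise ValueError("not a revision-1 SID")
    if len(blob) < 8 + 4 * count:
        raise ValueError("sub-authorities truncated")
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * n:12 + 4 * n], byteorder)
            for n in range(count)]
    # Slots past `count` are padding and are ignored.
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def in_domain(account_sid, domain_sid):
    # An account SID is the domain SID plus one trailing RID.
    head, _, rid = account_sid.rpartition("-")
    return head == domain_sid and rid.isdigit()

# Constructed sample, not the value from the backup: S-1-5-21-1000-2000-65.
# The byte 0x41 appears as a literal "A", as a dump would show a printable byte.
SAMPLE = (r"\01\04\00\00\00\00\00\05\15\00\00\00\E8\03\00\00"
          r"\D0\07\00\00A\00\00\00" + r"\00" * 44)

if __name__ == "__main__":
    old_sid = sid_to_string(tdbdump_unescape(SAMPLE))
    print(old_sid)
    print(in_domain(old_sid + "-501", old_sid))
```

The value to compare the result against is what `net getlocalsid` prints on the running server.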
Re: [Samba] Domain migration from 2.2.x to 3.0.x
Logan Shaw wrote:

4) Make sure the new server has the same SID as the old. There are lots of ways of doing this, but I believe the one I used was to run rpcclient's lookupsids command against the domain itself to get the old SID on 2.2.x, then I used net setlocalsid to set it on the new 3.0.22 system. Or something along those lines. :-)

5) This might or might not be necessary, but make sure the machine accounts have the same SID as before as well.

Hi.

I did an upgrade a half of year ago. I'm still experiencing some weird login (ie. authentication) problems, so I started to guess that maybe the new domain's SID isn't the same as the old domain's was. But well, I guess I didn't read the instructions carefully, so I didn't check it in right time. Fortunately I still have backups of the old system (of /var and conf). Can I just check some file for what the old SID was?

Thanks in advance,
Silver

--
View this message in context: http://www.nabble.com/Domain-migration-from-2.2.x-to-3.0.x-tf2091210.html#a12408448
Re: [Samba] cannot login from some machines after upgrading from 2 to 3
Atrox wrote:

Hi.

I've got a strange issue here. Some time ago (in March ;) I upgraded my FreeBSD-6.0 Samba 2.2 to 3.0 (currently 3.0.24). After creating groupmaps and doing all the other upgrade tasks, everything seemed to be alright. However, it was not possible to login from some machines (getting error for the wrong password). After disjoining and rejoining domain with these machines, it was possible again. Does anybody know, what could be the problem?

There are still some such machines left. One of these is a Windows 2000. When I try to login to domain from there, I see the according log-lines ending with:

=
[2007/06/21 11:40:27, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [silver] succeeded
[2007/06/21 11:40:27, 5] auth/auth.c:check_ntlm_password(296)
  check_ntlm_password: PAM Account for user [silver] succeeded
[2007/06/21 11:40:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [silver] - [silver] - [silver] succeeded
[2007/06/21 11:40:27, 5] auth/auth_util.c:free_user_info(1867)
  attempting to free (and zero) a user_info structure
[2007/06/21 11:40:27, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for silver
=

When checking some successful login's log, I see that information about user's groups should follow:

=
[2007/06/21 13:24:57, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for silver
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-5-32-546 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-770051042-1162095659-2196661315-501
  contains 4 SIDs
  SID[ 0]: S-1-5-21-770051042-1162095659-2196661315-501
  SID[ 1]: S-1-1-0
  SID[ 2]: S-1-5-2
  SID[ 3]: S-1-5-32-546
=

I checked the server schannel also and verified that this is not the case as this w2k's according security settings match server's settings. What else could cause this?

Thanks in advance,
Silver

Hello.

Update: some machines allow some users to login, but some users not to. Even though the user is in the users group and can login to Samba with smbclient, login from (at least some) machines fails. Hasn't anyone experienced smth like that?

Silver

--
View this message in context: http://www.nabble.com/cannot-login-from-some-machines-after-upgrading-from-2-to-3-tf3958124.html#a12145332
[Samba] cannot login from some machines after upgrading from 2 to 3
Hi.

I've got a strange issue here. Some time ago (in March ;) I upgraded my FreeBSD-6.0 Samba 2.2 to 3.0 (currently 3.0.24). After creating groupmaps and doing all the other upgrade tasks, everything seemed to be alright. However, it was not possible to login from some machines (getting error for the wrong password). After disjoining and rejoining domain with these machines, it was possible again. Does anybody know, what could be the problem?

There are still some such machines left. One of these is a Windows 2000. When I try to login to domain from there, I see the according log-lines ending with:

=
[2007/06/21 11:40:27, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: sam authentication for user [silver] succeeded
[2007/06/21 11:40:27, 5] auth/auth.c:check_ntlm_password(296)
  check_ntlm_password: PAM Account for user [silver] succeeded
[2007/06/21 11:40:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [silver] - [silver] - [silver] succeeded
[2007/06/21 11:40:27, 5] auth/auth_util.c:free_user_info(1867)
  attempting to free (and zero) a user_info structure
[2007/06/21 11:40:27, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for silver
=

When checking some successful login's log, I see that information about user's groups should follow:

=
[2007/06/21 13:24:57, 10] auth/auth_util.c:free_user_info(1871)
  structure was created for silver
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:create_local_token(1023)
  Could not convert SID S-1-5-32-546 to gid, ignoring it
[2007/06/21 13:24:57, 10] auth/auth_util.c:debug_nt_user_token(454)
  NT user token of user S-1-5-21-770051042-1162095659-2196661315-501
  contains 4 SIDs
  SID[ 0]: S-1-5-21-770051042-1162095659-2196661315-501
  SID[ 1]: S-1-1-0
  SID[ 2]: S-1-5-2
  SID[ 3]: S-1-5-32-546
=

I checked the server schannel also and verified that this is not the case as this w2k's according security settings match server's settings. What else could cause this?

Thanks in advance,
Silver

--
View this message in context: http://www.nabble.com/cannot-login-from-some-machines-after-upgrading-from-2-to-3-tf3958124.html#a11231169