[Samba] make_connection: connection to IPC$ denied due to security descriptor after upgrade

[Karol Makowski]

Hi All

I've been using samba for some time as a PDC in our company. Everything 
was alright till I upgraded samba
from 3.0.22 to 3.0.24 (and to 3.0.26 later). Now I can't log in to 
domain anymore. In samba logs there's a message:

[2007/11/21 10:17:29, 0] smbd/service.c:make_connection_snum(850)
 make_connection: connection to IPC$ denied due to security descriptor.

I was googling for it and found solution to delete share_info.tdb 
however that didn't helped. Do you have any ideas
what's wrong? After downgrading samba to 3.0.22 everything goes back to 
normal and I can log in into domain again.


I'm using:
k3 samba # uname -a
Linux k3 2.6.20-vs2.2.0-gentoo-ipmi-070618 #3 SMP Mon Jun 18 03:10:49 
CEST 2007 x86_64 Intel(R) Xeon(R) CPU 5160 @ 3.00GHz GenuineIntel GNU/Linux


k3 samba # smbd -V
Version 3.0.26a

Best Regards

--
Karol Makowski
KOELNER SA IT Department
mailto: [EMAIL PROTECTED]
[mobile: +48 661 94 00 57] [office: +48 71 32 09 287]
jid: [EMAIL PROTECTED]





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] make_connection: connection to ipc$ denied due to security descriptor.

[Marc-Henri PAMISEUX]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi everybody,

I'm a french sysadmin and i'm using Samba from a long date.
Since my first use, i've write some usefull documentation, and usually,
i've just to follow this documentation and Samba works by itself ;)

Now, i'm trying to install Samba as the usuall but on a Debian-Etch
AMD64 plateform. All my previous install were done on an Debian-i386
plateform, and certainly a woody distribution.

This Samba version is 3.0.24, and uname -an gives me:
Linux rhea 2.6.18-5-amd64 #1 SMP Tue Oct 2 20:37:02 UTC 2007 x86_64
GNU/Linux

In all the case, i've install OpenLDAP, build my directory, parameter
nsswitch and so on. When i type a getent passwd, all my LDAP record are
seen and Samba authenticate well on LDAP; As the usual ;)

But, when i'm trying to join some workstation to this Samba seen as a
PDC server, sometime it works, and sometime not. I've search, changed a
lot of things in my configuration, and now, most workstation well join
the PDC, but i can't explore the network neighborhood, i've got an error
message, and when i give \\MYSERVER in the url, i can see my Server
Share. Another strange things, when two workstation join the domain,
they can't explore themselves their shares or printers...

In all the case, the most frequent error log message is:
smbd/service.c:make_connection_snum(782)
make_connection: connection to ipc$ denied due to security descriptor.

For example, here is a portion of a log file:

[2007/11/08 08:40:16, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/08 08:40:16, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/11/08 08:40:16, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/11/08 08:40:16, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:40:16, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:40:17, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.1.212)
[2007/11/08 08:40:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:40:17, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:40:17, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to ipc$ denied due to security descriptor.
[2007/11/08 08:43:21, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 514
[2007/11/08 08:43:21, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.1.212)
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:43:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/11/08 08:43:21, 0] smbd/service.c:make_connection_snum(782)
  make_connection: connection to ipc$ denied due to security descriptor.

I think you want to see my smb.conf ?
You've got it as smb.sample join to this message.
My server IP is 192.168.1.2 and i've got an LDAP server on 127.0.0.1 and
a replicat server on 192.168.1.3

I've define some group mapping, and all my users have for primary group
the group named SmbDomUsers (gid=513).
Sometime, when i'm using the pdbedit command i've got the following lines:

Unix username:loic
NT username:  loic
Account Flags:[UX ]
User SID: S-1-5-21-3280060803-927162377-3199414824-3006
Primary Group SID:S-1-5-21-3280060803-927162377-3199414824-513
Full Name:Compte de Loic
Home Directory:   \\RHEA\loic
HomeDir Drive:U:
Logon Script: logon.cmd
Profile Painit_sam_from_ldap: Entry found for user: ludovic
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
init_sam_from_ldap: Entry found for user: pascal
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
init_sam_from_ldap: Entry found for user: francois
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
init_sam_from_ldap: Entry found for user: jerome
init_group_from_ldap: Entry found for group: 513
init_group_from_ldap: Entry found for group: 513
th: \\RHEA\loic\.winprofile
Domain:   MYWORKGROUP
Account desc: Compte Utilisateur du domaine MYWORKGROUP
Workstations:
Munged dial:
Logon time:   0
Logoff