
[Samba] Samba upgrade problem with ADS


Nitin Thakur

Sep 4, 2012, 10:20:01 PM

hi gurus

My samba upgrade woes: -

I have to run 2 instances of samba, one for dev and one for UAT. Both instances are giving me a hard time after the upgrade.

One instance keeps giving me the following error: -

connect_to_domain_password_server: unable to open the domain client session to machine xxxxx.xxxxx.xxxxx.xxxxxxx.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 16:19:36.993000, 0] auth/auth_domain.c:292(domain_client_validate)

It returns this error for all the password servers. I deleted the server from AD and tried to rejoin the domain. It did join the domain but returned the error: -


# /opt/local/samba/bin/net -s /opt/local/samba/lib/smb.conf.dev ads join -U admin
Enter admin's password:
Using short domain name -- XXXX
Joined 'XXXX' to realm 'xxxx.xxxx.xxxx.com'
DNS Update for xxxxx.xxxx.xx.xxxxxxx.com failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!

Since then it keeps giving me the error: -
[2012/09/04 21:43:10.299657, 0] smbd/server.c:1109(main)
standard input is not a socket, assuming -D option
[2012/09/04 21:43:10.606915, 0] libads/kerberos_util.c:101(ads_kinit_password)
kerberos_kinit_password XXXXX$@XXX.XX.XXXXXX.COM failed: Preauthentication failed
[2012/09/04 21:43:10.608476, 0] printing/nt_printing.c:102(nt_printing_init)
nt_printing_init: error checking published printers: WERR_ACCESS_DENIED


Moving on to the other instance: -

[2012/09/04 15:51:47.207600, 5] rpc_client/cli_pipe.c:738(rpc_api_pipe_send)
rpc_api_pipe: host XXXXXX.XXXXX.XXXXX.XXXXXX.COM
[2012/09/04 15:51:47.209191, 5] rpc_client/cli_pipe.c:97(rpc_read_send)
rpc_read_send: data_to_read: 52
[2012/09/04 15:51:47.209422, 5] rpc_client/cli_pipe.c:1521(check_bind_response)
check_bind_response: accepted!
[2012/09/04 15:51:47.209687, 5] passdb/passdb.c:2365(get_trust_pw_clear)
get_trust_pw_clear: could not fetch clear text trust account password for domain XXXXXX
[2012/09/04 15:51:47.209844, 5] passdb/machine_account_secrets.c:267(secrets_fetch_trust_account_password_legacy)
secrets_fetch failed!
[2012/09/04 15:51:47.209998, 5] passdb/passdb.c:2403(get_trust_pw_hash)
get_trust_pw_hash: could not fetch trust account password for domain XXXXXXX
[2012/09/04 15:51:47.210109, 0] rpc_client/cli_pipe_schannel.c:54(get_schannel_session_key_common)
get_schannel_session_key: could not fetch trust account password for domain 'XXXXX'
[2012/09/04 15:51:47.211665, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
cli_rpc_pipe_open_schannel: failed to get schannel session key from server XXXXXXX.XXXXXXXXX.XXXXXXX.XXXXXX.COM for domain XXXXXX.
[2012/09/04 15:51:47.211845, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
connect_to_domain_password_server: unable to open the domain client session to machine XXXXXXXX.XXXXXXXX.XXXX.XXXXXXXX.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
[2012/09/04 15:51:47.213484, 0] auth/auth_domain.c:292(domain_client_validate)
domain_client_validate: Domain password server not available.
[2012/09/04 15:51:47.213654, 5] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: winbind authentication for user [XXXX] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2012/09/04 15:51:47.213779, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [XXXXX] -> [XXXXXX] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2012/09/04 15:51:47.213950, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Here is the smbd.conf for 1st instance
#======================= Global Settings =====================================
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = XXXXX
workgroup = XXXXX
server string = XXXX Samba Server ver %v
security = ADS
log file = /opt/local/samba/dev/logs/log.%m
max log size = 50
password server = xxxxxx.xxxx.xxxx.xxxxxxx.com, xxxx.xxxx.xxxx.xxxxxxx.com
encrypt passwords = yes
realm = XXXXXXX.XXXX.XXXXXXXXX.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba/dev/private
private dir = /opt/local/samba/dev/private
username map = /opt/local/samba/dev/users.map
pid directory = /opt/local/samba/dev
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba/var/dev/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = yes
syslog = 0
interfaces = xxx.xxx.xxx.xxx
socket address = xxx.xxx.xxx.xxx

[share]
comment = share
path = /share
read only = No
create mask = 0774
browseable = yes
preserve case = yes


and smb.conf.uat for second instance
[global]

socket options = TCP_NODELAY IPTOS_LOWDELAY
netbios name = XXXXX-UAT
workgroup = XXXXX
server string = XXXX-UAT Samba Server ver %v
security = ADS
map untrusted to domain = Yes
log file = /opt/local/samba/uat/logs/log.%m
log level = 5
max log size = 50
password server = xxx.xxx.xxx.xxxx.xxx xxxx.xxxx.xxxx.xxxx.com
encrypt passwords = yes
realm = XXXXX.XXXX.XXXX.COM
local master = no
domain master = no
domain logons = no
dns proxy = no
smb passwd file = /opt/local/samba/uat/private
private dir = /opt/local/samba/uat/private
username map = /opt/local/samba/uat/users.map
pid directory = /opt/local/samba/uat
bind interfaces only = yes
wins support = no
domain master = no
allow trusted domains = yes
locking = yes
lock directory = /opt/local/samba/uat/var/locks
preserve case = yes
short preserve case = yes
name resolve order = host bcast
load printers = no
printcap name = /dev/null
deadtime = 15
preferred master = no
guest account = nobody
guest ok = yes
syslog = 0
interfaces = xxx.xxx.xxx.xxx
socket address = xxx.xxx.xxx.xxx

[uat-share]
comment = uat-share
path = /uat-share
read only = No
create mask = 0774
browseable = yes


-------------------------------------------------------------------------------------------------------

I am using: -
krb5-1.10.3
openldap-2.4.31
samba-3.6.7


The same config files work fine with: -
krb5-1.7
openldap-2.4.16
samba-3.3.5


Any pointers?

Thanks

Nitin


Andrew Bartlett

Sep 5, 2012, 12:30:01 AM
On Tue, 2012-09-04 at 22:10 -0400, Nitin Thakur wrote:
> hi gurus
>
> My samba upgrade woes: -
>
> I have to run 2 instances of samba, one for dev and one for UAT. Both instances are giving me a hard time after the upgrade.
>
> One instance keeps giving me the following error: -
>
> connect_to_domain_password_server: unable to open the domain client session to machine xxxxx.xxxxx.xxxxx.xxxxxxx.COM. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
> [2012/09/04 16:19:36.993000, 0] auth/auth_domain.c:292(domain_client_validate)

That means it could not find the domain password in secrets.tdb. When
you upgraded, did you either copy the secrets.tdb to the new prefix, or
use the same prefix?

This doesn't explain the re-join issues, unless you are mixing up a
'net' binary from one release (and prefix) with smbd/winbindd from the
other however.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
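
Added example, not part of the original thread or of Samba: a small shell check for the question asked above, namely whether each instance's configured private directory actually holds a secrets.tdb after the upgrade. The function names (private_dir, check_secrets, make_sample) and the temporary dev/uat layout are constructed for illustration.

```shell
# Added example, not from the thread: find the secrets.tdb an instance will read.
# Print the "private dir" value from [global]; parameter names are matched
# case-insensitively with embedded spaces ignored, as smb.conf allows.
private_dir() {
    awk '
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        /^[ \t]*[#;]/ { next }
        in_global {
            eq = index($0, "="); if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1); sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == "privatedir") found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Print "present <path>" (file exists and is non-empty), "missing <path>", or
# "unset" when no private dir is configured (the build's compiled-in prefix
# default then applies).
check_secrets() {
    dir=$(private_dir "$1")
    if [ -z "$dir" ]; then
        echo "unset"
    elif [ -s "$dir/secrets.tdb" ]; then
        echo "present $dir/secrets.tdb"
    else
        echo "missing $dir/secrets.tdb"
    fi
}

# Constructed sample: two instances under a temp prefix; only "dev" has a
# (placeholder) secrets.tdb, as if "uat" had been moved to a new prefix.
make_sample() {
    root=$(mktemp -d)
    for inst in dev uat; do
        mkdir -p "$root/$inst/private"
        printf '[global]\n  security = ADS\n  Private Dir = %s\n[share]\n  path = /share\n' \
            "$root/$inst/private" > "$root/smb.conf.$inst"
    done
    echo "constructed placeholder" > "$root/dev/private/secrets.tdb"
    echo "$root"
}

sample=$(make_sample)
for inst in dev uat; do
    echo "$inst: $(check_secrets "$sample/smb.conf.$inst")"
done
rm -rf "$sample"
```

Run check_secrets against each real smb.conf (for example smb.conf.dev and smb.conf.uat) as the user that starts smbd, since the private directory is normally readable by root only.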

Nitin Thakur

Sep 5, 2012, 8:10:01 AM
How about I get rid of the secrets file altogether?

Nitin Thakur

Andrew Bartlett

Sep 6, 2012, 8:50:01 PM
On Wed, 2012-09-05 at 12:07 +0000, Nitin Thakur wrote:
> How about I get rid of the secrets file altogether?

You can delete secrets.tdb and secrets.ldb if either exists.

Nitin Thakur

Sep 6, 2012, 9:50:01 PM
Is it possible to run samba with AD without winbind?

Nitin Thakur


---Original Message---
From: "Andrew Bartlett" <abar...@samba.org>
Sent: 6/9/2012 20:42
To: nitin...@hotmail.com
Cc: sa...@lists.samba.org
Subject: Re: [Samba] Samba upgrade problem with ADS

Andrew Bartlett

Sep 6, 2012, 10:00:02 PM
On Fri, 2012-09-07 at 01:41 +0000, Nitin Thakur wrote:
> Is it possible to run samba with AD without winbind?

It isn't recommended, and won't help the issue you are having.