
[Samba] Migration Samba3 -> Samba4: Accessing domain member server is not working


Roland Schwingel

Jul 3, 2015, 11:43:52 AM
Hi ...

When trying to migrate from Samba 3 to Samba 4.2.2 I am facing a severe
problem that has been bugging me for hours now. I cannot get a Samba 4.2.2
fileserver to work with a Samba 4.2.2 PDC as a domain member.

My scenario:
Samba 3 network. PDC and fileserver were Samba 3.6.25, LDAP backend.
We can't move to AD right now, so I wanted to move to the current 4.2.2
at least, to do this step but still keep NT4-style domains.

Yesterday I migrated one PDC in a certain network to samba 4.2.2.
After some tweaking of smb.conf it works now. And I believe without
any trouble. Login/logout from Win2003,Win7,8.1 etc work fine.
Also printing and joining machines to the domain works as before. So far
so good.

Here is the smb.conf of the PDC:
[global]
unix charset = UTF-8
workgroup = MYDOM
server string = domaincontroller
passdb backend = ldapsam:"ldap://localhost"
log file = /usr/local/samba/var/log.%m
max log size = 500
large readwrite = No
name resolve order = host bcast
time server = Yes
add machine script = /usr/local/samba/bin/createSambaMachineAccount.php "%u"
logon script = logonscripts/%U/logon.bat
logon path = \\%N\profiles\%U
logon home =
domain logons = Yes
os level = 66
preferred master = Yes
domain master = Yes
dns proxy = No
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=computers,ou=samba
ldap passwd sync = yes
ldap suffix = dc=MYDOM,dc=com
ldap user suffix = ou=people
idmap config * : range =
idmap config * : backend = tdb
create mask = 0755
hide dot files = No
map hidden = Yes
csc policy = disable
strict locking = No

So I set up a test machine with Samba 4.2.2 as fileserver, working as a
domain member. Here is the smb.conf of the fileserver machine:
[global]
unix charset = UTF-8
workgroup = MYDOM
server string = Fileserver
security = DOMAIN
log level = 2
log file = /usr/local/samba/var/log.%m
max log size = 500
name resolve order = host bcast
unix extensions = No
hide dot files = No
csc policy = disable
strict locking = No
wide links = Yes

[testshare]
comment = test
path = /testshare
read only = No
inherit permissions = Yes

I joined the machine (osuse-test) to the network using this call. I
tried a couple of others, but this is the only one that produced a join:

osuse-test:/usr/local/samba/var # ../bin/net rpc join -v -S PDCHOST -Uroland
No realm has been specified! Do you really want to join an Active
Directory server?
Enter roland's password:
No realm has been specified! Do you really want to join an Active
Directory server?
Using short domain name -- MYDOM
Joined 'OSUSE-TEST' to domain 'MYDOM'

When I try to access osuse-test by opening \\osuse-test from
Windows 7, after a few seconds Windows presents me with a panel showing a
locking error.

On osuse-test I see these errors in the log file for the win7 client:
[2015/07/03 17:23:30.718802, 2] ../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:30.892601, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.893837, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:30.939343, 2] ../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:31.110024, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.111246, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.111278, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.131118, 2] ../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:31.296986, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.298164, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.298195, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.318922, 2] ../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/03 17:23:31.485074, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/03 17:23:31.486119, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/03 17:23:31.486162, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED

So there seems to be an auth error with the user. The user is fully
working and correct. Passwords are correct.

Has anyone any clue what's going on here?

Thanks for your help,

Roland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
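An added example, not part of the thread: a small Python parser for the smbd log format in the post above (a "[date time, level] source:line(function)" header followed by the message, which the mail client wrapped over several lines) that re-joins each entry and lists every domain_client_validate failure with user, domain, DC and NT_STATUS code. The regular expressions are my own; the sample log is a constructed copy of a few of the entries above.

```python
"""Parse Samba smbd log entries and pull out domain auth failures.

Added example, not from the thread. Handles both the one-line header
form Samba writes and the mail-wrapped form seen in the post, and
reports every domain_client_validate failure with user, domain, DC and
NT_STATUS code so the answering DC and its status are visible at a glance.
"""
import re
from collections import Counter

# Entry header: "[2015/07/03 17:23:30.892601, 0]" optionally followed by
# the source location on the same line.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\]"
)
# "unable to validate password for user roland in domain MYDOM to Domain
# controller PDCHOST. Error was NT_STATUS_ACCESS_DENIED."
VALIDATE_RE = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain "
    r"(?P<domain>\S+) to Domain controller (?P<dc>\S+)\. "
    r"Error was (?P<status>NT_STATUS_\w+)"
)


def split_entries(text):
    """Group log lines into (timestamp, level, message) tuples.

    A header line starts an entry; every following non-header line belongs
    to that entry's message and is re-joined with single spaces, which
    undoes the line wrapping a mail client adds.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if current:
                entries.append(current)
            current = [m.group("ts"), int(m.group("level")), line[m.end():].strip()]
        elif current is not None:
            current[2] = (current[2] + " " + line).strip()
    if current:
        entries.append(current)
    return [tuple(e) for e in entries]


def domain_auth_failures(text):
    """Return one dict per domain_client_validate failure in the log."""
    failures = []
    for ts, _level, msg in split_entries(text):
        m = VALIDATE_RE.search(msg)
        if m:
            failures.append({"ts": ts, **m.groupdict()})
    return failures


def status_summary(text):
    """Count the NT_STATUS codes the DC returned, e.g. to spot a DC that
    answers LOCK_NOT_GRANTED rather than a plain ACCESS_DENIED."""
    return Counter(f["status"] for f in domain_auth_failures(text))


# Constructed sample in the mail-wrapped form seen in the post.
SAMPLE_LOG = """\
[2015/07/03 17:23:30.892601, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_ACCESS_DENIED.
[2015/07/03 17:23:30.893802, 2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland]
FAILED with error NT_STATUS_ACCESS_DENIED
[2015/07/03 17:23:31.110024, 0]
../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland
in domain MYDOM to Domain controller PDCHOST. Error was
NT_STATUS_LOCK_NOT_GRANTED.
"""

if __name__ == "__main__":
    for f in domain_auth_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['domain']}\\{f['user']} via {f['dc']}: {f['status']}")
    print(dict(status_summary(SAMPLE_LOG)))
```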

Rowland Penny

Jul 3, 2015, 12:38:28 PM
Hi, there were some changes made when 4.2.0 came out; these changes may
be your problem, see here:

https://www.samba.org/samba/history/samba-4.2.0.html

Under the heading: Winbindd/Netlogon improvements

Rowland

Trever L. Adams

Jul 3, 2015, 2:56:27 PM
If Rowland Penny's recommendations don't work, the logs seem similar
to a problem I was having.

https://bugzilla.samba.org/show_bug.cgi?id=10991#c9 Run the command
listed and suddenly ldap and kerberos start.

May be the answer to your problem.

Trever



Roland Schwingel

Jul 6, 2015, 3:55:28 AM

Good morning Rowland and samba list ...

Rowland Penny wrote on 03.07.2015 18:36:32:

> From: Rowland Penny <rowlandpe...@gmail.com>
> To: sa...@lists.samba.org,
> Date: 03.07.2015 18:40
> Subject: Re: [Samba] Migration Samba3 -> Samba4: Accessing domain
> member server is not working
> Sent by: samba-...@lists.samba.org
>
> On 03/07/15 16:31, Roland Schwingel wrote:
> > Hi ...
> >
> > When trying to migrate from samba3 to samba 4.2.2 I am facing a severe
> > problem that bugs me for hours now. I cannot get a samba 4.2.2
> > fileserver to work with a samba 4.2.2 PDC as a domain member.
> >
...
> Hi, there were some changes made when 4.2.0 came out; these changes may
> be your problem, see here:
>
> https://www.samba.org/samba/history/samba-4.2.0.html
>
> Under the heading: Winbindd/Netlogon improvements

Thanks for the hint. I read that and added "allow nt4 crypto = yes" to
my 4.2.2 PDC. This changed things a little bit but still gives me no
working 4.2.2 member server. I also added "require strong key = no" and
"client NTLMv2 auth = no" to the member server's smb.conf, but that did not
change anything.

Here is the log file on the dedicated member server for one client trying
to connect to my member server:

SID for local machine OSUSE-TEST is:
S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK
[2015/07/06 08:02:46.342573, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
init_oplocks: initializing messages.
[2015/07/06 08:02:46.342706, 3] ../source3/smbd/process.c:1879(process_smb)
Transaction 0 of length 159 (0 toread)
[2015/07/06 08:02:46.342748, 3] ../source3/smbd/process.c:1489(switch_message)
switch message SMBnegprot (pid 10895) conn 0x0
[2015/07/06 08:02:46.343225, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/07/06 08:02:46.343263, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [LANMAN1.0]
[2015/07/06 08:02:46.343288, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2015/07/06 08:02:46.343302, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [LM1.2X002]
[2015/07/06 08:02:46.343313, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [LANMAN2.1]
[2015/07/06 08:02:46.343329, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [NT LM 0.12]
[2015/07/06 08:02:46.343344, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [SMB 2.002]
[2015/07/06 08:02:46.343358, 3] ../source3/smbd/negprot.c:575(reply_negprot)
Requested protocol [SMB 2.???]
[2015/07/06 08:02:46.343571, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2015/07/06 08:02:46.344934, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2015/07/06 08:02:46.344982, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2015/07/06 08:02:46.344996, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2015/07/06 08:02:46.356774, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/07/06 08:02:46.356804, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'spnego' registered
[2015/07/06 08:02:46.356819, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'schannel' registered
[2015/07/06 08:02:46.356831, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2015/07/06 08:02:46.356841, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2015/07/06 08:02:46.356852, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'ntlmssp' registered
[2015/07/06 08:02:46.356862, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'http_basic' registered
[2015/07/06 08:02:46.356872, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'http_ntlm' registered
[2015/07/06 08:02:46.356883, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'krb5' registered
[2015/07/06 08:02:46.356894, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
GENSEC backend 'fake_gssapi_krb5' registered
[2015/07/06 08:02:46.357284, 3] ../source3/smbd/negprot.c:683(reply_negprot)
Selected protocol SMB 2.???
[2015/07/06 08:02:46.359312, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2015/07/06 08:02:46.990929, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xe2088297
[2015/07/06 08:02:46.991652, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
Got user=[roland] domain=[MYDOM] workstation=[DEVINTEL-100] len1=24 len2=314
[2015/07/06 08:02:46.991697, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
lp_load_ex: refreshing parameters
[2015/07/06 08:02:46.991811, 3] ../source3/param/loadparm.c:564(init_globals)
Initialising global parameters
[2015/07/06 08:02:46.991927, 3] ../source3/param/loadparm.c:2597(lp_do_section)
Processing section "[global]"
[2015/07/06 08:02:46.992040, 2] ../source3/param/loadparm.c:2614(lp_do_section)
Processing section "[testshare]"
[2015/07/06 08:02:46.992111, 3] ../source3/param/loadparm.c:1495(lp_add_ipc)
adding IPC service
[2015/07/06 08:02:46.994597, 3] ../source3/libsmb/namequery.c:3103(get_dc_list)
get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:46.994804, 3] ../source3/libsmb/namequery.c:2323(resolve_hosts)
resolve_hosts: Attempting host lookup for name subnet-ldap<0x20>
[2015/07/06 08:02:47.022939, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.023024, 3] ../source3/lib/util_sock.c:617(open_socket_out_send)
Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.083675, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [MYDOM]\[roland]@[DEVINTEL-100] with the new password interface
[2015/07/06 08:02:47.083721, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [MYDOM]\[roland]@[DEVINTEL-100]
[2015/07/06 08:02:47.083862, 3] ../source3/libsmb/namequery.c:3103(get_dc_list)
get_dc_list: preferred server list: "PDCHOST, subnet-ldap"
[2015/07/06 08:02:47.084734, 3] ../source3/libsmb/namequery_dc.c:207(rpc_dc_name)
rpc_dc_name: Returning DC PDCHOST (192.168.9.3) for domain MYDOM
[2015/07/06 08:02:47.084963, 3] ../source3/lib/util_sock.c:617(open_socket_out_send)
Connecting to 192.168.9.3 at port 445
[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.
[2015/07/06 08:02:47.189817, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [roland] -> [roland] FAILED with error NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.189854, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_LOCK_NOT_GRANTED
[2015/07/06 08:02:47.190446, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)

So the problem is appearing here:
[2015/07/06 08:02:47.188335, 0] ../source3/auth/auth_domain.c:302(domain_client_validate)
domain_client_validate: unable to validate password for user roland in domain MYDOM to Domain controller PDCHOST. Error was NT_STATUS_LOCK_NOT_GRANTED.

Why on earth is this happening? When my Win7 test machine is trying
to access the 4.2.2 PDC directly, everything is fine and easy. So I
believe the setup of the PDC is correct.

In the first 2 lines of the log I see the SIDs dumped.
Both for my domain and for my member server.

SID for local machine OSUSE-TEST is:
S-1-5-21-1853263269-3041869306-167322181
SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
Join to 'MYDOM' is OK

According to my LDAP the sid for my test member server (OSUSE-TEST)
should be S-1-5-21-290147797-1639656955-1287535205-61405

Is this maybe a problem? Or is this just the real local sid not the
domain sid of this machine?

Where shall I look on my 4.2.2 PDC to get more info on the auth
problem? The logfiles for the member server are empty on my PDC.

Thanks for all your help! I hope this can be resolved soon!

Roland

Rowland Penny

Jul 6, 2015, 4:04:30 AM
Just what do you mean by 'According to my LDAP' ?
Have *you* set the SID somewhere?


>
> Is this maybe a problem? Or is this just the real local sid not the
> domain sid of this machine?

The local SID is *never* the domain SID, you should use the domain SID.

Rowland

Roland Schwingel

Jul 6, 2015, 6:35:23 AM

Thanks for your reply,

Rowland Penny <rowlandpe...@gmail.com> wrote on 06.07.2015 10:03:20:

> > In the first 2 lines of the log I see the SIDs dumped.
> > Both for my domain and for my member server.
> >
> > SID for local machine OSUSE-TEST is:
> > S-1-5-21-1853263269-3041869306-167322181
> > SID for domain MYDOM is: S-1-5-21-290147797-1639656955-1287535205
> > Join to 'MYDOM' is OK
> >
> > According to my LDAP the sid for my test member server (OSUSE-TEST)
> > should be S-1-5-21-290147797-1639656955-1287535205-61405
>
> Just what do you mean by 'According to my LDAP' ?
> Have *you* set the SID somewhere?
We have quite a big LDAP and DNS setup. This is one reason why we can't
switch to Samba as AD right now. I made a little PHP script a decade ago
which is hooked in as "add machine script" on my PDC. This script
searches for a free domain SID and creates a machine account in LDAP.
This has worked very well for many years now.

The sid for MYDOM is:
S-1-5-21-290147797-1639656955-1287535205
The sid for my domain member server in this domain is therefore:
S-1-5-21-290147797-1639656955-1287535205-61405

Here is the ldif for my still not working member server:
# osuse-test$, computers, samba, mydom.com
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
sambaPwdLastSet: 1436177562
sambaNTPassword: B404FFE84BE2F31569CF908B3F2B6020
sambaAcctFlags: [WX ]
uid: osuse-test$
cn: osuse-test$
displayName: osuse-test$
gidNumber: 515
gecos: Computer
description: Computer
homeDirectory: /dev/null
loginShell: /bin/false
uidNumber: 61405
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaKickoffTime: 2147483647
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaDomainName: MYDOM
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSAMAccount

I bootstrapped my Samba member server before joining the domain with
net setdomainsid S-1-5-21-290147797-1639656955-1287535205
During net rpc join the domain SID ending in -61405 was generated by my
PHP script and written to LDAP.

On my memberserver I get the following output of these commands:
net getlocalsid => S-1-5-21-1853263269-3041869306-167322181
net getdomainsid => S-1-5-21-290147797-1639656955-1287535205

Is there no way to detect on my PDC what the problem is? Why is my
Samba PDC rejecting my Samba member server...?

Thanks for your help again,
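An added example, not from the thread: a Python check of the SID relationships this post and the previous reply turn on, run on a constructed copy of the LDIF above (password hash left out). It verifies that sambaSID is the domain SID plus a RID, that sambaPrimaryGroupSID is Domain Computers (well-known RID 515, matching gidNumber 515 here), that the account looks like a workstation trust account, and that the member server's local SID from net getlocalsid is distinct from the domain SID from net getdomainsid. The LDIF reader is a minimal one of my own and does not handle base64 ("::") values.

```python
"""Check that an NT4-style Samba machine account in LDAP matches the domain SID.

Added example, not from the thread. Parses a sambaSamAccount LDIF entry
like the one posted and checks the SID relationships under discussion.
"""
import re

SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3,4}$")
DOMAIN_COMPUTERS_RID = 515  # well-known RID of the "Domain Computers" group


def parse_ldif(text):
    """Minimal LDIF reader: returns dict attr -> list of values (no base64)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c[-rid]' into (domain_sid, rid or None)."""
    if not SID_RE.match(sid):
        raise ValueError(f"not an NT domain SID: {sid!r}")
    parts = sid.split("-")
    if len(parts) == 7:          # bare domain SID, no RID
        return sid, None
    return "-".join(parts[:-1]), int(parts[-1])


def check_machine_account(ldif_text, domain_sid, local_sid=None):
    """Return a list of problems; an empty list means the entry is consistent.

    domain_sid is what 'net getdomainsid' reports; local_sid, if given, is
    what 'net getlocalsid' reports on the member server.
    """
    e = parse_ldif(ldif_text)
    problems = []
    uid = e.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append(f"uid {uid!r} lacks the trailing $ of a machine account")
    flags = e.get("sambaAcctFlags", [""])[0]
    if "W" not in flags:
        problems.append(f"sambaAcctFlags {flags!r} lacks W (workstation trust)")
    acct_dom, rid = split_sid(e.get("sambaSID", [""])[0] or "S-1-5-21-0-0-0")
    if acct_dom != domain_sid:
        problems.append(f"sambaSID belongs to {acct_dom}, not {domain_sid}")
    if rid is None:
        problems.append("sambaSID carries no RID")
    grp_dom, grp_rid = split_sid(e.get("sambaPrimaryGroupSID", [""])[0] or "S-1-5-21-0-0-0")
    if (grp_dom, grp_rid) != (domain_sid, DOMAIN_COMPUTERS_RID):
        problems.append("sambaPrimaryGroupSID is not Domain Computers (RID 515) of this domain")
    if local_sid is not None and local_sid == domain_sid:
        problems.append("local machine SID equals the domain SID; a member "
                        "server's local SID must differ from it")
    return problems


# Constructed copy of the posted entry with the password hash omitted.
MACHINE_LDIF = """\
dn: uid=osuse-test$,ou=computers,ou=samba,dc=mydom,dc=com
sambaAcctFlags: [WX ]
uid: osuse-test$
gidNumber: 515
uidNumber: 61405
sambaSID: S-1-5-21-290147797-1639656955-1287535205-61405
sambaPrimaryGroupSID: S-1-5-21-290147797-1639656955-1287535205-515
sambaDomainName: MYDOM
"""
DOMAIN_SID = "S-1-5-21-290147797-1639656955-1287535205"   # net getdomainsid
LOCAL_SID = "S-1-5-21-1853263269-3041869306-167322181"    # net getlocalsid

if __name__ == "__main__":
    print(check_machine_account(MACHINE_LDIF, DOMAIN_SID, LOCAL_SID) or "entry is consistent")
```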

Rowland Penny

Jul 6, 2015, 7:32:33 AM
There doesn't seem to be anything wrong with that ldif.

>
> I have bootstrapped my samba member server before joining the domain with
> net setdomainsid S-1-5-21-290147797-1639656955-1287535205
> during net rpc join the domainsid ending in -61405 was generated by my
> php script and written to ldap.
>
> On my memberserver I get the following output of these commands:
> net getlocalsid => S-1-5-21-1853263269-3041869306-167322181
> net getdomainsid => S-1-5-21-290147797-1639656955-1287535205

I take it that you ran 'net getdomainsid' on the PDC and this is the SID
you are using.

>
> Is there no way to detect on my PDC what is the problem. Why is my PDC
> Samba rejecting my samba member server...?
>

Permissions ?? Is the join correct ?

It has been some time since I did anything major with an LDAP PDC, and
even then I used smbldap-tools. It seems strange that 3.6 works but
4.2.2 doesn't; have you looked into the bug report that was posted in
this thread?

From my understanding, you should be able to use 4.2.x just like 3.6.x,
but there are slight differences as I pointed out.

What are the problems, reasons etc for not moving to AD, I ask this
because you seem to be trying to set up a new domain and surely this is
the very time to upgrade.

Rowland

Roland Schwingel

Jul 7, 2015, 10:02:45 AM
Hi ...

Rowland Penny wrote on 06.07.2015 13:22:57:
> > Is there no way to detect on my PDC what is the problem. Why is my PDC
> > Samba rejecting my samba member server...?
> >
>
> Permissions ?? Is the join correct ?
Yes... net rpc testjoin returns OK.

> It has been sometime since I did anything major with an LDAP PDC and
> even then I used smbldap tools. It seems strange that 3.6 works but
> 4.2.2 doesn't, have you looked into the bug report that was posted in
> this thread ?
>
> From my understanding, you should be able to use 4.2.x just like 3.6.x,
> but there are slight differences as I pointed out.
The good news is that I finally found the problem.

This morning I moved my PDC and my test machine back to Samba 3.6.
Worked out of the box. Everything fine. Then I switched my PDC forward
to 4.2.2. Everything fine. Rejoined my 3.6 test client (to be on the
safe side). Everything works as expected. Switching my client to 4.2.2
(fresh install) gave me the same problems as before. 3.6.25 and 4.2.2
were using the very same smb.conf.

When studying logs I saw that winbindd is consulted during auth. I did
not have any winbind running. Not on 3.6 and not on 4.2.2. As soon as I
joined my 4.2.2 machine to the domain I do obviously need winbindd
running on the client machine. On my PDC I still have no winbindd
running. Now my 4.2.2 PDC and my 4.2.2 domain member server are working
as they should.

I always thought that winbindd was an optional component. Has this changed?

> What are the problems, reasons etc for not moving to AD, I ask this
> because you seem to be trying to set up a new domain and surely this is
> the very time to upgrade.
Thanks for your advice.

But I can't upgrade. I am not setting up a new domain, I am upgrading
one network segment. I can't move to AD right now (sigh) because of a
VERY big LDAP in the backend. It is not even OpenLDAP. It is 389ds,
which is working excellently even with multi-master live replication
around the globe. Absolutely rock solid even when there are power
outages or network cuts happening. EVERYTHING here is LDAP centric. I
can't switch to Samba's LDAP for this reason right now. This would be a
HUGE project. But I don't yet know whether it is already possible to
replace Samba's LDAP with one's own or to get the Samba LDAP to
replicate with another LDAP (like 389DS).

The second reason is DNS. I am running PowerDNS here with a custom pipe
backend. Here each network is autonomous. Every network has its own
LDAP, DHCP, DNS, fileservers etc. LDAP replicates over all networks and all
subsidiaries. Each network additionally resolves certain internal DNS
names dynamically. When you access a certain DNS name in one network you
will be directed to a different server compared to when the same DNS
name is resolved from another network. I do not yet see how to move this
to AD.

Rowland Penny

Jul 7, 2015, 11:33:39 AM
All very good reasons to stick with what you have got; you cannot use
Samba4 in AD mode with anything other than the built-in Samba LDAP, and
it will not replicate to anything other than another AD machine (well,
as far as I know).

DNS is possible and AD is made to do most of, if not all of, what you are
doing; the only problem is the lack of domain trusts, though I understand
this is being worked on. I think once the trusts problem is sorted will
be the time to start thinking of upgrading. In the meantime, you could
investigate whether what you are doing is possible with Microsoft AD; if it
is, then Samba4 will ultimately be able to do it.

I was wondering why you couldn't join a linux client to your s4 NT4
style PDC, so I created a couple of VMs running wheezy and set one up as
an LDAP PDC and the other as a client and guess what, I couldn't get the
client to join either ;-)

Tried various things, including setting up bind9 DNS server on the PDC,
nothing until I sat and had a thought 'does samba know the user', quick
check with pdbedit proved it didn't DOH, so 'smbpasswd -a root' ,
entered the passwd twice and tried again, it now worked, don't know if
this is your problem.

Rowland
