Bug 3585 - Machine Accounts don't work after a "net rpc vampire"
Machine Accounts don't work after a "net rpc vampire"
Status: RESOLVED WORKSFORME
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
3.0.20b
Other Windows 2000
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-06 09:08 UTC by Luis Vinay
Modified: 2014-06-13 18:01 UTC (History)
0 users

See Also:


Attachments
The log of the vampire process (128.28 KB, text/plain)
2006-03-06 09:43 UTC, Luis Vinay
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Luis Vinay 2006-03-06 09:08:08 UTC
Trying to replace a NT4-PDC I have configured a Samba+LDAP server, and done an "net rpc vampire [...]", everything works fine but the machine accounts don't, obiously, if I join a workstation to domain it works fine. Also I've found something strange, If you previously logged in to that machine you can use the workstation and to the server shares and printers, with no problem (I know that you can login to a W2k workstation if the domain is not available).
I done some dbugging and the only error that seems (to me) to be related is this: 

All events have the same date

rpc_parse/parse_prs.c:prs_ntstatus(701)
      01bc status      : NT_STATUS_OK
rpc_server/srv_pipe.c:api_rpcTNP(1590)
  api_rpcTNP: called NETLOGON successfully
rpc_server/srv_pipe.c:api_rpcTNP(1599)
  api_rpcTNP: rpc input buffer underflow (parse error?)
rpc_parse/parse_prs.c:prs_uint8s(758)
  010a : 00 00 8a e3 13 71 02 f4 36 71 01 40 04 00 01 00 00 00 03 00 00 00 44 06 04 00 80 2f 0b 00
rpc_server/srv_pipe_hnd.c:free_pipe_context(543)


by the way here is my smb.conf

[global]
        workgroup = IPLAN
        netbios name = PDCIPLAN
        server string = IplanTest Samba3 & OpenLDAP PDC Server
        interfaces = eth0
        bind interfaces only = Yes
        passdb backend = ldapsam:ldap://localhost
        enable privileges = Yes
        username map = /etc/samba/smbusers
        log level = 10
        syslog = 0
        log file = /var/log/samba/%m.log
        max log size = 1024
        logon path =
        logon drive = X:
        logon home =
        name resolve order = host wins bcast
        time server = Yes
        printing = cups
        printcap name = cups
        show add printer wizard = No
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
        delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
        passwd program = /opt/IDEALX/sbin/smbldap-passwd %u
        logon script = scripts\logon.bat
        domain logons = Yes
        printcap cache time = 3
        domain master = Yes
        local master = Yes
        preferred master = Yes
        os level = 65
        security = user
        wins support = Yes
        ldap suffix = dc=iplan,dc=com,dc=ar
        ldap machine suffix = ou=People
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Administrator,dc=iplan,dc=com,dc=ar
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        map acl inherit = Yes
Comment 1 Guenther Deschner 2006-03-06 09:24:07 UTC
Could you please upload the full log level 10 logfile of the failed vampire process?
Comment 2 Luis Vinay 2006-03-06 09:43:35 UTC
Created attachment 1776 [details]
The log of the vampire process
Comment 3 Luis Vinay 2006-03-06 09:46:24 UTC
The vampire process was ok, there been some minor problems like "Cannot delete user (daieta) from his primary group (Domain Users)"
Comment 4 Luis Vinay 2006-03-06 09:58:27 UTC
I've done some "forensics" and compare two machine accounts in the LDAP Server, and saw that both entries are "equivalent", the first entry (RESERVAS-1$) have the machine account and I cannot login to them, and the other machine (DELLD510W2K-001$) is joined to the domain and works fine.

# RESERVAS-1$, People, iplan.com.ar
dn: uid=RESERVAS-1$,ou=People,dc=iplan,dc=com,dc=ar
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: RESERVAS-1$
sn: RESERVAS-1$
uid: RESERVAS-1$
uidNumber: 1755
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-3918550812-1676614423-225969733-4534
displayName: RESERVAS-1$
sambaNTPassword: 29649CFC435BB9EEF96521D95873C5D2
sambaPwdLastSet: 1139317252
sambaAcctFlags: [W          ]
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-3918550812-1676614423-225969733-513

# DELLD510W2K-001$, People, iplan.com.ar
dn: uid=DELLD510W2K-001$,ou=People,dc=iplan,dc=com,dc=ar
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: DELLD510W2K-001$
sn: DELLD510W2K-001$
uid: DELLD510W2K-001$
uidNumber: 1917
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-3918550812-1676614423-225969733-4917
displayName: DELLD510W2K-001$
sambaAcctFlags: [W          ]
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-3918550812-1676614423-225969733-513
sambaPwdCanChange: 1141394735
sambaPwdMustChange: 1146578735
sambaNTPassword: 774CEBB6A0319EFBE7F3F2F013602257
sambaPwdLastSet: 1141394735
Comment 5 Björn Jacke 2014-06-13 18:01:35 UTC
hard to debug and worked for me in other cases. please reopen if you still see this bug and if there are any new insights on this.