Bug 6263 - Domain login problems in Windows XP without SP3
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Domain Control
Version: 3.2.10
Hardware: x64 Windows XP
Importance: P3 major
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL: http://www.wzb.eu
Keywords:
Duplicates: 6265
Depends on:
Blocks:
 
Reported: 2009-04-15 03:59 UTC by Peter Rindfuss
Modified: 2009-04-18 20:05 UTC

Attachments
Test. (8.05 KB, patch)
2009-04-15 12:21 UTC, Jeremy Allison
Patch for 3.2.x. (770 bytes, patch)
2009-04-15 19:02 UTC, Jeremy Allison

Description Peter Rindfuss 2009-04-15 03:59:46 UTC
After upgrading from Samba 3.2.8 to 3.2.10, domain logins do not work correctly anymore for Windows XP clients that do not have SP3 installed.

Environment: OpenSUSE 11.0 PDC and BDC with Samba 3.2.10 and OpenLDAP. Clients are Windows XP Pro with SP3 or SP2.

Symptoms: After login, an lsass.exe error is displayed, and Windows starts shutting down (60 secs left). This happens reproducibly with all Windows XP SP2 clients. If I stop the shutdown, I can work with the mounted shares. If I open, however, the control panel system properties "computer name" tab, a popup tells me that there is no RPC server, and the domain name is "*unknown*". There are some more symptoms.

It is possible to log locally into a computer, to mount shares on the PDC manually and to work normally with them. The problem seems to be related to domain and/or security functions, not to file services.

I downgraded the PDC and the BDC to 3.2.8, and with that, everything is fine again. This unfortunately means that I cannot do any testing.

Peter Rindfuss

-------------------------
smb.conf 
[global]
	display charset = UTF-8
	workgroup = WZB
	server string = File Server
	interfaces = 127.0.0.1, 193.174.6.4
	bind interfaces only = Yes
	passdb backend = ldapsam:ldapi://%2fvar%2frun%2fslapd%2fldapi/
	guest account = guest
	passwd program = /usr/local/sbin/wzbpasswd -U -M -s -x %u
	passwd chat = *Enter*password* %n\n *Re-enter*password* %n\n *changed*
	username map = /etc/samba/smbusers
	unix password sync = Yes
	syslog = 0
	smb ports = 139
	time server = Yes
	unix extensions = No
	socket options = TCP_NODELAY SO_KEEPALIVE
	load printers = No
	printcap name = /dev/null
	add user script = /usr/local/sbin/wzbuseradd -q -I -y -c %u
	delete user script = /usr/local/sbin/wzbuserdel -q -d %u
	add group script = /usr/local/sbin/wzbgroupadd -q -y '%g'
	delete group script = /usr/local/sbin/wzbgroupdel -q '%g'
	add user to group script = /usr/local/sbin/wzbgroupmemberadd -q '%g' %u
	delete user from group script = /usr/local/sbin/wzbgroupmemberdel -q '%g' %u
	set primary group script = /usr/local/sbin/wzbgroupprim -q %u '%g'
	add machine script = /usr/local/sbin/wzbuseradd -q -y -x %m
	logon script = login.cmd
	logon path =
	logon home = \\selene\wzb
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	kernel oplocks = No
	ldap admin dn = cn=root,dc=wzb,dc=eu
	ldap group suffix = ou=groups
	ldap machine suffix = ou=machines
	ldap suffix = ou=accounts,dc=wzb,dc=eu
	ldap user suffix = ou=users
	host msdfs = No
	ldapsam:trusted = Yes
	admin users = @admins
	create mask = 0700
	directory mask = 0700
	hosts allow = 193.174.6.0/255.255.254.0
	ea support = Yes
	map acl inherit = Yes
	cups options = raw
	hide unreadable = Yes
	map archive = No
	mangled names = No
	store dos attributes = Yes
	dos filemode = Yes

[netlogon]
	comment = Network Logon Service
	path = /wzb/netlogon
	valid users = @admins, @users, root
	admin users = @admins, root
	guest ok = Yes
	browseable = No

[wzb]
	comment = WZB File Server
	path = /wzb/samba
	valid users = @admins, @users, root
	admin users = @admins, root
	read only = No
	inherit permissions = Yes
	inherit acls = Yes
	inherit owner = Yes
	use sendfile = Yes
	hide dot files = No
	hide special files = Yes
	map readonly = permissions
	mangled names = Yes
	root preexec = /usr/local/sbin/wzbldapsettime %u sambaLogonTime
	root postexec = /usr/local/sbin/wzbldapsettime %u sambaLogoffTime

[pmail]
	comment = Pegasus Mail Share
	path = /wzb/pmail
	valid users = @admins, @users
	read only = No
	inherit permissions = Yes
	inherit acls = Yes
	inherit owner = Yes
	hide special files = Yes
	map readonly = permissions
	mangled names = Yes

[antivirus]
	path = /wzb/antivirus
	valid users = @admins, @users
	read only = No
	inherit permissions = Yes
	inherit acls = Yes
	inherit owner = Yes
	mangled names = Yes
Comment 1 Jeremy Allison 2009-04-15 12:21:00 UTC
Created attachment 4067
Test.

Ok, here is a reverse diff of changes in the rpc_server subsystems between 3.2.8 (which works) and 3.2.10 (which doesn't). Could you apply this patch to 3.2.10 and see if the clients start working again?

If they do, then let's narrow down which change it was that caused the problem. My guess would be the changes in rpc_server/srv_netlogon_nt.c which were added to allow us to cope with upcoming Windows 7 code. So you could try swapping the 3.2.8 and 3.2.10 versions of that file into 3.2.10 and seeing if that fixes the issue.

Your help on this would be greatly appreciated!

Thanks,

Jeremy.
Comment 2 Peter Rindfuss 2009-04-15 13:45:24 UTC
Jeremy,

I'd be happy to help, but

- I have no testing environment
- We are talking about our central server (up to 450 workstations attached)
- I usually do not compile Samba, but apply opensuse binaries.

But I could try on Saturday (April 18) afternoon, if that is soon enough,
and if I manage to modify and compile the opensuse source rpm.

Best, Peter
Comment 3 Guenther Deschner 2009-04-15 18:26:04 UTC
*** Bug 6265 has been marked as a duplicate of this bug. ***
Comment 4 Guenther Deschner 2009-04-15 18:26:53 UTC
Jeremy, I know what is going on and I am able to reproduce.
Comment 5 Guenther Deschner 2009-04-15 18:58:08 UTC
Thanks for the diff Jeremy, that really helped :)

A fix for this is pushed to all branches:

v3-2-test:
http://git.samba.org/?p=samba.git;a=commitdiff;h=f049fb5643f93cc4806ada5db8e591bbe4cb9204

v3-3-test:
http://git.samba.org/?p=samba.git;a=commitdiff;h=597be402e40ff880b595ae49a8600b932365cbcb

Everyone please test.
Comment 6 Jeremy Allison 2009-04-15 19:02:47 UTC
Created attachment 4070
Patch for 3.2.x.

In case people can't get to git, here is Guenther's patch as an attachment for 3.2.x.
Jeremy.
Comment 7 Adam Williams 2009-04-16 08:18:01 UTC
I am having the exact same error on Vista Business 32bit w/ SP1 and all updates installed.  I thought it was a bad Windows Update pushed out by Microsoft (our WSUS server pushes out all updates automatically).  My only solution was to go in to safe mode as administrator, open a cmd prompt and run:

net stop winmgmt /y
del /s /q c:\windows\system32\wbem\Repository\*.*

and then reboot.  But now that you mention it, I was only getting that error after I joined the Vista clients to my domain.

Comment 8 Guenther Deschner 2009-04-16 18:49:12 UTC
Just verified with Vista:

And yes, without typing or pressing anything, Vista SP1 gets into an infinite crash and reboot loop. The fix that has been published and pushed resolves this. We also made sure in our automated testsuite that this never happens again.

If we could have any further positive feedback we could close this bug.
Comment 9 Peter Rindfuss 2009-04-18 11:40:54 UTC
3.2.11 works fine with WinXP / SP2.
Cheers, Peter
Comment 10 Guenther Deschner 2009-04-18 20:05:43 UTC
Thanks for verifying, Peter.

Closing as fixed.