Hello,

There are Samba and OpenLDAP servers on FreeBSD. Configurations were not changed for several years and everything worked. From time to time software was updated, of course.

Now I need to join new computers (actually reinstalled), and Samba DC refuses to add them. It did not work with 3.6.5, then I updated it to 3.6.6 and the result is the same.

These lines from log.smbd are related to this issue:

-----------------------------------------------------------------------------
[2012/07/28 15:56:30.218624, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  netr_ServerAuthenticate: struct netr_ServerAuthenticate
    in: struct netr_ServerAuthenticate
      server_name : *
        server_name : '\\LAB'
      account_name : *
        account_name : 'ABC-10$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'ABC-10'
      credentials : *
        credentials: struct netr_Credential
          data : 1a70e6834f73ff70
[2012/07/28 15:56:30.218709, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client ABC-10
[2012/07/28 15:56:30.218724, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  netr_ServerAuthenticate: struct netr_ServerAuthenticate
    out: struct netr_ServerAuthenticate
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 0000000000000000
      result : NT_STATUS_ACCESS_DENIED
[2012/07/28 15:56:30.218789, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \netlogon successfully
-----------------------------------------------------------------------------

and

-----------------------------------------------------------------------------
[2012/07/28 15:56:31.253490, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
    in: struct samr_OpenDomain
      connect_handle : *
        connect_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000010-0000-0000-1350-7fe151630000
      access_mask : 0x00000211 (529)
        1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
        0: SAMR_DOMAIN_ACCESS_SET_INFO_1
        0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
        0: SAMR_DOMAIN_ACCESS_SET_INFO_2
        1: SAMR_DOMAIN_ACCESS_CREATE_USER
        0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
        0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
        0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
        0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
        1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
        0: SAMR_DOMAIN_ACCESS_SET_INFO_3
      sid : *
        sid : S-1-5-21-610032424-962248149-385347502
[2012/07/28 15:56:31.253627, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
  Found policy hnd[0]
  [0000] 00 00 00 00 10 00 00 00 00 00 00 00 13 50 7F E1 ........ .....P..
  [0010] 51 63 00 00 Qc..
[2012/07/28 15:56:31.253672, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
  found handle of type struct samr_connect_info
[2012/07/28 15:56:31.253691, 4] rpc_server/srv_access_check.c:104(access_check_object)
  _samr_OpenDomain: access DENIED (requested: 0x00000211, granted: 0x00000010)
[2012/07/28 15:56:31.253707, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
    out: struct samr_OpenDomain
      domain_handle : *
        domain_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 00000000-0000-0000-0000-000000000000
      result : NT_STATUS_ACCESS_DENIED
[2012/07/28 15:56:31.253762, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \samr successfully
-----------------------------------------------------------------------------

Additional info: Samba DC allows computers to exit from the domain (and then they cannot join the domain); it also allows access to shares using the domain administrator login, and already joined computers work correctly.

This is smb.conf (I just renamed domain name, server name and removed interfaces addresses and host addresses):

[global]
netbios name = LABSERVER
workgroup = LAB
server string = LABSERVER Samba Server
interfaces = ...
bind interfaces only = yes
security = user
os level = 255
domain master = yes
local master = yes
preferred master = yes
hosts allow = ...
load printers = no
printcap cache time = 0
domain logons = yes
ldap ssl = no
passdb backend = ldapsam:ldapi:///
ldap suffix = o=lab
ldap user suffix = ou=users
ldap group suffix = ou=groups
ldap machine suffix = ou=users
ldap admin dn = "cn=manager,o=lab"
ldap delete dn = no
ldap passwd sync = yes
private dir = /usr/local/etc/samba
guest account = guest
max log size = 50000
log level = 10
follow symlinks = no
unix charset = koi8-r
dos charset = CP866
socket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
min receivefile size=16384
use sendfile=true
aio read size = 16384
aio write size = 16384

[install]
comment = Install
path = /home/install
read only = yes
guest ok = yes

[netlogon]
path = /usr/local/etc/samba.netlogon
writeable = no
guest ok = no
browseable = no
available = yes

[homes]
browseable = no
writeable = yes
path = %H/.Windows/home

[profiles]
browsable = no
guest ok = yes
writeable = yes
path = %H/.Windows/profile

[share]
comment = Share
path = /home/edu/share
writeable = yes
guest ok = yes
inherit permissions = yes
force user = smbshare
force group = smbshare

According to slapd logs I do not see any errors (also I tried to enable read/write access to LDAP base for everyone).
I managed to join computers to Samba DC again. All my users are kept in the LDAP database and since I keep backups of my LDAP database I can explain the situation.

There is the winadmin user, that belongs to the wingroup group (this group GID is specified in winadmin's gidNumber field, this is a usual group) and also winadmin is listed in "cn=Domain Admins" (gidNumber=512) in the memberUid field. I use this login name to join XP computers to DC. Such configuration worked before.

Now I changed winadmin's gidNumber to 512 ("cn=Domain Admins") and XP computers again can join DC.

[2012/07/30 15:24:23.105228, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  samr_OpenDomain: struct samr_OpenDomain
    in: struct samr_OpenDomain
      connect_handle : *
        connect_handle: struct policy_handle
          handle_type : 0x00000000 (0)
          uuid : 0000000e-0000-0000-1650-f77cc8760100
      access_mask : 0x00000211 (529)
        1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
        0: SAMR_DOMAIN_ACCESS_SET_INFO_1
        0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
        0: SAMR_DOMAIN_ACCESS_SET_INFO_2
        1: SAMR_DOMAIN_ACCESS_CREATE_USER
        0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
        0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
        0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
        0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
        1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
        0: SAMR_DOMAIN_ACCESS_SET_INFO_3
      sid : *
        sid : S-1-5-21-610032424-962248149-385347502
[2012/07/30 15:24:23.105401, 4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
  Found policy hnd[0]
  [0000] 00 00 00 00 0E 00 00 00 00 00 00 00 16 50 F7 7C ........ .....P.|
  [0010] C8 76 01 00 .v..
[2012/07/30 15:24:23.105457, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
  found handle of type struct samr_connect_info
[2012/07/30 15:24:23.105477, 4] rpc_server/srv_access_check.c:104(access_check_object)
  _samr_OpenDomain: access GRANTED (requested: 0x00000211, granted: 0x00000211)

Can somebody comment on this?
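The requested and granted masks in the two samr_OpenDomain access checks quoted so far can be compared bit by bit. The following is an added example, not part of the bug report and not Samba code: it pulls the access_check_object results out of log.smbd text and names the rights that were requested but not granted. The function names are hypothetical, and the bit positions are an assumption taken from the order in which the log prints the flags.

```python
import re

# SAMR domain access flags in the order log.smbd prints them in this report.
# Assumption: that order is bit 0 upward, which matches 0x211 being printed
# with exactly LOOKUP_INFO_1, CREATE_USER and OPEN_ACCOUNT set.
SAMR_DOMAIN_FLAGS = [
    "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1",
    "SAMR_DOMAIN_ACCESS_SET_INFO_1",
    "SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2",
    "SAMR_DOMAIN_ACCESS_SET_INFO_2",
    "SAMR_DOMAIN_ACCESS_CREATE_USER",
    "SAMR_DOMAIN_ACCESS_CREATE_GROUP",
    "SAMR_DOMAIN_ACCESS_CREATE_ALIAS",
    "SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS",
    "SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS",
    "SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT",
    "SAMR_DOMAIN_ACCESS_SET_INFO_3",
]

# "[2012/07/28 15:56:31.253691, 4]" header that precedes every log message.
STAMP_RE = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]")
# "_samr_OpenDomain: access DENIED (requested: 0x..., granted: 0x...)"
CHECK_RE = re.compile(
    r"(_\w+): access (DENIED|GRANTED) "
    r"\(requested: (0x[0-9a-fA-F]+), granted: (0x[0-9a-fA-F]+)\)"
)


def decode_domain_mask(mask):
    """Return the flag names set in a SAMR domain access mask."""
    names = [n for bit, n in enumerate(SAMR_DOMAIN_FLAGS) if mask & (1 << bit)]
    width = len(SAMR_DOMAIN_FLAGS)
    unnamed = (mask >> width) << width  # generic/standard rights, not named here
    if unnamed:
        names.append("unnamed bits 0x%08x" % unnamed)
    return names


def access_checks(log_text):
    """List every access check in the log with the rights that were missing.

    Works on the normal two-line log layout and on text where header and
    message were flattened onto one line.
    """
    stamps = [(m.start(), m.group(1)) for m in STAMP_RE.finditer(log_text)]
    results = []
    for m in CHECK_RE.finditer(log_text):
        func, verdict = m.group(1), m.group(2)
        requested, granted = int(m.group(3), 16), int(m.group(4), 16)
        when = None
        for pos, stamp in stamps:  # last header before this message
            if pos > m.start():
                break
            when = stamp
        missing = requested & ~granted
        # The flag table only describes domain objects; other SAMR objects
        # use different bit meanings, so their masks are left undecoded.
        is_domain = func == "_samr_OpenDomain"
        results.append({
            "when": when,
            "function": func,
            "verdict": verdict,
            "missing_mask": missing,
            "missing": decode_domain_mask(missing) if is_domain else [],
            "granted": decode_domain_mask(granted) if is_domain else [],
        })
    return results


# The two access_check_object entries quoted in this report: the first in the
# normal two-line layout, the second flattened onto one line.
SAMPLE_LOG = """\
[2012/07/28 15:56:31.253691, 4] rpc_server/srv_access_check.c:104(access_check_object)
  _samr_OpenDomain: access DENIED (requested: 0x00000211, granted: 0x00000010)
[2012/07/30 15:24:23.105477, 4] rpc_server/srv_access_check.c:104(access_check_object) _samr_OpenDomain: access GRANTED (requested: 0x00000211, granted: 0x00000211)
"""

if __name__ == "__main__":
    for check in access_checks(SAMPLE_LOG):
        print(check["when"], check["function"], check["verdict"],
              "missing:", ", ".join(check["missing"]) or "none")
```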
In the description I guess there was already an ACCESS_DENIED earlier but the client ignored it.
Looks like that
(In reply to comment #2)
> In the description I guess there was already an ACCESS_DENIED earlier but the
> client ignored it.

Those log messages were from Samba 3.6.6 and clients that could not join the domain, so I'm not sure which clients ignored ACCESS_DENIED.

I updated the title of this bug report, since previously "net rpc join ..." also did not work; now I can join the domain from another FreeBSD system using this command as well.

It looks like, starting from some Samba version, the login name used on a client computer to join the domain should have GID 512 in its gidNumber field in the LDAP database. Previously it was enough to add such a user to the group with GID 512 ("cn=Domain Admins" in LDAP).
We need more details from the log. The two snippets you posted aren't enough to understand the problem.

The first question is why there is no challenge sent and the reason is probably in the lines above the first snippet.

The second is that the user doesn't have enough rights to join the domain. As you didn't post any information about the user here, we don't see the user token with the sids we don't know what's really going on.

Here is a howto of information we normally need to be able to understand a problem.

SAMBA BUG REPORTING
++++++++++++++++++++

This is a small howto to help you to provide all information which is needed to find out what's going on on your machine. This is a general howto so maybe it will cover more things you don't use.

Providing Samba log files
==========================

Post the output of 'rpm -qi samba' or 'rpm -qi samba-<subpackage>' if you're on an RPM based system. It gives detailed information about the installed packages. We need that information to reconstruct what happened and possibly to reproduce the bug on our machines.

Provide all log files from the '/var/log/samba/' directory and the tdb files from '/var/lib/samba' and the configuration file '/etc/samba/smb.conf'. If winbind for logging in is part of the problem please provide '/etc/security/pam_winbind.conf' and if you have enabled debug in 'pam_winbind.conf' '/var/log/messages' or '/var/log/secure' is required too.

More detailed description about different Samba components can be found below this section.

Providing backtraces
=====================

If you discover a crash in one of the Samba components, please make sure that you have installed debuginfo packages. Often the backtrace can be found in the log files. If you have installed debuginfo packages, you can find a short backtrace in the log files and a few lines later the full backtrace. Make sure you provide the full backtrace.

Testing daemons (winbind, smb, nmb)
====================================

1. Stop all running Samba processes (winbind, smb, nmb)

2. Remove all log files from /var/log/samba/

   With this approach we ensure to have the start date of the testing in the log files.

3. Edit /etc/samba/smb.conf and set the following variables in the [general] section of the config:

     debug level = 10
     debug pid = true
     max log size = 0

   Instead of setting a global debug level in smb.conf it's also possible to use

     smbcontrol <daemon_name> debug 10

   to increase the debug level of the Samba daemon in question to 10 at run time.

   If winbind is part of the scenario edit /etc/security/pam_winbind.conf and set:

     debug = yes

4. Start the processes again (winbind, smb, nmb)

5. Reproduce the error and note the time when you start any test. If a problem occurs while testing note the time (use date on the system you perform the tests on to get a time fitting to the log files).

Attach the log files from '/var/log/samba/' and the tdb files from '/var/lib/samba/' to the bug. If possible, remove the tdb files and provide clean files. Therefore it's best to bundle them into one compressed tar archive. The relevant parts of '/var/log/messages' could be interesting too.

Network traces
===============

If possible create network traces with tcpdump or wireshark from the problem and attach them too. Always make sure to capture only one problem per network trace file. This makes it easier to understand the problem.

  tcpdump -n -i eth0 -s 0 -w samba-problem-description.pcap

Network topology
=================

If you have a special network setup especially with Active Domain controllers please describe what your network looks like and what the domain names are. Tell us which version of Windows you're using and which functional level of AD.
(In reply to comment #5)
> We need more details from the log. The two snippets you posted aren't enough to
> understand the problem.
>
> The first question is why there is no challenge sent and the reason is probably
> in the lines above the first snippet.
>

Ok, that log was removed, so I reproduced it (real domain, server and client names were changed; in the previous message I incorrectly changed server_name to \\LAB, it should be \\LABSERVER):

-------------------------------------------------------------------
[2012/07/30 20:14:32.623695, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 5C 00 4E 00 45 00 54 00 4C 00 4F 00 47 00 4F .\.N.E.T .L.O.G.O
  [0010] 00 4E 00 00 00 .N...
[2012/07/30 20:14:32.623742, 3] smbd/process.c:1467(switch_message)
  switch message SMBntcreateX (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.623758, 4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.623777, 10] smbd/nttrans.c:505(reply_ntcreate_and_X)
  reply_ntcreate_and_X: flags = 0x16, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x400040 root_dir_fid = 0x0, fname = NETLOGON
[2012/07/30 20:14:32.623798, 4] smbd/nttrans.c:293(nt_open_pipe)
  nt_open_pipe: Opening pipe \NETLOGON.
[2012/07/30 20:14:32.623818, 5] smbd/files.c:140(file_new)
  allocated file structure 12415, fnum = 16511 (2 used)
[2012/07/30 20:14:32.623837, 10] smbd/files.c:705(file_name_hash)
  file_name_hash: /var/tmp/NETLOGON hash 0x171defb0
[2012/07/30 20:14:32.623858, 4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p)
  Create pipe requested \netlogon
[2012/07/30 20:14:32.623878, 10] rpc_server/rpc_handles.c:116(init_pipe_handles)
  init_pipe_handle_list: created handle list for pipe \netlogon
[2012/07/30 20:14:32.623894, 10] rpc_server/rpc_handles.c:133(init_pipe_handles)
  init_pipe_handle_list: pipe_handles ref count = 1 for pipe \netlogon
[2012/07/30 20:14:32.623918, 4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p)
  Created internal pipe \netlogon (pipes_open=0)
[2012/07/30 20:14:32.623935, 5] smbd/nttrans.c:382(do_ntcreate_pipe_open)
  do_ntcreate_pipe_open: open pipe = \NETLOGON
[2012/07/30 20:14:32.624172, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 136
[2012/07/30 20:14:32.624193, 6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0x88
[2012/07/30 20:14:32.624209, 3] smbd/process.c:1662(process_smb)
  Transaction 25 of length 140 (0 toread)
[2012/07/30 20:14:32.624224, 5] lib/util.c:332(show_msg)
[2012/07/30 20:14:32.624234, 5] lib/util.c:342(show_msg)
  size=136 smb_com=0x2f smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207
  smb_tid=1 smb_pid=65279 smb_uid=100 smb_mid=1600 smt_wct=14
  smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]=57054 (0xDEDE) smb_vwv[ 2]=16511 (0x407F) smb_vwv[ 3]= 0 (0x0)
  smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]=65535 (0xFFFF) smb_vwv[ 6]=65535 (0xFFFF) smb_vwv[ 7]= 8 (0x8)
  smb_vwv[ 8]= 72 (0x48) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 72 (0x48) smb_vwv[11]= 64 (0x40)
  smb_vwv[12]= 0 (0x0) smb_vwv[13]= 0 (0x0)
  smb_bcc=73
[2012/07/30 20:14:32.624369, 10] ../lib/util/util.c:415(dump_data)
  [0000] EE 05 00 0B 03 10 00 00 00 48 00 00 00 01 00 00 ........ .H......
  [0010] 00 B8 10 B8 10 00 00 00 00 01 00 00 00 00 00 01 ........ ........
  [0020] 00 78 56 34 12 34 12 CD AB EF 00 01 23 45 67 CF .xV4.4.. ....#Eg.
  [0030] FB 01 00 00 00 04 5D 88 8A EB 1C C9 11 9F E8 08 ......]. ........
  [0040] 00 2B 10 48 60 02 00 00 00 .+.H`... .
[2012/07/30 20:14:32.624480, 3] smbd/process.c:1467(switch_message)
  switch message SMBwriteX (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.624496, 4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.624512, 6] smbd/pipes.c:300(reply_pipe_write_and_X)
  reply_pipe_write_and_X: 407f name: NETLOGON len: 72
[2012/07/30 20:14:32.624529, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send)
  np_write_send: len: 72
[2012/07/30 20:14:32.624545, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 72
[2012/07/30 20:14:32.624560, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72
[2012/07/30 20:14:32.624575, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header)
  fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0
[2012/07/30 20:14:32.624591, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 16
[2012/07/30 20:14:32.624606, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 56
[2012/07/30 20:14:32.624621, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56
[2012/07/30 20:14:32.624637, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 0
[2012/07/30 20:14:32.624652, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 56
[2012/07/30 20:14:32.624667, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56
[2012/07/30 20:14:32.624683, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu)
  PDU is in Little Endian format!
[2012/07/30 20:14:32.624701, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_BIND (11)
    pfc_flags : 0x03 (3)
    drep: ARRAY(4)
      [0] : 0x10 (16)
      [1] : 0x00 (0)
      [2] : 0x00 (0)
      [3] : 0x00 (0)
    frag_length : 0x0048 (72)
    auth_length : 0x0000 (0)
    call_id : 0x00000001 (1)
    u : union dcerpc_payload(case 11)
    bind: struct dcerpc_bind
      max_xmit_frag : 0x10b8 (4280)
      max_recv_frag : 0x10b8 (4280)
      assoc_group_id : 0x00000000 (0)
      num_contexts : 0x01 (1)
      ctx_list: ARRAY(1)
        ctx_list: struct dcerpc_ctx_list
          context_id : 0x0000 (0)
          num_transfer_syntaxes : 0x01 (1)
          abstract_syntax: struct ndr_syntax_id
            uuid : 12345678-1234-abcd-ef00-01234567cffb
            if_version : 0x00000001 (1)
          transfer_syntaxes: ARRAY(1)
            transfer_syntaxes: struct ndr_syntax_id
              uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
              if_version : 0x00000002 (2)
      auth_info : DATA_BLOB length=0
[2012/07/30 20:14:32.624926, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu)
  Processing packet type 11
[2012/07/30 20:14:32.624942, 3] rpc_server/srv_pipe.c:889(api_pipe_bind_req)
  api_pipe_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2012/07/30 20:14:32.624959, 5] rpc_server/srv_pipe.c:923(api_pipe_bind_req)
  api_pipe_bind_req: make response. 923
[2012/07/30 20:14:32.624974, 3] rpc_server/srv_pipe.c:339(check_bind_req)
  check_bind_req for \netlogon
[2012/07/30 20:14:32.624990, 3] rpc_server/srv_pipe.c:346(check_bind_req)
  check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2012/07/30 20:14:32.625011, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  &r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_BIND_ACK (12)
    pfc_flags : 0x03 (3)
    drep: ARRAY(4)
      [0] : 0x10 (16)
      [1] : 0x00 (0)
      [2] : 0x00 (0)
      [3] : 0x00 (0)
    frag_length : 0x0048 (72)
    auth_length : 0x0000 (0)
    call_id : 0x00000001 (1)
    u : union dcerpc_payload(case 12)
    bind_ack: struct dcerpc_bind_ack
      max_xmit_frag : 0x10b8 (4280)
      max_recv_frag : 0x10b8 (4280)
      assoc_group_id : 0x000053f0 (21488)
      secondary_address_size : 0x000f (15)
      secondary_address : '\PIPE\netlogon'
      _pad1 : DATA_BLOB length=0
      num_results : 0x01 (1)
      ctx_list: ARRAY(1)
        ctx_list: struct dcerpc_ack_ctx
          result : 0x0000 (0)
          reason : 0x0000 (0)
          syntax: struct ndr_syntax_id
            uuid : 8a885d04-1ceb-11c9-9fe8-08002b104860
            if_version : 0x00000002 (2)
      auth_info : DATA_BLOB length=0
[2012/07/30 20:14:32.625218, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 56
[2012/07/30 20:14:32.625238, 3] smbd/pipes.c:361(pipe_write_andx_done)
  writeX-IPC nwritten=72
[2012/07/30 20:14:32.625407, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 59
[2012/07/30 20:14:32.625429, 6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0x3b
[2012/07/30 20:14:32.625445, 3] smbd/process.c:1662(process_smb)
  Transaction 26 of length 63 (0 toread)
[2012/07/30 20:14:32.625460, 5] lib/util.c:332(show_msg)
[2012/07/30 20:14:32.625470, 5] lib/util.c:342(show_msg)
  size=59 smb_com=0x2e smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207
  smb_tid=1 smb_pid=65279 smb_uid=100 smb_mid=1664 smt_wct=12
  smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]=57054 (0xDEDE) smb_vwv[ 2]=16511 (0x407F) smb_vwv[ 3]= 0 (0x0)
  smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 1024 (0x400) smb_vwv[ 6]= 1024 (0x400) smb_vwv[ 7]=65535 (0xFFFF)
  smb_vwv[ 8]=65535 (0xFFFF) smb_vwv[ 9]= 1024 (0x400) smb_vwv[10]= 0 (0x0) smb_vwv[11]= 0 (0x0)
  smb_bcc=0
[2012/07/30 20:14:32.625590, 10] ../lib/util/util.c:415(dump_data)
[2012/07/30 20:14:32.625601, 3] smbd/process.c:1467(switch_message)
  switch message SMBreadX (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.625617, 4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.625633, 6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe)
  name: \netlogon len: 1024
[2012/07/30 20:14:32.625650, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe)
  read_from_pipe: \netlogon: current_pdu_len = 72, current_pdu_sent = 0 returning 72 bytes.
[2012/07/30 20:14:32.625667, 3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 27
[2012/07/30 20:14:32.625686, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv)
  Received 72 bytes. There is no more data outstanding
[2012/07/30 20:14:32.625702, 3] smbd/pipes.c:485(pipe_read_andx_done)
  readX-IPC min=1024 max=1024 nread=72
[2012/07/30 20:14:32.626313, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 208
[2012/07/30 20:14:32.626338, 6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0xd0
[2012/07/30 20:14:32.626355, 3] smbd/process.c:1662(process_smb)
  Transaction 27 of length 212 (0 toread)
[2012/07/30 20:14:32.626370, 5] lib/util.c:332(show_msg)
[2012/07/30 20:14:32.626381, 5] lib/util.c:342(show_msg)
  size=208 smb_com=0x25 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51207
  smb_tid=1 smb_pid=892 smb_uid=100 smb_mid=1728 smt_wct=16
  smb_vwv[ 0]= 0 (0x0) smb_vwv[ 1]= 124 (0x7C) smb_vwv[ 2]= 0 (0x0) smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]= 0 (0x0) smb_vwv[ 5]= 0 (0x0) smb_vwv[ 6]= 0 (0x0) smb_vwv[ 7]= 0 (0x0)
  smb_vwv[ 8]= 0 (0x0) smb_vwv[ 9]= 0 (0x0) smb_vwv[10]= 84 (0x54) smb_vwv[11]= 124 (0x7C)
  smb_vwv[12]= 84 (0x54) smb_vwv[13]= 2 (0x2) smb_vwv[14]= 38 (0x26) smb_vwv[15]=16511 (0x407F)
  smb_bcc=141
[2012/07/30 20:14:32.626520, 10] ../lib/util/util.c:415(dump_data)
[2012/07/30 20:14:32.626716, 3] smbd/process.c:1467(switch_message)
  switch message SMBtrans (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.626732, 4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.626749, 3] smbd/ipc.c:560(handle_trans)
  trans <\PIPE\> data=124 params=0 setup=2
[2012/07/30 20:14:32.626767, 5] smbd/ipc.c:593(handle_trans)
  calling named_pipe
[2012/07/30 20:14:32.626782, 3] smbd/ipc.c:511(named_pipe)
  named pipe command on <> name
[2012/07/30 20:14:32.626797, 5] smbd/ipc.c:434(api_fd_reply)
  api_fd_reply
[2012/07/30 20:14:32.626812, 3] smbd/ipc.c:475(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 407f)
[2012/07/30 20:14:32.626828, 10] smbd/ipc.c:477(api_fd_reply)
  api_fd_reply: p:0x804845910 max_trans_reply: 1024
[2012/07/30 20:14:32.626843, 6] rpc_server/srv_pipe_hnd.c:520(np_write_send)
  np_write_send: len: 124
[2012/07/30 20:14:32.626859, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 124
[2012/07/30 20:14:32.626874, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 124
[2012/07/30 20:14:32.626890, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header)
  fill_rpc_header: data_to_copy = 124, len_needed_to_complete_hdr = 16, receive_len = 0
[2012/07/30 20:14:32.626906, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 16
[2012/07/30 20:14:32.626921, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 108
[2012/07/30 20:14:32.626936, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 108
[2012/07/30 20:14:32.626952, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 0
[2012/07/30 20:14:32.626967, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 108
[2012/07/30 20:14:32.626982, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 108, incoming data = 108
[2012/07/30 20:14:32.626998, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu)
  PDU is in Little Endian format!
[2012/07/30 20:14:32.627015, 1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
  r: struct ncacn_packet
    rpc_vers : 0x05 (5)
    rpc_vers_minor : 0x00 (0)
    ptype : DCERPC_PKT_REQUEST (0)
    pfc_flags : 0x03 (3)
    drep: ARRAY(4)
      [0] : 0x10 (16)
      [1] : 0x00 (0)
      [2] : 0x00 (0)
      [3] : 0x00 (0)
    frag_length : 0x007c (124)
    auth_length : 0x0000 (0)
    call_id : 0x00000001 (1)
    u : union dcerpc_payload(case 0)
    request: struct dcerpc_request
      alloc_hint : 0x00000064 (100)
      context_id : 0x0000 (0)
      opnum : 0x0005 (5)
      object : union dcerpc_object(case 0)
      empty: struct dcerpc_empty
      _pad : DATA_BLOB length=0
      stub_and_verifier : DATA_BLOB length=100
[2012/07/30 20:14:32.627380, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu)
  Processing packet type 0
[2012/07/30 20:14:32.627395, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request)
  Checking request auth.
[2012/07/30 20:14:32.627411, 5] rpc_server/srv_pipe.c:1571(api_pipe_request)
  Requested \PIPE\\netlogon
[2012/07/30 20:14:32.627427, 4] rpc_server/srv_pipe.c:1611(api_rpcTNP)
  api_rpcTNP: \netlogon op 0x5 - api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE
[2012/07/30 20:14:32.627444, 6] rpc_server/srv_pipe.c:1645(api_rpcTNP)
  api_rpc_cmds[5].fn == 0x12b59a0
[2012/07/30 20:14:32.627463, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  netr_ServerAuthenticate: struct netr_ServerAuthenticate
    in: struct netr_ServerAuthenticate
      server_name : *
        server_name : '\\LABSERVER'
      account_name : *
        account_name : 'ABC-10$'
      secure_channel_type : SEC_CHAN_WKSTA (2)
      computer_name : *
        computer_name : 'ABC-10'
      credentials : *
        credentials: struct netr_Credential
          data : b135a86043435ad7
[2012/07/30 20:14:32.627556, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client ABC-10
[2012/07/30 20:14:32.627572, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  netr_ServerAuthenticate: struct netr_ServerAuthenticate
    out: struct netr_ServerAuthenticate
      return_credentials : *
        return_credentials: struct netr_Credential
          data : 0000000000000000
      result : NT_STATUS_ACCESS_DENIED
[2012/07/30 20:14:32.627624, 5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \netlogon successfully
-------------------------------------------------------------------

> The second is that the user doesn't have enough rights to join the domain. As
> you didn't post any information about the user here, we don't see the user
> token with the sids we don't know what's really going on.

I use the winadmin user to join the domain. This is data for winadmin I used before (now it does not work):

-------------------------------------------------------------------
dn: uid=winadmin,ou=users,o=lab
cn: winadmin
sn: winadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 1994
uid: winadmin
uidNumber: 1995
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomeDrive: Z:
sambaPrimaryGroupSID: S-1-5-21-610032424-962248149-385347502-512
sambaSID: S-1-5-21-610032424-962248149-385347502-4990
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: c1d6b6d4-01f9-102c-9adc-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
sambaProfilePath: \\LABSERVER\profiles
sambaHomePath: \\LABSERVER\homes
homeDirectory: /home/edu/winadmin
sambaLMPassword: 38F3D7FF7B53984D8EB62CE4BD5331F5
sambaAcctFlags: [U]
sambaNTPassword: 45D8E9629F811BFE93E76C93F4A2810D
sambaPwdLastSet: 1227896575
sambaPwdMustChange: 2091896575
userPassword:: e1NTSEF9d2huV1RRYnFZblZTbGxaRzlwcHpXa3Vub1hadEx6a3c=
shadowLastChange: 14211
shadowMax: 10000
entryCSN: 20081128182256Z#000000#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20081128182256Z

dn: cn=Domain Admins,ou=groups,o=lab
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: winadmin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-610032424-962248149-385347502-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: c1dc9af4-01f9-102c-9ade-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
entryCSN: 20070928103146Z#000003#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20070928103146Z

dn: cn=wingroup,ou=groups,o=lab
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wingroup
gidNumber: 1994
structuralObjectClass: posixGroup
entryUUID: b632961c-01fa-102c-9967-a1ca547b88c8
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103836Z
sambaSID: S-1-5-21-610032424-962248149-385347502-4989
sambaGroupType: 2
displayName: wingroup
entryCSN: 20070928103836Z#000001#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20070928103836Z
-------------------------------------------------------------------

This is data for winadmin I use now (only password was changed and group ID):

-------------------------------------------------------------------
dn: uid=winadmin,ou=users,o=lab
cn: winadmin
sn: winadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
uid: winadmin
uidNumber: 1995
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomeDrive: Z:
sambaPrimaryGroupSID: S-1-5-21-610032424-962248149-385347502-512
sambaSID: S-1-5-21-610032424-962248149-385347502-4990
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: c1d6b6d4-01f9-102c-9adc-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
sambaProfilePath: \\LABSERVER\profiles
sambaHomePath: \\LABSERVER\homes
homeDirectory: /home/edu/winadmin
sambaAcctFlags: [U]
sambaPwdMustChange: 2091896575
shadowLastChange: 14211
shadowMax: 10000
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
userPassword:: e1NTSEF9dFAwVXk5b1FGaGZZNVlnWElPa3NQUzZPNlBSNHNGV3U=
sambaNTPassword: FD4CBBD49F64593C332EE19ED863DFBC
sambaPwdLastSet: 1343643200
gidNumber: 512
entryCSN: 20120730120853Z#000000#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20120730120853Z

dn: cn=Domain Admins,ou=groups,o=lab
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: winadmin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-610032424-962248149-385347502-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: c1dc9af4-01f9-102c-9ade-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
entryCSN: 20070928103146Z#000003#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20070928103146Z
-------------------------------------------------------------------

Now everything works as before, but this requires changing gidNumber for the winadmin user; before, this was not needed.
To which group belonged the user "winadmin" before and how was it tight to "Domain Administrator" group. You're talking about a group named "wingroup" what kind of group is this? What's the primary group of winadmin?
s/tight/tied/ :)
Before: user winadmin had primary group wingroup (just a group without any special privileges) and winadmin was listed in memberUid in "Domain Admins". This configuration works and winadmin login was used on XP to join computers to the domain.

Now: user winadmin had primary group "Domain Admins" and is not listed in any other group. And this configuration allows using the winadmin login on XP computers to join them to the domain.

I cannot tell starting from which version of Samba my previous configuration (used for several years) did not allow joining XP computers to the domain; I update Samba from time to time and have to re-join XP computers each year.
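The before/after difference described in this thread, expressed as a directory consistency check. This is an added example, not part of the bug report and not Samba code: it parses an LDIF export and lists sambaSamAccount entries whose sambaPrimaryGroupSID differs from the sambaSID of the group that their gidNumber points to. The sample LDIF is constructed from the attributes quoted in the report with the password fields left out, and the function names are hypothetical; the check reports the mismatch only and makes no claim about why the join was refused.

```python
import base64


def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def has_class(entry, name):
    return any(c.lower() == name.lower() for c in entry.get("objectclass", []))


def first(entry, attr):
    values = entry.get(attr.lower())
    return values[0] if values else None


def primary_group_mismatches(entries):
    """Accounts whose Samba primary group SID and Unix primary group disagree."""
    groups = [e for e in entries if has_class(e, "sambaGroupMapping")]
    by_gid = {first(g, "gidNumber"): g for g in groups}
    findings = []
    for e in entries:
        if not has_class(e, "sambaSamAccount"):
            continue
        uid, gid = first(e, "uid"), first(e, "gidNumber")
        unix_group = by_gid.get(gid)  # None if the gidNumber maps to no group
        unix_sid = first(unix_group, "sambaSID") if unix_group else None
        samba_sid = first(e, "sambaPrimaryGroupSID")
        if unix_sid != samba_sid:
            findings.append({
                "uid": uid,
                "gid_number": gid,
                "unix_primary_sid": unix_sid,
                "samba_primary_sid": samba_sid,
                # groups that list the account only through memberUid
                "secondary_groups": sorted(
                    first(g, "cn") for g in groups
                    if uid in g.get("memberuid", [])),
            })
    return findings


# Constructed sample: the "before" directory state from this report, trimmed.
BEFORE = """\
dn: uid=winadmin,ou=users,o=lab
objectClass: sambaSamAccount
objectClass: posixAccount
gidNumber: 1994
uid: winadmin
sambaPrimaryGroupSID: S-1-5-21-610032424-962248149-385347502-512
sambaSID: S-1-5-21-610032424-962248149-385347502-4990

dn: cn=Domain Admins,ou=groups,o=lab
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: winadmin
sambaSID: S-1-5-21-610032424-962248149-385347502-512

dn: cn=wingroup,ou=groups,o=lab
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wingroup
gidNumber: 1994
sambaSID: S-1-5-21-610032424-962248149-385347502-4989
"""

# The "after" state: only the account's gidNumber changes to 512.
AFTER = BEFORE.replace("gidNumber: 1994\nuid: winadmin",
                       "gidNumber: 512\nuid: winadmin")

if __name__ == "__main__":
    for label, ldif in (("before", BEFORE), ("after", AFTER)):
        print(label, primary_group_mismatches(parse_ldif(ldif)))
```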
no progress here, I also haven't seen such issues in similar setups, closing now.