From: Marcis Lielturks on
Hi!

Here's a comparison of "net ads join" output, between my first build of
samba 3.5.4 that gave "pkcs 11 error" and second build, that is failing
with "rpc: Logon failure". Can anyone comment on the differences? I'm
starting to think that the "diff -u" output says that the 2nd build is
failing sooner than the first build did. As you can see there's a lot of
missing lines with "sasl", "ldap" and "krb5".

MMM


On 07/16/10 04:34 PM, Gaiseric Vandal wrote:
> Which version of Samba? I had more trouble with Samba 3.5.x. And I
> have never managed to get Samba to compile with sun cc. I figured
> Samba was written with gcc in mind.
>
>
> The "failed to lookup DC info for domain 'mydomain.COM' over rpc:
> Logon failure' " message is interesting - not sure if you are getting
> login errors before lookup errors. Is your samba server configured to
> use your AD server as the DNS server? What version of windows is the
> AD server? What domain/forest mode is your AD server in?
>
> In the "windows" world clients can locate the login server via
> specific resource records in DNS. I don't know if Samba does this too
> or is still relying on netbios. I had one AD domain that was in
> NT4-compatibility mode and one AD domain that was in Windows 2003
> native mode. Changing the client DNS settings on the samba machine
> seemed to help with locating the "2003 native" mode DC.
>
>
>
> On 07/16/2010 05:29 AM, Marcis Lielturks wrote:
>> Hi!
>>
>> First of all, thanks for replies to all ;)!
>>
>> Using GCC was a fail for me - too many errors and 2 additional things
>> must be compiled (tdb & talloc). I only managed to compile using
>> Sun's cc and gmake and will stick to them. I'm a bit further now. Now
>> I don't get PKCS 11 errors when trying to do "net ads join". I
>> recompiled openldap with slapd (but with null backend) and "-lpkcs11"
>> in LDFLAGS (I think this is what helped). However now I'm getting
>> the following when doing "net ads join"
>>
>> [2010/07/16 12:16:54, 3] param/loadparm.c:9158(lp_load_ex)
>> lp_load_ex: refreshing parameters
>> [2010/07/16 12:16:54, 3] param/loadparm.c:4929(init_globals)
>> Initialising global parameters
>> [2010/07/16 12:16:54, 2] param/loadparm.c:4785(max_open_files)
>> rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
>> [2010/07/16 12:16:54.047848, 3] ../lib/util/params.c:550(pm_process)
>> params.c:pm_process() - Processing configuration file
>> "/opt/samba/lib/smb.conf"
>> [2010/07/16 12:16:54.047875, 3] param/loadparm.c:7842(do_section)
>> Processing section "[global]"
>> [2010/07/16 12:16:54.048365, 2] lib/interface.c:338(add_interface)
>> added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255
>> netmask=255.255.255.0
>> [2010/07/16 12:16:54.048517, 1] libnet/libnet_join.c:1947(libnet_Join)
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> in: struct libnet_JoinCtx
>> dc_name : NULL
>> machine_name : 'SAMBA-DEV'
>> domain_name : *
>> domain_name : 'mydomain.COM'
>> account_ou : NULL
>> admin_account : 'Administrator'
>> admin_password : *
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>> os_version : NULL
>> os_name : NULL
>> create_upn : 0x00 (0)
>> upn : NULL
>> modify_config : 0x00 (0)
>> ads : NULL
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> [2010/07/16 12:17:00.052208, 2] libads/cldap.c:97(ads_cldap_netlogon)
>> cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
>> [2010/07/16 12:17:00.141661, 3]
>> libsmb/cliconnect.c:2201(cli_start_connection)
>> Connecting to host=BORED.mydomain.com
>> [2010/07/16 12:17:00.141828, 3]
>> lib/util_sock.c:974(open_socket_out_send)
>> Connecting to 192.168.0.94 at port 445
>> [2010/07/16 12:17:00.143207, 3]
>> libsmb/cliconnect.c:991(cli_session_setup_spnego)
>> Doing spnego session setup (blob length=107)
>> [2010/07/16 12:17:00.143274, 3]
>> libsmb/cliconnect.c:1019(cli_session_setup_spnego)
>> got OID=1.2.840.48018.1.2.2
>> got OID=1.2.840.113554.1.2.2
>> got OID=1.2.840.113554.1.2.2.3
>> got OID=1.3.6.1.4.1.311.2.2.10
>> [2010/07/16 12:17:00.143302, 3]
>> libsmb/cliconnect.c:1029(cli_session_setup_spnego)
>> got principal=bored$@mydomain.COM
>> [2010/07/16 12:17:00.143856, 3]
>> libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
>> Got challenge flags:
>> [2010/07/16 12:17:00.143870, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x62898215
>> [2010/07/16 12:17:00.143883, 3]
>> libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
>> NTLMSSP: Set final flags:
>> [2010/07/16 12:17:00.143894, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x60088215
>> [2010/07/16 12:17:00.143984, 3]
>> libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
>> NTLMSSP Sign/Seal - Initialising with flags:
>> [2010/07/16 12:17:00.143997, 3]
>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0x60088215
>> [2010/07/16 12:17:00.177128, 3]
>> libsmb/cliconnect.c:1249(cli_session_setup)
>> SPNEGO login failed: Logon failure
>> [2010/07/16 12:17:00.177159, 1]
>> libsmb/cliconnect.c:2307(cli_full_connection)
>> failed session setup with NT_STATUS_LOGON_FAILURE
>> [2010/07/16 12:17:00.177271, 1] libnet/libnet_join.c:1978(libnet_Join)
>> libnet_Join:
>> libnet_JoinCtx: struct libnet_JoinCtx
>> out: struct libnet_JoinCtx
>> account_name : NULL
>> netbios_domain_name : NULL
>> dns_domain_name : NULL
>> forest_name : NULL
>> dn : NULL
>> domain_sid : NULL
>> domain_sid : (NULL SID)
>> modified_config : 0x00 (0)
>> error_string : 'failed to lookup DC info
>> for domain 'mydomain.COM' over rpc: Logon failure'
>> domain_is_ad : 0x00 (0)
>> result : WERR_LOGON_FAILURE
>> [2010/07/16 12:17:00.177442, 2] utils/net.c:916(main)
>>
>>
>> Interesting is that if I supply a wrong username the output doesn't
>> differ much. Below you can see the differences (I stripped time to be
>> able to use diff).
>>
>> --- pass_ok_stripped.txt 2010-07-16 12:19:11.869234402 +0300
>> +++ pass_wrong_stripped.txt 2010-07-16 12:19:22.318101275 +0300
>> @@ -19,7 +19,7 @@
>> domain_name : *
>> domain_name : 'mydomain.COM'
>> account_ou : NULL
>> - admin_account : 'Administrator'
>> + admin_account : 'Adminisdgasgasdtor'
>> admin_password : *
>> machine_password : NULL
>> join_flags : 0x00000023 (35)
>> @@ -43,8 +43,6 @@
>> debug : 0x01 (1)
>> use_kerberos : 0x00 (0)
>> secure_channel_type : SEC_CHAN_WKSTA (2)
>> - libads/cldap.c:97(ads_cldap_netlogon)
>> - cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
>> libsmb/cliconnect.c:2201(cli_start_connection)
>> Connecting to host=BORED.ProServe.com
>> lib/util_sock.c:974(open_socket_out_send)
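Review bot: This comparison cannot separate a wrong account name from a problem in the build at debug level 3: in the second hunk (@@ -43,8 +43,6 @@) the only lines that differ are the cldap_netlogon() / NT_STATUS_IO_TIMEOUT pair, and no hunk follows it, so everything from cli_start_connection onward is identical in both runs. Repeat the diff at a higher debug level so that the NTLMSSP messages are part of the output being compared.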
>>
>>
>> Maybe I'm missing some rpc things? "smbd -b | tail -2" says:
>>
>> Builtin modules:
>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam rpc_lsarpc
>> rpc_winreg rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl
>> rpc_ntsvcs rpc_netlogon rpc_netdfs rpc_srvsvc rpc_spoolss
>> rpc_eventlog rpc_samr idmap_ldap idmap_tdb idmap_passdb idmap_nss
>> idmap_rid idmap_hash nss_info_template auth_sam auth_unix
>> auth_winbind auth_wbc auth_server auth_domain auth_builtin
>> auth_netlogond vfs_default vfs_solarisacl vfs_zfsacl
>>
>>
>> MMM
>>
>> On 07/15/10 04:32 PM, Gaiseric Vandal wrote:
>>> I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x pdc
>>> with two Samba 3.0.x BDCs.) Samba 3.0.x DCs will not support
>>> Windows 7 clients (don't have any yet but it is probably inevitable)
>>> and doesn't seem to support trusts with Windows 2003 Native domains
>>> (at least it didn't for me.)
>>>
>>>
>>> If you follow the opensolaris forums it seems unlikely that
>>> there will be a compiled build of 3.4.x or 3.5.x of samba in Solaris
>>> 10 or OpenSolaris in the near future. I don't think it really is
>>> a licensing or even major technical issue. There seems to be
>>> more interest in the CIFS project as an alternative to Samba.
>>> Oracle/Sun sells a NAS server that runs on opensolaris and uses
>>> CIFS so I don't think they have much interest in Samba. I don't see
>>> Oracle/Sun paying anyone to work on Samba 3.4.x or 3.5.x integration
>>> when they have "better" solutions and more important priorities.
>>>
>>> To be specific, Samba doesn't require OpenLDAP but it does require
>>> LDAP with certain functionality. The Solaris-bundled Samba does
>>> use OpenLDAP. But if you are compiling it yourself OpenLDAP is
>>> the way to do it. Easiest to just get the openldap precompiled
>>> from blastwave or sunfreeware.com. And there is precompiled Samba
>>> available from Sunfreeware and Blastwave but it may lack the
>>> features you need, so you probably need to compile anyway.
>>>
>>> If you don't need AD support, then the Sun ldap client
>>> functionality should be sufficient.
>>>
>>>
>>> I didn't know about the NGROUPS_MAX option. I would have disabled
>>> it if I had known, since I am subject to the 16 group NFS v3 limit.
>>> (What I really need to do is switch to NFS v4 and use kerberos
>>> authentication for NFS clients.)
>>>
>>> The OpenSolaris developer build (from earlier this year - not the
>>> official release from last year) has updated GCC and other tools
>>> that may make compiling easier. Gcc from Sun (and even
>>> Sunfreeware) uses "/usr/ccs/bin/ld" as the linker. You may need to
>>> rename the file and symlink it to gld (gnu linker.) Samba
>>> compiling also requires that you set the CPPFLAGS and LDFLAGS as
>>> well.
>>>
>>> e.g.
>>>
>>>
>>> PATH=/usr/sfw/bin:/usr/ccs/bin:$PATH
>>> PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
>>> LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY_PATH
>>> LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH
>>>
>>> export LD_LIBRARY_PATH
>>> export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include -I/usr/include"
>>> export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
>>>
>>>
>>>
>>>
>>> I posted questions/results to the list earlier this year about my
>>> experiences.
>>>
>>> On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
>>>>
>>>>
>>>> On 15 July 2010 00:28, Jeremy Allison <jra(a)samba.org
>>>> <mailto:jra(a)samba.org>> wrote:
>>>>
>>>> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>>>> > Thanks, machine won't provide NFS or ssh login services, so
>>>> > fiddling with max groups should do no harm!
>>>> >
>>>> > I googled a bit and found that samba should be recompiled to take
>>>> > advantage of new NGROUPS_MAX. "./configure" logs also suggested
>>>> > that NGROUPS_MAX is evaluated only at compile time.
>>>>
>>>> Yep. Recompilation should do the trick once the kernel understands
>>>> large numbers of groups.
>>>>
>>>> > Can anybody share experience on compiling samba on OpenSolaris?
>>>> > What's the most painless way? I'm considering to use latest 3.5.5
>>>> > but maybe I should use same version Sun (Oracle) is using - 3.0.37?
>>>> > I have to set up Samba on 2 servers, which already replicate
>>>> > storage, so ID mapping must be consistent between both Samba
>>>> > servers. Servers have to provide shares also to trusted domains,
>>>> > but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
>>>> > supported to provide mappings for more than one domain, so anything
>>>> > newer than 3.0.37 sounds like the right choice.
>>>>
>>>> The only reason they use 3.0.x is they're still unable to cope
>>>> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
>>>> Linux has been shipping GPLv3 Samba for a while. But it's a big
>>>> company, you can't expect one part to know what another part is
>>>> up to :-).
>>>>
>>>> Yeah, I read about that, but still, I was thinking that as they
>>>> ship 3.0.37, it should also be easier to compile because OS has all
>>>> that's necessary for 3.0.37. Newer Samba versions may have some
>>>> dependencies (new libs or newer version of libs), that might be
>>>> harder to satisfy. I have never compiled samba so far and all I
>>>> know at the moment (from documentation) is that AD support requires
>>>> krb5 and openldap development libraries and files.
>>>>
>>>>
>>>> Jeremy.
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> ML
>>>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Mārcis Lielturks on
Hi!

I'm still stuck at the point where samba compiles, but I cannot join domain.
I see "SPNEGO login failure" when using debug level 3 and "failed to lookup
DC info for domain 'DOMAIN.COM' over rpc: Logon failure" on STDOUT.

I have compiled:

- openssl 0.9.8o
- openldap 2.4.21
- MIT Kerberos5 1.8.2
- GNU GSS 0.1.5
- openssl with kerberos support
- samba 3.5.4

I'm using sunstudio12.1 cc compiler and gnu make on snv_134. Everything is
"--prefix'ed" to /opt/samba. I have set CPPFLAGS and LDFLAGS to point to
/opt/samba/include and /opt/samba/lib


1. Can anyone help with explaining this SPNEGO thing? I suspect that it
means that samba was unable to negotiate some gssapi related stuff, so I
might have compiled something wrong.
2. Why does "struct libnet_JoinCtx" suggest that kerberos won't be used (see
the line marked with arrows)?



Here's some lines from "net -U domainadmin%pass ads join -d10"

[2010/07/20 09:37:05.413534, 2] lib/interface.c:338(add_interface)
added interface e1000g0:6 ip=192.168.0.84 bcast=192.168.0.255
netmask=255.255.255.0
[2010/07/20 09:37:05.413946, 1] libnet/libnet_join.c:1947(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'SAMBA-DEV'
domain_name : *
domain_name : 'DOMAIN.COM'
account_ou : NULL
admin_account : 'Administrator'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x00 (0)
upn : NULL
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
----------> use_kerberos : 0x00 (0) <----------
secure_channel_type : SEC_CHAN_WKSTA (2)
....................SKIP......................
[2010/07/20 09:37:05.521247, 5]
libsmb/ntlmssp.c:1196(ntlmssp_client_challenge)
NTLMSSP challenge set by NTLM2
[2010/07/20 09:37:05.521259, 5]
libsmb/ntlmssp.c:1197(ntlmssp_client_challenge)
challenge is:
[2010/07/20 09:37:05.521270, 5] ../lib/util/util.c:278(_dump_data)
[0000] A3 7C 51 9D 27 CF 26 FA .|Q.'.&.
[2010/07/20 09:37:05.521349, 1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
&authenticate: struct AUTHENTICATE_MESSAGE
Signature : 'NTLMSSP'
MessageType : NtLmAuthenticate (3)
LmChallengeResponseLen : 0x0018 (24)
LmChallengeResponseMaxLen: 0x0018 (24)
LmChallengeResponse : *
LmChallengeResponse : union ntlmssp_LM_RESPONSE(case 24)
v1: struct LM_RESPONSE
Response :
52ef40e69996a2ef00000000000000000000000000000000
NtChallengeResponseLen : 0x0018 (24)
NtChallengeResponseMaxLen: 0x0018 (24)
NtChallengeResponse : *
NtChallengeResponse : union ntlmssp_NTLM_RESPONSE(case
24)
v1: struct NTLM_RESPONSE
Response :
dccf3343610fc15a038074885a333ab7ce0d8aef7cd17728
DomainNameLen : 0x0000 (0)
DomainNameMaxLen : 0x0000 (0)
DomainName : *
DomainName : ''
UserNameLen : 0x001a (26)
UserNameMaxLen : 0x001a (26)
UserName : *
UserName : 'Administrator'
WorkstationLen : 0x0012 (18)
WorkstationMaxLen : 0x0012 (18)
Workstation : *
Workstation : 'SAMBA-DEV'
EncryptedRandomSessionKeyLen: 0x0010 (16)
EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
EncryptedRandomSessionKey: *
EncryptedRandomSessionKey: DATA_BLOB length=16
[2010/07/20 09:37:05.521558, 10] ../lib/util/util.c:278(_dump_data)
[0000] 08 5C F1 71 2B 7B 55 BF E7 25 D6 0D F6 E7 E1 31 .\.q+{U.
.%.....1
NegotiateFlags : 0x60088215 (1611170325)
1: NTLMSSP_NEGOTIATE_UNICODE
0: NTLMSSP_NEGOTIATE_OEM
1: NTLMSSP_REQUEST_TARGET
1: NTLMSSP_NEGOTIATE_SIGN
0: NTLMSSP_NEGOTIATE_SEAL
0: NTLMSSP_NEGOTIATE_DATAGRAM
0: NTLMSSP_NEGOTIATE_LM_KEY
0: NTLMSSP_NEGOTIATE_NETWARE
1: NTLMSSP_NEGOTIATE_NTLM
0: NTLMSSP_NEGOTIATE_NT_ONLY
0: NTLMSSP_ANONYMOUS
0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
0: NTLMSSP_TARGET_TYPE_DOMAIN
0: NTLMSSP_TARGET_TYPE_SERVER
0: NTLMSSP_TARGET_TYPE_SHARE
1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
0: NTLMSSP_NEGOTIATE_IDENTIFY
0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
0: NTLMSSP_NEGOTIATE_TARGET_INFO
0: NTLMSSP_NEGOTIATE_VERSION
1: NTLMSSP_NEGOTIATE_128
1: NTLMSSP_NEGOTIATE_KEY_EXCH
0: NTLMSSP_NEGOTIATE_56
[2010/07/20 09:37:05.521750, 3]
libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
NTLMSSP Sign/Seal - Initialising with flags:
[2010/07/20 09:37:05.521763, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
[2010/07/20 09:37:05.521921, 10]
libsmb/smb_signing.c:209(smb_signing_sign_pdu)
smb_signing_sign_pdu: sent SMB signature of
[2010/07/20 09:37:05.521935, 10] ../lib/util/util.c:278(_dump_data)
[0000] 42 53 52 53 50 59 4C 20 BSRSPYL
[2010/07/20 09:37:05.521956, 6] libsmb/clientgen.c:323(write_socket)
write_socket(7,270)
[2010/07/20 09:37:05.521978, 6] libsmb/clientgen.c:326(write_socket)
write_socket(7,270) wrote 270
[2010/07/20 09:37:05.558662, 10]
lib/util_sock.c:726(read_smb_length_return_keepalive)
got smb length of 35
[2010/07/20 09:37:05.558704, 5] lib/util.c:617(show_msg)
[2010/07/20 09:37:05.558715, 5] lib/util.c:620(show_msg)
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=16481
smb_uid=2051
smb_mid=3
smt_wct=0
smb_bcc=0
[2010/07/20 09:37:05.558782, 5] lib/util.c:617(show_msg)
[2010/07/20 09:37:05.558791, 5] lib/util.c:620(show_msg)
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51205
smb_tid=0
smb_pid=16481
smb_uid=2051
smb_mid=3
smt_wct=0
smb_bcc=0
[2010/07/20 09:37:05.559036, 3] libsmb/cliconnect.c:1249(cli_session_setup)
SPNEGO login failed: Logon failure
[2010/07/20 09:37:05.559098, 1]
libsmb/cliconnect.c:2307(cli_full_connection)
failed session setup with NT_STATUS_LOGON_FAILURE
[2010/07/20 09:37:05.559256, 1] libnet/libnet_join.c:1978(libnet_Join)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : NULL
dns_domain_name : NULL
forest_name : NULL
dn : NULL
domain_sid : NULL
domain_sid : (NULL SID)
modified_config : 0x00 (0)
error_string : 'failed to lookup DC info for
domain 'DOMAIN.COM' over rpc: Logon failure'
domain_is_ad : 0x00 (0)
result : WERR_LOGON_FAILURE
Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM' over
rpc: Logon failure




--
ML
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Mārcis Lielturks on
Hi!

OK, I have now compiled a samba that can join the domain. The only thing
compiled before samba is MIT Kerberos v5 (notice no LDAP!).
* net ads join - WORKS
* wbinfo -u/-g/-m - WORKS
* nsswitch.conf entries are as follows
    passwd: files winbind
    group: files winbind
* smbd, nmbd, winbind - RUNNING
* id DOMAIN+user - DOESN'T WORK
* connecting to shares - DOESN'T WORK

What I see in the logs (and on CLI if running with "-FiS") is that samba
(and UNIX's "id") is having trouble getting user information from winbind. I
cannot access shares as domain admin and manage shares when connecting to
samba server from "manage computer" dialog.

Where to look/debug next? Recompile it with the newest GNU gettext and libiconv?
Try to fix the socket options problems?

When tracing smbd with "truss smbd -d10 -FiS" I see some unsuccessful stats
for nss_winbind.so.1 library (I compiled without --enable-nss-wrapper). For
now I'll try to recompile with this option and see what happens.
21017: write(1, " T r y i n g _ G e t _".., 60) = 60
21017: getuid() = 0 [0]
21017: getuid() = 0 [0]
21017: open64("/var/run/name_service_door", O_RDONLY) Err#2 ENOENT
21017: open("/etc/passwd", O_RDONLY) = 32
21017: fstat64(32, 0x080466C0) = 0
21017: fstat64(32, 0x080465D0) = 0
21017: ioctl(32, TCGETA, 0x08046670) Err#25 ENOTTY
21017: read(32, " r o o t : x : 0 : 0 : S".., 1536) = 1255
21017: read(32, 0x0893096C, 1536) = 0
21017: llseek(32, 0, SEEK_CUR) = 1255
21017: close(32) = 0
21017: stat64("/opt/samba/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/usr/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
Checking combinations of 0 uppercase letters in administrator
21017: write(1, " C h e c k i n g c o m".., 62) = 62
Get_Pwnam_internals didn't find user [Administrator]!
21017: write(1, " G e t _ P w n a m _ i n".., 54) = 54
21017: getpid() = 21017 [21016]
21017: getpid() = 21017 [21016]
21017: pollsys(0x08044B50, 1, 0x08044C68, 0x00000000) = 0
21017: write(18, " 0\b\0\0 %\0\0\0\0\0\0\0".., 2096) = 2096
21017: pollsys(0x080445C0, 1, 0x080446D8, 0x00000000) = 1
21017: read(18, "A8\r\0\002\0\0\0\0\0\0\0".., 3496) = 3496
Username PROSERVE+Administrator is invalid on this system
21017: write(1, " T r y i n g _ G e t _".., 60) = 60
21017: getuid() = 0 [0]
21017: getuid() = 0 [0]
21017: open64("/var/run/name_service_door", O_RDONLY) Err#2 ENOENT
21017: open("/etc/passwd", O_RDONLY) = 32
21017: fstat64(32, 0x080466C0) = 0
21017: fstat64(32, 0x080465D0) = 0
21017: ioctl(32, TCGETA, 0x08046670) Err#25 ENOTTY
21017: read(32, " r o o t : x : 0 : 0 : S".., 1536) = 1255
21017: read(32, 0x0893096C, 1536) = 0
21017: llseek(32, 0, SEEK_CUR) = 1255
21017: close(32) = 0
21017: stat64("/opt/samba/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/usr/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
Checking combinations of 0 uppercase letters in administrator
21017: write(1, " C h e c k i n g c o m".., 62) = 62
Get_Pwnam_internals didn't find user [Administrator]!
21017: write(1, " G e t _ P w n a m _ i n".., 54) = 54
21017: getpid() = 21017 [21016]
21017: getpid() = 21017 [21016]
21017: pollsys(0x08044B50, 1, 0x08044C68, 0x00000000) = 0
21017: write(18, " 0\b\0\0 %\0\0\0\0\0\0\0".., 2096) = 2096
21017: pollsys(0x080445C0, 1, 0x080446D8, 0x00000000) = 1
21017: read(18, "A8\r\0\002\0\0\0\0\0\0\0".., 3496) = 3496
Username PROSERVE+Administrator is invalid on this system


bored is the machine I tried to connect to shares from
==> var/bored.log <==
[2010/07/22 10:34:52.985835, 5] lib/util_sock.c:462(read_fd_with_timeout)
read_fd_with_timeout: blocking read. EOF from client.
[2010/07/22 10:34:52.985936, 10] smbd/process.c:286(receive_smb_raw_talloc)
receive_smb_raw: NT_STATUS_END_OF_FILE
[2010/07/22 10:34:52.985982, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/22 10:34:52.986022, 5] auth/token_util.c:525(debug_nt_user_token)
NT user token: (NULL)
[2010/07/22 10:34:52.986060, 5]
auth/token_util.c:551(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2010/07/22 10:34:52.986130, 5] smbd/uid.c:369(change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2010/07/22 10:34:52.986198, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2010/07/22 10:34:52.986272, 10] lib/dbwrap_tdb.c:100(db_tdb_fetch_locked)
Locking key 8E410000FFFFFFFF0000
[2010/07/22 10:34:52.986331, 10] lib/dbwrap_tdb.c:129(db_tdb_fetch_locked)
Allocated locked data 0x891ff50
[2010/07/22 10:34:52.986397, 10] lib/dbwrap_tdb.c:42(db_tdb_record_destr)
Unlocking key 8E410000FFFFFFFF0000
[2010/07/22 10:34:52.986571, 3] smbd/server.c:902(exit_server_common)
Server exit (failed to receive smb request)


==> var/winbindd.log <==
[2010/07/22 10:34:41.543123, 6] winbindd/winbindd.c:768(new_connection)
accepted socket 22
[2010/07/22 10:34:41.543235, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn INTERFACE_VERSION
[2010/07/22 10:34:41.543277, 3]
winbindd/winbindd_misc.c:352(winbindd_interface_version)
[16782]: request interface version
[2010/07/22 10:34:41.543343, 10]
winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[16782:INTERFACE_VERSION]: deliverd
response to client
[2010/07/22 10:34:41.543410, 10] winbindd/winbindd.c:620(process_request)
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2010/07/22 10:34:41.543450, 3]
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
[16782]: request location of privileged pipe
[2010/07/22 10:34:41.543525, 10]
winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[16782:WINBINDD_PRIV_PIPE_DIR]: deliverd
response to client
[2010/07/22 10:34:41.543615, 6] winbindd/winbindd.c:768(new_connection)
accepted socket 24
[2010/07/22 10:34:41.543686, 10] winbindd/winbindd.c:593(process_request)
process_request: Handling async request 16782:PING
[2010/07/22 10:34:41.543733, 10] winbindd/winbindd.c:655(wb_request_done)
wb_request_done[16782:PING]: NT_STATUS_OK
[2010/07/22 10:34:41.543795, 10]
winbindd/winbindd.c:716(winbind_client_response_written)
winbind_client_response_written[16782:PING]: deliverd response to client
[2010/07/22 10:34:41.543857, 6]
winbindd/winbindd.c:816(winbind_client_request_read)
closing socket 22, client exited
[2010/07/22 10:34:47.643788, 6] winbindd/winbindd.c:768(new_connection)
accepted socket 22
[2010/07/22 10:34:47.643895, 2]
winbindd/winbindd.c:819(winbind_client_request_read)
Could not read client request from fd 22: I/O error
[2010/07/22 10:34:52.988128, 6]
winbindd/winbindd.c:816(winbind_client_request_read)
closing socket 24, client exited

In the meantime samba.log is throwing out the following:
[2010/07/22 10:34:41.462806, 5] lib/util_sock.c:304(print_socket_options)
Socket options:
SO_KEEPALIVE = 8
SO_REUSEADDR = 4
SO_BROADCAST = 0
TCP_NODELAY = 1
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 49152
SO_RCVBUF = 64240
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.
[2010/07/22 10:34:41.463146, 5] lib/util_sock.c:304(print_socket_options)
Socket options:
SO_KEEPALIVE = 8
SO_REUSEADDR = 4
SO_BROADCAST = 0
TCP_NODELAY = 1
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 49152
SO_RCVBUF = 64240
Could not test socket option SO_SNDLOWAT.
Could not test socket option SO_RCVLOWAT.
Could not test socket option SO_SNDTIMEO.
Could not test socket option SO_RCVTIMEO.


my smb.conf
[global]
server string = Cepure
log file = /opt/samba/var/%m.log
log level = 10
max log size = 1024

passwd chat timeout=10

load printers = no
netbios name = cepure
;security = user
security = ADS
workgroup = PROSERVE
realm = PROSERVE.COM
encrypt passwords = yes
;password server = bored.proserve.com
local master = no
domain master = no

;client ntlmv2 auth = Yes
;client lanman auth = Yes
;client plaintext auth = Yes
;lanman auth = Yes
;client use spnego = no
;ldap connection timeout = 10
;ldap ssl = no
;max stat cache size = 1024
;kerberos method = system keytab

winbind separator = +
winbind enum users = yes
winbind enum groups = yes

idmap uid = 10000 - 30000
idmap gid = 10000 - 30000

;case sensitive = yes
;default case = upper
;preserve case = yes
;short preserve case = yes

;vfs objects = zfsacl
;nfs4: mode = special
;nfs4: acedup = merge

[SAMBA]
path = /SAMBA
admin users = @"PROSERVE+domain admins" PROSERVE+administrator
read only = no
comment = test share
guest ok = yes

On 20 July 2010 10:27, Mārcis Lielturks <marcis.lielturks(a)gmail.com> wrote:

> Hi!
>
> I'm still stuck at the point where samba compiles, but I cannot join
> domain. I see "SPNEGO login failure" when using debug level 3 and "failed to
> lookup DC info for domain 'DOMAIN.COM' over rpc: Logon failure" on STDOUT.
>
> I have compiled:
>
> - openssl 0.9.8o
> - openldap 2.4.21
> - MIT Kerberos5 1.8.2
> - GNU GSS 0.1.5
> - openssl with kerberos support
> - samba 3.5.4
>
> I'm using sunstudio12.1 cc compiler and gnu make on snv_134. Everything is
> "--prefix'ed" to /opt/samba. I have set CPPFLAGS and LDFLAGS to point to
> /opt/samba/include and /opt/samba/lib
>
>
> 1. Can anyone help on explaining this SPNEGO thing? I suspect that it
> means that samba was unable to negotiate some gssapi related stuff, so I
> might have compiled something wrong.
> 2. Why "struct libnet_JoinCtx" suggests that kerberos won't be used
> (see line marked with arrows)?
>
>
>
> Here's some lines from "net -U domainadmin%pass ads join -d10"
>
> [2010/07/20 09:37:05.413534, 2] lib/interface.c:338(add_interface)
> added interface e1000g0:6 ip=192.168.0.84 bcast=192.168.0.255
> netmask=255.255.255.0
> [2010/07/20 09:37:05.413946, 1] libnet/libnet_join.c:1947(libnet_Join)
>
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : NULL
> machine_name : 'SAMBA-DEV'
> domain_name : *
> domain_name : 'DOMAIN.COM'
>
> account_ou : NULL
> admin_account : 'Administrator'
> admin_password : *
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> ----------> use_kerberos : 0x00 (0)
> <--------------------------------------------------------------------------------------
> secure_channel_type : SEC_CHAN_WKSTA (2)
> ....................SKIP......................
> [2010/07/20 09:37:05.521247, 5]
> libsmb/ntlmssp.c:1196(ntlmssp_client_challenge)
> NTLMSSP challenge set by NTLM2
> [2010/07/20 09:37:05.521259, 5]
> libsmb/ntlmssp.c:1197(ntlmssp_client_challenge)
> challenge is:
> [2010/07/20 09:37:05.521270, 5] ../lib/util/util.c:278(_dump_data)
> [0000] A3 7C 51 9D 27 CF 26 FA .|Q.'.&.
> [2010/07/20 09:37:05.521349, 1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
> &authenticate: struct AUTHENTICATE_MESSAGE
> Signature : 'NTLMSSP'
> MessageType : NtLmAuthenticate (3)
> LmChallengeResponseLen : 0x0018 (24)
> LmChallengeResponseMaxLen: 0x0018 (24)
> LmChallengeResponse : *
> LmChallengeResponse : union ntlmssp_LM_RESPONSE(case 24)
> v1: struct LM_RESPONSE
> Response :
> 52ef40e69996a2ef00000000000000000000000000000000
> NtChallengeResponseLen : 0x0018 (24)
> NtChallengeResponseMaxLen: 0x0018 (24)
> NtChallengeResponse : *
> NtChallengeResponse : union ntlmssp_NTLM_RESPONSE(case
> 24)
> v1: struct NTLM_RESPONSE
> Response :
> dccf3343610fc15a038074885a333ab7ce0d8aef7cd17728
> DomainNameLen : 0x0000 (0)
> DomainNameMaxLen : 0x0000 (0)
> DomainName : *
> DomainName : ''
> UserNameLen : 0x001a (26)
> UserNameMaxLen : 0x001a (26)
> UserName : *
> UserName : 'Administrator'
> WorkstationLen : 0x0012 (18)
> WorkstationMaxLen : 0x0012 (18)
> Workstation : *
> Workstation : 'SAMBA-DEV'
> EncryptedRandomSessionKeyLen: 0x0010 (16)
> EncryptedRandomSessionKeyMaxLen: 0x0010 (16)
> EncryptedRandomSessionKey: *
> EncryptedRandomSessionKey: DATA_BLOB length=16
> [2010/07/20 09:37:05.521558, 10] ../lib/util/util.c:278(_dump_data)
> [0000] 08 5C F1 71 2B 7B 55 BF E7 25 D6 0D F6 E7 E1 31 .\.q+{U.
> .%.....1
> NegotiateFlags : 0x60088215 (1611170325)
> 1: NTLMSSP_NEGOTIATE_UNICODE
> 0: NTLMSSP_NEGOTIATE_OEM
> 1: NTLMSSP_REQUEST_TARGET
> 1: NTLMSSP_NEGOTIATE_SIGN
> 0: NTLMSSP_NEGOTIATE_SEAL
> 0: NTLMSSP_NEGOTIATE_DATAGRAM
> 0: NTLMSSP_NEGOTIATE_LM_KEY
> 0: NTLMSSP_NEGOTIATE_NETWARE
> 1: NTLMSSP_NEGOTIATE_NTLM
> 0: NTLMSSP_NEGOTIATE_NT_ONLY
> 0: NTLMSSP_ANONYMOUS
> 0: NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
> 0: NTLMSSP_NEGOTIATE_THIS_IS_LOCAL_CALL
> 1: NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> 0: NTLMSSP_TARGET_TYPE_DOMAIN
> 0: NTLMSSP_TARGET_TYPE_SERVER
> 0: NTLMSSP_TARGET_TYPE_SHARE
> 1: NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> 0: NTLMSSP_NEGOTIATE_IDENTIFY
> 0: NTLMSSP_REQUEST_NON_NT_SESSION_KEY
> 0: NTLMSSP_NEGOTIATE_TARGET_INFO
> 0: NTLMSSP_NEGOTIATE_VERSION
> 1: NTLMSSP_NEGOTIATE_128
> 1: NTLMSSP_NEGOTIATE_KEY_EXCH
> 0: NTLMSSP_NEGOTIATE_56
> [2010/07/20 09:37:05.521750, 3]
> libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
>
> NTLMSSP Sign/Seal - Initialising with flags:
> [2010/07/20 09:37:05.521763, 3] libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> [2010/07/20 09:37:05.521921, 10]
> libsmb/smb_signing.c:209(smb_signing_sign_pdu)
> smb_signing_sign_pdu: sent SMB signature of
> [2010/07/20 09:37:05.521935, 10] ../lib/util/util.c:278(_dump_data)
> [0000] 42 53 52 53 50 59 4C 20 BSRSPYL
> [2010/07/20 09:37:05.521956, 6] libsmb/clientgen.c:323(write_socket)
> write_socket(7,270)
> [2010/07/20 09:37:05.521978, 6] libsmb/clientgen.c:326(write_socket)
> write_socket(7,270) wrote 270
> [2010/07/20 09:37:05.558662, 10]
> lib/util_sock.c:726(read_smb_length_return_keepalive)
> got smb length of 35
> [2010/07/20 09:37:05.558704, 5] lib/util.c:617(show_msg)
> [2010/07/20 09:37:05.558715, 5] lib/util.c:620(show_msg)
> size=35
> smb_com=0x73
> smb_rcls=109
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51205
> smb_tid=0
> smb_pid=16481
> smb_uid=2051
> smb_mid=3
> smt_wct=0
> smb_bcc=0
> [2010/07/20 09:37:05.558782, 5] lib/util.c:617(show_msg)
> [2010/07/20 09:37:05.558791, 5] lib/util.c:620(show_msg)
> size=35
> smb_com=0x73
> smb_rcls=109
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51205
> smb_tid=0
> smb_pid=16481
> smb_uid=2051
> smb_mid=3
> smt_wct=0
> smb_bcc=0
> [2010/07/20 09:37:05.559036, 3]
> libsmb/cliconnect.c:1249(cli_session_setup)
>
> SPNEGO login failed: Logon failure
> [2010/07/20 09:37:05.559098, 1]
> libsmb/cliconnect.c:2307(cli_full_connection)
>
> failed session setup with NT_STATUS_LOGON_FAILURE
> [2010/07/20 09:37:05.559256, 1] libnet/libnet_join.c:1978(libnet_Join)
>
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : NULL
> netbios_domain_name : NULL
> dns_domain_name : NULL
> forest_name : NULL
> dn : NULL
> domain_sid : NULL
> domain_sid : (NULL SID)
> modified_config : 0x00 (0)
> error_string : 'failed to lookup DC info for
> domain 'DOMAIN.COM' over rpc: Logon failure'
>
> domain_is_ad : 0x00 (0)
> result : WERR_LOGON_FAILURE
> Failed to join domain: failed to lookup DC info for domain 'DOMAIN.COM'
> over rpc: Logon failure
>
>
>
> On 19 July 2010 09:42, Marcis Lielturks <marcis.lielturks(a)gmail.com> wrote:
>
>> Hi!
>>
>> Here's comparison of "net ads join" output, between my first build of
>> samba 3.5.4 that gave "pkcs 11 error" and second build, that is failing with
>> "rpc: Logon failure". Can anyone comment on differences. I'm starting to
>> think, that the "diff -u" output says that 2nd build is failing sooner than
>> the first build did. As you can see there's a lot of missing lines with
>> "sasl", "ldap" and "krb5".
>>
>> MMM
>>
>>
>> On 07/16/10 04:34 PM, Gaiseric Vandal wrote:
>>
>>> Which version of Samba? I had more trouble with Samba 3.5.x. And I have
>>> never managed to get Samba to compile with sun cc. I figured Samba was
>>> written with gcc in mind.
>>>
>>>
>>> The "failed to lookup DC info for domain 'mydomain.COM' over rpc: Logon
>>> failure' " message is interesting - not sure if you are getting login
>>> errors before lookup errors. Is your samba server configured to use your AD
>>> server as the DNS server? What version of windows is the AD server? What
>>> domain/forest mode is your AD server in?
>>>
>>> In the "windows" world clients can locate the login server via
>>> specific resource records in DNS. I don't know if Samba does this too or is
>>> still relying on netbios. I had one AD domain that was in
>>> NT4-compatibility mode and one AD domain that was in Windows 2003 native
>>> mode. Changing the client DNS settings on the samba machine seemed to
>>> help with locating the "2003 native" mode DC.
>>>
>>>
>>>
>>> On 07/16/2010 05:29 AM, Marcis Lielturks wrote:
>>>
>>>> Hi!
>>>>
>>>> First of all, thanks for replies to all ;)!
>>>>
>>>> Using GCC was a fail for me - too many errors and 2 additional things
>>>> must be compiled (tdb & talloc). I only managed to compile using Sun's cc
>>>> and gmake and will stick to them. I'm a bit further now. Now I don't get
>>>> PKCS 11 errors, when trying to do "net ads join". I recompiled openldap with
>>>> slapd (but with null backend) and "-lpkcs11" in LDFLAGS (I think this is
>>>> what helped). However now I'm getting the following when doing "net ads join"
>>>>
>>>> [2010/07/16 12:16:54, 3] param/loadparm.c:9158(lp_load_ex)
>>>> lp_load_ex: refreshing parameters
>>>> [2010/07/16 12:16:54, 3] param/loadparm.c:4929(init_globals)
>>>> Initialising global parameters
>>>> [2010/07/16 12:16:54, 2] param/loadparm.c:4785(max_open_files)
>>>> rlimit_max: rlimit_max (256) below minimum Windows limit (16384)
>>>> [2010/07/16 12:16:54.047848, 3] ../lib/util/params.c:550(pm_process)
>>>> params.c:pm_process() - Processing configuration file
>>>> "/opt/samba/lib/smb.conf"
>>>> [2010/07/16 12:16:54.047875, 3] param/loadparm.c:7842(do_section)
>>>> Processing section "[global]"
>>>> [2010/07/16 12:16:54.048365, 2] lib/interface.c:338(add_interface)
>>>> added interface e1000g0:3 ip=192.168.0.84 bcast=192.168.0.255
>>>> netmask=255.255.255.0
>>>> [2010/07/16 12:16:54.048517, 1] libnet/libnet_join.c:1947(libnet_Join)
>>>> libnet_Join:
>>>> libnet_JoinCtx: struct libnet_JoinCtx
>>>> in: struct libnet_JoinCtx
>>>> dc_name : NULL
>>>> machine_name : 'SAMBA-DEV'
>>>> domain_name : *
>>>> domain_name : 'mydomain.COM'
>>>> account_ou : NULL
>>>> admin_account : 'Administrator'
>>>> admin_password : *
>>>> machine_password : NULL
>>>> join_flags : 0x00000023 (35)
>>>> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
>>>> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
>>>> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
>>>> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
>>>> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
>>>> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
>>>> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
>>>> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
>>>> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
>>>> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
>>>> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
>>>> os_version : NULL
>>>> os_name : NULL
>>>> create_upn : 0x00 (0)
>>>> upn : NULL
>>>> modify_config : 0x00 (0)
>>>> ads : NULL
>>>> debug : 0x01 (1)
>>>> use_kerberos : 0x00 (0)
>>>> secure_channel_type : SEC_CHAN_WKSTA (2)
>>>> [2010/07/16 12:17:00.052208, 2] libads/cldap.c:97(ads_cldap_netlogon)
>>>> cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
>>>> [2010/07/16 12:17:00.141661, 3]
>>>> libsmb/cliconnect.c:2201(cli_start_connection)
>>>> Connecting to host=BORED.mydomain.com
>>>> [2010/07/16 12:17:00.141828, 3]
>>>> lib/util_sock.c:974(open_socket_out_send)
>>>> Connecting to 192.168.0.94 at port 445
>>>> [2010/07/16 12:17:00.143207, 3]
>>>> libsmb/cliconnect.c:991(cli_session_setup_spnego)
>>>> Doing spnego session setup (blob length=107)
>>>> [2010/07/16 12:17:00.143274, 3]
>>>> libsmb/cliconnect.c:1019(cli_session_setup_spnego)
>>>> got OID=1.2.840.48018.1.2.2
>>>> got OID=1.2.840.113554.1.2.2
>>>> got OID=1.2.840.113554.1.2.2.3
>>>> got OID=1.3.6.1.4.1.311.2.2.10
>>>> [2010/07/16 12:17:00.143302, 3]
>>>> libsmb/cliconnect.c:1029(cli_session_setup_spnego)
>>>> got principal=bored$@mydomain.COM
>>>> [2010/07/16 12:17:00.143856, 3]
>>>> libsmb/ntlmssp.c:1101(ntlmssp_client_challenge)
>>>> Got challenge flags:
>>>> [2010/07/16 12:17:00.143870, 3]
>>>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>>>> Got NTLMSSP neg_flags=0x62898215
>>>> [2010/07/16 12:17:00.143883, 3]
>>>> libsmb/ntlmssp.c:1123(ntlmssp_client_challenge)
>>>> NTLMSSP: Set final flags:
>>>> [2010/07/16 12:17:00.143894, 3]
>>>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>>>> Got NTLMSSP neg_flags=0x60088215
>>>> [2010/07/16 12:17:00.143984, 3]
>>>> libsmb/ntlmssp_sign.c:343(ntlmssp_sign_init)
>>>> NTLMSSP Sign/Seal - Initialising with flags:
>>>> [2010/07/16 12:17:00.143997, 3]
>>>> libsmb/ntlmssp.c:65(debug_ntlmssp_flags)
>>>> Got NTLMSSP neg_flags=0x60088215
>>>> [2010/07/16 12:17:00.177128, 3]
>>>> libsmb/cliconnect.c:1249(cli_session_setup)
>>>> SPNEGO login failed: Logon failure
>>>> [2010/07/16 12:17:00.177159, 1]
>>>> libsmb/cliconnect.c:2307(cli_full_connection)
>>>> failed session setup with NT_STATUS_LOGON_FAILURE
>>>> [2010/07/16 12:17:00.177271, 1] libnet/libnet_join.c:1978(libnet_Join)
>>>> libnet_Join:
>>>> libnet_JoinCtx: struct libnet_JoinCtx
>>>> out: struct libnet_JoinCtx
>>>> account_name : NULL
>>>> netbios_domain_name : NULL
>>>> dns_domain_name : NULL
>>>> forest_name : NULL
>>>> dn : NULL
>>>> domain_sid : NULL
>>>> domain_sid : (NULL SID)
>>>> modified_config : 0x00 (0)
>>>> error_string : 'failed to lookup DC info for
>>>> domain 'mydomain.COM' over rpc: Logon failure'
>>>> domain_is_ad : 0x00 (0)
>>>> result : WERR_LOGON_FAILURE
>>>> [2010/07/16 12:17:00.177442, 2] utils/net.c:916(main)
>>>>
>>>>
>>>> Interesting is that if I supply wrong username output doesn't differ
>>>> much. Below you can see differences (I stripped time to be able to use
>>>> diff).
>>>>
>>>> --- pass_ok_stripped.txt 2010-07-16 12:19:11.869234402 +0300
>>>> +++ pass_wrong_stripped.txt 2010-07-16 12:19:22.318101275 +0300
>>>> @@ -19,7 +19,7 @@
>>>> domain_name : *
>>>> domain_name : 'mydomain.COM'
>>>> account_ou : NULL
>>>> - admin_account : 'Administrator'
>>>> + admin_account : 'Adminisdgasgasdtor'
>>>> admin_password : *
>>>> machine_password : NULL
>>>> join_flags : 0x00000023 (35)
>>>> @@ -43,8 +43,6 @@
>>>> debug : 0x01 (1)
>>>> use_kerberos : 0x00 (0)
>>>> secure_channel_type : SEC_CHAN_WKSTA (2)
>>>> - libads/cldap.c:97(ads_cldap_netlogon)
>>>> - cldap_netlogon() failed: NT_STATUS_IO_TIMEOUT
>>>> libsmb/cliconnect.c:2201(cli_start_connection)
>>>> Connecting to host=BORED.ProServe.com
>>>> lib/util_sock.c:974(open_socket_out_send)
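Review bot: the context line "Connecting to host=BORED.ProServe.com" in this second hunk keeps the real domain, while the log pasted earlier in the same message shows that line as "host=BORED.mydomain.com" and the first hunk shows domain_name as 'mydomain.COM'; apply the same substitution to both stripped files before diffing, or drop it. Apart from admin_account, the only lines that differ are the two cldap_netlogon() NT_STATUS_IO_TIMEOUT lines, so this diff shows no difference in the session-setup result between the correct and the wrong user name.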
>>>>
>>>>
>>>> Maybe I'm missing some rpc things? "smbd -b | tail -2" says:
>>>>
>>>> Builtin modules:
>>>> pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_wbc_sam rpc_lsarpc rpc_winreg
>>>> rpc_initshutdown rpc_dssetup rpc_wkssvc rpc_svcctl rpc_ntsvcs rpc_netlogon
>>>> rpc_netdfs rpc_srvsvc rpc_spoolss rpc_eventlog rpc_samr idmap_ldap idmap_tdb
>>>> idmap_passdb idmap_nss idmap_rid idmap_hash nss_info_template auth_sam
>>>> auth_unix auth_winbind auth_wbc auth_server auth_domain auth_builtin
>>>> auth_netlogond vfs_default vfs_solarisacl vfs_zfsacl
>>>>
>>>>
>>>> MMM
>>>>
>>>> On 07/15/10 04:32 PM, Gaiseric Vandal wrote:
>>>>
>>>>> I compiled Samba 3.4.x on Solaris 10. (I have a Samba 3.4.x pdc with
>>>>> two Samba 3.0.x BDC's.) Samba 3.0.x DC's will not support Windows 7 clients
>>>>> (don't have any yet but it is probably inevitable) and doesn't seem to
>>>>> support trusts with Windows 2003 Native domains (at least it didn't for me.)
>>>>>
>>>>>
>>>>> If you follow the opensolaris forums it seems unlikely that there
>>>>> will be a compiled build of 3.4.x or 3.5.x of samba in Solaris 10 or
>>>>> OpenSolaris in the near future. I don't think it really is a licensing or
>>>>> even major technical issue. There seems to be more interest in the CIFS
>>>>> project as an alternative to Samba. Oracle/Sun sells a NAS server that
>>>>> runs on opensolaris and uses CIFS so I don't think they have much interest
>>>>> in Samba. I don't see Oracle/Sun paying anyone to work on Samba 3.4.x or
>>>>> 3.5.x integration when they have "better" solutions and more important
>>>>> priorities.
>>>>>
>>>>> To be specific, Samba doesn't require OpenLDAP but it does require LDAP
>>>>> with certain functionality. The Solaris-bundled Samba does use OpenLDAP.
>>>>> But if you are compiling it yourself OpenLDAP is the way to do it.
>>>>> Easiest to just get the openldap precompiled from blastwave or
>>>>> sunfreeware.com. And there is precompiled Samba available from
>>>>> Sunfreeware and Blastwave but it may lack the features you need, so you
>>>>> probably need to compile anyway.
>>>>>
>>>>> If you don't need AD support, then the Sun ldap client
>>>>> functionality should be sufficient.
>>>>>
>>>>>
>>>>> I didn't know about the NGROUPS_MAX option. I would have disabled it
>>>>> if I had known, since I am subject to the 16 group NFS v3 limit. (What I
>>>>> really need to do is switch to NFS v4 and use kerberos authentication for
>>>>> NFS clients.)
>>>>>
>>>>> The OpenSolaris developer build (from earlier this year - not the
>>>>> official release from last year) has updated GCC and other tools that may
>>>>> make compiling easier. Gcc from Sun (and even Sunfreeware) uses
>>>>> "/usr/ccs/bin/ld" as the linker. You may need to rename the file and
>>>>> symlink it to gld (gnu linker). Samba compiling also requires that you
>>>>> set the CPPFLAGS and LDFLAGS as well.
>>>>>
>>>>> e.g.
>>>>>
>>>>>
>>>>> PATH=/usr/sfw/bin:/usr/ccs/bin:$PATH
>>>>> PATH=/usr/local/samba-3.4.5/bin:/usr/local/samba-3.4.5/sbin:$PATH
>>>>> LD_LIBRARY_PATH=/usr/sfw/lib:/usr/ccs/lib:$LD_LIBRARY_PATH
>>>>> LD_LIBRARY_PATH=/usr/local/samba-3.4.5:$LD_LIBRARY_PATH
>>>>>
>>>>> export LD_LIBRARY_PATH
>>>>> export CPPFLAGS="-I/usr/local/include -I/usr/local/ssl/include
>>>>> -I/usr/include"
>>>>> export LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib
>>>>> -L/usr/local/lib -R/usr/local/lib -L/usr/lib -R/usr/lib"
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> I posted questions/results to the list earlier this year about my
>>>>> experiences.
>>>>>
>>>>> On 07/14/2010 05:38 PM, Mārcis Lielturks wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> On 15 July 2010 00:28, Jeremy Allison <jra(a)samba.org> wrote:
>>>>>>
>>>>>> On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:
>>>>>> > Thanks, machine won't provide NFS or ssh login services, so
>>>>>> > fiddling with max groups should do no harm!
>>>>>> >
>>>>>> > I googled a bit and found that samba should be recompiled to take
>>>>>> > advantage of new NGROUPS_MAX. "./configure" logs also suggested
>>>>>> > that NGROUPS_MAX is evaluated only at compile time.
>>>>>>
>>>>>> Yep. Recompilation should do the trick once the kernel understands
>>>>>> large numbers of groups.
>>>>>>
>>>>>> > Can anybody share experience on compiling samba on OpenSolaris?
>>>>>> > What's the most painless way? I'm considering to use latest 3.5.5
>>>>>> > but maybe I should use same version Sun (Oracle) is using - 3.0.37?
>>>>>> > I have to set up Samba on 2 servers, which already replicate
>>>>>> > storage, so ID mapping must be consistent between both Samba
>>>>>> > servers. Servers have to provide shares also to trusted domains,
>>>>>> > but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
>>>>>> > supported to provide mappings for more than one domain, so anything
>>>>>> > newer than 3.0.37 sounds like the right choice.
>>>>>>
>>>>>> The only reason they use 3.0.x is they're still unable to cope
>>>>>> with the GPLv3 in (Open?)Solaris. Which is ironic as Oracle
>>>>>> Linux has been shipping GPLv3 Samba for a while. But it's a big
>>>>>> company, you can't expect one part to know what another part is
>>>>>> up to :-).
>>>>>>
>>>>>> Yeah, I read about that, but still, I was thinking that as they ship
>>>>>> 3.0.37, it should also be easier to compile because OS has all that's
>>>>>> necessary for 3.0.37. Newer Samba versions may have some dependencies (new
>>>>>> libs or newer version of libs), that might be harder to satisfy. I have
>>>>>> never compiled samba so far and all I know at the moment (from
>>>>>> documentation) is that AD support requires krb5 and openldap development
>>>>>> libraries and files.
>>>>>>
>>>>>>
>>>>>> Jeremy.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> ML
>>>>>>
>>>>>
>>>>>
>>>
>
>
> --
> ML
>



--
ML
From: Volker Lendecke on
On Thu, Jul 22, 2010 at 11:13:40AM +0300, Mārcis Lielturks wrote:
> When tracing smbd with "truss smbd -d10 -FiS" I see some unsuccessful stats
> for nss_winbind.so.1 library (I compiled without --enable-nss-wrapper). For
> now I'll try to recompile with this option and see what happens.
> 21017: write(1, " T r y i n g _ G e t _".., 60) = 60
> 21017: getuid() = 0 [0]
> 21017: getuid() = 0 [0]
> 21017: open64("/var/run/name_service_door", O_RDONLY) Err#2 ENOENT
> 21017: open("/etc/passwd", O_RDONLY) = 32
> 21017: fstat64(32, 0x080466C0) = 0
> 21017: fstat64(32, 0x080465D0) = 0
> 21017: ioctl(32, TCGETA, 0x08046670) Err#25 ENOTTY
> 21017: read(32, " r o o t : x : 0 : 0 : S".., 1536) = 1255
> 21017: read(32, 0x0893096C, 1536) = 0
> 21017: llseek(32, 0, SEEK_CUR) = 1255
> 21017: close(32) = 0
> 21017: stat64("/opt/samba/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
> 21017: stat64("/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
> 21017: stat64("/usr/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT

You have to copy the nss_winbind.so you have just compiled
manually to one of those locations.

Volker
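
The check behind the reply above, as an added example that is not part of the thread: it reads truss output plus an nsswitch.conf and reports each configured backend whose nss_<backend>.so.N was probed but never found, with the directories that were searched. The function names are hypothetical and the sample trace is constructed from the lines quoted above (the nss_files line is invented for contrast).

```shell
#!/bin/sh
# Added example: which NSS backends named in nsswitch.conf could the
# traced process not load, and where did it look for them?

# Read truss output on stdin; print "module: dir dir ..." for every
# nss_*.so.N that was probed with stat/open and never located.
missing_nss_modules() {
    awk '
    /(stat|open)(64)?\("[^"]*\/nss_[A-Za-z0-9_]+\.so\.[0-9]+"/ {
        split($0, q, "\"")                 # q[2] = first quoted argument (the path)
        n = split(q[2], part, "/")
        mod = part[n]                      # e.g. nss_winbind.so.1
        dir = substr(q[2], 1, length(q[2]) - length(mod) - 1)
        if ($0 ~ /Err#[0-9]+ ENOENT/) {
            if (!((mod, dir) in tried)) {  # the trace repeats each lookup
                tried[mod, dir] = 1
                dirs[mod] = dirs[mod] " " dir
            }
            if (!(mod in state)) state[mod] = "missing"
        } else if ($0 !~ /Err#/) {
            state[mod] = "found"           # one successful probe is enough
        }
    }
    END { for (m in state) if (state[m] == "missing") print m ":" dirs[m] }
    ' | sort
}

# Print the distinct backends listed for passwd and group in the
# nsswitch.conf given as $1 (comments and [STATUS=action] tokens skipped).
nsswitch_backends() {
    sed 's/#.*//' "$1" | awk -F: '
    $1 == "passwd" || $1 == "group" {
        n = split($2, b, " ")
        for (i = 1; i <= n; i++) if (b[i] ~ /^[A-Za-z0-9_]+$/) print b[i]
    }' | sort -u
}

# $1 = truss log, $2 = nsswitch.conf: configured backends with no module found.
unresolved_backends() {
    missing=$(missing_nss_modules < "$1")
    for be in $(nsswitch_backends "$2"); do
        printf '%s\n' "$missing" | grep "^nss_${be}\.so\." || true
    done
}

# Run the check on constructed sample input.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/truss.log" <<'EOF'
21017: open("/etc/passwd", O_RDONLY) = 32
21017: stat64("/lib/nss_files.so.1", 0x08045FF0) = 0
21017: stat64("/opt/samba/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/usr/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/opt/samba/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
21017: stat64("/usr/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
EOF
    cat > "$tmp/nsswitch.conf" <<'EOF'
passwd: files winbind
group: files winbind
EOF
    unresolved_backends "$tmp/truss.log" "$tmp/nsswitch.conf"
    rm -rf "$tmp"
}

demo
```

Each directory printed for a module is one of the locations the reply refers to; once the module exists in any of them the backend drops out of the report.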
From: Marcis Lielturks on
Hey!

Thanks! This helped to get "id" working, but not smbd. smbd is still
exiting when a domain admin tries to access a share; winbindd and nmbd keep
running.
Last lines from smbd:

read_fd_with_timeout: blocking read. EOF from client.
receive_smb_raw: NT_STATUS_END_OF_FILE
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
change_to_root_user: now uid=(0,0) gid=(0,0)
Yielding connection to
Locking key D6300000FFFFFFFF0000
Allocated locked data 0x893dcf8
Unlocking key D6300000FFFFFFFF0000
Server exit (failed to receive smb request)

At the time when smbd kills itself, winbind says "Could not read client
request from fd 17: I/O error"

I can send output from truss (strace) and STDOUT for smbd, nmbd and
winbindd (all running with "-FiS" and debug level 10).


MMM

by the way, did you know, that mouse initially was invented
just for simplifying text selection in xterm?


On 07/22/10 02:10 PM, Volker Lendecke wrote:
> On Thu, Jul 22, 2010 at 11:13:40AM +0300, Mārcis Lielturks wrote:
>
>> When tracing smbd with "truss smbd -d10 -FiS" I see some unsuccessful stats
>> for nss_winbind.so.1 library (I compiled without --enable-nss-wrapper). For
>> now I'll try to recompile with this option and see what happens.
>> 21017: write(1, " T r y i n g _ G e t _".., 60) = 60
>> 21017: getuid() = 0 [0]
>> 21017: getuid() = 0 [0]
>> 21017: open64("/var/run/name_service_door", O_RDONLY) Err#2 ENOENT
>> 21017: open("/etc/passwd", O_RDONLY) = 32
>> 21017: fstat64(32, 0x080466C0) = 0
>> 21017: fstat64(32, 0x080465D0) = 0
>> 21017: ioctl(32, TCGETA, 0x08046670) Err#25 ENOTTY
>> 21017: read(32, " r o o t : x : 0 : 0 : S".., 1536) = 1255
>> 21017: read(32, 0x0893096C, 1536) = 0
>> 21017: llseek(32, 0, SEEK_CUR) = 1255
>> 21017: close(32) = 0
>> 21017: stat64("/opt/samba/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
>> 21017: stat64("/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
>> 21017: stat64("/usr/lib/nss_winbind.so.1", 0x08045FF0) Err#2 ENOENT
>>
> You have to copy the nss_winbind.so you have just compiled
> manually to one of those locations.
>
> Volker
>