problems after upgrade from 3.3.2 to 3.4.0

Thomas Gutzler-3
Hi,

After upgrading one of my samba servers from ubuntu jaunty (3.3.2) to
karmic (3.4.0) I cannot access the shares any more.

The server (FINTLEWOODLEWIX) is set up to check authentication via a PDC
(IO), which is also running 3.4.0 (and has been before). Guest access is
allowed so that any users without a local unix account will be granted
read access. Valid users are allowed read/write.

After the upgrade I'm not able to connect to the share any more unless I
specifically use the guest account (nobody) and its password. When
trying to connect from a windows box (KRIKKIT), the logfile says the
following (smbd runs in -d3). It doesn't seem to matter if the user
(tom) has a local unix account or not:

[2010/05/26 11:00:17,  3] libsmb/namequery_dc.c:199(rpc_dc_name)
  rpc_dc_name: Returning DC IO (130.95.136.177) for domain OBEL
[2010/05/26 11:00:17,  3] libsmb/cliconnect.c:2031(cli_start_connection)
  Connecting to host=IO
[2010/05/26 11:00:17,  3] lib/util_sock.c:1025(open_socket_out_send)
  Connecting to 130.95.136.177 at port 445
[2010/05/26 11:00:17,  3] lib/util_sock.c:1025(open_socket_out_send)
  Connecting to 130.95.136.177 at port 139
[2010/05/26 11:00:17,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [KRIKKIT]\[tom]@[KRIKKIT] with the new password interface
[2010/05/26 11:00:17,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FINTLEWOODLEWIX]\[tom]@[KRIKKIT]
[2010/05/26 11:00:17,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/05/26 11:00:17,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/05/26 11:00:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/05/26 11:00:17,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/26 11:00:17,  3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'tom' in passdb.
[2010/05/26 11:00:17,  3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FINTLEWOODLEWIX] was for this SAM.
[2010/05/26 11:00:17,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [tom] -> [tom] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/05/26 11:00:17,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

The same user can directly connect to IO with no problems. Sending
"OBEL\tom" as user instead gives the following error:
[2010/05/26 11:08:17,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [OBEL]\[tom]@[KRIKKIT] with the new password interface
[2010/05/26 11:08:17,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FINTLEWOODLEWIX]\[tom]@[KRIKKIT]
[2010/05/26 11:08:17,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/05/26 11:08:17,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/05/26 11:08:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/05/26 11:08:17,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/26 11:08:17,  3] auth/auth_sam.c:282(check_sam_security)
  check_sam_security: Couldn't find user 'tom' in passdb.
[2010/05/26 11:08:17,  3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FINTLEWOODLEWIX] was for this SAM.
[2010/05/26 11:08:17,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [tom] -> [tom] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/05/26 11:08:17,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

Here is the output from testparm:
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[data]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = OBEL
        server string = %h file server
        security = DOMAIN
        map to guest = Bad Uid
        password server = 130.95.136.177
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        invalid users = root

[data]
        comment = valuable not backed up research data
        path = /home/fintlewoodlewix/data
        read only = No
        create mask = 0644
        force create mode = 0644
        force directory mode = 0755
        guest ok = Yes

I also set guest account = nobody in the global section which isn't
listed by testparm; maybe because it's the default.

net rpc testjoin reports: Join to 'OBEL' is OK

pdbedit -L only shows the 'nobody' account

Any suggestions how to fix this?

Cheers,
  Tom
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: problems after upgrade from 3.3.2 to 3.4.0

Christian Perrier
Quoting Thomas Gutzler ([hidden email]):
> Hi,
>
> After upgrading one of my samba servers from ubuntu jaunty (3.3.2) to
> karmic (3.4.0) I cannot access the shares any more.

The default for "passdb backend" changed between these versions (from
"smbpasswd" to "tdbsam") and, as you don't explicitly set it in
smb.conf, I'd guess this might be the reason for this.

Try adding:

passdb backend = smbpasswd



Re: problems after upgrade from 3.3.2 to 3.4.0

Thomas Gutzler-3
Hi Christian,

On 26/05/2010 4:44 PM, Christian PERRIER wrote:

> Quoting Thomas Gutzler ([hidden email]):
>> Hi,
>>
>> After upgrading one of my samba servers from ubuntu jaunty (3.3.2) to
>> karmic (3.4.0) I cannot access the shares any more.
>
> The default for "passdb backend" changed between these versions (from
> "smbpasswd" to "tdbsam") and, as you don't explicitly set it in
> smb.conf, I'd guess this might be the reason for this.
>
> Try adding:
>
> passdb backend = smbpasswd

Thanks for your reply. I am aware of this change but thought I wasn't
affected because both smb.conf (PDC and other samba server) had
   passdb backend = tdbsam
already set. Yet another setting not listed by testparm.

Out of curiosity I tried setting it to smbpasswd on fintlewoodlewix;
didn't make a difference.

Here is the full smb.conf:
[global]
   workgroup = OBEL
   server string = %h file server
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d
   security = domain
   password server = 130.95.136.177
   encrypt passwords = true
   passdb backend = tdbsam
   invalid users = root
   unix password sync = no
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   map to guest = bad uid
   guest account = nobody
   socket options = TCP_NODELAY
[data]
   comment = valuable not backed up research data
   writeable = yes
   path = /home/fintlewoodlewix/data
   create mode = 0644
   force create mode = 0644
   force directory mode = 0755
   directory mode = 0755
   guest ok = yes

Re: problems after upgrade from 3.3.2 to 3.4.0

Christian Perrier
Quoting Thomas Gutzler ([hidden email]):

>    passdb backend = tdbsam
> already set. Yet another setting not listed by testparm.

Ah, because this is the default so it's trimmed by testparm. 3.3.2
testparm would probably have it shown.

So, sorry for the wrong answer.

Are you in a position to upgrade your Ubuntu box again to "whatever
funky name used by Ubuntu 10.04" so that you bump to samba 3.4.7?

(sorry, there are too many codenames in Ubuntu and I can never
remember all of them...this is why I like to see us, Debian, release
every 2 years..:-))


Re: problems after upgrade from 3.3.2 to 3.4.0

Harry Jede
In reply to this post by Thomas Gutzler-3
On Wednesday, 26 May 2010, Thomas Gutzler wrote:

> Hi Christian,
>
> On 26/05/2010 4:44 PM, Christian PERRIER wrote:
> > Quoting Thomas Gutzler ([hidden email]):
> >> Hi,
> >>
> >> After upgrading one of my samba servers from ubuntu jaunty (3.3.2)
> >> to karmic (3.4.0) I cannot access the shares any more.
> >
> > The default for "passdb backend" changed between these versions
> > (from "smbpasswd" to "tdbsam") and, as you don't explicitly set it
> > in smb.conf, I'd guess this might be the reason for this.
> >
> > Try adding:
> >
> > passdb backend = smbpasswd
>
> Thanks for your reply. I am aware of this change but thought I wasn't
> affected because both smb.conf (PDC and other samba server) had
>    passdb backend = tdbsam
> already set. Yet another setting not listed by testparm.
Mmmh, testparm is not so bad ;-)

Try this:
# testparm -v -s /dev/null |grep passdb

Or my favorite upgrade path:
# testparm -v -s /dev/null > smb.conf.default-$(smbd -V|cut -f2 -d' ')
Run this before and after upgrading samba

To get a small host specific file without the services:
# testparm -s --section-name=global  > smb.conf.$HOSTNAME-$(smbd -V|cut -f2 -d' ')

So you may end up with 4 files:
# ls smb.conf.*
smb.conf.myserver-3.0.22
smb.conf.myserver-3.4.7
smb.conf.default-3.0.22
smb.conf.default-3.4.7

Run a diff against the default files and you may see which config params
have changed their default values.

--

Regards
        Harry Jede

Re: problems after upgrade from 3.3.2 to 3.4.0

Thomas Gutzler-3
On 27/05/2010 4:19 AM, Harry Jede wrote:

> On Wednesday, 26 May 2010, Thomas Gutzler wrote:
>>
>> On 26/05/2010 4:44 PM, Christian PERRIER wrote:
>>> Quoting Thomas Gutzler ([hidden email]):
>>>>
>>>> After upgrading one of my samba servers from ubuntu jaunty (3.3.2)
>>>> to karmic (3.4.0) I cannot access the shares any more.
>>>
>
> Or my favorite upgrade path:
> # testparm -v -s /dev/null > smb.conf.default-$(smbd -V|cut -f2 -d' ')
> Run this before and after upgrading samba
>
> To get a small host specific file without the services:
> # testparm -s --section-name=global  > smb.conf.$HOSTNAME-$(smbd -V|cut -f2 -d' ')

It's a bit late to run it before the upgrade now but I found another
machine running jaunty (enjoy), so I installed samba and ran testparm
with the smb.conf from the updated machine (fintlewoodlewix). Here's the
diff between the two defaults (without the line numbers):
# diff smb.conf.default-3.3.2 smb.conf.default-3.4.0
<       netbios name = ENJOY
>       netbios name = FINTLEWOODLEWIX
<       server string = Samba 3.3.2
>       server string = Samba 3.4.0
<       config backend = file
<       passdb backend = smbpasswd
>       passdb backend = tdbsam
<       use kerberos keytab = No
>       dedicated keytab file =
>       kerberos method = default
>       map untrusted to domain = No
<       max open files = 10000
>       max open files = 16384
<       config file =
<       lock directory =
>       lock directory = /var/run/samba
>       state directory = /var/lib/samba
>       cache directory = /var/cache/samba
>       perfcount module =
>       access based share enum = No
>       browsable = Yes
<       include =

And the host specific ones. The only thing I changed there was to get
rid of the PAM stuff and change the password server from name to IP.
# diff smb.conf.enjoy-3.3.2 smb.conf.fintlewoodlewix-3.4.0
<       obey pam restrictions = Yes
<       password server = io
>       password server = 130.95.136.177
<       passdb backend = tdbsam
<       pam password change = Yes


I also deleted all .tdb files in /var/lib/samba, the machine account on
the PDC and rejoined the domain but authentication still doesn't work.
Neither does the mapping to guest for invalid users.

While I had samba running on the jaunty machine, I joined it to the
domain and tried if I could connect to it using the same machine and
credentials as before; and I could. Even the guest account seems to work
alright with no change in the configuration other than the path in the
share.

I might follow Christian's suggestion and upgrade to 10.04 unless there
are any other suggestions. Maybe a second upgrade fixes it.

Tom
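
The before/after comparison of testparm defaults used in this thread, as an added example that is not part of any post: it parses two dumps and separates changed, added and removed parameters while ignoring host-specific lines. The dumps are constructed from values quoted in the thread; parse_global, compare_defaults and the AUTH_PARAMS selection are this example's own names and choices.

```python
# Constructed dumps: what `testparm -v -s /dev/null` might print before and
# after the upgrade, limited to parameters and values quoted in this thread.
OLD_DUMP = """
[global]
    netbios name = ENJOY
    server string = Samba 3.3.2
    passdb backend = smbpasswd
    use kerberos keytab = No
    max open files = 10000
    lock directory =
"""
NEW_DUMP = """
[global]
    netbios name = FINTLEWOODLEWIX
    server string = Samba 3.4.0
    passdb backend = tdbsam
    dedicated keytab file =
    kerberos method = default
    map untrusted to domain = No
    max open files = 16384
    lock directory = /var/run/samba
"""
# These differ per host or per build, not because a default changed.
HOST_NOISE = {"netbios name", "server string"}
# Assumption of this example: the parameters to read first after an upgrade.
AUTH_PARAMS = {"passdb backend", "map untrusted to domain", "kerberos method",
               "dedicated keytab file", "use kerberos keytab"}

def parse_global(dump):
    """Return {parameter: value} for the [global] section of a testparm dump."""
    params, section = {}, None
    for line in (raw.strip() for raw in dump.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            # Parameter names are case-insensitive; normalise spacing as well.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def compare_defaults(old_dump, new_dump):
    """Group differences so a new parameter is not lost among edited ones."""
    old, new = parse_global(old_dump), parse_global(new_dump)
    report = {
        "changed": {k: (old[k], new[k]) for k in old.keys() & new.keys()
                    if k not in HOST_NOISE and old[k] != new[k]},
        "added": {k: new[k] for k in new.keys() - old.keys()},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
    }
    report["auth_related"] = sorted(
        k for part in list(report.values()) for k in part if k in AUTH_PARAMS)
    return report
```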

Re: problems after upgrade from 3.3.2 to 3.4.0

Dale Schroeder
On 05/26/2010 9:00 PM, Thomas Gutzler wrote:

> On 27/05/2010 4:19 AM, Harry Jede wrote:
>
>> On Wednesday, 26 May 2010, Thomas Gutzler wrote:
>>
>>> On 26/05/2010 4:44 PM, Christian PERRIER wrote:
>>>
>>>> Quoting Thomas Gutzler ([hidden email]):
>>>>
>>>>> After upgrading one of my samba servers from ubuntu jaunty (3.3.2)
>>>>> to karmic (3.4.0) I cannot access the shares any more.
>>
>> Or my favorite upgrade path:
>> # testparm -v -s /dev/null > smb.conf.default-$(smbd -V|cut -f2 -d' ')
>> Run this before and after upgrading samba
>>
>> To get a small host specific file without the services:
>> # testparm -s --section-name=global  > smb.conf.$HOSTNAME-$(smbd -V|cut -f2 -d' ')
>
> It's a bit late to run it before the upgrade now but I found another
> machine running jaunty (enjoy), so I installed samba and ran testparm
> with the smb.conf from the updated machine (fintlewoodlewix). Here's the
> diff between the two defaults (without the line numbers):
> # diff smb.conf.default-3.3.2 smb.conf.default-3.4.0
> <        netbios name = ENJOY
> >        netbios name = FINTLEWOODLEWIX
> <        server string = Samba 3.3.2
> >        server string = Samba 3.4.0
> <        config backend = file
> <        passdb backend = smbpasswd
> >        passdb backend = tdbsam
> <        use kerberos keytab = No
> >        dedicated keytab file =
> >        kerberos method = default
> >        map untrusted to domain = No

I recall you saying that you had accounted for the default passdb
backend change in 3.4.0.
That leaves the authentication changes as the other big difference with
3.4.0.
I don't recall you saying whether or not KRIKKIT is in the domain.  If
KRIKKIT is not in the domain, try setting

         map untrusted to domain = Yes

on the box that is giving you problems.

Dale

> <        max open files = 10000
> >        max open files = 16384
> <        config file =
> <        lock directory =
> >        lock directory = /var/run/samba
> >        state directory = /var/lib/samba
> >        cache directory = /var/cache/samba
> >        perfcount module =
> >        access based share enum = No
> >        browsable = Yes
> <        include =
>
> And the host specific ones. The only thing I changed there was to get
> rid of the PAM stuff and change the password server from name to IP.
> # diff smb.conf.enjoy-3.3.2 smb.conf.fintlewoodlewix-3.4.0
> <        obey pam restrictions = Yes
> <        password server = io
> >        password server = 130.95.136.177
> <        passdb backend = tdbsam
> <        pam password change = Yes
>
>
> I also deleted all .tdb files in /var/lib/samba, the machine account on
> the PDC and rejoined the domain but authentication still doesn't work.
> Neither does the mapping to guest for invalid users.
>
> While I had samba running on the jaunty machine, I joined it to the
> domain and tried if I could connect to it using the same machine and
> credentials as before; and I could. Even the guest account seems to work
> alright with no change in the configuration other than the path in the
> share.
>
> I might follow Christian's suggestion and upgrade to 10.04 unless there
> are any other suggestions. Maybe a second upgrade fixes it.
>
> Tom

Re: problems after upgrade from 3.3.2 to 3.4.0

Thomas Gutzler-3
On 28/05/2010 3:14 AM, Dale Schroeder wrote:

>>>>> Quoting Thomas Gutzler ([hidden email]):
>>>>>        
>>>>>> After upgrading one of my samba servers from ubuntu jaunty (3.3.2)
>>>>>> to karmic (3.4.0) I cannot access the shares any more.
>      
> I recall you saying that you had accounted for the default passdb
> backend change in 3.4.0.
> That leaves the authentication changes as the other big difference with
> 3.4.0.
> I don't recall you saying whether or not KRIKKIT is in the domain.  If
> KRIKKIT is not in the domain, try setting
>
>         map untrusted to domain = Yes
>
> on the box that is giving you problems.

That fixed it.
And I really don't know why I didn't spot that from the output I posted.
I must have been assuming identical behaviour for PDC and domain member,
which isn't the case for map untrusted to domain.

Thanks for your help!

Tom
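
The detail in the posted log that pointed to the fix, as an added example that is not part of the thread: smbd logs the domain the client sent and the domain it mapped the user to, and a rewrite to the member server's own name followed by a failed logon means the lookup went to the local SAM instead of the DC. The function names are this example's own; the log excerpt is trimmed from the first post.

```python
import re

# Excerpt of the smbd -d3 log from the first post, folded as mail clients wrap it.
SAMPLE_LOG = r"""
[2010/05/26 11:00:17,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[KRIKKIT]\[tom]@[KRIKKIT] with the new password interface
[2010/05/26 11:00:17,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FINTLEWOODLEWIX]\[tom]@[KRIKKIT]
[2010/05/26 11:00:17,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [tom] -> [tom] FAILED
with error NT_STATUS_NO_SUCH_USER
[2010/05/26 11:08:17,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[OBEL]\[tom]@[KRIKKIT] with the new password interface
[2010/05/26 11:08:17,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [FINTLEWOODLEWIX]\[tom]@[KRIKKIT]
[2010/05/26 11:08:17,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [tom] -> [tom] FAILED
with error NT_STATUS_NO_SUCH_USER
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+\d+\]")
IDENT = r"\[(.*?)\]\\\[(.*?)\]@\[(.*?)\]"   # [DOMAIN]\[user]@[WORKSTATION]
UNMAPPED = re.compile(r"for unmapped user " + IDENT)
MAPPED = re.compile(r"mapped user is: " + IDENT)
FAILED = re.compile(r"FAILED with error (\S+)")

def records(log):
    """Return [timestamp, message] pairs with folded lines rejoined."""
    out = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            out.append([m.group(1), ""])
        elif out and line.strip():
            out[-1][1] = (out[-1][1] + " " + line.strip()).strip()
    return out

def find_local_sam_rewrites(log, server_name):
    """Failed logons whose domain smbd rewrote to its own (local SAM) name."""
    findings, cur, local = [], {}, server_name.upper()
    for stamp, msg in records(log):
        if m := UNMAPPED.search(msg):
            cur = {"time": stamp, "user": m.group(2), "sent_domain": m.group(1)}
        elif cur and (m := MAPPED.search(msg)):
            cur["mapped_domain"] = m.group(1)
        elif cur and (m := FAILED.search(msg)):
            sent = cur["sent_domain"].upper()
            mapped = cur.get("mapped_domain", "").upper()
            # A logon sent with the server's own name is a genuine local one.
            if mapped == local and sent != local:
                findings.append({**cur, "status": m.group(1)})
            cur = {}
    return findings
```

Called with the member server's NetBIOS name (FINTLEWOODLEWIX here), it returns both failed attempts from the excerpt, the one sent as KRIKKIT\tom and the one sent as OBEL\tom.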