xriss
/dev/ask
Hello,
I've been sitting in front of a problem for a few days now, fairly desperate:
I have a Debian server (up to date) with samba. The server has been running for a while and, admittedly, various hands have tried their luck with the configuration in the past. That shouldn't be a problem, though.
As a result the server has already played several roles (server_only); now it is actually a PDC with smbpassdb.
My problem:
I can see all shares from Windows and Linux machines.
I can remove machines from the domain and have them join again.
Only when I try to log on with a user that exists in the domain (from a client that has of course been joined) do I get, after a few msec, the sobering message:
"Das System kann sie nicht bei dieser Domäne anmelden, da das Computerkonto des Systems in seiner primären Domäne fehlt, oder das Kennwort für dieses Computerkonto falsch ist."
The probably interesting part in /var/log/samba.clientname (loglevel=3):
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
Transaction 1 of length 137
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBnegprot (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [LANMAN1.0]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [Windows for Workgroups 3.1a]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [LM1.2X002]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [LANMAN2.1]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(461)
Requested protocol [NT LM 0.12]
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_nt1(333)
using SPNEGO
[2006/11/27 18:28:48, 3] smbd/negprot.c:reply_negprot(555)
Selected protocol NT LM 0.12
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
Transaction 2 of length 202
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBsesssetupX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 3 6 1 4 1 311 2 2 10
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
Got secblob of size 32
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0xe0008297
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
Transaction 3 of length 240
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBsesssetupX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=12 flg2=0xc807
[2006/11/27 18:28:48, 2] smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
Doing spnego session setup
[2006/11/27 18:28:48, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/11/27 18:28:48, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user []\[]@[POSEIDON] with the new password interface
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [xxx-xxxxxx]\[]@[POSEIDON]
[2006/11/27 18:28:48, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded
[2006/11/27 18:28:48, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60008295
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(222)
User name: nobody Real name: nobody
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2006/11/27 18:28:48, 3] smbd/process.c:process_smb(1091)
Transaction 4 of length 78
[2006/11/27 18:28:48, 3] smbd/process.c:switch_message(886)
switch message SMBtconX (pid 472) conn 0x0
[2006/11/27 18:28:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:28:48, 3] smbd/service.c:make_connection_snum(479)
Connect path is '/tmp' for service [IPC$]
[2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(251)
[2006/11/27 18:28:48, 3] lib/util_seaccess.c:se_access_check(252)
se_access_check: user sid is S-1-5-21-500209785-908428947-3421464510-501
se_access_check: also S-1-5-21-500209785-908428947-3421464510-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-500209785-908428947-3421464510-132069
[2006/11/27 18:28:48, 3] smbd/vfs.c:vfs_init_default(206)
Initialising default vfs hooks
[2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share IPC$.
[2006/11/27 18:28:48, 0] smbd/service.c:make_connection_snum(577)
Can't become connected user!
[2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/11/27 18:29:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 3] smbd/process.c:process_smb(1091)
Transaction 5 of length 43
[2006/11/27 18:29:56, 3] smbd/process.c:switch_message(886)
switch message SMBulogoffX (pid 472) conn 0x0
[2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 3] smbd/reply.c:reply_ulogoffX(1264)
ulogoffX vuid=100
[2006/11/27 18:29:56, 3] smbd/process.c:timeout_processing(1334)
timeout_processing: End of file from client (client has disconnected).
[2006/11/27 18:29:56, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/27 18:29:56, 2] smbd/server.c:exit_server(609)
Closing connections
[2006/11/27 18:29:56, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/11/27 18:29:56, 3] smbd/server.c:exit_server(652)
Server exit (normal exit)
To me it looks as if the Windows client does not transmit a user name or a password to the domain controller.
e.g.
"Checking password for unmapped user []\[]@[POSEIDON] with the new password interface"
(POSEIDON is the name of the client)
So, what else can I do?
As possible starting points I see (because I found them in the Samba FAQ):
client signing
client schannel
server signing
What also worries me (because I know too little) is the whole SID business... I can't shake the feeling that the domain and the clients are somehow working with different SIDs.
Help - how can I log on to the domain as a user????
Regards
Chris
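
Added example, not part of the original post: a small Python parser that walks level-3 smbd log lines like the ones quoted above and ties together the session setup with the empty user name, the UNIX account it was mapped to, and the refused IPC$ connect. The function name `summarize` and the dictionary fields are hypothetical; the sample lines are copied from the post's log.

```python
import re

# Lines copied from the smbd log quoted in the post (header line, then message line).
SAMPLE_LOG = """\
[2006/11/27 18:28:48, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
Got user=[] domain=[] workstation=[POSEIDON] len1=1 len2=0
[2006/11/27 18:28:48, 3] smbd/password.c:register_vuid(241)
UNIX uid 65534 is UNIX user nobody, and will be vuid 100
[2006/11/27 18:28:48, 3] smbd/service.c:make_connection_snum(479)
Connect path is '/tmp' for service [IPC$]
[2006/11/27 18:28:48, 2] smbd/uid.c:change_to_user(202)
change_to_user: SMB user (unix user nobody, vuid 100) not permitted access to share IPC$.
[2006/11/27 18:28:48, 3] smbd/error.c:error_packet(129)
error packet at smbd/reply.c(415) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
AUTH = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
VUID = re.compile(r"UNIX uid \d+ is UNIX user (\S+), and will be vuid (\d+)")
DENIED = re.compile(r"vuid (\d+)\) not permitted access to share (\S+?)\.?$")
ERROR = re.compile(r"error packet at \S+ cmd=\d+ \((\w+)\) (NT_STATUS_\w+)")

def summarize(log_text):
    """Rebuild, per session setup, who the client claimed to be and what happened next."""
    sessions, by_vuid = [], {}
    ts = pending = denied = None
    for line in log_text.splitlines():
        if m := HEADER.match(line):
            ts = m[1]                      # timestamp applies to the following message line
        elif m := AUTH.search(line):       # NTLMSSP authenticate: names sent by the client
            pending = {"time": ts, "user": m[1], "domain": m[2], "workstation": m[3],
                       "anonymous": m[1] == "", "unix_user": None,
                       "denied_shares": [], "errors": []}
            sessions.append(pending)
        elif (m := VUID.search(line)) and pending:   # UNIX account the session was mapped to
            pending["unix_user"] = m[1]
            by_vuid[m[2]] = pending
            pending = None
        elif (m := DENIED.search(line)) and m[1] in by_vuid:
            denied = by_vuid[m[1]]
            denied["denied_shares"].append(m[2])
        elif (m := ERROR.search(line)) and denied:   # status returned for the refused request
            denied["errors"].append((m[1], m[2]))
            denied = None
    return sessions

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```
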