Univention Bugzilla – Bug 52276
univention-samba-slave-pdc broken? (windows join and logon not possible)
Last modified: 2020-11-02 16:06:18 CET
I'm not sure what the use case is for the univention-samba-slave-pdc package/setup, but the join of windows clients and the logon on windows clients (after the join problem is fixed) does not work.

master
slave (with the univention-samba-slave-pdc package)
UCS: 4.4-6 errata776
Installed: samba-memberserver=4.7
samba: 2:4.10.1-1A~4.4.0.2020100715
win7 client, with the slave as DNS/WINS server.

Join fails because the slave does not have the permissions to create a computer object in the LDAP (via the samba -> /usr/share/univention-admin-tools/univention-addmachine)

@slave-> /usr/share/univention-admin-tools/univention-addmachine 'win1$'
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 231, in doit
    output = univention.admincli.adduser.doit(arglist)
  File "/usr/lib/python2.7/dist-packages/univention/admincli/adduser.py", line 263, in doit
    object.create()
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 557, in create
    dn = self._create(response=response, serverctrls=serverctrls)
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1270, in _create
    six.reraise(exc[0], exc[1], exc[2])
  File "/usr/lib/python2.7/dist-packages/univention/admin/handlers/__init__.py", line 1254, in _create
    self.lo.add(self.dn, al, serverctrls=serverctrls, response=response)
  File "/usr/lib/python2.7/dist-packages/univention/admin/uldap.py", line 860, in add
    raise univention.admin.uexceptions.permissionDenied
permissionDenied

Temporarily fixed that in my master's slapd.conf and I was able to join the windows client. But now a logon with a domain user on the windows client fails.
Windows says "not enough memory available"

log.smbd

Mapping user []\[] from workstation [WIN7PRO]
[2020/10/28 14:10:16.550691, 5] ../../source3/auth/user_info.c:64(make_user_info)
  attempting to make a user_info for ()
[2020/10/28 14:10:16.550702, 5] ../../source3/auth/user_info.c:72(make_user_info)
  making strings for 's user_info struct
[2020/10/28 14:10:16.550712, 5] ../../source3/auth/user_info.c:117(make_user_info)
  making blobs for 's user_info struct
[2020/10/28 14:10:16.550723, 3] ../../source3/auth/auth.c:189(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[WIN7PRO] with the new password interface
[2020/10/28 14:10:16.550739, 3] ../../source3/auth/auth.c:192(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: []\[]@[WIN7PRO]
[2020/10/28 14:10:16.550750, 5] ../../lib/util/util.c:511(dump_data)
  [0000] B9 BD FB 05 EA 1F 8F D3 ........
[2020/10/28 14:10:16.550770, 4] ../../source3/smbd/sec_ctx.c:216(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2020/10/28 14:10:16.550781, 4] ../../source3/smbd/uid.c:576(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2020/10/28 14:10:16.550791, 4] ../../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2020/10/28 14:10:16.550801, 5] ../../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2020/10/28 14:10:16.550810, 5] ../../source3/auth/token_util.c:866(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2020/10/28 14:10:16.554149, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2020/10/28 14:10:16.554255, 5] ../../source3/auth/auth.c:251(auth_check_ntlm_password)
  auth_check_ntlm_password: winbind authentication for user [] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
[2020/10/28 14:10:16.554354, 2] ../../source3/auth/auth.c:334(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_MEMORY, authoritative=1
[2020/10/28 14:10:16.554460, 2] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,(null)] user []\[] at [Mi, 28 Okt 2020 14:10:16.554440 CET] with [(null)] status [NT_STATUS_NO_MEMORY] workstation [WIN7PRO] remote host [ipv4:10.200.7.60:49159] mapped to []\[]. local host [ipv4:10.200.7.161:445]
  {"timestamp": "2020-10-28T14:10:16.554690+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4625, "logonType": 3, "status": "NT_STATUS_NO_MEMORY", "localAddress": "ipv4:10.200.7.161:445", "remoteAddress": "ipv4:10.200.7.60:49159", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "", "clientAccount": "", "workstation": "WIN7PRO", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "", "mappedDomain": "", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": null, "duration": 16852}}
[2020/10/28 14:10:16.554852, 5] ../../source3/auth/auth_ntlmssp.c:196(auth3_check_password)
  Checking NTLMSSP password for \ failed: NT_STATUS_NO_MEMORY, authoritative=1
[2020/10/28 14:10:16.554947, 5] ../../auth/ntlmssp/ntlmssp_server.c:386(ntlmssp_server_auth_send)
  ntlmssp_server_auth_send: Checking NTLMSSP password for \ failed: NT_STATUS_NO_MEMORY
[2020/10/28 14:10:16.555044, 4] ../../source3/smbd/sec_ctx.c:438(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2020/10/28 14:10:16.555148, 5] ../../auth/gensec/gensec.c:508(gensec_update_done)
  gensec_update_done: ntlmssp[0x5600338be710]: NT_STATUS_NO_MEMORY
[2020/10/28 14:10:16.555243, 3] ../../auth/gensec/spnego.c:1444(gensec_spnego_server_negTokenTarg_step)
  gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_MEMORY
[2020/10/28 14:10:16.555344, 5] ../../auth/gensec/gensec.c:508(gensec_update_done)
  gensec_update_done: spnego[0x5600338bd860]: NT_STATUS_NO_MEMORY

Did we break that with an earlier update? What is the use case for univention-samba-slave-pdc?
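For triage of a log.smbd like the one in the report above, the JSON "Authentication" records can be pulled out of the surrounding debug text and failed logons split into rejected credentials versus server-side faults such as NT_STATUS_NO_MEMORY. This is an added example, not part of the original report or of Univention's or Samba's code; the function names, the status list and the sample text (first record trimmed from the report, second invented for contrast) are assumptions.

```python
import json

# Statuses that mean the credentials were rejected; any other status on a
# failed logon points at the server side (constructed, non-exhaustive list).
CREDENTIAL_STATUSES = {"NT_STATUS_WRONG_PASSWORD", "NT_STATUS_NO_SUCH_USER",
                       "NT_STATUS_LOGON_FAILURE"}

def auth_events(log_text):
    """Return the JSON "Authentication" records embedded in log.smbd text."""
    decoder, events, pos = json.JSONDecoder(), [], 0
    while (pos := log_text.find('{"timestamp"', pos)) != -1:
        try:
            # raw_decode parses one JSON document and reports where it ended
            record, pos = decoder.raw_decode(log_text, pos)
        except json.JSONDecodeError:
            pos += 1              # truncated record, keep scanning
            continue
        if record.get("type") == "Authentication":
            events.append(record["Authentication"])
    return events

def classify(event):
    """Label one event: ok, credential failure, or server-side fault."""
    status = event["status"]
    if status == "NT_STATUS_OK":
        return "ok"
    kind = "credential" if status in CREDENTIAL_STATUSES else "server-side"
    who = event.get("clientAccount") or "<empty account>"
    return f'{kind}: {who} from {event.get("workstation")} ({status})'

# Constructed sample: debug text with two JSON records mixed in.
SAMPLE = (
    'Auth: [SMB2,(null)] user []\\[] status [NT_STATUS_NO_MEMORY] '
    '{"timestamp": "2020-10-28T14:10:16.554690+0100", "type": "Authentication", '
    '"Authentication": {"eventId": 4625, "logonType": 3, '
    '"status": "NT_STATUS_NO_MEMORY", "clientAccount": "", "workstation": "WIN7PRO"}} '
    '[2020/10/28 14:10:16.554852, 5] auth3_check_password '
    '{"timestamp": "2020-10-28T14:12:00.000000+0100", "type": "Authentication", '
    '"Authentication": {"eventId": 4625, "logonType": 3, '
    '"status": "NT_STATUS_WRONG_PASSWORD", "clientAccount": "alice", "workstation": "WIN7PRO"}}'
)

if __name__ == "__main__":
    for event in auth_events(SAMPLE):
        print(classify(event))
```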
In the tests for UCS-5 / Samba 4.13 we see that smbd doesn't start with:

[2020/11/02 15:29:03.435554, 0] ../../source3/smbd/server.c:1784(main)
  smbd version 4.13.0-Univention started.
  Copyright Andrew Tridgell and the Samba Team 1992-2020
[2020/11/02 15:29:03.503291, 0] ../../source3/lib/smbldap.c:1052(smbldap_connect_system)
  failed to bind to server ldap://slave098.autotest098.local:7389 with dn=""cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local"" Error: Invalid DN syntax
  invalid DN
[2020/11/02 15:29:19.642529, 0] ../../source3/passdb/pdb_ldap.c:6754(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2020/11/02 15:29:19.642712, 0] ../../source3/passdb/pdb_interface.c:180(make_pdb_method_name)
  pdb backend ldapsam:"ldap://slave098.autotest098.local:7389" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

Maybe that's related. If I go to smb.conf and remove the quotes from the dn given for parameter "ldap admin dn" and do "smbpasswd -w" again then smbd starts again.
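A check for the condition described in the comment above, a quoted "ldap admin dn" value that reaches the LDAP bind with its quotes and is rejected as an invalid DN. This is an added example, not code from the bug report or from Univention or Samba; the function names, the DN shape check and the smb.conf fragment are assumptions, with only the host name and DN taken from the log.

```python
import re

# Parameters whose value is handed to the LDAP bind as a DN. Only
# "ldap admin dn" comes from the report; extend the set as needed.
DN_PARAMS = {"ldapadmindn"}

def looks_like_dn(value):
    """Rough shape check: comma-separated attr=value pairs, no stray quote."""
    parts = re.split(r"(?<!\\),", value)
    return all(re.fullmatch(r'\s*[A-Za-z][\w.-]*\s*=\s*[^\s"].*', p) for p in parts)

def check_dn_params(conf_text):
    """Return one finding per DN-valued parameter in smb.conf text."""
    findings, section = [], None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and embedded whitespace
        if not sep or re.sub(r"\s+", "", name).lower() not in DN_PARAMS:
            continue
        value = value.strip()
        bare = value.strip('"')
        findings.append({
            "line": lineno, "section": section, "value": value,
            "quoted": bare != value,
            "valid_dn": looks_like_dn(value),
            "suggested": bare if bare != value and looks_like_dn(bare) else None,
        })
    return findings

# Constructed smb.conf fragment; host name and DN are the ones in the log above.
SAMPLE_CONF = """\
[global]
    passdb backend = ldapsam:"ldap://slave098.autotest098.local:7389"
    ldap admin dn = "cn=slave098,cn=dc,cn=computers,dc=autotest098,dc=local"
"""

if __name__ == "__main__":
    for finding in check_dn_params(SAMPLE_CONF):
        print(finding)
```

As the comment notes, after the DN in smb.conf is changed the bind password has to be stored again with "smbpasswd -w".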
Good find with the ldap dn syntax.

The last bit of your error log:

...
pdb backend ldapsam:"ldap://slave098.autotest098.local:7389" did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

has already been spotted in bug 46437, and there is a workaround for it in our test setup.