My Samba Problem - Derek's Rantings and Musings

My Samba Problem


If you're my mother, or something like that, feel free to skip this entry, because it'll be complete gibberish to you.

I'm having trouble with my Samba install at work, and need some help...

OK, I'm trying to get Samba working with LDAP. And I have it... sort of.

I have a Samba server TESTBOX, and I can authenticate to it just fine.

It seems that if I change the "netbios name" (which I was doing to simulate "connecting from some other samba server in our network"), I get:

$ smbclient //FS01/files 'foo' -U dballing -I testbox.byramhealthcare.com -N -d 4
added interface ip=10.15.49.49 bcast=10.15.49.255 nmask=255.255.255.0
Client started (version 3.0.0beta1-1 for Debian).
Connecting to 10.15.49.46 at port 445
 session request ok
Serverzone is 14400
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
session setup failed: NT_STATUS_INTERNAL_DB_ERROR

... if I set the "netbios name" back to "TESTBOX", it works just fine:

$ smbclient //TESTBOX/files 'foo' -U dballing -I testbox.byramhealthcare.com -N -d 4
added interface ip=10.15.49.49 bcast=10.15.49.255 nmask=255.255.255.0
Client started (version 3.0.0beta1-1 for Debian).
Connecting to 10.15.49.46 at port 445
 session request ok
Serverzone is 14400
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
OS=[Unix] Server=[Samba 3.0.0beta2-1 for Debian]
 session setup ok
 tconx ok
smb: \>

... is the NETBIOS name stored in the LDAP password info in such a way that it would be impossible to connect from two different netbios hosts? This seems like it would be counterproductive as a "centralized authentication database" for more than one server. Am I doing something wrong?

6 Comments

Anything in the logs on the other end?

log.nmbd shows nothing.

log.smbd shows:

[2003/07/17 08:11:28, 0] smbd/server.c:main(747)
smbd version 3.0.0beta2-1 for Debian started.
Copyright Andrew Tridgell and the Samba Team 1992-2003
[2003/07/17 08:11:48, 1] sam/idmap_tdb.c:db_idmap_init(487)
idmap uid range missing or invalid
idmap will be unable to map foreign SIDs
[2003/07/17 08:11:48, 1] sam/idmap_tdb.c:db_idmap_init(499)
idmap gid range missing or invalid
idmap will be unable to map foreign SIDs

... but I get that even when I'm using the (old/working) netbios name.

I'm still running through the source code for the 3.0.0beta1 release, but here's my current thinking:

The NT_STATUS_INTERNAL_DB_ERROR error code that you are getting is from the idmap_tdb.c file. Cross that with the idmap errors in your samba log, and I'll hazard that the two are related.

Try fixing the idmap section of the smb.conf first. It's covered pretty well in the documentation, mostly just a bullshit entry to make the system stop complaining and use reasonable values. There is a related Usenet thread here: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=2DgG.7Jq.3%40gated-at.bofh.it&scoring=d&prev=/groups%3Fq%3Didmap%2Bsamba%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3D2DgG.7Jq.3%2540gated-at.bofh.it%26rnum%3D2

I'm still looking through the source code, and I'll get back with more.

I'm a little confused by the idmap thing.

I put in:

idmap backend = ldap:ldap://ldapmaster.byramhealthcare.com
idmap only = yes
idmap uid = 10000-20000
idmap gid = 10000-20000

(because the config says "make sure you're not using the ranges for something else", and that range of uid and gid is not in use in our company).

I then restarted samba, reset my password, and tried again, and got:

session setup failed: NT_STATUS_LOGON_FAILURE

(and that's for the "baseline" of using the netbios name "TESTBOX")

D
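
A check for the idmap settings discussed in the comments above, as an added example that is not part of the original thread or of Samba: it reads the [global] section of smb.conf text, validates the "idmap uid" and "idmap gid" ranges, and reports any IDs already in use that fall inside them. The function names and the sample config, passwd and group text are constructed for illustration.

```python
import re

RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed sample inputs: the ranges from the comment, plus made-up accounts.
SAMPLE_CONF = """[global]
   netbios name = TESTBOX
   idmap uid = 10000-20000
   idmap gid = 10000-20000
"""
SAMPLE_PASSWD = "root:x:0:0::/root:/bin/sh\nsvcprint:x:10050:100::/home/svcprint:/bin/sh\n"
SAMPLE_GROUP = "root:x:0:\nusers:x:100:\n"

def parse_global(conf_text):
    """Return {parameter: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise spacing too.
            params[" ".join(key.lower().split())] = value.strip()
    return params

def ids_in_use(db_text):
    """Numeric IDs (third colon-separated field) from passwd/group-format text."""
    fields = (line.split(":") for line in db_text.splitlines())
    return {int(f[2]) for f in fields if len(f) >= 3 and f[2].isdigit()}

def check_idmap(conf_text, passwd_text, group_text):
    """List problems with the idmap uid/gid ranges; an empty list means none found."""
    params, findings = parse_global(conf_text), []
    for param, db in (("idmap uid", passwd_text), ("idmap gid", group_text)):
        value = params.get(param)
        m = RANGE_RE.match(value) if value is not None else None
        if m is None or int(m.group(1)) > int(m.group(2)):
            findings.append(f"{param}: range missing or invalid ({value!r})")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        clash = sorted(i for i in ids_in_use(db) if low <= i <= high)
        if clash:
            findings.append(f"{param}: {low}-{high} overlaps IDs in use {clash}")
    return findings

if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_CONF, SAMPLE_PASSWD, SAMPLE_GROUP):
        print(finding)
```

Where accounts live in LDAP rather than in local files, the output of `getent passwd` and `getent group` can be passed in as the passwd and group text.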

OK, so I fat-fingered the password. But now, if I do the "netbios name change" game, I get:

# smbclient //SOMEONE/files 'foo' -U dballing -I testbox -N -d 5
INFO: Current debug levels:
all: True/5
tdb: False/0
printdrivers: False/0
lanman: False/0
smb: False/0
rpc_parse: False/0
rpc_srv: False/0
rpc_cli: False/0
passdb: False/0
sam: False/0
auth: False/0
winbind: False/0
vfs: False/0
idmap: False/0
added interface ip=10.15.49.46 bcast=10.15.49.255 nmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="SOMEONE"
Client started (version 3.0.0beta2-1 for Debian).
Connecting to 10.15.49.46 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 50244
socket option SO_RCVBUF = 87424
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
session request ok
read_socket_with_timeout: timeout read. EOF from client.
size=0
smb_com=0x0
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=0
smb_flg2=0
smb_tid=0
smb_pid=0
smb_uid=0
smb_mid=0
smt_wct=0
smb_bcc=0
protocol negotiation failed

I don't know much of anything about the Samba side. But I have seen things from the AD side with authentication issues. The one that sticks out in my head is our "unixprint" user that only has logon rights in the Domain to specific machines. We never realized it was set up like that until we changed the unix server it was making its SMB connection from. The new server wasn't in the list of "logon to" servers for that user object, so the domain wouldn't authenticate it. Adding the new server to the "Account/Log On To..." list for the user in AD fixed the problem.

I wasn't privy to the specific error on Samba, so I don't know if that is at all relevant to what you are doing.

About this Entry

This page contains a single entry by Dredd published on July 17, 2003 10:41 AM.
