I've got a CentOS server that's been running for about 10 years. Every few years I wipe it and install the latest CentOS and reconfigure all the services. Obviously much of the hardware has also been changed.
This machine was running CentOS 4 with samba 3.x until recently, and acting as the PDC for a small office network of Windows XP machines. I wiped it and installed the latest CentOS 6 and samba 3.6.9. Then I copied over the old config file and adjusted anything that testparm complained about.
Everything seemed to work fine - existing users could log on to their windows workstations using the existing windows domain.
Here is a testparm dump of the server settings:
[global]
workgroup = RRMSC_DOM
server string = RRM Primary Domain Controller Samba Server
interfaces = 192.168.231.0/24, 10.8.3.0/24
smb passwd file = /etc/samba/smbpasswd
passdb backend = smbpasswd
log file = /var/log/samba/smbd.log
max log size = 50
smb ports = 139
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
logon script = logon.bat
logon path = \\%L\Profiles\%U
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
message command = /bin/mail -s 'message from #% on %M< %S; rm %S
idmap config * : backend = tdb
admin users = root, sdc
hosts allow = 192.168.231.0/24, 127.0.0.1, 10.8.3.0/24
cups options = raw
Recently I added a new user jim. Followed the standard procedure of using useradd to add this user and add him to the same unix group as other users. I set his unix password with passwd and his samba password with smbpasswd.
However, I find that jim cannot log on to any of the windows workstations in the office. On the windows workstation you see the message 'Logon failure: unknown user name or bad password.'
I've checked eventvwr on a windows workstation and see nothing related to failed logins.
To troubleshoot this on the linux server side I increased my log level in smb.conf to
log level = 2 auth:10
And I see this in the log:
[2013/05/14 20:28:21.994731, 5] auth/auth_util.c:211(make_user_info_map)
Mapping user [RRMSC_DOM]\[jim] from workstation [UNCONFINED]
[2013/05/14 20:28:21.994754, 5] auth/auth_util.c:122(make_user_info)
attempting to make a user_info for jim (jim)
[2013/05/14 20:28:21.994773, 5] auth/auth_util.c:132(make_user_info)
making strings for jim's user_info struct
[2013/05/14 20:28:21.994792, 5] auth/auth_util.c:164(make_user_info)
making blobs for jim's user_info struct
[2013/05/14 20:28:21.994811, 10] auth/auth_util.c:182(make_user_info)
made an encrypted user_info for jim (jim)
[2013/05/14 20:28:21.994829, 3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [RRMSC_DOM]\[jim]@[UNCONFINED] with the new password interface
[2013/05/14 20:28:21.994851, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [RRMSC_DOM]\[jim]@[UNCONFINED]
[2013/05/14 20:28:21.994882, 10] auth/auth.c:228(check_ntlm_password)
check_ntlm_password: auth_context challenge created by random
[2013/05/14 20:28:21.994901, 10] auth/auth.c:230(check_ntlm_password)
challenge is:
[2013/05/14 20:28:21.994921, 10] auth/auth.c:256(check_ntlm_password)
check_ntlm_password: guest had nothing to say
[2013/05/14 20:28:21.995773, 4] auth/auth_sam.c:180(sam_account_ok)
sam_account_ok: Checking SMB password for user jim
[2013/05/14 20:28:21.995816, 5] auth/auth_sam.c:162(logon_hours_ok)
logon_hours_ok: user jim allowed to logon at this time (Wed May 15 03:28:21 2013
)
[2013/05/14 20:28:21.996529, 5] auth/auth_util.c:649(make_server_info_sam)
make_server_info_sam: made server info for user jim -> jim
[2013/05/14 20:28:21.996573, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: sam authentication for user [jim] succeeded
[2013/05/14 20:28:21.996611, 5] auth/auth.c:291(check_ntlm_password)
check_ntlm_password: PAM Account for user [jim] succeeded
[2013/05/14 20:28:21.996630, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [jim] -> [jim] -> [jim] succeeded
[2013/05/14 20:28:21.996652, 5] auth/auth_util.c:2119(free_user_info)
attempting to free (and zero) a user_info structure
[2013/05/14 20:28:21.996670, 10] auth/auth_util.c:2123(free_user_info)
structure was created for jim
The thing that particularly confuses me is the message about authentication for user [jim] succeeded. That seems to indicate that the user logs in correctly on the server, but he can't log in on the workstation.
So can anyone tell me what is going wrong here or where else I should look to troubleshoot?
Note that I had previously set selinux to disabled on this machine so it's not a selinux problem.
Some internet friends suggested some sort of caching may be to blame. Based on that, I decided to try removing a workstation from the domain and re-adding it.
That worked! Once I forced the workstation to clear out the domain and re-add it, user jim could finally log on. Whee!
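An added example, not part of the original posts: a small Python parser for the two-line smbd records shown in the question's log, reporting the final `check_ntlm_password` verdict per user. The sample log is constructed; user `bob` and the `FAILED with error` line are assumptions about what a rejected logon looks like at this log level.

```python
import re

# Constructed sample in the two-line record layout of the question's log
# ("log level = 2 auth:10"): a bracketed header, then the message line.
# The bob/FAILED record is an assumption added to show the rejected case.
SAMPLE_LOG = """\
[2013/05/14 20:28:21.995773, 4] auth/auth_sam.c:180(sam_account_ok)
sam_account_ok: Checking SMB password for user jim
[2013/05/14 20:28:21.996573, 3] auth/auth.c:265(check_ntlm_password)
check_ntlm_password: sam authentication for user [jim] succeeded
[2013/05/14 20:28:21.996630, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [jim] -> [jim] -> [jim] succeeded
[2013/05/14 20:30:02.101201, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+\S+\((?P<func>\w+)\)")
# Only the end-of-chain line carries "->"; the per-backend "sam" line does not.
VERDICT = re.compile(
    r"[Aa]uthentication for user \[(?P<user>[^\]]*)\] -> .*?"
    r"(?:succeeded|FAILED with error (?P<status>\S+))")

def parse_records(text):
    """Group each header line with the message line(s) that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": m["func"], "msg": ""}
            records.append(current)
        elif current is not None:
            # Continuation lines (e.g. a lone ")") are folded into the message.
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def final_verdicts(text):
    """Map each user to (timestamp, result) of the last final auth decision."""
    verdicts = {}
    for rec in parse_records(text):
        m = VERDICT.search(rec["msg"]) if rec["func"] == "check_ntlm_password" else None
        if m:
            verdicts[m["user"]] = (rec["ts"], m["status"] or "succeeded")
    return verdicts

if __name__ == "__main__":
    for user, (ts, result) in final_verdicts(SAMPLE_LOG).items():
        print(f"{ts}  {user}: {result}")
```

A `succeeded` verdict for the affected user, as in the question's log, means smbd accepted the credentials, so the remaining troubleshooting belongs on the workstation side.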
I am guessing that all you need to do is disable SELinux using this method outlined in this link. SELinux was probably not part of CentOS4. There is a way to get Samba to work with SELinux enabled but it isn't trivial.