I am configuring two identical PDCs so that, if one goes down, the other can start to serve logins.

The first PDC, a Debian 3.0 with Samba 2.999+3.0cvs20020723-1, works fine. The second PDC, which I bring up after manually killing smbd and nmbd on the first one, is a Red Hat 7.3 with Samba compiled from the same sources (but with gcc2.96 instead of 2.95) and the same smb.conf, except for the interfaces parameter. It serves logins to XP clients well. It does not with W2k. Both get account data from the same LDAP server.

In log.smbd, after a failed login from a W2k host, I cannot find what goes wrong (the Domain Group warning appears when clients successfully log in with the other PDC, too):

[2002/10/11 16:58:55, 3] rpc_server/srv_pipe.c:api_pipe_request(1136)
  Doing \PIPE\NETLOGON
[2002/10/11 16:58:55, 3] rpc_server/srv_pipe.c:api_rpcTNP(1168)
  api_rpcTNP: rpc command: NET_SAMLOGON
[2002/10/11 16:58:55, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon(547)
  SAM Logon (Interactive). Domain:[DEBIAN]. User:[foo@HAL9000] Requested Domain:[DEBIAN]
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(190)
  check_password: Checking password for unmapped user [DEBIAN]\[foo]@[HAL9000] with the new password interface
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(193)
  check_password: mapped user is: [DEBIAN]\[foo]@[HAL9000]
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:push_sec_ctx(255)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/uid.c:push_conn_ctx(278)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:ldapsam_open_connection(249)
  ldap_open_connection: connection opened
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:ldapsam_connect_system(326)
  ldap_connect_system: succesful connection to the LDAP server
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(338)
  ldapsam_search_one_user: searching for:[(&(uid=foo)(objectclass=sambaAccount))]
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(584)
  Entry found for user: foo
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:pop_sec_ctx(394)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(222)
  check_password: sam authentication for user [foo] suceeded
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:push_sec_ctx(255)
  push_sec_ctx(99, 99) : sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/uid.c:push_conn_ctx(278)
  push_conn_ctx(100) : conn_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:set_sec_ctx(287)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/10/11 16:58:55, 3] smbd/sec_ctx.c:pop_sec_ctx(394)
  pop_sec_ctx (99, 99) - sec_ctx_stack_ndx = 0
[2002/10/11 16:58:55, 2] auth/auth.c:check_ntlm_password(261)
  check_password: authentication for user [foo] -> [foo] -> [foo] suceeded
[2002/10/11 16:58:55, 0] rpc_server/srv_util.c:get_domain_user_groups(346)
  get_domain_user_groups: primary gid of user [foo] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
[2002/10/11 16:58:55, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(548)
  free_pipe_context: destroying talloc pool of size 4742
[2002/10/11 16:58:55, 3] smbd/pipes.c:reply_pipe_write_and_X(198)
  writeX-IPC pnum=74d7 nwritten=272
[2002/10/11 16:58:55, 3] smbd/process.c:process_smb(868)
  Transaction 33 of length 63
[2002/10/11 16:58:55, 3] smbd/process.c:switch_message(679)
  switch message SMBreadX (pid 6689)
[2002/10/11 16:58:55, 3] smbd/pipes.c:reply_pipe_read_and_X(241)
  readX-IPC pnum=74d7 min=1024 max=1024 nread=524

The message on the W2k host says (translated): ``Access denied. Make sure username and password are correct...''

This is the smb.conf on both machines:

[global]
   workgroup = DEBIAN
   server string = Debian Samba Server
   encrypt passwords = true
   interfaces = 192.168.65.222/24
   domain logons = yes
   os level = 34
   preferred master = yes
   local master = yes
   domain master = yes
   # providing fqdn of ldap server when using ssl is CRITICAL
   passdb backend = ldapsam:ldaps://my.ldap.server tdbsam
   log level = 3
   # remove root from the following prior to adding a new machine
   invalid users = root daemon bin sys sync games man lp mail news uucp proxy postgres www-data backup operator list irc gnats identd sshd postfix dictd bard
   security = user
   browseable = no
   writeable = no
   guest ok = no
   use spnego = no
   ldap suffix = dc=rcost,dc=unisannio,dc=it
   ldap machine suffix = ou=Computers,dc=rcost,dc=unisannio,dc=it
   ldap user suffix = ou=Users,dc=rcost,dc=unisannio,dc=it
   ldap admin dn = cn=admin,dc=rcost,dc=unisannio,dc=it
   ldap ssl = yes
   #add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
   logon path = \\%N\profiles\%U
   # Following two are default. LDAP attributes override smb.conf.
   # logon home = \\%N\%U
   # logon drive = Z:
   unix password sync = yes
   passwd program = /usr/bin/passwd %u

[common]
   comment = Area comune
   path = /lan/samba/common
   writeable = yes
   guest ok = yes
   browseable = yes

[netlogon]
   path = /lan/samba/logon

[profiles]
   path = /lan/samba/profile
   writeable = yes
   guest ok = yes
   create mode = 0600
   directory mode = 0700

[homes]
   read only = no
   writable = yes
   valid users = %S
   create mode = 0644
   directory mode = 0775

Does anybody have an idea of what is happening? The fact that XP logs in fine puzzles me; I thought RequireSignOrSeal was the only difference to keep in mind when setting them up.

Massimiliano
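As an added example (not part of the original post): a small Python parser for the log.smbd layout quoted above, which pulls out the check_password outcomes and every entry at level 2 or below. The sample input is an excerpt of the log in the post; the names parse_entries and triage are illustrative.

```python
import re
from collections import namedtuple

# Header emitted before each message: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] +(\S+?):(\w+)\((\d+)\)")
Entry = namedtuple("Entry", "time level source func line msg")

# Excerpt of the log quoted in the post, in the header-then-message layout.
SAMPLE = """\
[2002/10/11 16:58:55, 3] rpc_server/srv_netlog_nt.c:_net_sam_logon(547)
  SAM Logon (Interactive). Domain:[DEBIAN]. User:[foo@HAL9000] Requested Domain:[DEBIAN]
[2002/10/11 16:58:55, 2] passdb/pdb_ldap.c:init_sam_from_ldap(584)
  Entry found for user: foo
[2002/10/11 16:58:55, 3] auth/auth.c:check_ntlm_password(222)
  check_password: sam authentication for user [foo] suceeded
[2002/10/11 16:58:55, 2] auth/auth.c:check_ntlm_password(261)
  check_password: authentication for user [foo] -> [foo] -> [foo] suceeded
[2002/10/11 16:58:55, 0] rpc_server/srv_util.c:get_domain_user_groups(346)
  get_domain_user_groups: primary gid of user [foo] is not a Domain group !
  get_domain_user_groups: You should fix it, NT doesn't like that
"""

def parse_entries(text):
    """Split log text into entries. Works whether each message sits on its own
    line or runs on after the header, as in a flattened paste."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[h.end():end].split())  # collapse line breaks
        entries.append(Entry(h.group(1), int(h.group(2)), h.group(3),
                             h.group(4), int(h.group(5)), msg))
    return entries

def triage(entries, max_level=2):
    """Return (auth_results, notable): the check_password outcomes, and every
    entry at or below max_level (a lower level is more severe)."""
    auth = [e.msg for e in entries
            if e.func == "check_ntlm_password" and "authentication for user" in e.msg]
    notable = [e for e in entries if e.level <= max_level]
    return auth, notable

if __name__ == "__main__":
    results, notable = triage(parse_entries(SAMPLE))
    for msg in results:
        print("AUTH", msg)
    for e in notable:
        print("L%d %s:%s(%d) %s" % (e.level, e.source, e.func, e.line, e.msg))
```

On this excerpt both check_password entries report success and the only level-0 entry is the Domain group warning, so the server-side log records no authentication failure for the logon.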