Hi Scott,
Good to see 64-bit. I would suggest doing something like this, as follows:
Log on to a BDC that is currently accepting domain logons and is replicating
the database from the PDC.
as root > slapcat -v -l ldif-transfer.txt # to dump the database
root > scp ldif-transfer.txt root@RHE4BDC:/dir
root > net getlocalsid > sidtransfer.txt # vi and check the file for the SID number
root > scp sidtransfer.txt root@RHE4BDC:/dir
Log on to the RHE4 BDC as root
root > cd /dir # you should see ldif-transfer.txt & sidtransfer.txt
root > service ldap stop
root > cd /var/lib/ldap
root > rm -rf * # be sure to be in right dir "/var/lib/ldap"
root > cd /dir
root > slapadd -v -l ldif-transfer.txt
root > chown -R ldap.ldap /var/lib/ldap
root > service ldap start
root > smbpasswd -w secretpassword
root > net rpc getsid
root > net rpc join
At this stage restart samba & ldap on the RHE4BDC and do a
root > net getlocalsid # check that it matches your SID from /dir/sidtransfer.txt
# if not, cat sidtransfer.txt and "net setlocalsid sid-556S-1-5-21-3018044689..
Test again and let us know; make sure user names are being replicated from
the PDC to all BDCs.
Cheers,
Adrian Sender
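The SID check and LDAP reload from the steps above, as an added shell example that is not part of Adrian's reply: extract_sid, sid_check and reload_ldap_db are names chosen here, the sample `net getlocalsid` lines are constructed, and the SID values are made up.

```shell
#!/bin/sh
# Added example (not from the thread): the SID consistency check and the LDAP
# reload from the steps above, as functions that can be tried on saved output
# before touching a live BDC. Assumes `net getlocalsid` prints
# "SID for domain <NAME> is: S-1-5-21-..." as samba 3.0.x does.

# Pull the first S-1-5-21-... SID out of `net getlocalsid` output (or a saved
# copy of it such as sidtransfer.txt). Prints nothing if no SID is present.
extract_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Compare the SID saved on the old BDC with the one the new BDC reports.
# Returns 0 on match, 1 on mismatch, 2 when either input holds no SID.
sid_check() {
    old=$(extract_sid "$1")
    new=$(extract_sid "$2")
    [ -n "$old" ] && [ -n "$new" ] || return 2
    [ "$old" = "$new" ]
}

# Stop slapd, wipe its database directory and reload it from the ldif dump.
# Both paths are verified first: the original `cd /var/lib/ldap ; rm -rf *`
# would wipe whatever the current directory is if the cd failed.
reload_ldap_db() {
    ldif=$1; dbdir=$2
    [ -f "$ldif" ] || { echo "missing ldif: $ldif" >&2; return 1; }
    [ -d "$dbdir" ] || { echo "not a directory: $dbdir" >&2; return 1; }
    service ldap stop &&
    rm -rf -- "$dbdir"/* &&
    slapadd -v -l "$ldif" &&
    chown -R ldap:ldap "$dbdir" &&
    service ldap start
}

# Constructed sample output in the shape of `net getlocalsid`; SID values are
# made up. On a BDC the local SID must equal the domain SID saved from the
# working BDC, which is the check Adrian asks for before testing logons again.
OLD_BDC_SID_FILE='SID for domain AEI is: S-1-5-21-3018044689-1111111111-2222222222'
NEW_BDC_SID='SID for domain APPDEVEL-BIS is: S-1-5-21-3018044689-1111111111-2222222222'

if sid_check "$OLD_BDC_SID_FILE" "$NEW_BDC_SID"; then
    echo "SID matches; no net setlocalsid needed"
else
    echo "SID mismatch; run: net setlocalsid $(extract_sid "$OLD_BDC_SID_FILE")"
fi
```

reload_ldap_db is only defined here, not run; call it as root on the new BDC once the ldif has been copied over.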
>From: "Scott Moorhouse" <smoorhouse@ae-solutions.com>
>To: <samba@lists.samba.org>
>Subject: [Samba] 64-bit RHEL4 BDC doesn't allow workstation logons
>Date: Mon, 5 Jun 2006 12:22:07 -0500
>
>I'm trying to set up Samba on RHEL4 as a BDC for subnet 10.6.0.0/16. The
>PDC is located at another site and on another network. Its IP address is
>10.2.0.2. There are other BDCs on subnets 10.1.0.0/16, 10.3.0.0/16, and
>10.4.0.0/16 that all function fine. This is the only one on RHEL and this
>is the only one on a 64 bit box.
>
>We are using ldapsam for the passdb. The important config lines are:
>
>[global]
>workgroup = AEI
>netbios name = APPDEVEL-BIS
>passdb backend = ldapsam:ldap://ldap.server.name
>local master = yes
>preferred master = no
>domain master = no
>os level = 33
>domain logons = yes
>wins server = 10.2.0.2
>
>I have used smbpasswd -w secret, as well as net rpc join with a successful
>domain join.
>
>Whenever someone logs in on a computer joined to the domain on this subnet
>(and all the computers in this domain were already joined to the domain AEI
>before this BDC was put into place) they get the:
>
>"Windows cannot connect to the domain, either because the domain controller
>is down or otherwise unavailable, or because your computer account was not
>found. Please try again later. [...]"
>
>Modifying the config file to say domain logons = no passes the logon to
>another DC and then the logon works.
>
>Logs at log level 5 say such scary things as:
>[token.log, a workstation trying to log in]
>
>[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_nt_user_token(486)
> NT user token: (NULL)
>[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_unix_user_token(505)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
>[2006/06/05 12:13:07, 5] auth/auth_util.c:is_trusted_domain(1491)
> is_trusted_domain: Checking for domain trust with [AEI]
>[2006/06/05 12:13:07, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(334)
> secrets_fetch failed!
>[2006/06/05 12:13:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2006/06/05 12:13:07, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
> no entry for trusted domain AEI found.
>[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(133)
> attempting to make a user_info for ()
>[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(143)
> making strings for 's user_info struct
>[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(185)
> making blobs for 's user_info struct
>[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(219)
> check_ntlm_password: Checking password for unmapped user []\[]@[TOKEN]
>with the new password interface
>[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(222)
> check_ntlm_password: mapped user is: [AEI]\[]@[TOKEN]
>
>At which point it looks like it tries guest access by mapping null user to
>nobody, which isn't allowed, and fails.
>
>I'm convinced that the machine actually doesn't believe that it's a domain
>member. For instance, in Printers and Faxes, it says the privileged user is
>APPDEVEL-BIS\Administrators, not AEI\Administrators. etc. That would seem
>to make some sense with its behavior, but I don't know how else to convince
>it it's a domain member other than what I've already done with net rpc join,
>which has been successful for me in the past. But what's also bizarre is
>that after one gets logged in, you can browse APPDEVEL-BIS's shares fine
>without having to log in, and with seemingly the correct access levels.
>
>Is there a 64-bit issue going on here? Or maybe a library version issue?
>Right now I'm using samba 3.0.10 which comes with RHEL4, but I have
>experienced the same problems with 3.0.22 built from source and I'm staying
>on 3.0.10 right now because I'm querying Red Hat support with this same
>question -- though they seem just as stumped as I am so far.
>
>Can someone please give me some pointers where I can look next?