Hello all,

We have Samba (2.2.5) running on three servers, each in a different subnet. One of them is a PDC (domain master = yes). The Samba PDC is also the NIS master. The smbpasswd is replicated using rsync to the other machines that act as Samba BDCs (domain master = no). They are also NIS slave servers. The smbpasswd synchronization takes place automatically every time smbpasswd is updated, and the NIS maps are updated and pushed automatically to the slaves whenever a machine joins the domain.

Let's say that the Samba PDC is in subnet A, and the BDCs are in subnets B and C. I can join the domain with NT, W2k and WXP from all of the subnets, and the machine trust accounts and passwords are being replicated as they should be. Nothing ever stops working in subnet A, where the PDC is (NT4, W2k and WXP join and never stop working). Also, the W2k and WXP clients never stop co-operating in subnets B and C.

When I join the domain from subnet B or C with an NT4 workstation, it also works. But after I've joined the domain with some other machine, the previously joined NT4 will complain that the domain doesn't trust the machine anymore (I don't know the exact phrase in English, because all of our NT4s speak Finnish). I've checked that the machine trust account password doesn't change, so it shouldn't be that. I've also tried doing the smbpasswd synchronization manually after joining the domain (with rsync, also), but the results are similar. The second joining host breaks the first host's trust account, if the first host was an NT4 in a subnet of either of the BDCs. The NT4 workstations all have SP6 installed.

Anybody have any ideas or suggestions? Where should I start debugging?

-Mikko-
Mikko Kortelainen wrote:
> Hello all,
>
> We have Samba (2.2.5) running on three servers, each in a different
> subnet. One of them is a PDC (domain master = yes). The Samba PDC is
> also the NIS master. The smbpasswd is replicated using rsync to the
> other machines that act as Samba BDCs (domain master = no). They are
> also NIS slave servers. The smbpasswd synchronization takes place
> automatically every time smbpasswd is updated, and the NIS maps are
> updated and pushed automatically to the slaves whenever a machine joins
> the domain.
>
> Anybody have any ideas or suggestions? Where should I start debugging?

Check that the domain SID is the same. Sync secrets.tdb, or use the new smbpasswd option (2.2.6) to 'suck' the SID from PDC to each BDC.

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
>> We have Samba (2.2.5) running on three servers, each in a different
>> subnet. One of them is a PDC (domain master = yes). The Samba PDC is
>> also the NIS master. The smbpasswd is replicated using rsync to the
>> other machines that act as Samba BDCs (domain master = no). They are
>> also NIS slave servers. The smbpasswd synchronization takes place
>> automatically every time smbpasswd is updated, and the NIS maps are
>> updated and pushed automatically to the slaves whenever a machine
>> joins the domain.
>>
>> Anybody have any ideas or suggestions? Where should I start debugging?
>
> Check that the domain SID is the same. Sync secrets.tdb, or use the
> new smbpasswd option (2.2.6) to 'suck' the SID from PDC to each BDC.

I understood that you can't just copy the secrets.tdb to the BDCs, because it contains some host specific information. I've run "smbpasswd -S <domain>" on both BDCs before starting smbd on them. (It seems that if you start smbd on the local host with option "workgroup = <the domain, the sid of which you're trying to retrieve>" in smb.conf, and run smbpasswd -S after that, it will retrieve the sid from the local smbd. At least in my configuration where the PDC is in a different subnet...?)

Anyhow, I checked the secrets.tdb databases, and the 48 bytes following the string "SECRETS/SID/<domain>" match on every host (and more, there's a lot of zeroes). I'm not sure if that's the right place to look? Is there a way of printing out the domain SID in cleartext?

Plus, shouldn't the other OSes complain also, if my domain SIDs were wrong? But it's just the NT4. What does it do differently than W2k and WXP...?

-Mikko-
I checked with tdbtool that the domain SIDs are the same on all of the domain controllers. Also the machine trust account passwords are the same, and they don't change. It is enough that I change a user's password with "smbpasswd <user>", and afterwards I won't be able to log in to the domain with an NT 4 machine.

(The problem was that an NT4 host in the subnet of a Samba backup domain controller complains that either the machine trust account is missing from the domain or the trust account password is wrong, after there is a change in smbpasswd. The PDC is in a different subnet, and there's no such problem there.)

I ran a level 10 debug when the machine was starting up. Right after I had joined the domain I found that lines saying "challenge: XYZ" and "calculated: XYZ" had the same value. It was also possible to log in to the domain. But after a simple password change with "smbpasswd <username>" and copying smbpasswd to the BDC with rsync, the same lines in the log file had different values, and after them there was a line saying "status: NT_STATUS_ACCESS_DENIED". Logging in to the domain was not possible. Earlier in the log there were complaints about null passwords not being valid; I don't know if that has anything to do with this.

Is there something I should check in the log file, something that should be the same in both situations? Would somebody look at my log files if I post them here? (And is there some information in the log files that would be insecure to post here?)

-Mikko-

Gerald (Jerry) Carter wrote:
>>> We have Samba (2.2.5) running on three servers, each in a different
>>> subnet. One of them is a PDC (domain master = yes). The Samba PDC is
>>> also the NIS master. The smbpasswd is replicated using rsync to the
>>> other machines that act as Samba BDCs (domain master = no). They are
>>> also NIS slave servers. The smbpasswd synchronization takes place
>>> automatically every time smbpasswd is updated, and the NIS maps are
>>> updated and pushed automatically to the slaves whenever a machine
>>> joins the domain.
>>>
>>> Anybody have any ideas or suggestions? Where should I start debugging?
>>
>> Check that the domain SID is the same. Sync secrets.tdb, or use the
>> new smbpasswd option (2.2.6) to 'suck' the SID from PDC to each BDC.
>
> I understood that you can't just copy the secrets.tdb to the BDCs,
> because it contains some host specific information. I've run "smbpasswd
> -S <domain>" on both BDCs before starting smbd on them. (It seems that if
> you start smbd on the local host with option "workgroup = <the domain,
> the sid of which you're trying to retrieve>" in smb.conf, and run
> smbpasswd -S after that, it will retrieve the sid from the local smbd.
> At least in my configuration where the PDC is in a different subnet...?)

Certainly in HEAD's variant of this command, you can specify the host - try the -r option.

> Anyhow, I checked the secrets.tdb databases, and the 48 bytes following
> the string "SECRETS/SID/<domain>" match on every host (and more, there's
> a lot of zeroes). I'm not sure if that's the right place to look? Is
> there a way of printing out the domain SID in cleartext?

tdbtool can help there.

> Plus, shouldn't the other OSes complain also, if my domain SIDs were
> wrong? But it's just the NT4. What does it do differently than W2k and
> WXP...?

Hmm, that's weird - it should affect any host that contacts the 'wrong' DC.
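Mikko asked above whether the domain SID stored under "SECRETS/SID/<domain>" in secrets.tdb can be printed in cleartext, and Jerry pointed at tdbtool. The following Python decoder is an added example written for this page; it is not part of the thread and not Samba's own code. It assumes the on-disk blob has the standard binary SID layout (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then 32-bit sub-authorities) with the sub-authorities in little-endian host order and zero padding out to a fixed 15-slot array, which is what a little-endian Samba host would write for its DOM_SID struct. The host names and SID values in the sample are constructed for the example; in practice you would paste the raw bytes that tdbtool (or tdbdump) shows for that key on each domain controller.

```python
"""Decode binary SID blobs (as stored under SECRETS/SID/<domain> in
secrets.tdb) to S-1-5-21-... text and compare them across DCs.

Added example for this page; not Samba code. Layout assumptions:
  byte 0      SID revision (always 1)
  byte 1      number of sub-authorities (N, at most 15)
  bytes 2..7  identifier authority, big-endian 48-bit integer
  then N      32-bit little-endian sub-authorities (host order on x86)
  then        zero padding up to the fixed 15-slot array Samba stores
"""
import struct

MAX_SUB_AUTHS = 15  # fixed sub_auths[] array size assumed for Samba's struct


def sid_to_string(blob):
    """Render a binary SID as 'S-<rev>-<authority>-<sub1>-...'.

    Only the declared number of sub-authorities is read, so the trailing
    zero padding of a fixed-size struct is ignored rather than misread.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short: %d bytes" % len(blob))
    rev, count = blob[0], blob[1]
    if rev != 1 or count > MAX_SUB_AUTHS:
        raise ValueError("implausible SID header: rev=%d count=%d" % (rev, count))
    id_auth = int.from_bytes(blob[2:8], "big")
    end = 8 + 4 * count
    if len(blob) < end:
        raise ValueError("truncated SID: need %d bytes, have %d" % (end, len(blob)))
    subs = struct.unpack("<%dI" % count, blob[8:end])
    return "S-%d-%d" % (rev, id_auth) + "".join("-%d" % s for s in subs)


def string_to_sid(text, pad_to_struct=True):
    """Inverse of sid_to_string; used here to build sample blobs.

    With pad_to_struct the result is padded with zero sub-authority slots
    to the 15-slot array size, mimicking the 'lots of zeroes' seen when
    dumping the key from secrets.tdb.
    """
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    rev, id_auth = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > MAX_SUB_AUTHS:
        raise ValueError("too many sub-authorities: %d" % len(subs))
    blob = bytes([rev, len(subs)]) + id_auth.to_bytes(6, "big")
    blob += struct.pack("<%dI" % len(subs), *subs)
    if pad_to_struct:
        blob += b"\0" * (4 * (MAX_SUB_AUTHS - len(subs)))
    return blob


def check_domain_sids(blobs_by_host):
    """Decode one blob per DC and report hosts whose SID differs from the
    first host's (put the PDC first). Returns (reference_sid, mismatches);
    an empty mismatches dict means every DC agrees."""
    decoded = {host: sid_to_string(blob) for host, blob in blobs_by_host.items()}
    reference = next(iter(decoded.values()))
    mismatches = {h: s for h, s in decoded.items() if s != reference}
    return reference, mismatches


# Constructed sample data: hypothetical host names and SID values.
PDC_SID = "S-1-5-21-1234567890-987654321-2468013579"
SAMPLE_BLOBS = {
    "pdc-subnet-a": string_to_sid(PDC_SID),
    "bdc-subnet-b": string_to_sid(PDC_SID),
    # Simulates a BDC that generated its own SID instead of taking the PDC's.
    "bdc-subnet-c": string_to_sid("S-1-5-21-1234567890-987654321-1111111111"),
}

if __name__ == "__main__":
    reference, bad = check_domain_sids(SAMPLE_BLOBS)
    print("reference domain SID:", reference)
    for host, sid in bad.items():
        print("MISMATCH on %s: %s" % (host, sid))
    if not bad:
        print("all domain controllers agree")
```

The count byte at offset 1 is what makes the decoder safe to run on a padded struct: the zero bytes Mikko saw after the 48 matching bytes are consistent with unused sub-authority slots, and they are never interpreted as sub-authorities. A mismatch reported by check_domain_sids is exactly the condition Andrew described, where a BDC answers with a SID the workstations' trust accounts were not issued under.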