Hi,

my last post was about upscale configuration for my WinXP clients, because I believed I had it working, but ...

Next day I booted the client and .... it wouldn't let me log onto the domain again. :-(

I am using Samba 2.2.8a with LDAP backend, which works great in workgroup mode.

Joining the domain is very easy and works well, but then after rebooting I get:

"Es kann keine Verbindung mit der Domäne hergestellt werden, da der Domaincontroller nicht verfügbar ist bzw. das Computerkonto nicht gefunden wurde. Wiederholen Sie den Vorgang später...." [German]

In English it is something like:

"No connection to the domain could be established, because the domain controller is not available or the computer account is not found. Please retry later...."

(very funny :-> "retry later", M$ joke!!)

I searched on Google for this problem and found some people with the same problem.

They were told to do the reg hack "requiresignorseal" = 0, deactivate encryption (for client/server) and change to use "LM and NTLM".

These settings are already all done on my systems, but still I get the message.

The computer can connect to the Samba server on a share basis manually.

The strange thing is that it doesn't matter whether I type in my password correctly or not, I always get the same message box "in milliseconds". There is no communication between the workstation and the Samba server.

I also found that there is something like "fast logons" which uses asynchronous logon, which is the default. I also tried the synchronous mode. No success.

The test clients are PC A, a Windows XP where the domain logon worked, but stopped working now, and PC B, which was a fresh install and domain logon never worked.

Can you help?
How can I debug this?

Thanks
Daniel
Thomas Klettke
2003-Jun-04 15:11 UTC
[Samba] Samba as PDC with WinXP Clients -> headache!!
Daniel,

for XP you need to patch the registry in order to cooperate with a Samba PDC. I don't have the exact info handy at the moment, but if you search the Samba docs for "XP" and "registry" you should find it easily.

Thomas

On Wed, 2003-06-04 at 09:42, Daniel Zeiss wrote:
> Hi.
>
> my last post was about upscale configuration for my WinXP clients,
> because I believed I had it working, but ...
>
> Next day I booted the client and .... it wouldn't let me log onto the
> domain again. :-(
>
> I am using Samba 2.2.8a with LDAP backend which works great in workgroup
> mode.
>
> Joining the domain is very easy and works well, but then after rebooting
> I get:
>
> "Es kann keine Verbindung mit der Domäne hergestellt werden, da der
> Domaincontroller nicht verfügbar ist bzw. das Computerkonto nicht
> gefunden wurde. Wiederholen Sie den Vorgang später...." [German]
>
> In English it is something like:
>
> "No connection to the domain could be established, because the
> domain controller is not available or the computer account is not found.
> Please retry later...."
>
> (very funny :-> "retry later", M$ joke!!)
>
> I searched on Google for this problem and found some people with the
> same problem.
>
> They were told to do the reg hack "requiresignorseal" = 0, deactivate
> encryption (for client/server) and change to use "LM and NTLM".
>
> These settings are already all done on my systems, but still I get the
> message.
>
> The computer can connect to the Samba server on a share basis manually.
>
> The strange thing is that it doesn't matter whether I type in my password
> correctly or not, I always get the same message box "in milliseconds".
> There is no communication between the workstation and the Samba server.
>
> I also found that there is something like "fast logons" which uses
> asynchronous logon, which is the default. I also tried the synchronous
> mode. No success.
>
> The test clients are PC A, a Windows XP where the domain logon worked, but
> stopped working now, and PC B, which was a fresh install and domain logon
> never worked.
>
> Can you help?
> How can I debug this?
>
>
> Thanks
>
> Daniel
>
Dear Thomas,

thanks for your answer.

> for XP you need to patch the registry in order to cooperate with a Samba
> PDC.

That is exactly what I have done and tried to explain with my words:

> They were told to do the reg hack "requiresignorseal" = 0, deactivate
> encryption (for client/server) and change to use "LM and NTLM".
>
> These settings are already all done on my systems, but still I get the
> message.

I would love to hear some more specific ideas like:

> Can you help?
> How can I debug this?

Because Google doesn't tell more than I have read. I have been trying to solve this problem now for 2 whole days. There is a chance that the solution is very very simple and I am blind to it now, or that the solution is so complex that nobody here on the list has an idea. I am praying for the first. :-)

bye
Daniel
I'm having the same problems as Daniel Zeiss, hence the message with the same subject!

As is the case with Daniel, I'm having very unsatisfactory performance with Samba as PDC and WinXP (Pro) clients. Basically, XP machines seem to join the domain OK, but then fall off at random, and tell me that no domain controller is available, without any apparent network activity.

I'm using 2.2.8a, with "normal" encrypted passwords (no LDAP).

I have essentially the same setup at several sites. I'm not the first point of contact at any of the sites, but unfortunately I'm responsible for making Samba work at all of them. Access to the sites (and direct experience of the problems as opposed to user reports) is relatively difficult. Also the different sites have different first-port-of-call administrators, and probably very different usage patterns....

At one site ("the good site") there are around 13 XP workstations and no other Windows machines. I seldom hear of any problems at this site. However I know the administrator here routinely reinstalls XP (and re-joins the domain) whenever there is a problem. I've also heard that they sometimes have the "can't log in" problem, and have solved it by re-joining the domain. I'm not sure exactly how frequent this is because I'm not always told.

Historically most of the sites have been on 95/98, and most probably still have a majority of 98 machines, but lately most of them also have a few XP machines as well. Again I am hamstrung by limited direct experience at these sites, but it appears that the "no domain controller" error happens at these sites too. Usually re-joining the domain solves this issue, but some clients seem not to be able to join the domain at all, or only after repeated attempts.

My setup runs a logon script, which syncs the workstation time and maps certain shares ("NET USE... etc.") according to the user logged in. The scripts are different according to the Windows client architecture.

Win 95 script looks like:

NET TIME \\SERVER /YES /SET
NET USE H: /home
NET USE S: \\SERVER\STORAGE
NET USE W: \\SERVER\WEBSITE
... (maps 11 drives)

WinNT and Win2K scripts are the same:

NET TIME \\SERVER /YES /SET
NET USE H: \\SERVER\alex
NET USE S: \\SERVER\STORAGE
NET USE W: \\SERVER\WEBSITE
...

(I assume XP appears as the 2K architecture in the %a Samba config variable substitution.)

We have a problem with some XP machines which seem to be partially working... they log in but don't run the scripts. They map the home drive as Z, but don't get any further....

I really need to get these problems sorted, if anyone can offer any general debugging advice please feel free. I have tried a few times to go onsite and "sort it once and for all", spending many hours on it searching Google etc. but always hitting a brick wall. I've tried increasing the log level, packet dumps etc, but never get anything useful.

Alex

smb.conf follows:

# Samba configuration file
[global]
    workgroup = WORKGROUP
    debug level = 1
#   interfaces = eth* ppp* _SAMBATUNLIF_
    hosts allow = 127.0.0.1 : 192.168.2.0/255.255.255.0
    hosts deny = 0.0.0.0/0.0.0.0
    printing = bsd
    printcap name = /etc/printcap
    hide files = AppleVolumes
    load printers = yes
    guest account = nobody
#   invalid users = root
    security = user
    server string = %h server (Samba %v)
#   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
    encrypt passwords = yes
    smbpasswd file = /etc/smbpasswd
    wins support = yes
    os level = 65
    domain master = yes
    local master = yes
    preferred master = yes
    logon script = %a\%U.bat
    logon drive = Z:
    logon home = "\\%N\%U\profile"
    logon path = "\\%N\NTPROFILE\%U"
    dns proxy = no
    preserve case = yes
    short preserve case = yes
    domain logons = yes
    unix password sync = false
    add user script = /usr/sbin/useradd -d /dev/null -g users -s /bin/false %u
    domain admin group = alex, blair, root

[homes]
    comment = Home
    browseable = no
    read only = no
    create mask = 0600
    directory mask = 0700

[netlogon]
    path = /var/shares/netlogon
    writeable = no
    guest ok = no

[ntprofile]
    comment = NT Profiles
    writable = yes
    path = /var/shares/ntprofile
    create mask = 600
    directory mask = 700

[website]
    comment = Web site
    writeable = yes
    valid users = @website
    force group = website
    path = /var/shares/website
    create mask = 664
    directory mask = 775

[intranet]
    comment = Intranet
    writeable = yes
    valid users = @intranet
    force group = intranet
    path = /var/www
    create mask = 664
    directory mask = 775

[storage]
    comment = Storage
    writable = no
    write list = @storage
    force group = storage
    path = /extra/storage
    create mask = 664
    directory mask = 775

.... (more shares)
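A config like the one Alex posted is easier to check mechanically than by eye. The following is an added example for this thread, not Alex's or the Samba project's code: a small Python parser for the "[section]" / "key = value" subset of smb.conf used above, a set of checks for the settings a Samba 2.2 PDC needs (domain logons, security = user, encrypted passwords, a [netlogon] share that is neither writable nor guest-accessible, a logon path that names a share which exists), and an expansion of the "%a\%U.bat" logon script name for a given client type. The client-to-%a table, including Alex's assumption that XP shows up as Win2K, is an assumption of this example and not a verified Samba table; the embedded config text is a trimmed copy of the one in the post.

```python
"""Sanity-check a Samba 2.x smb.conf for the settings a PDC needs.

Added example for this thread, not Alex's or the Samba project's code.
Assumptions: only "[section]" / "key = value" / "#" or ";" comments are
parsed, and ARCH_BY_CLIENT repeats Alex's assumption about %a values.
"""
import re

# Constructed sample: the PDC-relevant part of the smb.conf posted above.
SAMPLE_SMB_CONF = r"""
# Samba configuration file
[global]
    workgroup = WORKGROUP
    security = user
    encrypt passwords = yes
    domain master = yes
    logon script = %a\%U.bat
    logon path = "\\%N\NTPROFILE\%U"
    domain logons = yes

[netlogon]
    path = /var/shares/netlogon
    writeable = no
    guest ok = no

[ntprofile]
    writable = yes
    path = /var/shares/ntprofile
"""

# Assumption (Alex's, repeated here): Samba 2.2 reports XP clients as Win2K.
ARCH_BY_CLIENT = {"win95": "Win95", "win98": "Win95", "winnt": "WinNT",
                  "win2k": "Win2K", "winxp": "Win2K"}


def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased, space-normalised keys."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][" ".join(key.lower().split())] = value.strip().strip('"')
    return conf


def is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def first(section, *keys):
    """First present key among synonyms such as writeable/writable."""
    for k in keys:
        if k in section:
            return section[k]
    return None


def check_pdc(conf):
    """Return the problems that would stop domain logons or weaken [netlogon]."""
    g = conf.get("global", {})
    problems = []
    if not is_yes(g.get("domain logons")):
        problems.append("global: 'domain logons = yes' is missing")
    if g.get("security", "user").lower() != "user":
        problems.append("global: a PDC needs 'security = user'")
    if not is_yes(g.get("encrypt passwords")):
        problems.append("global: NT/2K/XP clients need 'encrypt passwords = yes'")
    if not is_yes(g.get("domain master")):
        problems.append("global: 'domain master = yes' is missing")
    nl = conf.get("netlogon")
    if nl is None:
        problems.append("no [netlogon] share: logon scripts cannot be fetched")
    else:
        ro = first(nl, "read only")
        if is_yes(first(nl, "writeable", "writable")) or (ro is not None and not is_yes(ro)):
            problems.append("[netlogon] is writable: clients could alter logon scripts")
        if is_yes(first(nl, "guest ok", "public")):
            problems.append("[netlogon] allows guest access")
    # logon path = \\%N\SHARE\%U must name a share that is actually defined
    parts = g.get("logon path", "").split("\\")
    if len(parts) >= 4 and parts[3].lower() not in conf:
        problems.append("logon path points at missing share [%s]" % parts[3])
    return problems


def logon_script_for(conf, client, user):
    """Expand %a and %U in 'logon script' for one client type and user."""
    template = conf.get("global", {}).get("logon script", "")
    arch = ARCH_BY_CLIENT.get(client.lower(), "UNKNOWN")
    return template.replace("%a", arch).replace("%U", user)
```

Run against the posted config, check_pdc returns no problems and logon_script_for(cfg, "WinXP", "alex") gives Win2K\alex.bat, which is the file Alex's NT/2K script would have to be saved as under the netlogon share; flipping "writeable = no" on [netlogon] or mistyping the share in logon path is reported.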
Hi

> In XP have you set the WINS server address?

Yes. It is set. Normal browsing is working fine.

> I am running XP Pro with Samba 2.2.8a and it's running fine after the
> registry patch.

How did you set it up? Are you using SP1? How is the load on your Samba PDC when clients log on? Are you running a domain? Can you send me a copy of your registry in text files, so I can compare?

Thank you.
Daniel
Daniel Zeiss
2003-Jun-05 14:07 UTC
SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!
Hello All,

so let's summarize a bit the trouble which is out there with Samba and WinXP Pro using Samba as PDC. (Also something for the howto for John :-)

Trouble
-------
* very unsatisfactory performance when clients log on
* trouble with "no domain controller", even though the WinXP client didn't really check; seems there are similar problems with NT4 servers:
  http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&threadm=e%23bq23q7BHA.2080%40tkmsftngp05&rnum=9&prev=/groups%3Fq%3Dwin%2Bxp%2B%2Bnt4%26hl%3Dde%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De%2523bq23q7BHA.2080%2540tkmsftngp05%26rnum%3D9
* simple folder redirection activates the Windows Offline Files function (not always wanted)
* NEW! smbpasswd won't find a machine account in the LDAP database: when not putting the machine account in /etc/passwd, the command
  smbpasswd -m -a machinename$
  will fail, even with the same entries in LDAP
* WinXP clients which do just part of the netlogon script and stop there
* samba log file which doesn't tell much on why something fails
* many hours of "sort it once and for all" but no solution

Stuff to do on WinXP to use Samba (which I assume we all did):
------
* network encryption
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
  "requiresignorseal"=dword:00000000
  "signsecurechannel"=dword:00000000
  or Group Policy editor (gpedit.msc):
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  deactivate:
  Domain Member: Digitally encrypt or sign secure channel data (always)
  Domain Member: Digitally sign secure channel data (when possible)
* Network security: LAN Manager Authentication Level
  change to use "LM and NTLM"
* for roaming profiles: run gpedit.msc
  Select Computer Configuration > Administrative Templates > System > User Profiles
  * Do not check for user ownership of Roaming Profile Folders - Enabled
  or
  [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
  "CompatibleRUPSecurity"=dword:00000001
  or in smb.conf (RECOMMENDED!!)
  [profile]
  profile acls = yes
* delete local copies of roaming profiles
  Select Computer Configuration > Administrative Templates > System > User Profiles
  * Delete cached copies of roaming profiles
  or
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1.
* turn off slow link detection
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  "SlowLinkDetectEnabled"=dword:00000000
* disable fast user switching
  It is done with the group policies. It should help Windows to wait for the network to get online. Sorry, can't find the link anymore.
* tell WinXP to use the NTConfig.POL file from the NETLOGON share
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q274478&
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update\NetworkPath
  value REG_SZ (UNC) path, eg: \\Servername\Policies\Ntconfig.pol

Solutions for "no domain controller" which worked somewhere
---------
* rejoining the domain (didn't work for me)
* reinstalling WinXP (not really an option)

Suggestions
-----------
* GPL NTConfig.POL file which does the most important stuff (folder redirection etc)
* GPL gpedit.msc which is a proposal for everybody to use (applied manually at every workstation)

cool links:
http://hr.uoregon.edu/davidrl/samba/
http://www.diariolinux.com/phorum/list.php?f=17

any more ideas?

bye
Daniel
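A checker for the registry side of this list, as an added example (not from the posts or the Samba docs): it parses a Regedit text export and compares the values against the ones listed above, so a client's export can be compared against the list mechanically instead of by hand, which is what Daniel asked for in his earlier mail. The .reg text embedded in it is constructed, with two values deliberately left at 1 so the check reports something; the parser only understands the REG_DWORD and REG_SZ lines these keys use.

```python
"""Compare a Regedit text export against the WinXP settings listed above.

Added example for this thread (not from the posts or the Samba docs).
SAMPLE_REG is constructed; EXPECTED holds the values the summary gives.
Only the REG_DWORD and REG_SZ lines used by these keys are understood.
"""
import re

# Constructed export: requiresignorseal and SlowLinkDetectEnabled are
# deliberately left at 1 so the check below has something to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000001
"signsecurechannel"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000001
"SlowLinkDetectEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update]
"NetworkPath"="\\\\SAMBASERVER\\netlogon\\NTConfig.POL"
"""

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name, expected value) exactly as the summary above lists them.
EXPECTED = [
    (NETLOGON, "requiresignorseal", 0),
    (NETLOGON, "signsecurechannel", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System", "CompatibleRUPSecurity", 1),
    (WINLOGON, "DeleteRoamingCache", 1),
    (WINLOGON, "SlowLinkDetectEnabled", 0),
]


def parse_reg(text):
    """Return {key_lower: {name_lower: value}}; dwords as int, REG_SZ unescaped."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not (m and key):
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.lower().startswith("dword:"):
            reg[key][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes inside REG_SZ
            reg[key][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            reg[key][name] = data  # other types are kept as raw text
    return reg


def check_xp_settings(reg, expected=EXPECTED):
    """Return (value name, found, expected) for each value that disagrees or is absent."""
    findings = []
    for path, name, want in expected:
        found = reg.get(path.lower(), {}).get(name.lower())
        if found != want:
            findings.append((name, found, want))
    return findings
```

On the constructed export the check reports requiresignorseal and SlowLinkDetectEnabled; a value that is not in the export at all comes back with None as the found value. The two Netlogon values switch off signing and sealing of the secure channel to the PDC, which is why they are on the list, so the same check doubles as an inventory of which clients are running with that protection disabled.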
ganapathy murali krishnan
2003-Jun-05 22:59 UTC
SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!
The way we have it set up is as follows:

Each machine is populated with "local" startup and shutdown scripts, and the local Group Policy is modified to activate this. (Even though I found the registry changes which happen, they alone are not enough. So I could not automate this with a VBScript or Python code.) These local scripts mount a network share (\\sambaserver\netlogon in our case) under guest credentials, and then execute the "real" startup and shutdown scripts respectively. Once the real scripts have finished executing, the local script cleans up after itself.

The local machine startup and shutdown scripts run as SYSTEM. This account is not allowed network access even under guest credentials. This problem has been solved in many ways. What I do is to mount \\sambaserver\IPC$ as a non-privileged user. To do this the username and password must be given there in clear text. Since this user is only allowed to read from the share, this is not a security problem. Once you have mounted the IPC$ share, you can mount \\sambaserver\netlogon and then execute the real scripts. Once the real script finishes, we have to remove all the network connections including the IPC$ connection, so that when a user logs on, it mounts it using the right credentials (maybe you mount IPC$ as the user).

Initially debugging is a pain, since I am unable to become the "SYSTEM" user, even using runas (what password?). So on a test machine, I modify the group policy and ask it to run the scripts in a console, and not to terminate the console (the default will be to close it after some specified timeout). Then in the startup script, run "cmd.exe". That way you are the SYSTEM user now. In fact, if you run explorer.exe then you see the familiar taskbar, desktop... as well as the "Press Alt-Ctrl-Del to login" dialog (that in itself is a curious sight... using Windows Explorer, and seeing the Alt-Ctrl-Del message). Using this trick, one can debug the startup scripts.

Now you are all set to use it to do some interesting things. The last thing our "real" startup script does is to update the "local" shutdown script and vice versa. So in case you need to change the local scripts, you don't have to go around to each machine and do it all over again.

Currently I use the startup scripts to:
1. Stop unnecessary services.
2. Synchronise the time.
3. Clear all Windows print queues (through a VBScript).
4. Make registry changes (not yet implemented but in the works).

I plan to use the shutdown scripts to:
1. Upload drivers for new peripherals to C:\Drivers (or some such place) and modify the registry, so that Windows will look here in addition to C:\WINDOWS\INF. This way, I drop in the audio driver and make the registry change; next reboot Windows sees the new device, finds a driver for it and installs it automatically. This technique will work for all peripherals except of course network cards (for obvious reasons).

I plan to use the startup scripts to set up system monitoring software. Basically set up cron jobs, which run Python scripts at a specified frequency, collect data, and update a central database, which has a web based (mod_python of course) front end. We already have this working on Linux and Solaris machines (using PIKT). This will do it on Windows machines as well.

I do not know enough about how group policies work. So I haven't tried anything. I was thinking in terms of NT4 System Policies. But if, as you say, I can create a group policy file and store it on a network location, then all I have to do at machine startup is to activate the settings. I don't know how to do it. If somebody can tell me it would be useful.

Since I am going on a long vacation, I won't be able to test these things out soon.

Do you need any more information?

- Murali

Daniel Zeiss wrote:
> Hello Murali,
>
>> One other idea: Nobody seems to be interested in machine level,
>> startup and shutdown scripts (not user logon and logoff scripts).
>
> I am very interested in that since this would be the possibility of
> implementing the Active Directory stuff the other way around.
> Imagine on startup the machine would execute a script which executes a
> script from the netlogon share.
> This last script then decides on which machine it is running, which
> gpedit.msc file it should copy from the server, and like this you can
> distribute group policies like ADS can do.
>
> No need for ADS anymore ;-)
>
>> script, using local Group Policies (tried with just registry changes
>> did not work). These local scripts just mount a network share
>> and execute the real startup and shutdown scripts.
>
> Will you try more? I would love to hear your successes. :-)
>
> bye
> Daniel
>
[ Read the recent posts to the "SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache" thread first. Changed the subject line so this becomes a new thread.]

>> Each machine is populated with "local" startup and shutdown
>> scripts, and the local Group Policy is modified to activate this.
>
> Where do I find these settings in gpedit.msc?

Modifying local group policy
----------------------------
+ \Windows\System32\GroupPolicy\Machine\Scripts has the scripts in the appropriate directory.
+ Put a copy of the script in \Windows\....\Scripts\Startup
+ gpedit.msc -> Local Computer Policy -> Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> SOMETHING
+ The scripts directory may not exist unless you run gpedit.msc and navigate to the above mentioned page.

> How do you mount IPC$ as a non-privileged user if the script runs as SYSTEM?

See the script.

---- localstartup -----
@echo off
rem -- Get network privileges by posing as nobody
net use \\sambaserver\IPC$ password /USER:sambaserver\guestuser
rem -- mount the netlogon share
net use S: \\sambaserver\netlogon password /USER:sambaserver\guestuser
rem -- and execute the script
call S:\startup.cmd
rem -- Change directory to local drive
%SYSTEMDRIVE%
rem -- unmount all network drives
net use S: /D /YES
net use * /D /YES
------- end of script -----

The same script with obvious changes becomes the shutdown script.

Is there a place where one can put Windows scripts useful to Samba administrators? If there isn't any, someone should set it up. Basically a contrib directory, which may/may not ship with Samba, but these are Windows scripts written with console based automation in mind.

>> 3. Clear all Windows print queues (through a VBScript)
>
> Could you send me a copy of this function?

------------ lprm.vbs ------------
Set objWMIService = GetObject("winmgmts:" _
    & "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colInstalledPrinters = objWMIService.ExecQuery _
    ("Select * from Win32_Printer")
For Each objPrinter in colInstalledPrinters
    objPrinter.CancelAllJobs()
    Wscript.Echo "Name: " & objPrinter.Name
Next
----------- end of script ----------

This should work. Not tested it yet.

One can use the WMI service to get lots of information. Most of the /proc stuff is accessible through WMI. Just need to know what the classes are called. All the pieces of info you mentioned are accessible using the WMI interface. So all you need to do is to write a VBScript or a Python script to gather the info.

> I would like to add the system information which you can find in
> Linux under /proc, eg. CPU type, RAM, NICs' MAC address etc, into my LDAP
> and let it update itself

>> I do not know enough about how group policies work.
>
> It is one file called gpedit.msc, which sits in some folder under
> C:\WINDOWS. It will get updated on startup and every 90 mins (default).
> There are reg keys to set this behavior. I found something on the web
> telling that if you just substitute the file and restart, it will get
> loaded on restart. So that would be something for the shutdown script to do.

Which registry key is that? Is there any other way to force a reread of gpedit.msc? Something along the lines of

rundll32.exe somedll,somefunction

If we can figure out which dll has the code for rereading the gpedit.msc it would be great.

- Murali