Hi.

My last post was about upscale configuration for my WinXP clients, because I believed I had it working, but ...

Next day I booted the client and .... it wouldn't let me log onto the domain again. :-(

I am using Samba 2.2.8a with LDAP backend, which works great in workgroup mode.

Joining the domain is very easy and works well, but then after rebooting I get:

"Es kann keine Verbindung mit der Domäne hergestellt werden, da der Domaincontroller nicht verfügbar ist bzw. das Computerkonto nicht gefunden wurde. Wiederholen Sie den Vorgang später...." [German]

In English it is something like:

"No connection to the domain could be established, because the domain controller is not available or the computer account was not found. Please retry later...."

(very funny :-> "retry later", M$ joke!!)

I searched on Google for this problem and found some people with the same problem. They were told to do the reg hack "requiresignorseal" = 0, deactivate encryption (for client/server), and change to use "LM and NTLM".

These settings are already all done on my systems, but still I get the message.

The computer can connect to the Samba server on a share basis manually.

The strange thing is that it doesn't matter whether I type in my password correctly or not, I always get the same message box "in milliseconds". There is no communication between the workstation and the Samba server.

I also found that there is something like "fast logons" which uses asynchronous logon, which is the default. I also tried the synchronous mode. No success.

The test clients are PC a, a Windows XP where the domain logon worked but stopped working now, and PC b, which was a fresh install and where domain logon never worked.

Can you help?
How can I debug this?

Thanks
Daniel
Thomas Klettke
2003-Jun-04 15:11 UTC
[Samba] Samba as PDC with WinXP Clients -> headache!!
Daniel,

for XP you need to patch the registry in order to cooperate with a Samba PDC. I don't have the exact info handy at the moment, but if you search the Samba docs for "XP" and "registry" you should find it easily.

Thomas

On Wed, 2003-06-04 at 09:42, Daniel Zeiss wrote:
> [...]
Dear Thomas,

thanks for your answer.

> for XP you need to patch the registry in order to cooperate with a Samba
> PDC.

That is exactly what I have done and tried to explain with my words:

> They were told to do the reg hack "requiresignorseal" = 0, deactivate
> encryption (for client/server) change to use "LM and NTLM".
>
> These settings are already all done on my systems, but still I get the
> message.

I would love to hear some more specific ideas like:

> Can you help?
> How can I debug this?

Because Google doesn't tell more than I have read. I have been trying to solve this problem for 2 whole days now. There is a chance that the solution is very very simple and I am blind to it now, or that the solution is so complex that nobody here on the list has an idea. I am praying for the first. :-)

bye
Daniel
I'm having the same problems as Daniel Zeiss, hence the message with the
same subject!
As is the case with Daniel, I'm having very unsatisfactory performance
with Samba as PDC and WinXP (Pro) clients.
Basically, XP machines seem to join the domain OK, but then fall off at
random, and tell me that no domain controller is available, without any
apparent network activity.
I'm using 2.2.8a, with "normal" encrypted passwords (no LDAP).
I have essentially the same setup at several sites. I'm not the first
point of contact at any of the sites, but unfortunately I'm responsible
for making samba work at all of them. Access to the sites (and direct
experience of the problems as opposed to user reports) is relatively
difficult. Also the different sites have different first-port-of-call
administrators, and probably very different usage patterns....
At one site ("the good site") there are around 13 XP workstations no
other windows machines. I seldom hear of any problems at this site.
However I know the administrator here routinely reinstalls XP (and
re-joins the domain) whenever there is a problem.
I've also heard that they sometimes have the "can't log in" problem, and
have solved it by re-joining the domain. I'm not sure exactly how
frequent this is because I'm not always told.
Historically most of the sites have been on 95/98, and most probably
still have a majority of 98 machines, but lately most of them also have
a few XP machines as well.
Again I am hamstrung by limited direct experience at these sites, but it
appears that the "no domain controller" error happens at these sites
too.
Usually re-joining the domain solves this issue, but some clients seem
not to be able to join the domain at all, or only after repeated
attempts.
My setup runs a logon script, which syncs the workstation time and maps
certain shares ("NET USE... etc.") according to the user logged in.
The scripts are different according to the windows client architecture.
Win 95 script looks like:
NET TIME \\SERVER /YES /SET
NET USE H: /home
NET USE S: \\SERVER\STORAGE
NET USE W: \\SERVER\WEBSITE
...
(maps 11 drives)
WinNT and Win2K scripts are the same:
NET TIME \\SERVER /YES /SET
NET USE H: \\SERVER\alex
NET USE S: \\SERVER\STORAGE
NET USE W: \\SERVER\WEBSITE
...
(I assume XP appears as the 2K architecture in the %a samba config
variable substitution)
We have a problem with some XP machines which seem to be partially
working... they log in but don't run the scripts. They map the home
drive as Z, but don't get any further....
I really need to get these problems sorted, if anyone can offer any
general debugging advice please feel free. I have tried a few
times to go onsite and "sort it once and for all", spending many hours
on it searching google etc. but always hitting a brick wall. I've tried
increasing the log level, packet dumps etc, but never get anything
useful.
Alex
smb.conf follows:
# Samba configuration file
[global]
workgroup = WORKGROUP
debug level = 1
# interfaces = eth* ppp* _SAMBATUNLIF_
hosts allow = 127.0.0.1 : 192.168.2.0/255.255.255.0
hosts deny = 0.0.0.0/0.0.0.0
printing = bsd
printcap name = /etc/printcap
hide files = AppleVolumes
load printers = yes
guest account = nobody
# invalid users = root
security = user
server string = %h server (Samba %v)
# socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
encrypt passwords = yes
smbpasswd file = /etc/smbpasswd
wins support = yes
os level = 65
domain master = yes
local master = yes
preferred master = yes
logon script = %a\%U.bat
logon drive = Z:
logon home = "\\%N\%U\profile"
logon path = "\\%N\NTPROFILE\%U"
dns proxy = no
preserve case = yes
short preserve case = yes
domain logons = yes
unix password sync = false
add user script = /usr/sbin/useradd -d /dev/null -g users -s /bin/false %u
domain admin group = alex, blair, root
[homes]
comment = Home
browseable = no
read only = no
create mask = 0600
directory mask = 0700
[netlogon]
path = /var/shares/netlogon
writeable = no
guest ok = no
[ntprofile]
comment = NT Profiles
writable = yes
path = /var/shares/ntprofile
create mask = 600
directory mask = 700
[website]
comment = Web site
writeable = yes
valid users = @website
force group = website
path = /var/shares/website
create mask = 664
directory mask = 775
[intranet]
comment = Intranet
writeable = yes
valid users = @intranet
force group = intranet
path = /var/www
create mask = 664
directory mask = 775
[storage]
comment = Storage
writable = no
write list = @storage
force group = storage
path = /extra/storage
create mask = 664
directory mask = 775
....
(more shares)
Hi

> In XP have you set the WINS server address?

Yes. It is set. Normal browsing is working fine.

> I am running XP Pro with Samba 2.2.8a and it's running fine after the
> registry patch.

How did you set it up? Are you using SP1? How is the load on your Samba PDC when clients log on? Are you running a domain? Can you send me a copy of your registry in text files, so I can compare.

Thank you.
Daniel
Daniel Zeiss
2003-Jun-05 14:07 UTC
SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!
Hello All,
So let's summarize a bit the trouble which is out there with Samba and
WinXP Pro using Samba as PDC. (Also something for the howto for John :-)
Trouble
-------
* very unsatisfactory performance when clients log on
* trouble with "no domain controller" even though the WinXP client didn't
really check
It seems there are similar problems with NT4 servers:
http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&threadm=e%23bq23q7BHA.2080%40tkmsftngp05&rnum=9&prev=/groups%3Fq%3Dwin%2Bxp%2B%2Bnt4%26hl%3Dde%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3De%2523bq23q7BHA.2080%2540tkmsftngp05%26rnum%3D9
* simple folder redirection activates Windows Offline Files function
(not always wanted)
* NEW! smbpasswd won't find a machine account in the LDAP database:
when not putting the machine account in /etc/passwd the command
smbpasswd -m -a machinename$ will fail, even with the same
entries in LDAP
* WinXP clients which do just part of the netlogonscript and stop there
* samba log file which doesn't tell much on why something fails
* many hours of "sort it once and for all" but no solution
Stuff to do on WinXP to use Samba (which I assume we all did):
------
* network encryption
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000
or
Group Policy editor (gpedit.msc)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
deactivate:
Domain Member: Digitally encrypt or sign secure channel data (always)
Domain Member: Digitally sign secure channel data (when possible)
* Network security: LAN Manager Authentication Level change to use "LM
and NTLM"
* for roaming profiles:
run gpedit.msc
Select Computer Configuration > Administrative Templates >
System > User Profiles
* Do not check for user ownership of Roaming Profile Folders
- Enabled
or
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"CompatibleRUPSecurity"=dword:00000001
or
in smb.conf (RECOMMENDED!!)
[profile]
profile acls = yes
* delete local copies of roaming profiles
Select Computer Configuration > Administrative Templates >
System > User Profiles
* Delete cache copies of roaming profiles
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit or add value DeleteRoamingCache as type REG_DWORD. Set it to 1.
* turn off slow link connection
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon]
"SlowLinkDetectEnabled"=dword:00000000
* disable fast user switching
It is done with the group policies. It should help Windows to wait for
the network to get online. Sorry, can't find the link anymore.
* tell WinXP to use NTConfig.POL file from NETLOGON share
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q274478&
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Update\NetworkPath
value REG_SZ (UNC) path eg: \\Servername\Policies\Ntconfig.pol.
Solutions for "no domain controller" which worked somewhere
---------
* rejoining the domain (didn't work for me)
* reinstalling WinXP (not really an option)
Suggestions
-----------
* GPL NTConfig.POL file which does the most important stuff (folder
redirection etc)
* GPL gpedit.msc which is a proposal for everybody to use (applied
manually at every workstation)
cool links:
http://hr.uoregon.edu/davidrl/samba/
http://www.diariolinux.com/phorum/list.php?f=17
any more ideas?
bye
Daniel
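The registry entries collected in the summary above are the kind of thing an administrator ends up applying by hand on every workstation and then losing track of. The following is an added example, not code from the thread or from the Samba project: it parses the text form of a Windows registry export (the same `[key]` / `"name"=dword:...` format the summary quotes), reports for each setting the summary applies whether a given machine has it, and lists which of those settings lower the security of the client's connection to the PDC (the secure channel signing/sealing values and the LM/NTLM authentication level), so they can be re-enabled once the server side supports them. `LmCompatibilityLevel` is not named in the summary; it is the registry value behind the "LAN Manager Authentication Level" policy, with 0 or 1 corresponding to "LM and NTLM". The `SAMPLE_REG` text is constructed for the example and does not come from any real machine.

```python
"""Audit a Windows .reg export for the XP-side settings listed in the summary above.

Added example, not from the thread. It parses the text form of a registry export
and reports, for each setting the summary applies, whether the machine has it,
and which of those settings weaken the client's connection to the PDC.
"""
import re

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
POLICY_SYSTEM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name) -> (values the summary applies, weakens security?, effect).
# LmCompatibilityLevel is the registry value behind the "LAN Manager
# Authentication Level" policy; it is not named in the summary (assumption).
PDC_SETTINGS = {
    (NETLOGON, "requiresignorseal"): ({0}, True, "secure channel signing/sealing not required"),
    (NETLOGON, "signsecurechannel"): ({0}, True, "secure channel signing not attempted"),
    (LSA, "LmCompatibilityLevel"): ({0, 1}, True, "LM and NTLM responses allowed"),
    (POLICY_SYSTEM, "CompatibleRUPSecurity"): ({1}, False, "profile folder ownership check skipped"),
    (WINLOGON, "DeleteRoamingCache"): ({1}, False, "cached roaming profiles deleted"),
    (WINLOGON, "SlowLinkDetectEnabled"): ({0}, False, "slow link detection off"),
}

_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg(text):
    """Parse a .reg export into {(key path, value name): value}.

    Handles dword:XXXXXXXX and quoted strings; other value types are skipped,
    as are [-key] deletion sections and comment lines.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None or key.startswith("-"):
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            values[(key, name)] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[(key, name)] = data[1:-1]
    return values


def audit(values):
    """Return {value name: (status, current value)} for every setting in PDC_SETTINGS.

    status is "as-in-summary" when the export carries one of the summary's values,
    "other" when it carries something else, and "absent" when the value is not
    set at all (the Windows default then applies).
    """
    report = {}
    for (key, name), (summary_values, _weakens, _effect) in PDC_SETTINGS.items():
        current = values.get((key, name))
        if current is None:
            report[name] = ("absent", None)
        elif current in summary_values:
            report[name] = ("as-in-summary", current)
        else:
            report[name] = ("other", current)
    return report


def weakened_settings(values):
    """Names of the security-relevant settings that the export has in the weakened state."""
    report = audit(values)
    return sorted(
        name
        for (_key, name), (_vals, weakens, _effect) in PDC_SETTINGS.items()
        if weakens and report[name][0] == "as-in-summary"
    )


# Constructed sample export (not from any real machine): the netlogon values are
# applied, the LM level is left at NTLMv2-only (3), slow link detection is still
# on, and the profile policy value was never created.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DeleteRoamingCache"=dword:00000001
"SlowLinkDetectEnabled"=dword:00000001
"""

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for name, (status, current) in audit(parsed).items():
        print(f"{name:24} {status:14} {current}")
    print("weakened:", weakened_settings(parsed))
```

Run it against the output of `regedit /e` taken on a workstation; for the constructed sample it reports the two netlogon values as applied, the LM level as "other" (left at 3), `SlowLinkDetectEnabled` as "other" (still 1), `CompatibleRUPSecurity` as absent, and lists `requiresignorseal` and `signsecurechannel` as the settings that weaken the secure channel. Note that the summary writes the Winlogon key once as `WindowsNT` without the space; the real key path is `Windows NT`, which is what the example uses.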
ganapathy murali krishnan
2003-Jun-05 22:59 UTC
SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache!!
The way we have it setup is as follows:
Each machine is populated with a "local" startup and shutdown
scripts, and the local Group Policy is modified to activate this.
(Even though I found the registry changes which happen, they alone
are not enough. So I could not automate this with a VBScript or
Python code). These local scripts mount a network share
(\\sambaserver\netlogon in our case) under guest credentials,
and then execute the "real" startup and shutdown scripts respectively.
Once the real scripts have finished executing the local script cleans
up after itself.
The local machine startup and shutdown scripts run as SYSTEM. This
account is not allowed network access even under guest credentials.
This problem has been solved in many ways. What I do is to mount
\\sambaserver\IPC$ as a non-privileged user. To do this the username and
password must be given there in clear text. Since this user is only
allowed to read from the share, this is not a security problem. Once
you have mounted the IPC$ share, you can mount \\sambaserver\netlogon
and then execute the real scripts. Once the real script finishes, we
have to remove all the network connections including the IPC$ connection
so that when a user logs on, it mounts it using the right credentials
(maybe you mount IPC$ as the user).
Initially debugging is a pain, since I am unable to become the "SYSTEM"
user, even using runas (what password?). So on a test machine, I modify
the group policy and ask it to run the scripts in a console, and not to
terminate the console (default will be to close it after some specified
timeout). Then in the startup script, run "cmd.exe". That way you are
the SYSTEM user now. In fact, if you run explorer.exe then you see the
familiar taskbar, desktop... as well as the "Press Alt-Ctrl-Del to login"
dialog (that in itself is a curious sight... using Windows Explorer, and
seeing the Alt-Ctrl-Del message). Using this trick, one can debug the
startup scripts.
Now you are all set to use it to do some interesting things. The last
thing our "real" startup script does is to update the "local" shutdown
script and vice versa. So in case you need to change the local scripts,
you don't have to go around to each machine and do it all over again.
Currently I use the startup scripts to:
1. Stop unnecessary services.
2. synchronise the time
3. Clear all windows print queues (through a VBScript)
4. Make registry changes (not yet implemented but in the works)
I plan to use the shutdown scripts to:
1. Upload drivers for new peripherals to C:\Drivers (or somesuch place)
and modify the registry, so that windows will look here in
addition to C:\WINDOWS\INF.
This way, I drop in the audio driver, and make the registry change,
next reboot windows sees the new device, and finds a driver for it
and installs it automatically. This technique will work for all
peripherals except of course network cards (for obvious reasons).
I plan to use the startup scripts to setup system monitoring software.
Basically setup cron jobs, which run python scripts at specified
frequency collect data, and update a central database, which has a web
based (mod_python of course) front end. We already have this working
on Linux,Solaris machines (using PIKT). This will do it on Windows
machines as well.
I do not know enough about how group policies work. So I haven't tried
anything. I was thinking in terms of NT4 System Policies. But if as you
say I can create a group policy file and store it on a network location,
then all I have to do at machine startup is to activate the settings.
I don't know how to do it. If somebody can tell me it would be useful.
Since I am going on a loong vacation, I won't be able to test these
things out soon.
Do you need any more information?
- Murali
Daniel Zeiss wrote:

> Hello Murali,
>
>> One other idea: Nobody seems to be interested in machine level,
>> startup and shutdown scripts (not user logon and logoff scripts).
>
> I am very interested in that since this would be the possibility of
> implementing the Active Directory stuff the other way around.
> Imagine on startup the machine would execute a script which executes a
> script from netlogon share.
> This last script then decides on which machine it is running, which
> gpedit.msc file it should copy from the server and like this you can
> distribute group policies like ADS can do.
>
> No need for ADS anymore ;-)
>
>> script, using local Group Policies (tried with just registry changes
>> did not work). These local scripts just mount a network share
>> and execute the real startup and shutdown scripts.
>
> Will you try more? I would love to hear your successes. :-)
>
> bye
> Daniel
[ Read the recent posts to the
"SUMMARY: [Samba] Samba as PDC with WinXP Clients -> headache"
thread first. Changed the subject line so this becomes a new thread.]

>> Each machine is populated with a "local" startup and shutdown
>> scripts, and the local Group Policy is modified to activate this.
>
> Where do I find these settings in gpedit.msc?
Modifying local group policy
----------------------------
+ \Windows\System32\GroupPolicy\Machine\Scripts has the scripts
in appropriate directory.
+ Put a copy of the script in \Windows\....\Scripts\Startup
+ gpedit.msc -> Local Computer Policy -> Computer Configuration
-> Windows Settings -> Scripts (Startup/Shutdown) -> SOMETHING
+ The scripts directory may not exist unless you run gpedit.msc
and navigate to above mentioned page.
> How do you mount IPC$ as non-privileged user if the script runs as SYSTEM?
See the script.
---- localstartup -----
@echo off
rem -- Get network privileges by posing as nobody
net use \\sambaserver\IPC$ password /USER:sambaserver\guestuser
rem -- mount the netlogon share
net use S: \\sambaserver\netlogon password /USER:sambaserver\guestuser
rem -- and execute the script
call S:\startup.cmd
rem -- Change directory to local drive
%SYSTEMDRIVE%
rem -- unmount all network drives
net use S: /D /YES
net use * /D /YES
------- end of script -----
Same script with obvious changes becomes the shutdown script.
Is there a place where one can put Windows scripts useful to
samba administrators? If there isn't any some one should set it up.
Basically a contrib directory, which may/may not ship with Samba,
but these are windows scripts written with console based automation
in mind.
>> 3. Clear all windows print queues (through a VBScript)
> Could you send me a copy of this function?
------------ lprm.vbs ------------
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colInstalledPrinters = objWMIService.ExecQuery _
("Select * from Win32_Printer")
For Each objPrinter in colInstalledPrinters
objPrinter.CancelAllJobs()
Wscript.Echo "Name: " & objPrinter.Name
Next
----------- end of script ----------
This should work. I have not tested it yet.
One can use the WMIService to get lots of information. Most of the
/proc stuff is accessible through WMI. Just need to know what classes
they are called. All the pieces of info you mentioned are accessible
using the WMI interface. So all you need to do is to write a VBScript
or a Python Script to gather the info.
> I would like to add the systeminformation which you can find in
> Linux under /proc eg. CPU Type, RAM, NICs MAC address etc into my LDAP
> and let it update itself
>
>> I do not know enough about how group policies work.
>
> It is one file called gpedit.msc, which sits in some folder under
> C:\WINDOWS. It will get updated on startup and every 90mins (Default)
> There are reg keys to set this behavior. I found something on the web,
> telling if you just substitute the file and restart, it will get loaded
> on restart. so that would be something for the shutdown script to do.
>
Which registry key is that? Is there any other way to force a reread of
gpedit.msc? Something along the lines of
rundll32.exe somedll,somefunction
If we can figure out which dll has the code for rereading the gpedit.msc
it would be great.
- Murali