samba - May 2005 - Strange intermittent join with XP SP2 and Samba 3.0.14a

Hi all!

I'm a system administrator for a company that uses Samba (the latest,
3.0.14a) as a PDC for a subnet with various windows clients. The following
diagram illustrates the situation of the various host in my network:


          +----------+
          | Win 2003 |
          +--+-------+       - Clients -
             |              10.100.0.0/16
             |
+--------+   |  +----------+
| XP sp2 |   |  | 2000 SP4 |
+-----+--+   |  +-+--------+
      |      |    |
      |      |    |
    +-+------+----+-+
    | Switch 10/100 |
    +-------+-------+
            |
            |
       +----+-----+
       | Firewall |
       +----+-----+
            | .1             - Services -
            |               192.168.2.0/24
    +-------+-------+
    | Switch 10/100 |
    +-------+----+--+
      |           |  \
      |           |   +------------------------+
      |           |                            |
      | .6 (eth0) | .8 (eth0:1)                | .7 (eth0)
      |           |                            |
   +----+-----------+     HA Link     +----+-------------+
   | Samba PDC (up) |  172.16.1.0/24  | Samba PDC (down) |
   +----------------+ <-------------> +------------------+
   |   LDAP (up)    |     (eth1)      |   LDAP (down)    |
   +----------------+                 +------------------+


The Samba 3.0.14a uses LDAP as a SAM backend for all the windows domain
accounts and related authentication. In the previous diagram you can
notice that there are two PDC (in high avaiability, 192.168.2.6 and
192.168.2.7) linked each other with a dedicated cross cable for a private
Heartbeat network (the 172.16.1.0/24). The current active high avaiability
PDC uses a virtual interface with ip 192.168.2.8, that is, the shared
ip address resource raised by Heartbeat during its boot (in the diagram, i
taken the Samba with ip 192.168.2.6 as the currently active PDC).

The problem that occurs, involves just windows XP with service pack 2 and
less frequently windows 2003 (not win2K sp4 or windows XP with service
pack 1) and it consists in an intermittent join to the NT domain
controlled by the Samba PDC.

I'll explain this problem better.

With xp sp2 (and 2003) i have to repeat various times the join phase
before get success from the PDC, and, during each failed join, i get the
error:

		"user unknown or incorrect password"

and this does never occur with xp sp1 or win2k sp4. What a strange thing!
Moreover, if i reset any XP sp2 client into a workgroup and after i do a
rejoin to the domain, the problem still occurs!

I played a lot with the voices "interfaces, bind interfaces only, remote
anounce" in the samba configuration file, in any combination! But seems i
can't solve that annoying problem.

I thought it could be a firewall problem, but, why the join does works
always with windows XP sp1 and 2000?

I add that the same problem could be replicated with each version 3.0.X
(and also 15pre2) of Samba.

I'm in trobles, please help me!

follows my smb.conf:

[global]

; PDC Dominio AZIENDA
workgroup = AZIENDA
server string = PDC
netbios name = PDC
security = user
preferred master = yes
domain logons = yes
domain master = yes
encrypt passwords = yes
map acl inherit = yes
wins support = yes
interfaces = 192.168.2.8/24 127.0.0.1/8
#interfaces = 192.168.2.6 192.168.2.7 192.168.2.8 127.0.0.1
bind interfaces only = no
#bind interfaces only = yes
#username map = /etc/samba/username.map
#remote announce = 10.100.255.255/AZIENDA

dos charset = 850
unix charset = ISO8859-1

log file = /var/samba/log.samba.%m
log level = 1
max log size = 20000
lock directory = /var/samba/locks
pid directory = /var/samba/run
private dir = /var/samba/private

passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=root,dc=pdc,dc=azienda,dc=pri
ldap suffix = dc=pdc,dc=azienda,dc=pri
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap delete dn = no

add machine script = /etc/samba/scripts/smbldap-useradd.pl -w '%u'
add user script = /etc/samba/scripts/smbuseradd.sh '%u'
add group script = /etc/samba/scripts/smbgroupadd.sh '%g'
add user to group script = /etc/samba/scripts/smbldap-groupmod.pl -m
'%u' '%g'
delete user script = /etc/samba/scripts/smbuserdel.sh '%u'
delete group script = /etc/samba/scripts/smbgroupdel.sh '%g'
delete user from group script = /etc/samba/scripts/smbldap-groupmod.pl -x
'%u' '%g'
set primary group script = /etc/samba/scripts/smbldap-usermod.pl -g '%g'
'%u'

;logon path = \\%L\profiles
logon path logon script = logon.cmd
logon drive = Z:

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192


Thanx in advance friends! Help me please!

Giuseppe.

Hello Megat0N,

Sunday, May 22, 2005, 2:01:23 PM, you wrote:



M> With xp sp2 (and 2003) i have to repeat various times the join phase
M> before get success from the PDC, and, during each failed join, i get the
M> error:

M>                 "user unknown or incorrect password"

This  does  not  seem  to be a firewall issue, but an XP-samba interaction
issue of some type. I do not have the answer, but it should be interesting
if  you try to join a XP SP2 client (which has intermittent issues) to the
domain  after  connecting  it  to  the  server's  network,  thus  avoiding
completely the firewall.



-- 

  Fabio "Kurgan" Muzzi