We have had a Samba LDAP-PDC-BDC system set up for close to 3 months with about 60 computers in the domain. Earlier we had a power outage and about 30 computers were no longer able to log into the domain or authenticate. Some were NT Workstations and some were W2K, but not all NT or W2K workstations were affected.

If we went to Network Neighborhood we would see the error message "The trust relationship between this workstation and the primary domain failed". When someone tries to log in to these computers they get the error "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect".

We were able to fix the problem on the computers by taking the computers out of the domain and re-entering them into the domain: went into System -> Network Identification -> put the machine in a workgroup -> reboot -> go back in and put the machine back into the domain. No manual deletion on the PDC was done. This was all done on the client.

I reviewed LDAP backups and thus far have not found any discrepancies with the systems' profiles before or after the power outage. The records indicate that there has not been any change in the LDAP information in the last 2 months for the machines which have the problem. Of course once the systems have been re-logged into the domain the SambaNTPassword changes.

I am currently both baffled and concerned as to how or why this would happen. If anybody could shed more light on what could have happened I would appreciate it. I would also like to know if there is a way to re-add or add a client on the Samba-LDAP-PDC instead of going to each individual client.
On Sat, 2006-02-18 at 11:11 -0600, Philip Washington wrote:
> We have had a Samba LDAP-PDC-BDC system set up for close to 3 months with
> about 60 computers in the domain. Earlier we had a power outage and
> about 30 computers were no longer able to log into the domain or
> authenticate. Some were NT Workstations and some were W2K, but not all
> NT or W2K workstations were affected.
>
> If we went to Network Neighborhood we would see the error message
> "The trust relationship between this workstation and the primary domain
> failed". When someone tries to log in to these computers they get the
> error "The system cannot log you on to this domain because the system's
> computer account in its primary domain is missing or the password on
> that account is incorrect".
>
> We were able to fix the problem on the computers by taking the computers
> out of the domain and re-entering them into the domain: went into
> System -> Network Identification -> put the machine in a workgroup ->
> reboot -> go back in and put the machine back into the domain. No
> manual deletion on the PDC was done. This was all done on the client.
>
> I reviewed LDAP backups and thus far have not found any discrepancies
> with the systems' profiles before or after the power outage. The records
> indicate that there has not been any change in the LDAP information in
> the last 2 months for the machines which have the problem. Of course
> once the systems have been re-logged into the domain the SambaNTPassword
> changes.
>
> I am currently both baffled and concerned as to how or why this would
> happen. If anybody could shed more light on what could have happened I
> would appreciate it.
> I would also like to know if there is a way to re-add or add a client on
> the Samba-LDAP-PDC instead of going to each individual client.
----
Probably would be a good idea to figure out how to troubleshoot your setup, as one could only conjecture about what your problem is as you describe it.

I do know that there is some faulty logic in your assumptions above, since the workstations will automatically change their password with the passdb approximately once each month, and I am quite certain that this is documented in the Samba documentation. So in view of your faulty assumption, my guess would be that your PDC/BDC setup in LDAP probably isn't working properly, as there should be evidence in some log somewhere when the workstations change their password and that the password changes propagate from LDAP server to LDAP server, and assuming that you are using something like 'slurpd' to replicate changes in LDAP, there should be evidence of some failures (aka rejects), unless you are allowing changes directly to the 'slave' LDAP server, in which case you have a lot to fix.

Craig
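Two things in the exchange above can be checked offline rather than by conjecture: Philip's comparison of LDAP backups taken before and after the outage, and Craig's point that workstations rotate their machine password roughly monthly, so a healthy dump should show recent sambaPwdLastSet values on every machine account. The script below is an added example, not code from the thread or from Samba. It parses two slapcat-style LDIF dumps, audits each machine account (sambaSamAccount object class, RID derived from uidNumber, presence and age of the NT hash) and diffs the attributes that a rejoin would touch. The embedded dumps are constructed sample data; the RID base of 1000 (Samba's default algorithmic RID base, the rid*2+1000 test mentioned later in the thread), the 30-day age threshold and the fixed "now" timestamp are assumptions.

```python
"""Compare two slapcat dumps of a Samba 3 / OpenLDAP PDC and sanity-check the
machine accounts in them. Added example, not code from the thread or from Samba."""
from base64 import b64decode

RID_BASE = 1000   # Samba's default "algorithmic rid base" (uid*2 + base, as in the thread)
MAX_PW_AGE = 30   # days; the thread says workstations rotate their password about monthly
WATCHED = ("sambaNTPassword", "sambaPwdLastSet", "sambaSID", "uidNumber")
NOW = 1140566400  # 2006-02-22 00:00 UTC, fixed so the checks are reproducible

# Constructed sample data, not real dumps: ws01$ before the outage, ws01$ after it
# was rejoined (new uidNumber, new RID, new machine password, a folded LDIF line),
# and an unaffected ws02$ present in both dumps.
WS01_BEFORE = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
cn:: d3MwMQ==
uid: ws01$
uidNumber: 1010
sambaSID: S-1-5-21-111-222-333-3020
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPwdLastSet: 1137000000
sambaAcctFlags: [W          ]

"""
WS01_AFTER = (WS01_BEFORE.replace("uidNumber: 1010", "uidNumber: 1015")
              .replace("333-3020", "333-3030")
              .replace("sambaPwdLastSet: 1137000000", "sambaPwdLastSet: 1140500000")
              .replace("0123456789ABCDEF0123456789ABCDEF",
                       "FEDCBA9876543210\n FEDCBA9876543210"))
WS02 = (WS01_BEFORE.replace("ws01", "ws02").replace("cn:: d3MwMQ==\n", "")
        .replace("uidNumber: 1010", "uidNumber: 1011").replace("333-3020", "333-3022")
        .replace("1137000000", "1139000000")
        .replace("0123456789ABCDEF0123456789ABCDEF", "89ABCDEF0123456789ABCDEF01234567"))
BEFORE_LDIF, AFTER_LDIF = WS01_BEFORE + WS02, WS01_AFTER + WS02


def parse_ldif(text):
    """Parse an LDIF dump into {dn: {attr: [values]}}; handles folded lines
    (leading space), base64 values ("attr:: ...") and comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            value = (b64decode(value[1:].strip()).decode() if value.startswith(":")
                     else value.strip())
            if attr == "dn":
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
    return entries


def machine_accounts(entries):
    """Workstation trust accounts: sambaAcctFlags contains W, or uid ends in '$'."""
    return {dn: a for dn, a in entries.items()
            if "W" in "".join(a.get("sambaAcctFlags", []))
            or "".join(a.get("uid", [])).endswith("$")}


def expected_rid(uid_number):
    """Samba 3's algorithmic uid -> RID mapping (the rid*2+1000 test in the thread)."""
    return uid_number * 2 + RID_BASE


def audit(entries, now=NOW):
    """Per machine account: object class, RID vs uidNumber, password presence and age."""
    findings = []
    for dn, a in machine_accounts(entries).items():
        if "sambaSamAccount" not in a.get("objectClass", []):
            findings.append((dn, "missing sambaSamAccount objectClass"))
        if "uidNumber" in a and "sambaSID" in a:
            want = expected_rid(int(a["uidNumber"][0]))
            got = int(a["sambaSID"][0].rsplit("-", 1)[1])
            if want != got:
                findings.append((dn, f"RID {got} != uidNumber*2+{RID_BASE} ({want})"))
        if "sambaNTPassword" not in a:
            findings.append((dn, "no sambaNTPassword: machine cannot authenticate"))
        age_days = (now - int(a.get("sambaPwdLastSet", ["0"])[0])) // 86400
        if age_days > MAX_PW_AGE:
            findings.append((dn, f"sambaPwdLastSet is {age_days} days old"))
    return findings


def diff_dumps(before, after):
    """Machine accounts whose watched attributes differ, or that exist in one dump only."""
    b, a = machine_accounts(before), machine_accounts(after)
    changes = {}
    for dn in sorted(set(b) | set(a)):
        if dn not in a or dn not in b:
            changes[dn] = [("entry", dn in b, dn in a)]
            continue
        delta = [(attr, b[dn].get(attr), a[dn].get(attr))
                 for attr in WATCHED if b[dn].get(attr) != a[dn].get(attr)]
        if delta:
            changes[dn] = delta
    return changes
```

With real data, feed it `parse_ldif(open("before.ldif").read())` and `parse_ldif(open("after.ldif").read())` from two slapcat runs. On the constructed dumps, `audit` flags ws01$ in the "before" dump because its machine password has not been reset in 41 days (a sign the monthly rotation Craig describes never reached LDAP), and `diff_dumps` shows that rejoining changed its uidNumber, RID, NT hash and sambaPwdLastSet together, the "new rid" effect reported later in the thread; ws02$ is untouched in both. An account that is present only in one dump is reported as such, which is what one would expect to see after a restore from a stale LDIF.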
mallapadi niranjan wrote:
> Hi Philip
>
> Yes, I have the same properties (for checking I did the rid*2+1000 and
> object class test), but once the computers are rejoined, they get a new
> rid, not the rid which is in the LDIF.
>
> Regards
> Niranjan

Okay, then this is something else I don't understand. If the LDAP database is getting corrupted then I can see how this problem could happen. But if the PDC goes down as you describe in scenario 2 then it doesn't make sense that the computers should have to rejoin the domain, unless there is some information which is not being stored in the LDAP database.

> On 2/21/06, Philip Washington <phwashington@comcast.net> wrote:
> >
> > mallapadi niranjan wrote:
> >
> > > Hi Craig
> > >
> > > Thanks for replying. The Samba PDC gets rebooted because of power
> > > outages at night. After the system gets rebooted:
> > >
> > > Scenario 01
> > > 1. Sometimes LDAP (2.2.13) hangs, maybe because of inconsistency.
> > > 2. Since LDAP hangs, Samba doesn't come up properly.
> > > 3. So I run db_recover and try to start the LDAP service and then
> > >    Samba.
> > >
> > > Scenario 02
> > > If LDAP doesn't hang and Samba comes up nicely, the computers have to
> > > rejoin, but in my LDAP database, in OU=Computers, all the computer
> > > accounts exist, with rid and object class intact. But somehow, I
> > > don't know why, I have to rejoin.
> >
> > Okay, I just want to clarify this. After an unplanned reboot (power
> > outage), your PDC comes back up and you find that some of the
> > computers in your domain need to rejoin the domain?? Do you have
> > recent ldifs or slapcats indicating that most of these computers have
> > the same properties in the LDAP database as before?
> >
> > > Scenario 03
> > > I take a regular backup of LDAP to an LDIF file, and restore with the
> > > latest LDIF file. Even though, I don't get the computer accounts, and
> > > also I lose users' passwords, after restoring from the LDIF file.
> > >
> > > Scenario 04
> > > If I do a safe reboot or shutdown, there's no problem; the server
> > > works properly without any problem.
> > >
> > > Regards
> > > Niranjan
> > >
> > > On 2/20/06, Craig White <craigwhite@azapple.com> wrote:
> > > >
> > > > On Mon, 2006-02-20 at 11:55 +0530, mallapadi niranjan wrote:
> > > > > Hi all
> > > > >
> > > > > I too have the same problem. I am also using Samba 3.0.21 with
> > > > > OpenLDAP version 2.2.13 on Red Hat Enterprise Linux 4 Enterprise
> > > > > Server. If the Samba PDC gets rebooted abruptly, some of my client
> > > > > workstations (Windows 2000 Professional) have to rejoin.
> > > > > I was asked to check whether the RID of the computer name is
> > > > > correct (uid*2 + 1000), and whether the computer names have the
> > > > > sambaSamAccount object class. Even though my computer names exist
> > > > > in the database with the correct object class and rid, the clients
> > > > > have to be rejoined. This happens only when the Samba PDC with LDAP
> > > > > gets rebooted abruptly. Having said that, I assume that LDAP is
> > > > > unable to maintain consistency when it gets rebooted.
> > > > >
> > > > > So I had kept a DB_CONFIG file in /var/lib/ldap (this is where all
> > > > > the bdb files are) and use db_recover in case of any crash of LDAP.
> > > > >
> > > > > But if we take a backup in an LDIF file and restore it, still my
> > > > > computer accounts are not coming back; I had to rejoin.
> > > > >
> > > > > This is the problem that I am having, but still could not find the
> > > > > correct solution.
> > > > ----
> > > > No - as you and he describe it, these are separate problems.
> > > >
> > > > Your issue is that the PDC shouldn't get rebooted abruptly, and newer
> > > > versions of OpenLDAP have a script that automatically runs
> > > > db_recover. This however doesn't come in the version of OpenLDAP
> > > > that ships with RHEL.
> > > >
> > > > You might want to set up a cron script that performs a slapcat on a
> > > > more frequent basis so that if it is necessary to dump the entire
> > > > LDAP DSA and reload from an ldif, the ldif is much more current and
> > > > thus you wouldn't have to rejoin many, if any, computers to the
> > > > domain.
> > > >
> > > > Craig
mallapadi niranjan wrote:
> Hi Philip
>
> Yes, I have the same properties (for checking I did the rid*2+1000 and
> object class test), but once the computers are rejoined, they get a new
> rid, not the rid which is in the LDIF.
>
> Regards
> Niranjan

You might check your MS client event logs for this error:

error 3224 Changing machine account password for account <COMPUTER>$ failed with the following error: A remote procedure call (RPC) protocol error occurred.