Scott Moorhouse
2006-Jun-05 17:51 UTC
[Samba] 64-bit RHEL4 BDC doesn't allow workstation logons
I'm trying to set up Samba on RHEL4 as a BDC for subnet 10.6.0.0/16. The PDC is located at another site and on another network. Its IP address is 10.2.0.2. There are other BDCs on subnets 10.1.0.0/16, 10.3.0.0/16, and 10.4.0.0/16 that all function fine. This is the only one on RHEL and this is the only one on a 64-bit box. We are using ldapsam for the passdb. The important config lines are:

    [global]
    workgroup = AEI
    netbios name = APPDEVEL-BIS
    passdb backend = ldapsam:ldap://ldap.server.name
    local master = yes
    preferred master = no
    domain master = no
    os level = 33
    domain logons = yes
    wins server = 10.2.0.2

I have used smbpasswd -w secret, as well as net rpc join with a successful domain join.

Whenever someone logs in on a computer joined to the domain on this subnet (and all the computers in this domain were already joined to the domain AEI before this BDC was put into place) they get the:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. [...]"

Modifying the config file to say domain logons = no passes the logon to another DC and then the logon works.

Logs at log level 5 say such scary things as:

[token.log, a workstation trying to log in]

    [2006/06/05 12:13:07, 5] auth/auth_util.c:debug_nt_user_token(486)
      NT user token: (NULL)
    [2006/06/05 12:13:07, 5] auth/auth_util.c:debug_unix_user_token(505)
      UNIX token of user 0
      Primary group is 0 and contains 0 supplementary groups
    [2006/06/05 12:13:07, 5] auth/auth_util.c:is_trusted_domain(1491)
      is_trusted_domain: Checking for domain trust with [AEI]
    [2006/06/05 12:13:07, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(334)
      secrets_fetch failed!
    [2006/06/05 12:13:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2006/06/05 12:13:07, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
      no entry for trusted domain AEI found.
    [2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(133)
      attempting to make a user_info for ()
    [2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(143)
      making strings for 's user_info struct
    [2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(185)
      making blobs for 's user_info struct
    [2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user []\[]@[TOKEN] with the new password interface
    [2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [AEI]\[]@[TOKEN]

At which point it looks like it tries guest access by mapping null user to nobody, which isn't allowed, and fails.

I'm convinced that the machine actually doesn't believe that it's a domain member. For instance, in Printers and Faxes, it says the privileged user is APPDEVEL-BIS\Administrators, not AEI\Administrators, etc. That would seem to make some sense with its behavior, but I don't know how else to convince it it's a domain member other than what I've already done with net rpc join, which has been successful for me in the past.

But what's also bizarre is that after one gets logged in, you can browse APPDEVEL-BIS's shares fine without having to log in, and with seemingly the correct access levels.

Is there a 64-bit issue going on here? Or maybe a library version issue? Right now I'm using samba 3.0.10 which comes with RHEL4, but I have experienced the same problems with 3.0.22 built from source and I'm staying on 3.0.10 right now because I'm querying Red Hat support with this same question -- though they seem just as stumped as I am so far.

Can someone please give me some pointers where I can look next?

--
Scott Moorhouse             : <smoorhouse@ae-solutions.com>
Systems Architect           : Applied Engineering, Inc.
Red Hat Certified Engineer  : Bismarck, ND
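Added example, not part of the original post and not Samba project code: a small parser for the level-5 smbd log format quoted in the message, which pulls out the trust-secret and empty-username authentication entries so they can be counted across a whole log file. The rule names and the `parse_entries`/`triage` helpers are this example's own; the sample lines are copied from the excerpt in the post, and a match only flags the message, it does not diagnose the cause.

```python
import re

# Header of a Samba 3.x debug entry: "[date time, level] file:function(line)".
# "\(\s*" tolerates the "( 334)" spacing seen in the archived copy of the post.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(?P<level>\d+)\] "
    r"(?P<src>[\w./-]+):(?P<func>\w+)\(\s*(?P<line>\d+)\)")

# Hypothetical triage rules, keyed on messages that appear in the post's excerpt.
RULES = {
    "trust_secret_missing": re.compile(r"secrets_fetch failed!"),
    "no_trustdom_cache": re.compile(r"no entry for trusted domain (\S+) found"),
    "empty_username_auth": re.compile(r"unmapped user \[[^\]]*\]\\\[\]@\[(\S+?)\]"),
}

def parse_entries(text):
    """Yield one dict per log entry; works even if entries are run together."""
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[m.end():end].split())  # collapse wrapped message lines
        yield {**m.groupdict(), "level": int(m["level"]), "msg": msg}

def triage(text):
    """Return (rule, function, detail) for every entry that matches a rule."""
    hits = []
    for entry in parse_entries(text):
        for name, rx in RULES.items():
            found = rx.search(entry["msg"])
            if found:
                # detail = captured domain/workstation, or the whole match
                hits.append((name, entry["func"], found.group(found.lastindex or 0)))
    return hits

# Sample input: four entries copied from the log excerpt in the post.
SAMPLE = r"""
[2006/06/05 12:13:07, 5] auth/auth_util.c:is_trusted_domain(1491)
  is_trusted_domain: Checking for domain trust with [AEI]
[2006/06/05 12:13:07, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password( 334)
  secrets_fetch failed!
[2006/06/05 12:13:07, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain AEI found.
[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user []\[]@[TOKEN] with the new password interface
"""

if __name__ == "__main__":
    for rule, func, detail in triage(SAMPLE):
        print(f"{rule:22} {func:40} {detail}")
```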