Hi,
I want vpn clients which have a valid X.509 cert and a valid user account in the
M$ domain to be able to access the LAN. The M$ DC is an SBS2003 server in mixed mode.
I don't want to manage two user DBs. I want the vpn server to ask the
domain controller for a valid user account. So I've installed the necessary
stuff on the vpn server. The interesting things here are:
samba/winbind 3.0.22, samba-common.
After a while of testing and changes everything was working fine. Then one day
the vpn/samba server accidentally got the same NetBIOS name as the M$ DC.
Now every time the vpn server comes online, the SBS server is
inaccessible for the internal M$ clients, but the vpn client can still access
the LAN. On some machines there are popups like "The IP you are using is already
in use", but it isn't. Nevertheless the NIC is getting disabled. The DC
is also the DHCP server. I've renamed the samba NetBIOS name of course
and deleted the machine account on the DC. Also I've deleted the *.tdb's
on the samba machine and the samba machine got another IP address. Then
I've let the samba server rejoin the M$ domain successfully. I can get the
DC accounts by using wbinfo -u and -g. getent is working also. ntlm_auth
username=<> also. Everything seems to be fine, but the internal network is
breaking down because the DC goes on strike. The DC's system event log is saying:
The session could not be established, because the security database could not
determine a trust account for the requesting computer. (Sorry, this is my
translation from German. It may not be exactly the same word for word as the
original English event description. Event ID is: 5723, source: NETLOGON)
That's it in the event logs. A browstat status on the DC lists:
Status for domain DOMAIN on transport
\Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
    Browsing is active on domain.
    Master browser name is: TEST
        Master browser is running build 3790
    2 backup servers retrieved from master TEST
        \\UMS
        \\TEST
    There are 13 servers in domain DOMAIN on transport
\Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
    There are 2 domains in domain DOMAIN on transport
\Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
nmblookup -M DOMAIN returns: TEST
When the network goes down on the samba server, everything wakes up again...
The event log on the local XP clients complains something like: There is no
Domain Controller available for the following reason: the RPC call was aborted. Event
ID: 5719
The event log on UMS, the backup browser, complains: The reading of the backup list
was aborted because there is no master browser accessible. The backup browser could
not get a server list from the master browser on the network {...} Event ID: 8021.
It looks like the SBS2003 machine can't 'forget' that a second
machine with the same NetBIOS name appeared on the network.
Perhaps the reason for this is the special SBS license.
However, perhaps someone has had the same experience and maybe, much more
important, worked out a solution for this problem.
The smb.conf:
[global]
workgroup = DOMAIN 
os level = 0
preferred master = No
local master = No
domain master = No
wins server = 172.16.5.60 
interfaces = eth1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 6 
security = Domain 
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
;domain logons = yes 
;logon drive = H:
;logon home = \\%N\%U
;logon script = logon.cmd
socket options = TCP_NODELAY
winbind separator = + 
winbind enum users = yes
winbind enum groups = yes 
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
Thanks for answering
Hugo
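A pre-flight check for the failure mode described in this thread, added here as an example and not part of Hugo's post or of Samba itself: it parses an smb.conf, works out which NetBIOS name the Samba host will announce, and flags it when that name is already registered on the domain (here the DC's name, TEST) or when the host is configured so it could win a browser election against the DC. Samba derives the default NetBIOS name from the first label of the hostname, uppercased, whenever "netbios name" is not set, which is exactly how a rename of the box can silently turn into a name collision. The sample smb.conf excerpt and the set of names in use are constructed stand-ins; in practice the latter would come from nmblookup, browstat or the WINS database.

```python
import re

# Constructed sample: Hugo's [global] settings with no explicit "netbios name"
SAMPLE_SMB_CONF = """
[global]
workgroup = DOMAIN
os level = 0
preferred master = No
local master = No
domain master = No
wins server = 172.16.5.60
security = Domain
; netbios name = VPNGW
"""

# Constructed stand-in for the names currently registered on the domain
# (what nmblookup, browstat or the WINS database would report).
NAMES_IN_USE = {"TEST", "UMS"}


def parse_smb_conf(text):
    """Return {section: {key: value}}; lines starting with ';' or '#' are comments.
    Samba ignores whitespace inside parameter names, so keys are normalised
    ("netbios name" -> "netbiosname")."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def effective_netbios_name(global_section, hostname):
    """Name Samba will announce: 'netbios name' if set, otherwise the first
    label of the hostname, uppercased and cut to the 15-character NetBIOS limit.
    Returns (name, explicitly_configured)."""
    explicit = global_section.get("netbiosname")
    name = explicit if explicit else hostname.split(".")[0]
    return name.upper()[:15], bool(explicit)


def check_netbios_collision(conf_text, hostname, names_in_use):
    """Return (effective_name, list_of_findings) for the given configuration."""
    glob = parse_smb_conf(conf_text).get("global", {})
    name, explicit = effective_netbios_name(glob, hostname)
    findings = []
    if not explicit:
        findings.append("netbios name not set; Samba will announce the "
                        f"hostname-derived name {name}")
    if name in {n.upper() for n in names_in_use}:
        findings.append(f"COLLISION: {name} is already registered in workgroup "
                        f"{glob.get('workgroup', '?')}")
    # A domain member must never win a browser election against the DC.
    # Samba's default for 'local master' is yes, so a missing key is a finding.
    for key in ("localmaster", "domainmaster", "preferredmaster"):
        if glob.get(key, "").lower() not in ("no", "false", "0"):
            findings.append(f"{key} should be No on a domain member")
    return name, findings


if __name__ == "__main__":
    # Hypothetical hostname: the box was (accidentally) called "test", like the DC
    name, findings = check_netbios_collision(SAMPLE_SMB_CONF, "test.intern.lan", NAMES_IN_USE)
    print("effective NetBIOS name:", name)
    for finding in findings:
        print(" -", finding)
```

Run it before bringing a renamed or re-addressed member server back on the wire: a COLLISION finding means the host would register the same name the DC already holds, which is the condition that took the SBS box offline for the internal clients here.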