ryan punt
2006-Nov-21 15:18 UTC
[Samba] PDC/BDC problem - clients not authenticating against BDC
Hey list,

I've got a problem with my PDC/BDC setup. They're both running 3.0.23c on Sarge, and I've verified that both the PDC and BDC will authenticate users.

    test-pdc:/etc/samba# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[netlogon]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC

    test-bdc:/var/log/samba# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[netlogon]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_BDC

My PDC is also my WINS server, and I've verified that XP clients on other subnets see two "DOMAIN#1c" records.

The problem I'm having is this: when SMBD on the PDC stops, XP clients will no longer authenticate; the specific error is "the system cannot log you on now because the domain GSS is not available." NMBD is still running, and XP clients still see 2 "#1c" records.

How can I ensure that XP clients will authenticate against the BDC if the PDC is unavailable?

Thanks,
Ryan
Adrian A. Sender
2006-Nov-24 08:33 UTC
[Samba] PDC/BDC problem - clients not authenticating against BDC
Hello Ryan,

As you are using PDC / BDC you are using LDAP, aren't you? You have not provided much information, so it's very hard to know where to even start.

Assuming that users are being replicated to the BDC via LDAP slurpd, you may want to check the following:

"net getlocalsid" on the PDC. Verify that this matches the BDC "net getlocalsid". If not, on the BDC:

    net setlocalsid S-1-5-21-x-y-z

Failing this, remove your LDAP database on the BDC (backup first):

    slapcat -v -l transfer.ldif     (on PDC)
    (copy transfer.ldif to BDC)
    rm -rf /var/lib/ldap/*          (on BDC)
    slapadd -v -l transfer.ldif     (on BDC)

All this is clearly explained in the documentation available on the samba web site.

Let me know if this helps.

Cheers,
Adrian Sender
ryan punt
2006-Nov-24 15:49 UTC
[Samba] PDC/BDC problem - clients not authenticating against BDC
Adrian,

Yes, I'm using LDAP for a backend. Both the PDC and BDC are using the same LDAP server, as my test environment only has one installed. I've verified the SIDs are the same, and they'll both authenticate the same users from smbclient.

The only differences between the two smb.conf files:

    rpunt@rpunt:~/documents/Samba3/backup$ diff pdc.smb.conf bdc.smb.conf
    3,4c3,4
    < netbios name = GSS-PDC
    < server string = Samba 3 PDC
    ---
    > netbios name = GSS-BDC
    > server string = Samba 3 BDC
    13c13
    < os level = 255
    ---
    > os level = 200
    15,16c15,16
    < domain master = yes
    < preferred master = yes
    ---
    > domain master = no
    > preferred master = no
    18c18
    < wins support = yes
    ---
    > wins server = 172.21.24.5 # test-pdc's IP address

The same SID is returned for both machine and domain queries on the PDC and BDC:

    test-pdc:~# net getlocalsid GSS
    SID for domain GSS is: S-1-5-21-1079125125-2089603153-XXXXXXXX
    test-pdc:~# net getlocalsid
    SID for domain GSS-PDC is: S-1-5-21-1079125125-2089603153-XXXXXXXX
    test-bdc:~# net getlocalsid GSS
    SID for domain GSS is: S-1-5-21-1079125125-2089603153-XXXXXXXX
    test-bdc:~# net getlocalsid
    SID for domain GSS-BDC is: S-1-5-21-1079125125-2089603153-XXXXXXXX
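The two checks the thread walks through by hand (Adrian's "net getlocalsid" comparison and the PDC/BDC smb.conf differences Ryan diffed) can be scripted so a BDC is verified the same way every time. This is an added example, not code from either poster; the smb.conf fragments and "net getlocalsid" output below are constructed to match the thread, and the SID tails are placeholders.

```shell
#!/bin/sh
# Constructed smb.conf fragments modelled on the diff in the thread; not the poster's real files.
PDC_CONF='netbios name = GSS-PDC
os level = 255
domain master = yes
preferred master = yes
wins support = yes'
BDC_CONF='netbios name = GSS-BDC
os level = 200
domain master = no
preferred master = no
wins server = 172.21.24.5'

# Constructed "net getlocalsid" output; the SID tails are placeholders, not real values.
PDC_SID_OUT='SID for domain GSS is: S-1-5-21-111-222-333'
BDC_SID_OUT='SID for domain GSS is: S-1-5-21-111-222-333'
BAD_SID_OUT='SID for domain GSS is: S-1-5-21-111-222-999'

# Print the value of one smb.conf parameter (lowercase key, any spacing around "=").
smb_param() {  # $1 = config text, $2 = parameter name
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Return 0 when the BDC config defers to the PDC the way Samba 3 expects:
# it must never win the domain-master election and should use the PDC's WINS service.
check_bdc_conf() {  # $1 = PDC config text, $2 = BDC config text
  [ "$(smb_param "$2" 'domain master')" = no ]    || { echo 'BDC has domain master = yes'; return 1; }
  [ "$(smb_param "$2" 'preferred master')" = no ] || { echo 'BDC has preferred master = yes'; return 1; }
  [ "$(smb_param "$1" 'os level')" -gt "$(smb_param "$2" 'os level')" ] || { echo 'PDC os level must exceed the BDC'; return 1; }
  [ -n "$(smb_param "$2" 'wins server')" ]        || { echo 'BDC lacks a wins server entry'; return 1; }
}

# Pull the S-1-5-21-... SID out of "net getlocalsid" output.
sid_of() { printf '%s\n' "$1" | sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p'; }

# Return 0 when PDC and BDC report the same domain SID (Adrian's first check).
check_sids() {  # $1 = PDC "net getlocalsid" output, $2 = BDC output
  pdc=$(sid_of "$1"); bdc=$(sid_of "$2")
  [ -n "$pdc" ] && [ "$pdc" = "$bdc" ] || { echo "SID mismatch: PDC=$pdc BDC=$bdc"; return 1; }
}

check_bdc_conf "$PDC_CONF" "$BDC_CONF" && check_sids "$PDC_SID_OUT" "$BDC_SID_OUT" && echo 'BDC config and SID consistent'
```

On real hosts, feed the functions the output of "testparm -s" from each server and of "net getlocalsid" run on each, in place of the constructed strings.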