Greetings,

My environment is Samba 3.0.23d as a PDC, password backend is OpenLDAP 2.3.27, running on SuSE 10.1; workstations are Windows XP SP2, all recent patches applied. All machines are on the same Class B private IP network. Domain logons function perfectly, performance is very nice. For security and performance reasons we are looking at dividing the network into many VLANs, each with its own IP subnet.

On the testing network, a very strange thing is happening. When the workstation is on the Class B subnet, all functions work perfectly - adding the machine to the domain, logging in, mapping a drive to the Samba server, etc. However, when placed on the test VLAN (a Class C private IP subnet) some of this functionality goes away. I can ping the DC (meaning the packets are correctly routed). I can resolve the DC name to its IP (meaning name resolution across the subnet is working), and I can resolve my own workstation name to the correct IP. However, when I try to add this machine to the domain, I get the following error:

  The following error occurred attempting to join the domain "DOMAIN":
  Logon Failure: unknown user name or bad password.

Of course I'm using the same user name and password (root) as I use when on the Class B subnet. When I attempt to map a drive, I get "System error 1326 has occurred - Logon failure: unknown user name or bad password." Stranger yet is that every 5 or so times, this all works perfectly.

I've considered problems with the switching hardware; however, I set the workstation to ping the DC constantly for like 4 hours and not a single packet was dropped. There is nothing strange about the setup, it's really very simple. All other services function perfectly between the VLANs. I also tried adding a VLAN on our production network using the production DC with the exact same results. I should add that on the testing network, although the logical layout is similar, we do not have a DHCP server so all address assignments are done by hand.

However, when we move the workstation from one subnet to another, we are careful to put the workstation in the correct subnet and make sure that the WINS server is set correctly. I've attached my smb.conf. If any party is interested in further diagnosing the problem I'll be happy to spend as much time as necessary to provide the information you might need.

Here's my smb.conf (names have been changed to protect the guilty):

  [global]
    interfaces = eth0 lo
    bind interfaces only = yes
    workgroup = DOMAIN
    server string = "Domain Controller"
    passdb backend = ldapsam:ldap://127.0.0.1
    log level = 1
    syslog = 0
    log file = /usr/local/samba/var/log.%m
    max log size = 2500
    name resolve order = wins hosts bcast
    time server = Yes
    show add printer wizard = No
    add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
    delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
    add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
    delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
    add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
    delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
    set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
    add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
    logon script = netlogon.cmd
    logon path = \\dc\profiles\%U
    logon home = \\dc\profiles\%U
    domain logons = Yes
    os level = 75
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Manager,dc=example,dc=org
    ldap group suffix = ou=group
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=people
    ldap suffix = dc=example,dc=org
    ldap user suffix = ou=people
    idmap backend = ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    profile acls = Yes
    map acl inherit = Yes

  [netlogon]
    comment = "Net logon share"
    path = /netlogon
    write list = root

  [profiles]
    comment = "Roaming profile share"
    path = /profiles
    read only = No
    hide files = /desktop.ini/Desktop.ini/DESKTOP.INI/
    csc policy = disable
    create mask = 0700
    force create mode = 0700
    directory mask = 0700
    force directory mode = 0700
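The following checker is an added example, not code from the poster or from the Samba project. It parses an smb.conf the way the [global] block above is laid out and reports the settings that decide whether a client on a routed subnet can reach the PDC without NetBIOS broadcasts (domain logons, wins support, name resolve order), flags any parameter line that lacks the '=' Samba requires (such lines are silently ignored), and notes when the ldapsam backend points at a remote host over ldap://. The two embedded configs are constructed: the first is a trimmed copy of the posted [global] section, the second is a deliberately weaker contrast; the hostname ldap.example.org is a placeholder.

```python
import re
from typing import Dict, List, Tuple

Config = Dict[str, Dict[str, str]]

# Constructed input: the posted [global] settings that matter for a routed
# client, with one script line kept as it appears in the message (no '=')
# so the malformed-line check has something to report.
POSTED_SMB_CONF = """
[global]
    interfaces = eth0 lo
    bind interfaces only = yes
    workgroup = DOMAIN
    passdb backend = ldapsam:ldap://127.0.0.1
    log level = 1
    log file = /usr/local/samba/var/log.%m
    name resolve order = wins hosts bcast
    add user to group script /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
    domain logons = Yes
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Manager,dc=example,dc=org

[netlogon]
    path = /netlogon
    write list = root
"""

# Constructed contrast: no WINS, broadcast-first name lookup, and the LDAP
# bind going to a remote host (placeholder name) rather than loopback.
WEAK_SMB_CONF = """
[global]
    workgroup = DOMAIN
    domain logons = yes
    name resolve order = bcast host
    passdb backend = ldapsam:ldap://ldap.example.org
"""


def parse_smb_conf(text: str) -> Tuple[Config, List[str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines,
    '#' or ';' comments and backslash line continuations. Parameter names
    are lowercased with whitespace collapsed, since Samba ignores case.
    Lines with no '=' are returned separately instead of being dropped."""
    sections: Config = {}
    malformed: List[str] = []
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line or current is None:
            malformed.append(line)
            continue
        key, _, value = line.partition("=")   # first '=' only: DNs contain '='
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections, malformed


def as_bool(value: str) -> bool:
    """Samba accepts yes/true/1/on for boolean parameters."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def check_routed_logon(text: str) -> List[str]:
    """Findings about settings that affect a client joining or logging on
    from another IP subnet, where NetBIOS broadcasts do not arrive."""
    sections, malformed = parse_smb_conf(text)
    g = sections.get("global", {})
    findings: List[str] = []
    for line in malformed:
        findings.append(f"malformed line ignored by Samba (no '='): {line!r}")
    if not as_bool(g.get("domain logons", "no")):
        findings.append("domain logons is off: server will not act as a PDC")
    if not as_bool(g.get("wins support", "no")):
        findings.append("wins support is off: routed clients have no WINS to find DOMAIN<1b>/<1c>")
    order = g.get("name resolve order", "lmhosts host wins bcast").split()  # Samba 3 default
    if "wins" not in order or ("bcast" in order and order.index("bcast") < order.index("wins")):
        findings.append(f"name resolve order {order} relies on broadcast rather than WINS")
    url = re.search(r"ldap://([^/:\s]+)", g.get("passdb backend", ""))
    if url and url.group(1) not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"ldapsam backend on remote host {url.group(1)} via ldap://; confirm the bind is protected (ldaps:// or ldap ssl)")
    if as_bool(g.get("bind interfaces only", "no")):
        findings.append(f"info: listens only on {g.get('interfaces', '(unset)')!r}; routed client traffic must arrive on one of these")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_SMB_CONF), ("weak", WEAK_SMB_CONF)):
        print(f"== {name} ==")
        for finding in check_routed_logon(conf):
            print(" -", finding)
```

Run against the posted configuration the only non-informational finding is the script line without '=', which is worth knowing because Samba will never call that script; the weak contrast config produces the three WINS and LDAP findings. The per-client `log file = log.%m` setting in the posted config is useful for this kind of diagnosis, since the test workstation's failed join attempts land in their own log on the DC.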