Ian Scott
2007-Mar-23 15:34 UTC
[Samba] Domain Controller either fails to acquire or loses client machine identities after several hours
I am trying to use samba (version 3.0.24-4 on debian etch AMD64) as a primary domain controller and file server. When I try to set up the domain controller - it sometimes works. On occasion, I have been able to connect WinXP Pro machines and log in to the clients using domain accounts. However, the next morning after I had it working, I can no longer log into the machines. Windows refuses with an error message:

"Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance."

I have tried killing samba, destroying all the .tdb files, and rebuilding the domain from scratch. That worked once, but again the next morning I got the errors listed above. Now when I try to rebuild the samba server, I can supposedly add machines to the domain, but when I try to log on to them, I get the error above. I have not touched the samba settings between when it worked and when it didn't.

The following checks and attempts to fix the problem do not make any difference.

1. Restart samba
2. Remove the machine account from the server, and then re-add to the domain.
3. Changing the sign-or-seal registry setting on the client. patch
4. Checked that the clients are using the WINS service on the server.
5. The file-server still works. I can access the files, from a client machine, after giving it my explicit domain account details.
6. Checked with multiple clients (all WinXP Pro - we don't have anything else) with different hardware - one even on a virtual machine.
7. Checked with multiple user accounts.
8. I have tried a variety of example smb.conf files from the HowTo and various other web pages. All the settings described as important are in there.

    security = user
    domain master = yes
    preferred master = yes
    domain logons = yes

9. There are is firewall on the server, and just default
10. The file server aspect works fine, and I can see and use shares after giving a user name and password.

Additional info: There is another (WindowsXP ADC) on the same Ethernet segment. It is not possible at the moment to test separating them onto different network segments.

The relevant log entries from a failed login are

    [2007/03/23 09:21:32, 2] smbd/sesssetup.c:setup_new_vc_session(799)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2007/03/23 09:21:32, 2] smbd/sesssetup.c:setup_new_vc_session(799)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2007/03/23 09:21:32, 2] lib/access.c:check_access(323)
      Allowed connection from (130.XXX.XXX.43)
    [2007/03/23 09:21:32, 2] smbd/uid.c:change_to_user(186)
      change_to_user: SMB user (unix user nobody, vuid 101) not permitted access to share IPC$.
    [2007/03/23 09:21:32, 0] smbd/service.c:make_connection_snum(849)
      Can't become connected user!

I have checked the samba mailing lists - from where I got the above ideas. Additionally there seem to be quite a collection of similar problems for which no fix was ever presented, e.g.

http://lists.samba.org/archive/samba/2005-January/098829.html
http://lists.samba.org/archive/samba/2005-May/104872.html
http://lists.samba.org/archive/samba/2006-January/117154.html
http://lists.samba.org/archive/samba/2005-February/100725.html

Many thanks,
Ian.
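
Added example (not part of Ian's post and not Samba project code): a small triage script for the log format quoted above. It splits Samba 3.x debug output into records and extracts share-access denials and level-0 errors; the sample input is the excerpt from the post, and treating unix user "nobody" as the guest account assumes the smb.conf default for 'guest account'.

```python
import re

# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)")
# Message seen in the post when a session is refused access to a share.
DENIED = re.compile(
    r"SMB user (?P<smb>.*?)\s*\(unix user (?P<unix>[^,]+), vuid (?P<vuid>\d+)\) "
    r"not permitted access to share (?P<share>\S+?)\.?$")
GUEST_ACCOUNT = "nobody"  # assumption: smb.conf default for 'guest account'

# Log excerpt copied from the post above (address redacted by the poster).
SAMPLE = """\
[2007/03/23 09:21:32, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/23 09:21:32, 2] smbd/sesssetup.c:setup_new_vc_session(799)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/03/23 09:21:32, 2] lib/access.c:check_access(323)
  Allowed connection from (130.XXX.XXX.43)
[2007/03/23 09:21:32, 2] smbd/uid.c:change_to_user(186)
  change_to_user: SMB user (unix user nobody, vuid 101) not permitted access to share IPC$.
[2007/03/23 09:21:32, 0] smbd/service.c:make_connection_snum(849)
  Can't become connected user!
"""

def parse_records(text):
    """Split log text into records; handles wrapped or single-line entries."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        rec = h.groupdict()
        rec["level"] = int(rec["level"])
        rec["msg"] = " ".join(text[h.end():end].split())  # normalise whitespace
        records.append(rec)
    return records

def triage(text):
    """Return share denials (with the mapped unix user) and level-0 errors."""
    findings = []
    for rec in parse_records(text):
        m = DENIED.search(rec["msg"])
        if m:
            hit = {"ts": rec["ts"], "kind": "share_denied", **m.groupdict()}
            hit["guest"] = m["unix"] == GUEST_ACCOUNT
            findings.append(hit)
        elif rec["level"] == 0:
            findings.append({"ts": rec["ts"], "kind": "error", "msg": rec["msg"]})
    return findings
```

Calling triage(SAMPLE) returns two findings: the IPC$ denial for a session mapped to unix user nobody with an empty SMB user name, followed by the level-0 "Can't become connected user!" error.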