David M Noriega
2009-Jul-08 15:52 UTC
[Samba] Authentication requests being handled by PDC not local BDC
I have a PDC+LDAP as well as a BDC+LDAP in another subnet, set up with a domain member in the same subnet as the BDC. From my understanding the domain member should be hitting the BDC for all authentication, but watching the logs I see the PDC is the one handling it all. The BDC just sits there. Am I missing something?

Here are the smb.conf files for each server:

PDC:
[global]
        workgroup = X.X.X
        netbios name = Ross
        server string = PDC %v
        map to guest = Bad User
        encrypt passwords = yes
        passdb backend = ldapsam:ldap://ldap1.x.x.x
        enable privileges = yes
        log level = 2
        syslog = 0
        time server = Yes
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=32768 SO_SNDBUF=32768
        add user script = /usr/sbin/smbldap-useradd -m '%u'
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p '%g'
        delete group script = /usr/sbin/smbldap-group-del '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w '%u'
        logon path = \\%L\profiles\%U
        logon script = netlogin.bat
#       logon drive = M:
#       logon home = \\cajal.x.x.x\%U
        domain logons = Yes
        os level = 225
        domain master = Yes
        local master = Yes
        wins support = Yes
#       remote announce = x.x.x.255/X.X.X #bishop subnet
        ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=machines
        ldap passwd sync = Yes
        ldap suffix = dc=x,dc=x,dc=x
        ldap ssl = start tls
        ldap user suffix = ou=people
        create mask = 0640
        directory mask = 0750
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        interfaces = eth0 lo
        bind interfaces only = yes
        hosts deny = ALL
        hosts allow = xxx.xxx.0.0/255.255.0.0

BDC:
[Global]
        workgroup = X.X.X
        netbios name = BISHOP
        server string = BDC %v
        interfaces = eth0 lo
        bind interfaces only = yes
        hosts deny = ALL
        hosts allow = xxx.xxx.0.0/255.255.0.0
        passdb backend = ldapsam:ldap://ldap2.x.x.x
        domain master = no
        domain logons = yes
        ldap suffix = dc=x,dc=x,dc=x
        ldap user suffix = ou=people
        ldap group suffix = ou=group
        ldap machine suffix = ou=machines
        ldap admin dn = cn=manager,dc=x,dc=x,dc=x
        encrypt passwords = yes
        enable privileges = yes
        log level = 3
        syslog = 0
        domain master = no
        wins server = ross.x.x.x
        wins proxy = yes
        remote announce = xxx.xxx.xxx.255/X.X.X #Ross subnet
        remote browse sync = xxx.xxx.xxx.xxx #ross ip
        ntlm auth = yes
        lanman auth = yes
        ldap ssl = start tls
        local master = yes
        os level = 65
        preferred master = yes

Domain Member:
[Global]
        workgroup = X.X.X
        server string = CAJAL %v
        security = domain
        password server = *
        lanman auth = Yes
        encrypt passwords = yes
        enable privileges = yes
        loglevel = 2
        syslog = 0
        deadtime = 5
        os level = 8
        local master = No
        domain master = No
        remote announce = xxx.xxx.xxx.255/X.X.XXX
        interfaces = ce0 lo0
        bind interfaces only = yes
        hosts allow = xxx.xxx.0.0/255.255.0.0
        hosts deny = ALL

--
Personally, I liked the university. They gave us money and facilities, we didn't have to produce anything! You've never been out of college! You don't know what it's like out there! I've worked in the private sector. They expect results. -Ray Ghostbusters
David M Noriega
2009-Jul-09 16:15 UTC
[Samba] Re: Authentication requests being handled by PDC not local BDC
It seems leaving password server = * on the domain member causes it to fail after a while, as it fails to find any servers. Setting it explicitly to password server = BISHOP ROSS gets it working again, but it still only talks to the PDC (in a different subnet).

On Wed, Jul 8, 2009 at 10:53 AM, David M Noriega <davidmnoriega@gmail.com> wrote:
> [original message quoted in full; identical to the post above]

--
Personally, I liked the university. They gave us money and facilities, we didn't have to produce anything! You've never been out of college! You don't know what it's like out there! I've worked in the private sector. They expect results. -Ray Ghostbusters
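A small smb.conf linter, added here as an example and not part of the thread, that reads the [global] section the way Samba does (keys are case-insensitive, only whole-line # or ; comments are ignored) and flags the settings this thread turns on: the duplicated domain master key on the BDC, password server = * on the member, and lanman auth = yes on both, which lets clients authenticate with LM hashes. The sample configs are constructed, condensed from the BDC and member configs posted above.

```python
import re

# Constructed samples, condensed from the BDC and domain-member configs in the thread.
SAMPLE_BDC = """
[Global]
  netbios name = BISHOP
  domain master = no
  domain logons = yes
  domain master = no
  lanman auth = yes
"""
SAMPLE_MEMBER = """
[Global]
  security = domain
  password server = *
  lanman auth = Yes
"""

def parse_smbconf(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys in order.
    Section names and keys are lowercased; only whole lines starting with # or ; are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def lint(name, text):
    """Return [(severity, message)] findings for one server's [global] section."""
    findings, seen = [], {}
    for key, value in parse_smbconf(text).get("global", []):
        if key in seen:  # later occurrence wins in Samba; warn if the two values differ
            sev = "warn" if seen[key] != value.lower() else "info"
            findings.append((sev, f"{key} set twice ({seen[key]!r} then {value.lower()!r})"))
        seen[key] = value.lower()
    if seen.get("lanman auth") in ("yes", "true", "1"):
        findings.append(("high", "lanman auth = yes accepts LM (LanMan) password hashes"))
    if seen.get("password server") == "*":
        findings.append(("info", "password server = * relies on DC discovery, not a fixed list"))
    return [(sev, f"{name}: {msg}") for sev, msg in findings]
```

Run lint("BISHOP", SAMPLE_BDC) and lint("CAJAL", SAMPLE_MEMBER) to get the findings for each server; point parse_smbconf at a real /etc/samba/smb.conf to check a live host.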