I have the following setup:

PDC: Samba 3.0.37 on Solaris 10
BDC1: Samba 3.0.37 on Solaris 10
BDC2: Samba 3.4.3 on Solaris 10

Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.

BDC2 is a recent addition to the network.
All machines use LDAP as the backend for everything. They use winbind to handle a domain trust with another domain, but otherwise isn't needed.

If I start samba on BDC2 and logon to an XP (or Win 2003) Machine, the logon will be to BDC2. This can be verified with echo %logonserver%. Rebooting the XP machine is probably not necessary to see this.

If I login as the domain administrator, I am effectively not considered a member of the local administrator group. If I look at the local Administrator group I will see the DOMAIN/Administrators as members. But I am unable to install software, see all local files, add users to local groups etc.

"OS level" on all three DC's was not explicitly set, so was 20 by default. I changed BDC2 to "os level=0" and set the PDC to "os level=33." I did not restart samba on PDC. It seems to be a browsing issue.

I still logon to BDC2.

So I have two issues:

1- How to make sure that the PDC (or PDC and BDC1) are used in preference to BDC2. I assume that something about BDC2 having a newer ver of samba is getting it priority.

2. What is wrong with the domain members in local users group. This may be a BDC config in general issue (and I just never found it because BDC1 never took precedence over PDC) or it may be something to do with Samba 3.4.x vs 3.0.x.

Thanks

Setting "announce version = 4.5" in smb.conf on BDC2 did not change anything. (The other samba domain still use 4.9 as the default version.) Windows clients will still connect to BDC2 (if it is running.)

On each DC, net getdomainsid and getlocalsid show that the local sid on each machine is the domain sid.

BDC2# net getdomainsid
SID for local machine BDC2 is: S-1-5-21-xxx-xxx-x99
SID for domain DOMAIN is: S-1-5-21-xxx-xxx-x99

BDC2# net getlocalsid
SID for domain BDC is-xxx-xxx-x99
BDC2#

Pdbedit -Lv, wbinfo -u and wbinfo -g all seem to give the same results

Also

BDC# wbinfo -t
checking the trust secret via RPC calls succeeded

Thanks

-----Original Message-----
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Friday, November 13, 2009 12:48 PM
To: samba at lists.samba.org
Subject: DC priority, BDC prob with domain groups

I have the following setup:

PDC: Samba 3.0.37 on Solaris 10
BDC1: Samba 3.0.37 on Solaris 10
BDC2: Samba 3.4.3 on Solaris 10

Samba 3.0.37 is the bundled version of Samba.
Samba 3.4.3 is compiled from source.

BDC2 is a recent addition to the network.
All machines use LDAP as the backend for everything. They use winbind to handle a domain trust with another domain, but otherwise isn't needed.

If I start samba on BDC2 and logon to an XP (or Win 2003) Machine, the logon will be to BDC2. This can be verified with echo %logonserver%. Rebooting the XP machine is probably not necessary to see this.

If I login as the domain administrator, I am effectively not considered a member of the local administrator group. If I look at the local Administrator group I will see the DOMAIN/Administrators as members. But I am unable to install software, see all local files, add users to local groups etc.

"OS level" on all three DC's was not explicitly set, so was 20 by default. I changed BDC2 to "os level=0" and set the PDC to "os level=33." I did not restart samba on PDC. It seems to be a browsing issue.

I still logon to BDC2.

So I have two issues:

1- How to make sure that the PDC (or PDC and BDC1) are used in preference to BDC2. I assume that something about BDC2 having a newer ver of samba is getting it priority.

2. What is wrong with the domain members in local users group. This may be a BDC config in general issue (and I just never found it because BDC1 never took precedence over PDC) or it may be something to do with Samba 3.4.x vs 3.0.x.

Thanks

There was an incorrect entry in smb.conf on BDC1 which meant it was not registering in WINS as a bdc. According to the Samba How To documentation, all other things being equal, Windows clients will use a bdc rather than a pdc.

Now when I logon, I may get any of the three domain controllers. When I get BDC1 (Samba 3.0.37) I don't seem to have problems.

So my following problems remain:

Can I adjust some variable so that one DC is more likely to be used by windows clients than another?

Why does Samba 3.4.3 not seem to handle domain groups as members of local groups?

If I connect from XP Pro client GATES

[2009/11/16 17:34:46, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[GATES] with the new password interface
[2009/11/16 17:34:46, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[]@[GATES]
...

It also looks like I may not get the same logon server each time I logon- so I guess my PC could have authenticated against one DC, and I could authenticate against another.

Thanks

On 11/13/09 19:04, Gaiseric Vandal wrote:
> Setting "announce version = 4.5" in smb.conf on BDC2 did not change
> anything. (The other samba domain still use 4.9 as the default version.)
> Windows clients will still connect to BDC2 (if it is running.) On each
> DC, net getdomainsid and getlocalsid show that the local sid on each
> machine is the domain sid.
>
> BDC2# net getdomainsid
> SID for local machine BDC2 is: S-1-5-21-xxx-xxx-x99
> SID for domain DOMAIN is: S-1-5-21-xxx-xxx-x99
>
> BDC2# net getlocalsid
> SID for domain BDC is-xxx-xxx-x99
> BDC2#
>
> Pdbedit -Lv, wbinfo -u and wbinfo -g all seem to give the same results
>
> Also
>
> BDC# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> Thanks
>
> -----Original Message-----
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Friday, November 13, 2009 12:48 PM
> To: samba at lists.samba.org
> Subject: DC priority, BDC prob with domain groups
>
> I have the following setup:
> PDC: Samba 3.0.37 on Solaris 10
> BDC1: Samba 3.0.37 on Solaris 10
> BDC2: Samba 3.4.3 on Solaris 10
>
> Samba 3.0.37 is the bundled version of Samba.
> Samba 3.4.3 is compiled from source.
>
> BDC2 is a recent addition to the network.
> All machines use LDAP as the backend for everything. They use winbind to
> handle a domain trust with another domain, but otherwise isn't needed.
>
> If I start samba on BDC2 and logon to an XP (or Win 2003) Machine, the
> logon will be to BDC2. This can be verified with echo
> %logonserver%. Rebooting the XP machine is probably not necessary to
> see this.
>
> If I login as the domain administrator, I am effectively not considered
> a member of the local administrator group. If I look at the local
> Administrator group I will see the DOMAIN/Administrators as members.
> But I am unable to install software, see all local files, add users to
> local groups etc.
>
> "OS level" on all three DC's was not explicitly set, so was 20 by
> default. I changed BDC2 to "os level=0" and set the PDC to "os
> level=33." I did not restart samba on PDC. It seems to be a browsing
> issue.
>
> I still logon to BDC2.
>
> So I have two issues:
>
> 1- How to make sure that the PDC (or PDC and BDC1) are used in
> preference to BDC2. I assume that something about BDC2 having a newer
> ver of samba is getting it priority.
>
> 2. What is wrong with the domain members in local users group. This
> may be a BDC config in general issue (and I just never found it because
> BDC1 never took precedence over PDC) or it may be something to do with
> Samba 3.4.x vs 3.0.x.
>
> Thanks