Hello

I have a network setup with one Samba PDC and two Samba BDCs separated by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In this test environment the Samba servers all use the master OpenLDAP server on the PDC, but the production system will have OpenLDAP servers (using master-slave replication) on all Samba servers.

I can't get the Windows XP client to change a password or enroll on the domain when connected to either of the BDCs' networks; however, both functions work fine when connected directly to the PDC's network. If the XP client is enrolled onto the domain while connected to the PDC's network then it successfully authenticates against the domain on all three networks, including after being relocated to either BDC network.

Anyone got any ideas what my problem might be?

-- Mike Fabre
On 02/04/2010 05:21 PM, Mike Fabre wrote:
> Hello
>
> I have a network setup with one Samba PDC and two Samba BDCs separated by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In this test environment the Samba servers all use the master OpenLDAP server on the PDC, but the production system will have OpenLDAP servers (using master-slave replication) on all Samba servers.
>
> I can't get the Windows XP client to change a password or enroll on the domain when connected to either of the BDCs' networks; however, both functions work fine when connected directly to the PDC's network. If the XP client is enrolled onto the domain while connected to the PDC's network then it successfully authenticates against the domain on all three networks, including after being relocated to either BDC network.
>
> Anyone got any ideas what my problem might be?

Mike,

In your smb.conf files do you have "interface only = yes"? If so, remove it and it should work. Check Samba bugzilla - there is a bug report about this.

- John T.
On Thu, Feb 04, 2010 at 05:34:41PM -0600, John H Terpstra wrote:
> On 02/04/2010 05:21 PM, Mike Fabre wrote:
> > Hello
> >
> > I have a network setup with one Samba PDC and two Samba BDCs separated by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In this test environment the Samba servers all use the master OpenLDAP server on the PDC, but the production system will have OpenLDAP servers (using master-slave replication) on all Samba servers.
> >
> > I can't get the Windows XP client to change a password or enroll on the domain when connected to either of the BDCs' networks; however, both functions work fine when connected directly to the PDC's network. If the XP client is enrolled onto the domain while connected to the PDC's network then it successfully authenticates against the domain on all three networks, including after being relocated to either BDC network.
> >
> > Anyone got any ideas what my problem might be?
>
> In your smb.conf files do you have "interface only = yes"? If so,
> remove it and it should work. Check Samba bugzilla - there is a bug
> report about this.

I don't have that option set in any of the config files, so I tried adding 'interface only = no' on all three, then ran testparm and it said 'Ignoring unknown parameter "interface only"'. Is this the bug you are talking about:

https://bugzilla.samba.org/show_bug.cgi?id=6970

That bug mentions the 'bind interfaces only' and 'interfaces' options, which I also don't have in any of my config files, and when I added them and ran testparm it didn't give me an error, but the config it gave back didn't have either of those options in it.

-- Mike Fabre
On Thu, Feb 04, 2010 at 06:21:41PM -0600, John H Terpstra wrote:
> On 02/04/2010 06:19 PM, Mike Fabre wrote:
> > On Thu, Feb 04, 2010 at 06:10:14PM -0600, John H Terpstra wrote:
> >> On 02/04/2010 06:05 PM, Mike Fabre wrote:
> >>> On Thu, Feb 04, 2010 at 05:34:41PM -0600, John H Terpstra wrote:
> >>>> On 02/04/2010 05:21 PM, Mike Fabre wrote:
> >>>>> Hello
> >>>>>
> >>>>> I have a network setup with one Samba PDC and two Samba BDCs separated by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In this test environment the Samba servers all use the master OpenLDAP server on the PDC, but the production system will have OpenLDAP servers (using master-slave replication) on all Samba servers.
> >>>>>
> >>>>> I can't get the Windows XP client to change a password or enroll on the domain when connected to either of the BDCs' networks; however, both functions work fine when connected directly to the PDC's network. If the XP client is enrolled onto the domain while connected to the PDC's network then it successfully authenticates against the domain on all three networks, including after being relocated to either BDC network.
> >>>>>
> >>>>> Anyone got any ideas what my problem might be?
> >>>>
> >>>> In your smb.conf files do you have "interface only = yes"? If so,
> >>>> remove it and it should work. Check Samba bugzilla - there is a bug
> >>>> report about this.
> >>>
> >>> I don't have that option set in any of the config files, so I tried adding 'interface only = no' on all three, then ran testparm and it said 'Ignoring unknown parameter "interface only"'. Is this the bug you are talking about:
> >>>
> >>> https://bugzilla.samba.org/show_bug.cgi?id=6970
> >>>
> >>> That bug mentions the 'bind interfaces only' and 'interfaces' options, which I also don't have in any of my config files, and when I added them and ran testparm it didn't give me an error, but the config it gave back didn't have either of those options in it.
> >>
> >> You are correct, the parameter is "bind interfaces only = No". See:
> >> https://bugzilla.samba.org/show_bug.cgi?id=6348
> >
> > OK, well I still don't have that in any of my config files; running 'grep -i inter /etc/samba/smb.conf' on all three machines doesn't give me any output.
>
> To see all the Samba configuration parameters simply execute:
>
>     testparm -sv | less
>
> To find the interface settings:
>
>     testparm -sv | grep interface

Thanks for that. It doesn't look like I should be affected by that bug; here is the output I get:

    # testparm -sv | grep interface
    Load smb config files from /etc/samba/smb.conf
    Processing section "[homes]"
    Processing section "[netlogon]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
            interfaces =
            bind interfaces only = No

It is the same on all three machines except that the server role on the BDCs is ROLE_DOMAIN_BDC instead of ROLE_DOMAIN_PDC, which it is on the PDC.

-- Mike Fabre
On Fri, 2010-02-05 at 10:21 +1100, Mike Fabre wrote:
> Hello
>
> I have a network setup with one Samba PDC and two Samba BDCs separated
> by routers (ref http://www.cybersource.com.au/users/mikef/samba/). In
> this test environment the Samba servers all use the master OpenLDAP
> server on the PDC, but the production system will have OpenLDAP
> servers (using master-slave replication) on all Samba servers.
>
> I can't get the Windows XP client to change a password or enroll on
> the domain when connected to either of the BDCs' networks; however,
> both functions work fine when connected directly to the PDC's network.
> If the XP client is enrolled onto the domain while connected to the
> PDC's network then it successfully authenticates against the domain on
> all three networks, including after being relocated to either BDC network.
>
> Anyone got any ideas what my problem might be?

What you need to do is either install a central WINS server, and point the various networks at that single server, or (my preference) abuse the separation of 'netbios name space' that your router has created, and make all the Samba DCs PDCs of their own networks. That way, they will all be contacted for password changes, because on each of their local networks, they hold the DOMAIN#1B name. (They need not be read-write OpenLDAP replicas, as Samba happily handles the referral to the master for writes.)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
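As an added check that is not part of the thread, the POSIX sh script below applies Andrew's reasoning to a DC's `testparm -sv` output read from stdin: it reports whether clients on that DC's own subnet will find a DOMAIN<1B> holder (the DC is domain master itself, or a WINS server is configured to resolve the name across the router), and flags the bind interfaces only / interfaces combination John asked about. The sample output is constructed from the lines Mike pasted; the `domain master`, `wins support` and `wins server` values in it are assumptions, as are the helper names `tp_get` and `dc_verdict`.

```shell
# Constructed sample of `testparm -sv` output for one BDC, modelled on the
# lines Mike pasted; the domain master / wins values are assumed, not from
# the thread.
SAMPLE_BDC='Load smb config files from /etc/samba/smb.conf
Server role: ROLE_DOMAIN_BDC
	interfaces =
	bind interfaces only = No
	domain master = No
	wins support = No
	wins server ='

# Print the value of one smb.conf parameter from testparm output on stdin
# (empty string when the parameter is unset or has no value).
tp_get() { sed -n "s/^[[:space:]]*$1 =[[:space:]]*//p" | head -n 1; }

# Read testparm -sv output on stdin and report whether this DC can serve
# password changes for clients on its own subnet. Returns 0 when clients
# will find a <1B> holder (this DC claims DOMAIN<1B> as domain master, or a
# WINS server is configured to resolve it across the router), 1 otherwise.
dc_verdict() {
    out=$(cat)
    role=$(printf '%s\n' "$out" | sed -n 's/^Server role: //p' | head -n 1)
    dm=$(printf '%s\n' "$out" | tp_get 'domain master')
    ws=$(printf '%s\n' "$out" | tp_get 'wins server')
    bio=$(printf '%s\n' "$out" | tp_get 'bind interfaces only')
    iflist=$(printf '%s\n' "$out" | tp_get 'interfaces')

    # The interface setting John asked about: binding only to an empty list.
    if [ "$bio" = "Yes" ] && [ -z "$iflist" ]; then
        echo "warning: bind interfaces only = Yes with an empty interfaces list"
    fi

    case "$role:$dm" in
        ROLE_DOMAIN_PDC:*|*:Yes)
            echo "ok: $role claims DOMAIN<1B> on its own subnet"
            return 0 ;;
    esac
    if [ -n "$ws" ]; then
        echo "ok: $role relies on WINS server $ws to locate the <1B> holder"
        return 0
    fi
    echo "problem: $role neither claims <1B> nor points at a WINS server"
    return 1
}

# Demo: the BDC as pasted, then the same config promoted to PDC of its subnet.
printf '%s\n' "$SAMPLE_BDC" | dc_verdict || true
printf '%s\n' "$SAMPLE_BDC" | sed 's/^Server role: .*/Server role: ROLE_DOMAIN_PDC/' | dc_verdict
```

Run it on a real DC with `testparm -sv 2>/dev/null | dc_verdict` after sourcing the script; a non-zero exit marks a DC whose subnet has no route to the password-change target.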