network B, I can see the TCP session established, the challenge and
response negotiation, the Tree Connect AndX Request and Response, the
LANMAN server enumeration exchange, and orderly shutdown.
When using the same client to browse the Samba domain on network C, I can
see the TCP session established, the challenge and response negotiation,
the Tree Connect AndX Request and Response, but then the client shuts down
the session without trying to enumerate the LANMAN servers. This cycle
repeats 4 times for every failed browse attempt indicating that the client
believes it should be able to get an answer from the server.
Both responses show STATUS_SUCCESS in the SMB message. The only potential
difference that I can see between them is that the Samba response shows
"Security signatures are not supported" in the reply message. Perhaps
this
is preventing the client from following up with the LANMAN request to
enumerate the servers? Also I have long since set the registry options
needed for signatures, and this same configuration was working before the
upgrade. Did something about this change recently?
> Do you have "smb ports" defined in smb.conf?
I don't have it defined and am using the defaults. It does not seem to be
causing any problems.
> wiki.samba.org should have the registry settings required to let Windows
> 7 machines join on a Samba domain.
I have already made those changes and like I said I am able to join the
Win7 client to the domain and can view \\SERVER shares, but cannot browse
the domain or login to the server.
> I would concentrate on the XP machines first since they don't need the
> registry changes.
Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and R2),
and Windows 7, but am focusing on XP/SP3.
> Also, make sure that you do have correct group mappings for the key well
> know windows groups (including Administrators, Domain Admins, Users)
> # net groupmap list
[ 12:39:47 -- bulldog:/root/ ]
[ root# ] net groupmap list
Domain Admins (S-1-5-21-[...]-512) -> Domain Admins
Domain Users (S-1-5-21-[...]-513) -> Domain Users
Domain Guests (S-1-5-21-[...]-514) -> Domain Guests
Domain Computers (S-1-5-21-[...]-515) -> Domain Computers
Local Admins (S-1-5-32-544) -> Local Admins
Local Users (S-1-5-32-545) -> users
Local Guests (S-1-5-32-546) -> nobody
For a while I thought it might be related to guest/nobody mapping but I
have exhausted all of the permutations there. I have tried smbusers
mapping, putting guest into LDAP, etc., and none of it seems to make much
any difference in the logs or with the problem at hand.
> Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?) may
> help you determine which domain controller and master browser the client
> is using.
nbtstat is able to display remote data but it does not use the SMB/LANMAN
enumeration over IPC$ which is where the problem seems to lie.
Local utilities on the Samba server also seem to express normally although
I am happy to try specific things if somebody will name them.
I am able to use USRMGR.EXE to connect to the server and view/modify user
accounts successfully.
I have not looked at the others yet.
Thanks for the help
> On 10/19/2010 02:02 AM, Eric A. Hall wrote:
>> I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
>> tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
>> the entries and *.tdb files, and started from scratch.
>>
>> Problem in a nutshell: I can't browse the domain normally, nor can
I logon
>> to the domain. However I can access the server shares fine if I point
to
>> the server specifically. SOMETIMES this will then cause browsing to
>> succeed as well.
>>
>> Normally I can see the domain in network neighborhood but if I click on
I
>> get the "domain is not accessible error". From a command
prompt "net view
>> /domain:DOMAIN" also typically produces an error 59. However if I
"net
>> view \\SERVER" then that works fine, and THEN I am sometimes able
to
>> successfully view the domain (about half the time sometimes more).
>>
>> I am able to successfully join machines to the domain (they show up in
>> LDAP) but am unable to login to the domain from any of them. On XP/SP3
>> boxes the error is "the system cannot log you on now because the
domain
>> DOMAIN is not available", while Windows 7 says "there are
currently no
>> logon servers available to service the logon request"
>>
>> I have looked at the smb/nmb/winbind logs at level 3 and near as I can
>> tell everything is operating correctly although something seems to be
>> crashing a lot--there are many entries about brl and lock database
after
>> unclean shutdown.
>>
>> I don't know SMB protocol very well but from watching some
wireshark
>> traces and reading the corresponding logs it looks like the nodes are
>> negotiating IPC$ connection but not getting data. Client asks for copy
4,
>> server offers copy 1, client negotiates TCP/IP session then closes, and
>> everything starts over again. Perhaps once they authenticate (enough to
>> view \\SERVER shares) the negotiation is reused and this is what works?
>>
>> Are there security permissions on IPC$ that need to be set?
>>
>> Where should I be looking and what should I be looking for?
>>
>> Thanks
>>
>>
>
--
Eric A. Hall http://www.eric-a-hall.com/
Network Technology Research Group http://www.ntrg.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/