Eric A. Hall
2010-Oct-19 06:02 UTC
[Samba] problems with login and browsing on 3.5.4 LDAP PDC
I was running 3.0.25c (I think) LDAP PDC for a couple of years and just tried swapping in a new 3.5.4 setup. I had some problems so I wiped all the entries and *.tdb files, and started from scratch.

Problem in a nutshell: I can't browse the domain normally, nor can I logon to the domain. However I can access the server shares fine if I point to the server specifically. SOMETIMES this will then cause browsing to succeed as well.

Normally I can see the domain in network neighborhood but if I click on it I get the "domain is not accessible" error. From a command prompt "net view /domain:DOMAIN" also typically produces an error 59. However if I "net view \\SERVER" then that works fine, and THEN I am sometimes able to successfully view the domain (about half the time, sometimes more).

I am able to successfully join machines to the domain (they show up in LDAP) but am unable to login to the domain from any of them. On XP/SP3 boxes the error is "the system cannot log you on now because the domain DOMAIN is not available", while Windows 7 says "there are currently no logon servers available to service the logon request".

I have looked at the smb/nmb/winbind logs at level 3 and near as I can tell everything is operating correctly, although something seems to be crashing a lot--there are many entries about brl and lock database after unclean shutdown.

I don't know SMB protocol very well but from watching some wireshark traces and reading the corresponding logs it looks like the nodes are negotiating IPC$ connection but not getting data. Client asks for copy 4, server offers copy 1, client negotiates TCP/IP session then closes, and everything starts over again. Perhaps once they authenticate (enough to view \\SERVER shares) the negotiation is reused and this is what works?

Are there security permissions on IPC$ that need to be set?

Where should I be looking and what should I be looking for?

Thanks

--
Eric A. Hall http://www.eric-a-hall.com/
Network Technology Research Group http://www.ntrg.com/
Internet Core Protocols http://www.oreilly.com/catalog/coreprot/
Gaiseric Vandal
2010-Oct-19 13:47 UTC
[Samba] problems with login and browsing on 3.5.4 LDAP PDC
Is your samba server also a WINS server? That may help browsing issues.

Do you have "smb ports" defined in smb.conf? The default is

smb ports = 445 139

I found if I set smb ports = 139 some clients would have trouble locating shares or authenticating to servers.

wiki.samba.org should have the registry settings required to let Windows 7 machines join a Samba domain.

Also, make sure that you do have correct group mappings for the key well known windows groups (including Administrators, Domain Admins, Users):

# net groupmap list

I would concentrate on the XP machines first since they don't need the registry changes.

Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?) may help you determine which domain controller and master browser the client is using.

On 10/19/2010 02:02 AM, Eric A. Hall wrote:
> I was running 3.0.25c (I think) LDAP PDC for a couple of years and just tried swapping in a new 3.5.4 setup. I had some problems so I wiped all the entries and *.tdb files, and started from scratch.
>
> Problem in a nutshell: I can't browse the domain normally, nor can I logon to the domain. However I can access the server shares fine if I point to the server specifically. SOMETIMES this will then cause browsing to succeed as well.
>
> Normally I can see the domain in network neighborhood but if I click on it I get the "domain is not accessible" error. From a command prompt "net view /domain:DOMAIN" also typically produces an error 59. However if I "net view \\SERVER" then that works fine, and THEN I am sometimes able to successfully view the domain (about half the time, sometimes more).
>
> I am able to successfully join machines to the domain (they show up in LDAP) but am unable to login to the domain from any of them. On XP/SP3 boxes the error is "the system cannot log you on now because the domain DOMAIN is not available", while Windows 7 says "there are currently no logon servers available to service the logon request".
>
> I have looked at the smb/nmb/winbind logs at level 3 and near as I can tell everything is operating correctly, although something seems to be crashing a lot--there are many entries about brl and lock database after unclean shutdown.
>
> I don't know SMB protocol very well but from watching some wireshark traces and reading the corresponding logs it looks like the nodes are negotiating IPC$ connection but not getting data. Client asks for copy 4, server offers copy 1, client negotiates TCP/IP session then closes, and everything starts over again. Perhaps once they authenticate (enough to view \\SERVER shares) the negotiation is reused and this is what works?
>
> Are there security permissions on IPC$ that need to be set?
>
> Where should I be looking and what should I be looking for?
>
> Thanks
>
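As an added illustration of the group-mapping check suggested in the reply (this is not code from the thread or from Samba): a small shell function that reads `net groupmap list` output and reports which of the well-known groups named above have no mapping. The sample output it parses is constructed here; on a real PDC you would pipe the live command into it. The smb.conf lines in the leading comment restate the two settings the reply discusses.

```shell
# Settings the reply discusses (real smb.conf parameters):
#   smb ports = 445 139     # the default; limiting it to 139 broke some clients
#   wins support = yes      # make the PDC the WINS server to help browsing

# Constructed sample of `net groupmap list` output, format "Name (SID) -> unixgroup".
# The SID here is a placeholder; a real domain SID differs. Note that the
# Administrators alias (S-1-5-32-544) is deliberately absent from this sample.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers
Users (S-1-5-32-545) -> users'

# check_groupmap: reads groupmap output on stdin, prints one line per missing
# well-known group, and returns 1 if anything is missing (0 when all present).
# Usage on a live server:  net groupmap list | check_groupmap
check_groupmap() {
    input=$(cat)
    missing=0
    for g in "Administrators" "Domain Admins" "Domain Users" "Users"; do
        # A mapping line starts with the group name followed by " (SID)".
        if ! printf '%s\n' "$input" | grep -q "^$g ("; then
            echo "missing group mapping: $g"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_GROUPMAP" | check_groupmap || echo "groupmap check failed (see above)"
```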