Maybe I missed it - but do you have problems if the client and server are on the same network segment?

Are all the local WINS servers samba servers or something else?

On 10/19/2010 12:45 PM, Eric A. Hall wrote:
On 10/19/2010 9:47 AM, Gaiseric Vandal wrote:
Is your samba server also a WINS server?  That may help browsing issues.
The nodes don't have any problems finding or communicating with the
server, the server just does not want to provide data. I have three
distinct networks that are interconnected by routers. Each segment has a
local DHCP/DNS/WINS/etc server that assigns H-Node WINS options to the
local clients, and in addition the broadcasts on 137/138 are also
forwarded from each segment to the WINS servers on the other segments.
What this means is clients try to resolve a name by asking the local
server, then will broadcast a query which is forwarded to the other
servers, which they answer. If a TCP session is required (such as fetching
a browse list via port 139) then that also happens as expected, once the
client knows the server to contact. This works for local and remote nodes.

From a client on network A that is trying to browse Windows 2003 domain on
network B, I can see the TCP session established, the challenge and
response negotiation, the Tree Connect AndX Request and Response, the
LANMAN server enumeration exchange, and orderly shutdown.

When using the same client to browse the Samba domain on network C, I can
see the TCP session established, the challenge and response negotiation,
the Tree Connect AndX Request and Response, but then the client shuts down
the session without trying to enumerate the LANMAN servers. This cycle
repeats 4 times for every failed browse attempt indicating that the client
believes it should be able to get an answer from the server.

Both responses show STATUS_SUCCESS in the SMB message. The only potential
difference that I can see between them is that the Samba response shows
"Security signatures are not supported" in the reply message. Perhaps this
is preventing the client from following up with the LANMAN request to
enumerate the servers? Also I have long since set the registry options
needed for signatures, and this same configuration was working before the
upgrade. Did something about this change recently?

Do you have "smb ports" defined in smb.conf?

I don't have it defined and am using the defaults. It does not seem to be
causing any problems.

should have the registry settings required to let Windows
7 machines join on a Samba domain.

I have already made those changes and like I said I am able to join the
Win7 client to the domain and can view \\SERVER shares, but cannot browse
the domain or login to the server.

I would concentrate on the XP machines first since they don't need the
registry changes.
Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and R2),
and Windows 7, but am focusing on XP/SP3.

Also, make sure that you do have correct group mappings for the key
well-known Windows groups (including Administrators, Domain Admins, Users)
      # net groupmap list
[ 12:39:47 -- bulldog:/root/ ]
[ root# ] net groupmap list
Domain Admins (S-1-5-21-[...]-512) ->  Domain Admins
Domain Users (S-1-5-21-[...]-513) ->  Domain Users
Domain Guests (S-1-5-21-[...]-514) ->  Domain Guests
Domain Computers (S-1-5-21-[...]-515) ->  Domain Computers
Local Admins (S-1-5-32-544) ->  Local Admins
Local Users (S-1-5-32-545) ->  users
Local Guests (S-1-5-32-546) ->  nobody

For a while I thought it might be related to guest/nobody mapping but I
have exhausted all of the permutations there. I have tried smbusers
mapping, putting guest into LDAP, etc., and none of it seems to make much,
if any, difference in the logs or with the problem at hand.

Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?)  may
help you determine which domain controller and master browser the client
is using.
nbtstat is able to display remote data but it does not use the SMB/LANMAN
enumeration over IPC$ which is where the problem seems to lie.

Local utilities on the Samba server also seem to express normally although
I am happy to try specific things if somebody will name them.

I am able to use USRMGR.EXE to connect to the server and view/modify user
accounts successfully.

I have not looked at the others yet.

Thanks for the help

On 10/19/2010 02:02 AM, Eric A. Hall wrote:
I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
the entries and *.tdb files, and started from scratch.

Problem in a nutshell: I can't browse the domain normally, nor can I logon
to the domain. However I can access the server shares fine if I point to
the server specifically. SOMETIMES this will then cause browsing to
succeed as well.

Normally I can see the domain in network neighborhood but if I click on it I
get the "domain is not accessible error". From a command prompt "net view
/domain:DOMAIN" also typically produces an error 59. However if I "net
view \\SERVER" then that works fine, and THEN I am sometimes able to
successfully view the domain (about half the time sometimes more).

I am able to successfully join machines to the domain (they show up in
LDAP) but am unable to login to the domain from any of them. On XP/SP3
boxes the error is "the system cannot log you on now because the domain
DOMAIN is not available", while Windows 7 says "there are currently no
logon servers available to service the logon request"

I have looked at the smb/nmb/winbind logs at level 3 and near as I can
tell everything is operating correctly although something seems to be
crashing a lot--there are many entries about brl and lock database after
unclean shutdown.

I don't know SMB protocol very well but from watching some wireshark
traces and reading the corresponding logs it looks like the nodes are
negotiating IPC$ connection but not getting data. Client asks for copy 4,
server offers copy 1, client negotiates TCP/IP session then closes, and
everything starts over again. Perhaps once they authenticate (enough to
view \\SERVER shares) the negotiation is reused and this is what works?

Are there security permissions on IPC$ that need to be set?

Where should I be looking and what should I be looking for?
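
The group-mapping check suggested in the thread, as an added example that is not part of the original messages: it parses `net groupmap list` output in the format shown above and reports well-known groups (domain RIDs 512-514, BUILTIN 544-546) that have no Unix group. The function names and the sample SIDs are constructed for illustration.

```python
import re

# Well-known RIDs/SIDs that should each map to a Unix group.
DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
BUILTIN_SIDS = {"S-1-5-32-544": "Administrators",
                "S-1-5-32-545": "Users",
                "S-1-5-32-546": "Guests"}

# Matches lines of the form: NT name (SID) -> unix group
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[^)]+)\)\s*->\s*(?P<unix>.*)$")

# Constructed sample: the domain SID is a placeholder, the Domain Guests
# mapping is deliberately absent and the BUILTIN Guests mapping is empty.
SAMPLE = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> Domain Users
Local Admins (S-1-5-32-544) -> Local Admins
Local Users (S-1-5-32-545) -> users
Local Guests (S-1-5-32-546) ->
"""

def parse_groupmap(text):
    """Return {sid: (nt_name, unix_group)}; non-matching lines are skipped."""
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mappings[m["sid"]] = (m["nt"], m["unix"].strip())
    return mappings

def missing_well_known(mappings):
    """List well-known groups that have no mapping or an empty Unix side."""
    by_rid = {}
    for sid, (_, unix) in mappings.items():
        rid = sid.rsplit("-", 1)[1]
        if sid.startswith("S-1-5-21-") and rid.isdigit():
            by_rid[int(rid)] = unix
    problems = [f"{name} (RID {rid})"
                for rid, name in DOMAIN_RIDS.items() if not by_rid.get(rid)]
    problems += [f"BUILTIN\\{name} ({sid})"
                 for sid, name in BUILTIN_SIDS.items()
                 if not mappings.get(sid, ("", ""))[1]]
    return problems

if __name__ == "__main__":
    for problem in missing_well_known(parse_groupmap(SAMPLE)):
        print("unmapped:", problem)
```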

