Hi Scott,

Good to see 64-bit. I would suggest doing something like this, as follows:

Log on to a BDC that is currently accepting domain logons and is replicating the database from the PDC.

as root > slapcat -v -l ldif-transfer.txt   # dump the database
root > scp ldif-transfer.txt [EMAIL PROTECTED]:/dir
root > net getlocalsid > sidtransfer.txt   # vi and check the file for the SID number
root > scp sidtransfer.txt [EMAIL PROTECTED]:/dir



Log on to the RHEL4 BDC as root

root > cd /dir   # you should see ldif-transfer.txt & sidtransfer.txt
root > service ldap stop
root > cd /var/lib/ldap
root > rm -rf *   # be sure you are in the right dir, "/var/lib/ldap"
root > cd /dir
root > slapadd -v -l ldif-transfer.txt

root > chown -R ldap.ldap /var/lib/ldap
root > service ldap start

root > smbpasswd -w secretpassword
root > net rpc getsid
root > net rpc join

At this stage, restart Samba and LDAP on the RHEL4 BDC and do a

root > net getlocalsid   # check that it matches your SID from /dir/sidtransfer.txt; if not, cat sidtransfer.txt and run "net setlocalsid S-1-5-21-3018044689..."

Test again and let us know; make sure user names are being replicated from the PDC to all BDCs.

Cheers,
Adrian Sender
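As an added example (not code from Adrian's reply, Scott's post, or the Samba project): a small POSIX shell script that performs the check in the last step above, i.e. that the SID the new BDC reports via "net getlocalsid" equals the domain SID recorded in the LDIF dump taken from the working BDC. The mismatch it detects is the situation Scott describes below, where the box treats itself as APPDEVEL-BIS rather than AEI. It assumes "net getlocalsid" prints a line of the form "SID for domain NAME is: S-1-5-21-...", that the slapcat dump contains a sambaDomain entry carrying sambaDomainName and sambaSID, and that those two attributes are not split across LDIF continuation lines; the domain name AEI, the sample LDIF and the sample command outputs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies that the SID a BDC reports
# via "net getlocalsid" equals the domain SID stored in the sambaDomain entry of
# the LDIF dump taken from the working BDC. If they differ, domain logons fail
# the way Scott describes, and "net setlocalsid <SID>" is the fix Adrian gives.
# Assumptions: "net getlocalsid" prints "SID for domain NAME is: S-1-5-21-...",
# the LDIF has a sambaDomain entry with sambaDomainName and sambaSID, and LDIF
# continuation lines (leading space) are not used for those two attributes.

# Read "net getlocalsid" output on stdin and print just the SID.
extract_local_sid() {
    sed -n 's/^SID for domain .* is: \(S-1-5-21-[0-9-]*\).*$/\1/p' | head -n 1
}

# Read an LDIF dump on stdin and print the sambaSID of the sambaDomain entry
# whose sambaDomainName equals $1. Entries are blank-line separated, so awk's
# paragraph mode (RS="") sees one entry per record and one attribute per field.
ldif_domain_sid() {
    awk -v dom="$1" 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; sid = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sambaDomainName: /) name = substr($i, 18)
            else if ($i ~ /^sambaSID: /)   sid  = substr($i, 11)
        }
        if (name == dom && sid != "") { print sid; exit }
    }'
}

# sid_matches LOCALSID_OUTPUT DOMAIN LDIF_TEXT
# Exit status 0 when the BDC's local SID equals the domain SID from the dump.
sid_matches() {
    local_sid=$(printf '%s\n' "$1" | extract_local_sid)
    domain_sid=$(printf '%s\n' "$3" | ldif_domain_sid "$2")
    [ -n "$local_sid" ] && [ "$local_sid" = "$domain_sid" ]
}

# Constructed sample data: a minimal slapcat dump and two getlocalsid outputs.
SAMPLE_LDIF='dn: sambaDomainName=AEI,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: AEI
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaAlgorithmicRidBase: 1000

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1004
'
GOOD_OUTPUT='SID for domain APPDEVEL-BIS is: S-1-5-21-1111111111-2222222222-3333333333'
BAD_OUTPUT='SID for domain APPDEVEL-BIS is: S-1-5-21-9999999999-8888888888-7777777777'

# On a real BDC you would feed the live command and the transferred dump:
#   net getlocalsid | extract_local_sid
#   ldif_domain_sid AEI < /dir/ldif-transfer.txt
for out in "$GOOD_OUTPUT" "$BAD_OUTPUT"; do
    if sid_matches "$out" AEI "$SAMPLE_LDIF"; then
        echo "OK: local SID matches the AEI domain SID"
    else
        echo "MISMATCH: run net setlocalsid $(printf '%s\n' "$SAMPLE_LDIF" | ldif_domain_sid AEI)"
    fi
done
```

The per-user sambaSamAccount entry in the sample also carries a sambaSID (with a trailing RID), which is why the awk pass keys on the sambaDomainName attribute of the same entry rather than on the first sambaSID it sees.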




From: "Scott Moorhouse" <[EMAIL PROTECTED]>
To: <samba@lists.samba.org>
Subject: [Samba] 64-bit RHEL4 BDC doesn't allow workstation logons
Date: Mon, 5 Jun 2006 12:22:07 -0500

I'm trying to set up Samba on RHEL4 as a BDC for subnet 10.6.0.0/16.  The
PDC is located at another site and on another network. Its IP address is
10.2.0.2. There are other BDCs on subnets 10.1.0.0/16, 10.3.0.0/16, and
10.4.0.0/16 that all function fine.  This is the only one on RHEL and this
is the only one on a 64 bit box.

We are using ldapsam for the passdb.  The important config lines are:

[global]
workgroup = AEI
netbios name = APPDEVEL-BIS
passdb backend = ldapsam:ldap://ldap.server.name
local master = yes
preferred master = no
domain master = no
os level = 33
domain logons = yes
wins server = 10.2.0.2

I have used smbpasswd -w secret, as well as net rpc join with a successful
domain join.

Whenever someone logs in on a computer joined to the domain on this subnet
(and all the computers in this domain were already joined to the domain AEI
before this BDC was put into place) they get the:

"Windows cannot connect to the domain, either because the domain controller
is down or otherwise unavailable, or because your computer account was not
found. Please try again later. [...]"

Modifying the config file to say domain logons = no passes the logon to
another DC and then the logon works.

Logs at log level 5 say such scary things as:
[token.log, a workstation trying to log in]

[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/06/05 12:13:07, 5] auth/auth_util.c:is_trusted_domain(1491)
  is_trusted_domain: Checking for domain trust with [AEI]
[2006/06/05 12:13:07, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(334)
  secrets_fetch failed!
[2006/06/05 12:13:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/06/05 12:13:07, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain AEI found.
[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(133)
  attempting to make a user_info for  ()
[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(143)
  making strings for 's user_info struct
[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(185)
  making blobs for 's user_info struct
[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]

At which point it looks like it tries guest access by mapping null user to
nobody, which isn't allowed, and fails.

I'm convinced that the machine actually doesn't believe that it's a domain
member. For instance, in Printers and Faxes, it says the privileged user is
APPDEVEL-BIS\Administrators, not AEI\Administrators, etc.  That would seem
to make some sense with its behavior, but I don't know how else to convince
it that it's a domain member other than what I've already done with net rpc join,
which has been successful for me in the past.  But what's also bizarre is
that after one gets logged in, you can browse APPDEVEL-BIS's shares fine
without having to log in, and with seemingly the correct access levels.

Is there a 64-bit issue going on here?  Or maybe a library version issue?
Right now I'm using samba 3.0.10 which comes with RHEL4, but I have
experienced the same problems with 3.0.22 built from source and I'm staying
on 3.0.10 right now because I'm querying Red Hat support with this same
question -- though they seem just as stumped as I am so far.

Can someone please give me some pointers where I can look next?

