Hi,
I want VPN clients which have a valid x509 cert and a valid user account in the
M$ domain to be able to access the LAN. The M$ DC is an SBS2003 server in mixed mode.
I don't want to manage two user DBs. I want the VPN server to ask the domain
controller for a valid user account. So I've installed the necessary stuff on
the VPN server. The interesting things here are:
samba/winbind 3.0.22, samba-common.
After a while of testing and changes everything was working fine. Then one day
the vpn/samba server accidentally got the same NetBIOS name as the M$ DC.
Now every time the VPN server comes online, the SBS server is
inaccessible for the internal M$ clients, but the VPN client can still access
the LAN. On some machines there are popups like "The IP you are using is already in
use", but it isn't. Nevertheless the NIC is getting disabled. The DC is also
the DHCP server. I've renamed the samba NetBIOS name of course and deleted
the machine account on the DC. Also I've deleted the *.tdb's on the samba
machine and the samba machine got another IP address. Then I've let the
samba server rejoin the M$ domain successfully. I can get the DC accounts by
using wbinfo -u and -g. getent is working also. ntlm_auth username=<> also.
Everything seems to be fine, but the internal network is breaking down because the DC
goes on strike. The DC's system event log says:
The session could not be established because the security database could not
determine a trust account for the requesting computer. (Sorry, this is my
translation from German. It may not be exactly word for word like the
original English event description. Event ID is: 5723, source: NETLOGON.) That's
it in the event logs. A browstat status on the DC lists:
Status for domain DOMAIN on transport
\Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
Browsing is active on domain.
Master browser name is: TEST
Master browser is running build 3790
2 backup servers retrieved from master TEST
\\UMS
\\TEST
There are 13 servers in domain DOMAIN on transport
\Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
There are 2 domains in domain DOMAIN on transport
\Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
nmblookup -M DOMAIN returns: TEST
When the network goes down on the samba server, everything wakes up...
The event log on the local XP clients complains something like: There is no
domain controller available for the following reason: the RPC call was aborted.
Event ID: 5719
The event log on UMS, the backup browser, complains: The reading of the
backup list aborted because there is no master browser accessible. The backup
browser could not get a server list from the master browser on the network {...
} Event ID: 8021.
It looks like the SBS2003 machine can't 'forget' that a second machine with the
same NetBIOS name appeared in the network.
Perhaps the reason for that is the special SBS license.
However, perhaps someone has had the same experience and maybe, much more
important, worked out a solution for this problem.
The smb.conf:
[global]
   workgroup = DOMAIN
   # netbios name is not set, so it defaults to the first label of the hostname
   # browser election: never compete with the DC
   os level = 0
   preferred master = No
   local master = No
   domain master = No
   wins server = 172.16.5.60
   interfaces = eth1
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 6
   # authenticate against the domain controller (via winbind)
   security = Domain
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
   ;domain logons = yes
   ;logon drive = H:
   ;logon home = \\%N\%U
   ;logon script = logon.cmd
   socket options = TCP_NODELAY
   winbind separator = +
   winbind enum users = yes
   winbind enum groups = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
Thanks for answer
Hugo
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
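The failure above started when a domain member server came up with the same NetBIOS name as the DC. The following is an added example, not code from the post or from Samba: a small pre-flight checker that reads the [global] section of an smb.conf the way Samba does (comments with '#' or ';', backslash line continuation, parameter names matched ignoring case and whitespace), computes the NetBIOS name the box will actually announce (an explicit netbios name, otherwise the first label of the hostname upper-cased and cut to 15 characters, which is Samba's default), and refuses a configuration that would collide with a DC name or could win a browser election against it. The hostname test.example.lan, the DC name TEST and the smb.conf text are constructed for the example.

```python
"""Pre-flight check for a Samba domain member's NetBIOS identity.

Added example (not from the original post, not Samba's own code). The
hostname, DC name and smb.conf text at the bottom are constructed.
"""
import re

# Samba 3 defaults for the parameters this check looks at.
DEFAULTS = {
    "localmaster": "yes",
    "domainmaster": "auto",
    "preferredmaster": "auto",
    "oslevel": "20",
    "security": "user",
}
DISPLAY = {"localmaster": "local master", "domainmaster": "domain master",
           "preferredmaster": "preferred master"}


def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} using smb.conf rules:
    '#'/';' comments, trailing backslash continues a line, parameter
    names are compared without case or whitespace."""
    sections, current, pending = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):           # continuation: join with the next line
            pending.append(line[:-1].rstrip())
            continue
        pending.append(line)
        line, pending = " ".join(pending), []
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def tristate(value, default):
    """Samba's yes/no/auto for the browser election parameters."""
    v = (value if value is not None else default).strip().lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    if v == "auto":
        return "auto"
    raise ValueError("not a boolean/auto value: %r" % value)


def netbios_name(global_section, hostname):
    """Effective NetBIOS name: explicit setting, else Samba's hostname default."""
    explicit = global_section.get("netbiosname")
    base = explicit if explicit else hostname.split(".")[0]
    return base.upper()[:15]


def check_member_server(conf_text, hostname, dc_names):
    """Return (effective_name, [problem, ...]); an empty list means safe."""
    g = parse_smb_conf(conf_text).get("global", {})
    problems = []
    name = netbios_name(g, hostname)
    if "netbiosname" not in g:
        problems.append("netbios name is not set; Samba will announce %s, "
                        "taken from the hostname" % name)
    if name in {d.split(".")[0].upper()[:15] for d in dc_names}:
        problems.append("NetBIOS name %s is already used by a domain "
                        "controller" % name)
    for key in ("localmaster", "domainmaster", "preferredmaster"):
        if tristate(g.get(key), DEFAULTS[key]) != "no":
            problems.append("%s should be no on a member server" % DISPLAY[key])
    if int(g.get("oslevel", DEFAULTS["oslevel"])) != 0:
        problems.append("os level should be 0 on a member server")
    if g.get("security", DEFAULTS["security"]).strip().lower() not in ("domain", "ads"):
        problems.append("security must be domain or ads to authenticate "
                        "against the DC")
    return name, problems


# Constructed sample in the shape of the configuration from the post: no
# explicit netbios name, on a host called "test" whose domain controller is TEST.
SAMPLE_CONF = r"""
[global]
   workgroup = DOMAIN
   os level = 0
   preferred master = No
   local master = No
   domain master = No
   wins server = 172.16.5.60
   security = Domain
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n \
                 *Retype\snew\sUNIX\spassword:* %n\n
   winbind separator = +
   ; netbios name = vpngw
"""

if __name__ == "__main__":
    for conf in (SAMPLE_CONF, SAMPLE_CONF.replace("; netbios name", "netbios name")):
        name, problems = check_member_server(conf, "test.example.lan", ["TEST"])
        print(name, problems or "OK")
```

Run against the sample, the checker reports that the box will announce TEST and that TEST is the DC's name; with the commented-out netbios name line enabled it announces VPNGW and passes. On a real server the text can come from `testparm -s`, which prints the effective configuration, and the DC names from whatever the site already knows (the DC list from the join, for instance) so that the check runs before smbd and nmbd are started.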