Hello!

I've run into a strange problem with samba-2.2.7a. I compiled it with --with-ldapsam on a Debian/Woody box, set up OpenLDAP 2.0.23 with all users and machine trust accounts, and configured samba to use LDAP and to be a PDC. Works ok so far, users may authenticate and use their shares.

But they can not *always* log into the domain from NT4.0 workstations. Sometimes yes, sometimes after the eighth try or more, sometimes not at all. Regardless of what machine or what user or what day of the week. The error code is always the same: "...cannot log you on...(C000019b)". In the cases where it works, everything runs normally. Domain logon, scripts, even password change with LDAP (great thing by the way). There is no visible difference in the setup of any component between the cases where it works and the ones where it doesn't.

I did the (I suppose...) normal procedure: set up the machine trust account in LDAP with smbpasswd -m -a <machine$> and added the NT4.0 box into the domain (success message appeared on NT: "Welcome to Domain...").

I have read the FAQ about this error code and I am sure I have not changed the domain SID nor up- or downgraded the samba version. I have learned that the domain SID is no longer in $privatedir/DOMAIN.SID but is now rather a record in secrets.tdb. So I compiled tdbdump from the samba distribution, watched closely what might happen to the domain SID and made sure it has indeed not been changed since the initial install of this samba.

Could this problem be LDAP specific? Or maybe a network problem?

Some further thoughts: In log.smb with loglevel 4 there is no entry at all of the machine where the error occurs. So maybe the NT4.0 box is completely refusing to talk to the server from some point on? Deleting and re-adding the machine trust account and rejoining the workstation *seems* to have a little effect (maybe just imagination); often the login succeeds after the first or second try (instead of the fourth to eighth) after rejoining, but only with some machines/users.

For any ideas I would be greatly thankful!
Here are the configuration details:

    ./configure \
        --host=i386-linux \
        --build=i386-linux \
        --with-fhs \
        --prefix=/usr \
        --sysconfdir=/etc \
        --with-privatedir=/etc/samba \
        --localstatedir=/var \
        --with-netatalk \
        --with-smbmount \
        --with-pam \
        --with-syslog \
        --with-sambabook \
        --with-utmp \
        --with-readline \
        --with-pam_smbpass \
        --with-libsmbclient \
        --with-winbind \
        --with-msdfs \
        --with-ldapsam

(actually the standard Packaging/Debian/debian/rules build with added --with-ldapsam)

I have put it into PDC mode by putting the standard stuff into smb.conf:

    security = user
    domain logons = yes
    domain master = yes
    os level = 99
    preferred master = yes
    wins support = yes
    encrypt passwords = yes

and a netlogon share, of course.

I have put all users and machine trust accounts into LDAP. I am using the posixAccount objectclass with pam_ldap and nss_ldap, so apart from root and the standard system users, /etc/passwd is empty. /etc/samba/smbpasswd does not exist at all.

Here is an example ldif of a user account:

    dn: cn=Busse,ou=users,o=zq-aekn,c=de
    objectClass: top
    objectClass: person
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: sambaAccount
    objectClass: inetOrgPerson
    sn: Busse
    uidNumber: 2001
    gidNumber: 100
    homeDirectory: /home/users/busse
    userPassword:: xxx
    shadowLastChange: 12087
    uid: Busse
    pwdLastSet: 1044369387
    logonTime: 2147483647
    logoffTime: 2147483647
    kickoffTime: 2147483647
    pwdCanChange: 2147483647
    pwdMustChange: 2147483647
    cn: Busse
    rid: 5002
    primaryGroupID: 5003
    lmPassword: xxx
    ntPassword: xxx
    acctFlags: [U ]

and one of a machine trust account:

    dn: cn=pc-155$,ou=computers,o=zq-aekn,c=de
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: sambaAccount
    uidNumber: 3023
    gidNumber: 100
    homeDirectory: /dev/null
    uid: pc-155$
    pwdLastSet: 1044877124
    logonTime: 2147483647
    logoffTime: 2147483647
    kickoffTime: 2147483647
    pwdCanChange: 2147483647
    pwdMustChange: 2147483647
    cn: pc-155$
    rid: 7046
    primaryGroupID: 7047
    lmPassword: xxx
    ntPassword: xxx
    acctFlags: [W ]

Bye
Tobias