[Samba] "Windows cannot obtain the domain controller name for your computer network" error on XP Pro SP2 clients for Samba 3.0.23d PDC

stephen mulcahy smulcahy at aplpi.com
Tue Feb 13 21:51:40 GMT 2007


Hi,

In the interests of getting to the bottom of this I went and configured
Samba on another system as a PDC for a second domain. I then joined yet
another machine to this domain (of the same spec and configuration as
the systems I'd previously experienced problems with) and diligently
examined the event log for any errors ... noting that there were no
event id 1054s reported this time.

I then took this client and joined it to the original domain/samba
server I was having problems with, but only after removing my first
attempt at a policy file (NTConfig.POL) from the netlogon share.

Another restart and I login to the client and again examine the event
logs and verified, again, that there were no 1054 errors.

The only conclusion I can come to at this stage is that I somehow
mangled the registry on my first test clients with some setting in my
NTConfig.POL which led to the 1054 errors (lovely circular chain of
events there). So the good news is my Samba configuration works, the bad
news is I have 2 systems with dodgy registries (and registry backups
were  ... errr, next on my TODO list).

I'll be more cautious with future NT policy creation but I'm glad to
have gotten to the bottom of this. Sorry if I wasted anyone's time,
hopefully someone can learn from my mistakes.

-stephen

stephen mulcahy wrote:
> Hi,
> 
> While perusing the SAMBA HOWTOs I decided to try some of the validation
> steps including the wins test at
> http://www.samba.org/samba/docs/man/Samba-Guide/secure.html#ch4valid
> 
> If I try the following,
> 
> 1. start samba with "wins support = yes"
> 2. edit /etc/nsswitch.conf and change hosts to wins only.
> 3. ping the samba server and I get "unknown host" error.
> 
> Does this suggest my wins configuration is broken? I verified in this
> case that nmbd was running and the log.nmbd doesn't contain any obvious
> error messages.
> 
> Thanks,
> 
> -stephen
> 
> stephen mulcahy wrote:
>> Hi,
>>
>> In an effort to resolve the 1054 errors on the XP client, I tried to create
>> a new test domain on a separate server and join one of the XP clients to
>> that.
>>
>> The joining process went smoothly (with one caveat below) but I notice
>> the same event is logged in the new domain. I notice that it is
>> preceded by an AutoEnrollment error with event id 15 which is discussed
>> here - http://lists.linux.org.au/archives/lias/2002-November/msg00033.html
>>
>> Is it possible that this is connected to my errors? Did I miss some
>> documentation in the Samba HOWTO relating to my XP client setup?
>>
>> On a related note, when I restarted the XP client for the first time
>> after joining the new test domain, it displayed a dialog on the login
>> screen saying "Please wait while the domain list is created" which
>> stayed there for a few minutes. Is that normal or is it indicative of a
>> problem?
>>
>> Finally, what's the most current recommended documentation for
>> configuring Samba with a tdbsam backend as a PDC? I'm wondering if
>> further reading of some fine manual may help me in my quest.
>>
>> Thanks,
>>
>> -stephen
>>
>> stephen mulcahy wrote:
>>> Hi Paul,
>>>
>>> Thanks for your reply. I tried adding the following to lmhosts as suggested,
>>>
>>> 10.1.2.3 duck	#PRE #DOM:APLPI
>>>
>>> and rebooted but I'm still seeing the same error (should I disable the
>>> WINS server I have enabled in samba to correctly verify this?). I would
>>> note that on the client if I type 'net view \\duck' this consistently
>>> works suggesting that name resolution is working (but is there a better
>>> way of testing name resolution in a samba environment?)
>>>
>>> I restarted samba with some additional logging and noted 2 things
>>>
>>> 1. Samba creates a log-file for the client with the ip address first and
>>> then subsequently creates a log-file with the client name. Is this
>>> normal or indicative of a problem?
>>>
>>> 2. I can clearly see the client successfully opening the NTConfig.POL
>>> file (and the logon.cmd file) indicating that the client has connected
>>> to and downloaded the policy file .. so the nature of the Event 1054
>>> error is unclear to me ..
>>>
>>> [2007/02/08 14:35:20, 2] smbd/reply.c:reply_tcon_and_X(711)
>>>   Serving IPC$ as a Dfs root
>>> [2007/02/08 14:35:22, 2] smbd/reply.c:reply_tcon_and_X(711)
>>>   Serving IPC$ as a Dfs root
>>> [2007/02/08 14:35:22, 2] auth/auth.c:check_ntlm_password(309)
>>>   check_ntlm_password:  authentication for user [smulcahy] -> [smulcahy]
>>> -> [smulcahy] succeeded
>>> [2007/02/08 14:35:22, 2] smbd/reply.c:reply_tcon_and_X(711)
>>>   Serving IPC$ as a Dfs root
>>> [2007/02/08 14:35:22, 2] auth/auth.c:check_ntlm_password(309)
>>>   check_ntlm_password:  authentication for user [smulcahy] -> [smulcahy]
>>> -> [smulcahy] succeeded
>>> [2007/02/08 14:35:22, 1] smbd/service.c:make_connection_snum(950)
>>>   puck (10.7.44.30) connect to service netlogon initially as user
>>> smulcahy (uid=1000, gid=1000) (pid 29041)
>>> [2007/02/08 14:35:22, 2] smbd/reply.c:reply_tcon_and_X(711)
>>>   Serving netlogon as a Dfs root
>>> [2007/02/08 14:35:22, 2] smbd/open.c:open_file(352)
>>>   smulcahy opened file NTConfig.POL read=Yes write=No (numopen=1)
>>> [2007/02/08 14:35:22, 2] smbd/close.c:close_normal_file(344)
>>>   smulcahy closed file NTConfig.POL (numopen=0)
>>> [2007/02/08 14:35:22, 1] smbd/service.c:make_connection_snum(950)
>>>   puck (10.7.44.30) connect to service smulcahy initially as user
>>> smulcahy (uid=1000, gid=1000) (pid 29041)
>>> [2007/02/08 14:35:22, 2] smbd/reply.c:reply_tcon_and_X(711)
>>>   Serving smulcahy as a Dfs root
>>> [2007/02/08 14:35:23, 2] smbd/open.c:open_file(352)
>>>   smulcahy opened file logon.cmd read=Yes write=No (numopen=1)
>>> [2007/02/08 14:35:23, 2] smbd/open.c:open_file(352)
>>>   smulcahy opened file logon.cmd read=Yes write=No (numopen=2)
>>>
>>> Not sure if that is any help in the grand scheme of things but I'm
>>> running out of ideas on how to resolve this.
>>>
>>> Is it possible that something is being cached somewhere? I've tried
>>> removing the machine from the domain (deleting the tdbsam entry with
>>> pdbedit -x and the password entry for the machine) rejoining the client
>>> to the domain in the hope that it might reset something but to no effect
>>> -- are there additional steps I should perform to ensure there are no
>>> traces of the client/domain membership remaining on either the client or
>>> samba?
>>>
>>> Thanks,
>>>
>>> -stephen
>>>
>>>
>>> Paul McGrath wrote:
>>>> It could be a name resolving issue.  Try creating a lmhosts file in the
>>>> etc folder using the examples listed in the file. Copy lmhosts.sam
>>>> lmhosts then edit the lmhosts file (it doesn't have an extension).
>>>> 111.111.111.1	dc-server	#PRE #DOM:mydomain
>>>>
>>>> Then reboot.
>>>>
>>>> If you don't have a WINS server and you haven't entered this into your
>>>> client then your best bet is to use the lmhosts file.  Also helps if
>>>> your clients are on different subnets.
>>>> Regards
>>>> Paul
>>>>
>>>>> -----Original Message-----
>>>>> From: stephen mulcahy [mailto:smulcahy at aplpi.com] 
>>>>> Sent: Thursday 08 February 2007 10:29
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] "Windows cannot obtain the domain 
>>>>> controller name foryour computer network" error on XP Pro SP2 
>>>>> clients for Samba 3.0.23dPDC
>>>>>
>>>>> Hi,
>>>>>
>>>>> Further debugging of this - I see that the logon.cmd is 
>>>>> successfully executed by the Windows XP client even as it 
>>>>> logs the 1054 Event -- the logon.cmd simply mounts some shares.
>>>>>
>>>>> Looking at the samba logs (default log level) I can't see any errors.
>>>>>
>>>>> Is this some browsing issue? Or a problem with name 
>>>>> resolution? Any suggestions on tools to diagnose this further 
>>>>> would be appreciated.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -stephen
>>>>>
>>>>> stephen mulcahy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've recently reinstalled our Samba server with a view to getting it
>>>>>> working as a PDC using the tdbsam backend. I've successfully connected
>>>>>> a number of XP Pro SP2 clients to the domain and can login ok, but I'm
>>>>>> having problems getting the clients to read/apply an NTConfig.POL file I
>>>>>> created following the instructions at
>>>>>> http://www.pcc-services.com/custom_poledit.html
>>>>>>
>>>>>> I'm seeing the following error logged in the event log on the XP Pro
>>>>>> SP2 clients,
>>>>>>
>>>>>> Event ID: 1054
>>>>>> Source: Userenv
>>>>>> Type: Error
>>>>>> Description: Windows cannot obtain the domain controller name for your
>>>>>> computer network. (The specified domain either does not exist or exist
>>>>>> or could not be contacted). Group Policy processing aborted.
>>>>>> Data: (unavailable)
>>>>>>
>>>>>> Some Googling turns up the following
>>>>>>
>>>>>> http://support.microsoft.com/kb/840669
>>>>>>
>>>>>> and various other postings on this on the net. In response to those 
>>>>>> I've tried various combinations of the following,
>>>>>>
>>>>>> 1. Change from using DHCP to static IP on client.
>>>>>> 2. Applied various registry hacks including turning DHCP media sensing off.
>>>>>> 3. Disabled various network card options such as media sensing.
>>>>>> 4. Forced the card to 100Mbps/full duplex (rather than auto).
>>>>>> 5. Upgraded to the latest network card drivers.
>>>>>> 6. Downgraded to older network card drivers.
>>>>>>
>>>>>> I'm getting the same error message on 3 XP Pro SP2 clients which I
>>>>>> test this on, all of which have gigabit broadcom cards (various
>>>>>> different chipsets). The knowledge base article suggests this is a
>>>>>> problem which occurs with gigabit cards .. short of trying adding new
>>>>>> network cards to the systems (some of which are laptops) - does anyone
>>>>>> have any suggestions on what I could try? I assume others are
>>>>>> successfully running with a similar config or are PDCs with tdbsam
>>>>>> rare (or is that totally unrelated to the problems I'm experiencing).
>>>>>> I've also tried using a Samba PDC config from the HOWTO rather than my
>>>>>> own hand-crafted one (see below for both).
>>>>>>
>>>>>> Samba version is 3.0.23d running on 2.6.17-2-686 Debian etch on Dell
>>>>>> Poweredge 1600sc with an Intel Corporation 82540EM Gigabit Ethernet
>>>>>> Controller (rev 02).
>>>>>>
>>>>>> I have a djbdns dhcp server on the network serving which references 
>>>>>> the samba server as a wins server.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -stephen
>>>>>>
>>>>>> Original PDC config
>>>>>>
>>>>>> [global]
>>>>>>    workgroup = XXXXX
>>>>>>    netbios name = XXXX
>>>>>>    server string = %h server (Samba %v)
>>>>>>    log file = /var/log/samba/log.%m
>>>>>>    max log size = 1000
>>>>>>    syslog = 0
>>>>>>    panic action = /usr/share/samba/panic-action %d
>>>>>>    security = user
>>>>>>    encrypt passwords = true
>>>>>>    passdb backend = tdbsam
>>>>>>    obey pam restrictions = yes
>>>>>>    guest account = nobody
>>>>>>    unix password sync = yes
>>>>>>    passwd program = /usr/bin/passwd %u
>>>>>>    pam password change = yes
>>>>>>    domain logons = yes
>>>>>>    os level = 40
>>>>>>    logon path = \\%L\profiles\%U
>>>>>>    logon drive = U:
>>>>>>    logon home = \\%L\%U
>>>>>>    logon script = logon.cmd
>>>>>>    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 1015 -s /bin/false %u
>>>>>>    load printers = yes
>>>>>>    printing = cups
>>>>>>    printcap name = cups
>>>>>>    socket options = TCP_NODELAY
>>>>>>    domain master = yes
>>>>>>    preferred master = yes
>>>>>>    wins support = yes
>>>>>>    idmap uid = 10000-20000
>>>>>>    idmap gid = 10000-20000
>>>>>>    template shell = /bin/bash
>>>>>>    smb ports = 445
>>>>>>
>>>>>> [homes]
>>>>>>    comment = Home Directories
>>>>>>    browseable = no
>>>>>>    writable = yes
>>>>>>    create mask = 0700
>>>>>>    directory mask = 0700
>>>>>>    hide files = /desktop.ini/ntuser.ini/NTUSER.*/RECYCLER/
>>>>>>
>>>>>> [printers]
>>>>>>    comment = All Printers
>>>>>>    browseable = no
>>>>>>    path = /var/spool/samba
>>>>>>    printable = yes
>>>>>>    public = no
>>>>>>    writable = no
>>>>>>    create mode = 0700
>>>>>>
>>>>>>
>>>>>> # Windows clients look for this share name as a source of downloadable
>>>>>> # printer drivers
>>>>>> [print$]
>>>>>>    comment = Printer Drivers
>>>>>>    path = /var/lib/samba/printers
>>>>>>    write list = root, @ntadmin
>>>>>>    printer admin = root, @ntadmin
>>>>>>
>>>>>> [netlogon]
>>>>>>    comment = Network Logon Service
>>>>>>    path = /var/lib/samba/netlogon
>>>>>>    guest ok = yes
>>>>>>    writable = no
>>>>>>    share modes = no
>>>>>>
>>>>>> # For profiles to work, create a user directory under the path
>>>>>> # shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
>>>>>> [profiles]
>>>>>>    comment = Roaming Profile Share
>>>>>>    path = /var/lib/samba/profiles
>>>>>>    read only = No
>>>>>>    profile acls = Yes
>>>>>>
>>>>>>
>>>>>> PDC config from HOWTO
>>>>>>
>>>>>> [global]
>>>>>> workgroup = XXXX
>>>>>> netbios name = XXXX
>>>>>> passdb backend = tdbsam
>>>>>> printcap name = cups
>>>>>> add user script = /usr/sbin/useradd -m %u
>>>>>> delete user script = /usr/sbin/userdel -r %u
>>>>>> add group script = /usr/sbin/groupadd %g
>>>>>> delete group script = /usr/sbin/groupdel %g
>>>>>> add user to group script = /usr/sbin/groupmod -A %u %g
>>>>>> delete user from group script = /usr/sbin/groupmod -R %u %g
>>>>>> add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
>>>>>> # Note: The following specifies the default logon script.
>>>>>> # Per user logon scripts can be specified in the user account using pdbedit
>>>>>> logon script = scripts\logon.bat
>>>>>> # This sets the default profile path. Set per user paths with pdbedit
>>>>>> logon path = \\%L\Profiles\%U
>>>>>> logon drive = H:
>>>>>> logon home = \\%L\%U
>>>>>> domain logons = Yes
>>>>>> os level = 35
>>>>>> preferred master = Yes
>>>>>> domain master = Yes
>>>>>> idmap uid = 15000-20000
>>>>>> idmap gid = 15000-20000
>>>>>> printing = cups
>>>>>> wins support = yes
>>>>>>
>>>>>> [homes]
>>>>>> comment = Home Directories
>>>>>> valid users = %S
>>>>>> read only = No
>>>>>> browseable = No
>>>>>>
>>>>>> # Printing auto-share (makes printers available thru CUPS)
>>>>>> [printers]
>>>>>> comment = All Printers
>>>>>> path = /var/spool/samba
>>>>>> printer admin = root
>>>>>> create mask = 0600
>>>>>> guest ok = Yes
>>>>>> printable = Yes
>>>>>> browseable = No
>>>>>>
>>>>>> [print$]
>>>>>> comment = Printer Drivers Share
>>>>>> path = /var/lib/samba/drivers
>>>>>> write list = root
>>>>>> printer admin = root
>>>>>>
>>>>>> # Needed to support domain logons
>>>>>> [netlogon]
>>>>>> comment = Network Logon Service
>>>>>> path = /var/lib/samba/netlogon
>>>>>> admin users = root
>>>>>> guest ok = Yes
>>>>>> browseable = No
>>>>>>
>>>>>> # For profiles to work, create a user directory under the path
>>>>>> # shown. i.e., mkdir -p /var/lib/samba/profiles/maryo
>>>>>> [Profiles]
>>>>>> comment = Roaming Profile Share
>>>>>> path = /var/lib/samba/profiles
>>>>>> read only = No
>>>>>> profile acls = Yes
>>>>>>
>>>>>>
>>>>>>
>>>>> -- 
>>>>> Stephen Mulcahy, Applepie Solutions Ltd, Innovation in 
>>>>> Business Center,
>>>>>    GMIT, Dublin Rd, Galway, Ireland.      mailto:smulcahy at aplpi.com
>>>>>   mobile:+353.87.2930252  office:+353.91.751262  http://www.aplpi.com
>>>>>
>>>>>
> 

-- 
Stephen Mulcahy, Applepie Solutions Ltd, Innovation in Business Center,
   GMIT, Dublin Rd, Galway, Ireland.      mailto:smulcahy at aplpi.com
  mobile:+353.87.2930252  office:+353.91.751262  http://www.aplpi.com
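
The smbd log check described in the thread (confirming from the server side that a client connected to netlogon and opened NTConfig.POL and logon.cmd), as an added example that is not part of the original messages. It assumes the log layout quoted above, a header line followed by wrapped message lines; the function names are hypothetical.

```python
import re

# Header and message shapes as they appear in the log excerpt quoted in the thread.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
OPENED = re.compile(r"^(\S+) opened file (.+) read=(Yes|No) write=(Yes|No) \(numopen=\d+\)$")
CONNECT = re.compile(r"^(\S+) \(([\d.]+)\) connect to service (\S+) initially as user (\S+)")

# First three entries are copied from the thread; the last one is constructed
# to show what an open with write access would look like.
SAMPLE_LOG = """\
[2007/02/08 14:35:22, 1] smbd/service.c:make_connection_snum(950)
  puck (10.7.44.30) connect to service netlogon initially as user
smulcahy (uid=1000, gid=1000) (pid 29041)
[2007/02/08 14:35:22, 2] smbd/open.c:open_file(352)
  smulcahy opened file NTConfig.POL read=Yes write=No (numopen=1)
[2007/02/08 14:35:23, 2] smbd/open.c:open_file(352)
  smulcahy opened file logon.cmd read=Yes write=No (numopen=1)
[2007/02/08 14:40:00, 2] smbd/open.c:open_file(352)
  smulcahy opened file logon.cmd read=Yes write=Yes (numopen=1)
"""

def entries(text):
    """Yield (time, function, message), joining wrapped message lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(4), ""]
        elif current is not None and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def connections(text):
    """(client, ip, service, user) for each share connection."""
    hits = (CONNECT.match(msg) for _, _, msg in entries(text))
    return [m.groups() for m in hits if m]

def file_opens(text, names=("NTConfig.POL", "logon.cmd")):
    """(time, user, file, write) for opens of the watched files (case-insensitive)."""
    watched = {n.lower() for n in names}
    out = []
    for time, func, msg in entries(text):
        m = OPENED.match(msg) if func == "open_file" else None
        if m and m.group(2).lower() in watched:
            out.append((time, m.group(1), m.group(2), m.group(4) == "Yes"))
    return out
```

An open of a policy file or logon script with `write=Yes` is the entry to review, since those files are applied or executed by every client that logs on.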

