3 domain client samba + samba pdc problem. (long story)

Harald H Hannelius harald at penti.sit.fi
Fri Jan 8 15:07:55 GMT 1999



Hi there, I have a fairly large network here that validates users from a
samba PDC. We have approx 60 Windows 95 machines, and some 16 WindowsNT
NTSP3 workstations. Please let me call it a large network ;)

The setup is as follows:

THAT:	slackware based distro, 2.0.36. 700+ users, NIS+NFS server
	This machine serves homedirs, and authenticates
	Samba 2.1 pre-alpha

THIS:		-"-		, 1 local user, NIS client. 
	This is an app-server, and printer-spool server.
	2.0.0beta5 security=server (domain doesn't work)

Windows95 workstations work like a dream (laughter heard in the
background). Oh well, as nice as win95 works.. I have profiles and
policies loaded from the server ok. All is fine. But, then came NT.. I had
to put these NT workstations in the domain too..and now I have 6 problems: 
(Well 16 problems, if I count the NT-workstations :)


1) 	PDC not always Master for the domain
If I browse THIS with smbclient, it sometimes says that one of the NT-wks
machines is the master for the domain. This has not happened today, but
sometimes it does. I don't think this is really a problem, but it could
cause the sluggishness connecting from NT to THIS.


2)	Accessing the THIS server from NT is sometimes sluggish

When trying to connect to a share on the slave server THIS, NT-wks
sometimes just sits there. After a while it presents the user with a
username+password box. This could of course be related to me either
re-starting (HUP) the slave THIS, or an election? This is not a major
problem, but nice to know.

This is what I found on syslog on THIS when running it as
'security=server'. (Log cleaned a bit)

Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0] smbd/password.c:server_validate(1108)
Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] password server THAT allows users as non-guest with a bad password.
Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0] smbd/password.c:server_validate(1110)
Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] This is broken (and insecure) behaviour. Please do not use this machine as the password server.

Cold shivers on my back....



3)	Logging on to NT wks causes load on the server.. slow..

When all 16 Nt-wks were freshly installed, students rushed in and started
logging in. The load on the server got up to 14. :( (PPro200,128Mb,50Gb)
Ok, the load got back to .2 again, but I have noticed that logging on to an
NT-wks sometimes takes a minute or so. And then you are informed that "Your
password expires today.. blaah blaah". Could someone please fix this?
It's a bit annoying...

I have noticed that logging on to a 'real' Nt-server also takes about
½ min. Couldn't we make samba faster in this respect? :)

4)	Connecting to other nt-wks causes load on server.

If I, in Network Neighborhood, try to click any NT-wks in the domain, the
server load rises, and the NT-wks freezes for a while. Don't know why.
Perhaps NT-wks don't know how to validate against samba-pdc? Stupid NT,
give us the source for NT so we can fix it ;)
Nothing in the logs so far. smbd can rise to something like 80-90%.
This is probably related to the previous problem.

5)	Mapping of home-dirs on NT .... weird

In login.bat, I cannot run 'net use h: /home', probably because I have the
profiles in \\%N\%U\Windows .. Windows NT seems to map h: (profile share)
directly when logging on, so I don't map h: at all at logon.. This is my
login-script that seems to work ok for both windows95 and NT:

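rem @echo off
rem if exist c:\winnt net use h: /delete /yes
if exist c:\bc copy \\that\netlogon\lnk\bc.bat c:\bc\bc.bat
set acadserver=@arcsrv2;@adlm
rem Windows 95 clients: map h: to the home directory
if exist c:\windows\arp.exe net use h: /home
rem Windows NT clients: map h: to the homes share, non-persistent
if exist c:\winnt\system.ini net use h: \\that\homes /persistent:no
rem Create the profile directories and copy the ssh shortcut if missing
if not exist h:\Windows mkdir h:\Windows
if not exist h:\Windows\Desktop mkdir h:\Windows\Desktop
if not exist h:\Windows\Desktop\ssh.lnk copy \\that\netlogon\lnk\SSH.LNK h:\Windows\Desktop
rem Sync the clock with the server, then run the user's own login script
net time \\that /set /y
if exist h:\.login.bat call h:\.login.bat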

Is this the right thing to do? It sure seems to work. Why are docos
discouraging admins from placing profiles in users' ~ ?

6)	THIS server not working in 'security=domain'

I would like to run the THIS slave server in security=domain, but for some
reason it doesn't work. I get a lot of these in the logs on the THAT pdc
machine: (for every machine account)

Jan  8 15:44:16 that smbd[11063]: [1999/01/08 15:44:16, 0] passdb/sampass.c:getsamfile21pwent(108)
Jan  8 15:44:16 that smbd[11063]:   trust account ARCWKS15$ should be in DOMAIN_GROUP_RID_USERS

I also get stuff in THIS's log about THAT not working properly. 
(same log as in question #2)

Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0] smbd/password.c:server_validate(1108)
Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] password server THAT allows users as non-guest with a bad password.
Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0] smbd/password.c:server_validate(1110)
Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] This is broken (and insecure) behaviour. Please do not use this machine as the password server.

When I try to connect to a share on THIS with debug 10 I get this:
(THAT pdc server spits out tens of lines with "trust account NTWKSX$
should be in DOMAIN_GROUP_RID_USER")

screenshot:

that[~] # smbclient '\\this\info' -Uharald -Wsamba
Password: 
session setup failed: code 0
that[~] # 

syslog:

Jan  8 16:54:31 this smbd[1510]: [1999/01/08 16:54:31, 0] rpc_client/cli_pipe.c:rpc_api_pipe(297)
Jan  8 16:54:31 this smbd[1510]:   cli_pipe: return critical error. Error was code 0
Jan  8 16:54:31 this smbd[1510]: [1999/01/08 16:54:31, 0] smbd/password.c:domain_client_validate(1357)
Jan  8 16:54:31 this smbd[1510]:   domain_client_validate: unable to validate password for user harald in domain SAMBA to Domain controller THAT. Error was code 0.



Maybe an 'upgrade' to 2.1prealpha on THIS would fix some things? 



--------------------
Hope this helps, I am very willing to help you out in debugging. I'm sad
to say that I am not that good at programming yet. Otherwise I would help
you out in any way I could. 


##########
Tips:

TIP1: 
If you create a windows .lnk file on an NT, it always puts the UNC
path in the link. This WILL cause problems if you copy the link from the
logon share to a user's profile at logon. I found a nice util called
'scut.exe' that clips off UNC paths from link/shortcut-files. It takes
about 3sec to clip it off from about 180 lnk-files. After that WinNT is
faster when accessing *anything* in the Start Menu. I recommend taking a
look at: http://www.coffeecomputing.com/free/

Tip2:

When _new_ users log on to NT, they get their Nt-profile from
"c:\winnt\profiles\Default User". If you want a nice default profile for
new users in the domain, this is the profile to edit *before* users log
on.




===========================================================        
Harald H Hannelius | harald at sit.fi      | GSM +358405470870
Mauritzgatan 14D41 | www.iki.fi/~harald | Pho +35892783568
00170 HKI FINLAND  | harald at iki.fi      | Fax +35892783568
===========================================================  
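
Added example, not part of the original post and not Samba project code: a small scanner for the smbd syslog records quoted above, which pairs each debug header line with its message line and flags the "allows users as non-guest with a bad password" warning, the machine trust account warnings and the domain validation failures. The sample lines are constructed from the excerpts in the post (e-mail wrapping removed, ARCWKS16$ invented), and the name scan and the report layout are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the syslog excerpts in the post
# (e-mail line wrapping removed; ARCWKS16$ is an invented second account).
SAMPLE = """\
Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0] smbd/password.c:server_validate(1108)
Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] password server THAT allows users as non-guest with a bad password.
Jan  8 15:44:16 that smbd[11063]: [1999/01/08 15:44:16, 0] passdb/sampass.c:getsamfile21pwent(108)
Jan  8 15:44:16 that smbd[11063]:   trust account ARCWKS15$ should be in DOMAIN_GROUP_RID_USERS
Jan  8 15:44:17 that smbd[11063]: [1999/01/08 15:44:17, 0] passdb/sampass.c:getsamfile21pwent(108)
Jan  8 15:44:17 that smbd[11063]:   trust account ARCWKS16$ should be in DOMAIN_GROUP_RID_USERS
Jan  8 16:54:31 this smbd[1510]: [1999/01/08 16:54:31, 0] smbd/password.c:domain_client_validate(1357)
Jan  8 16:54:31 this smbd[1510]:   domain_client_validate: unable to validate password for user harald in domain SAMBA to Domain controller THAT. Error was code 0.
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) smbd\[(\d+)\]:\s+(.*?)\s*$")
HEADER = re.compile(r"^\[[\d/]+ [\d:]+, \d+\] \S+:(\w+)\(\d+\)$")
BAD_PW = re.compile(r"password server (\S+) allows users as non-guest with a bad password")
TRUST = re.compile(r"trust account (\S+\$) should be in")
DOM_FAIL = re.compile(r"unable to validate password for user (\S+) in domain (\S+)")

def scan(text):
    """Pair each smbd debug header with its message line and classify it."""
    report = {"insecure_password_servers": {},   # password server -> reporting hosts
              "trust_accounts": Counter(),       # machine account -> warning count
              "domain_failures": []}             # (host, user, domain)
    last_func = {}                               # (host, pid) -> function in last header
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue                             # not an smbd syslog record
        host, pid, body = m.groups()
        h = HEADER.match(body)
        if h:                                    # header line: remember the source function
            last_func[(host, pid)] = h.group(1)
            continue
        func = last_func.get((host, pid))        # message line: classify by its header
        if func == "server_validate" and (b := BAD_PW.search(body)):
            report["insecure_password_servers"].setdefault(b.group(1), set()).add(host)
        elif func == "getsamfile21pwent" and (t := TRUST.search(body)):
            report["trust_accounts"][t.group(1)] += 1
        elif func == "domain_client_validate" and (d := DOM_FAIL.search(body)):
            report["domain_failures"].append((host, d.group(1), d.group(2)))
    return report
```
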








More information about the samba-ntdom mailing list