3 domain client samba + samba pdc problem. (long story)

Allen Reese allen at driversoft.com
Fri Jan 8 17:41:52 GMT 1999 

As far as the NT machines beoming master browser, I had a problem back
with 1.9.18p10 where my NT machines would become the master browser and
refuse to acknowledge some of the machines on the network.  Wk4sp3 was the
machine that would become master browser.  There is a registry setting for
making it so an NT machine can't be the master browser.

The Key is:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\
MaintainServerList

Which can be:  yes, no, auto.

setting that key to no will make it never participate in elections.

Hope that helps,

Allen Reese
Senior Software Engineer
Driversoft, Inc.
allen at driversoft.com

On Sat, 9 Jan 1999, Harald H Hannelius wrote:

> 
> 
> Hi there, I have a fairly large network here that validates users from a
> samba PDC. We have approx 60 Windows 95 machines, and some 16 WindowsNT
> NTSP3 workstations. Please let me call it a large network ;)
> 
> The setup is as following:
> 
> THAT:	slackware based distro, 2.0.36. 700+ users, NIS+NFS server
> 	This machine serves homedirs, and authenticates
> 	Samba 2.1 pre-alpha
> 
> THIS:		-"-		, 1 local user, NIS client. 
> 	This is an app-server, and printer-spool server.
> 	2.0.0beta5 security=server (domain doesn't work)
> 
> Windows95 workstations work like a dream (laughter heard in the
> background). Oh well, as nice as win95 works.. I have profiles and
> policies loaded from the server ok. All is fine. But, then came NT.. I had
> to put these NT workstations in the domain too..and now I have 6 problems: 
> (Well 16 problems, if I count the NT-workstations :)
> 
> 
> 1) 	PDC not always Master for the domain
> If i browse THIS with smbclient, it sometimes say that one of the NT-wks
> machines is the master for the domain. This has not happened today, but
> sometimes is does. I don't think this is really a problem, but it could
> cause the sluggishness connecting from NT to THIS.
> 
> 
> 2)	Accessing the THIS server from NT is sometimes sluggish
> 
> When trying to connect to a share on the slave server THIS, NT-wks
> sometimes just sits there. After a while it presents the user with a
> username+password box. This could of course be related to me either
> re-starting (HUP) the slave THIS, or an election? This is not a major
> problem, but nice to know.
> 
> This is what I found on syslog on THIS when running it as
> 'security=server'. (Log cleaned a bit)
> 
> Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0]
> smbd/password.c:server_validate(1108) 
> Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] password server
> THAT allows users as non-guest with a bad password. 
> Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0]
> smbd/password.c:server_validate(1110) 
> Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] This is broken
> (and insecure) behaviour. Please do not use this machine as the password
> server. 
> 
> Cold shivers on my back....
> 
> 
> 
> 3)	Logging on to NT wks causes load on the server.. slow..
> 
> When all 16 Nt-wks were freshly installed students rushed in, and started
> logging in. The load on the server got up to 14. :( (PPro200,128Mb,50Gb)
> Ok, the load got back to .2 again, but I have noticed that loggin on to a
> NT-wks sometimes take a minute or so. And then you are informed that "Your
> password expires today.. blaah blaah". Could someone please fix this?
> It's a bit annoying...
> 
> I have noticed that logging on to a 'real' Nt-server also takes about
> ½ min. Couldn't we make samba faster in this respect? :)
> 
> 4)	Connecting to other nt-wks causes load on server.
> 
> If I, in Network Neighborhood, try click any NT-wks in the domain, the
> server load rises, and the NT-wks freezes for a while. Don't know why.
> Perhaps NT-wks don't know how to validate agains samba-pdc? Stupid NT,
> give us the source for NT so we can fix it ;)
> Nothing in the logs so far. smbd can rise to something like 80-90%.
> This is probably related to the previous problem.
> 
> 5)	Mapping of home-dirs on NT .... weird
> 
> in login.bat, I cannot run 'net use h: /home', probably because I have the 
> profiles in \\%N\%U\Windows .. Windows NT seems to map h: (profile share) 
> directly when loggin on, so I don't map h: at all at logon.. This is my
> login-script that seems to work ok for both windows95 and NT:
> 
>  rem @echo off
> rem if exist c:\winnt net use h: /delete /yes
> if exist c:\bc copy \\that\netlogon\lnk\bc.bat c:\bc\bc.bat
> set acadserver=@arcsrv2;@adlm
> if exist c:\windows\arp.exe net use h: /home
> if exist c:\winnt\system.ini net use h: \\that\homes /persistent:no
> if not exist h:\Windows mkdir h:\Windows 
> if not exist h:\Windows\Desktop mkdir h:\Windows\Desktop
> if not exist h:\Windows\Desktop\ssh.lnk copy \\that\netlogon\lnk\SSH.LNK
> h:\Windows\Desktop 
> net time \\that /set /y
> if exist h:\.login.bat call h:\.login.bat
> 
> Is this the right thing to do? It shure seems to work. Why are docos
> discouraging admins from placing profiles in users ~ ?
> 
> 6)	THIS server not working in 'security=domain'
> 
> I would like to run the THIS slave server in security=domain, but for some
> reason it doesn't work. I get a lot of these in the logs on the THAT pdc
> machine: (for every machine account)
> 
> Jan  8 15:44:16 that smbd[11063]: [1999/01/08 15:44:16, 0]
> passdb/sampass.c:getsamfile21pwent(108) 
> Jan  8 15:44:16 that smbd[11063]:   trust account ARCWKS15$ should be in
> DOMAIN_GROUP_RID_USERS 
> 
> I also get stuff in THIS's log about THAT not working properly. 
> (same log as in question #2)
> 
> an  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0]
> smbd/password.c:server_validate(1108) 
> Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] password server
> THAT allows users as non-guest with a bad password. 
> Jan  8 10:20:57 this smbd[20430]: [1999/01/08 10:20:57, 0]
> smbd/password.c:server_validate(1110) 
> Jan  8 10:20:57 this smbd[20430]:   server_validate: [1] This is broken
> (and insecure) behaviour. Please do not use this machine as the password server. 
> 
> When I try to connect to a share on THIS with debug 10 I get this:
> (THAT pdc server spits out tens of lines with "trust account NTWKSX$
> should be in DOMAIN_GROUP_RID_USER")
> 
> screenshot:
> 
> that[~] # smbclient '\\this\info' -Uharald -Wsamba
> Password: 
> session setup failed: code 0
> that[~] # 
> 
> syslog:
> 
> Jan  8 16:54:31 this smbd[1510]: [1999/01/08 16:54:31, 0]
> rpc_client/cli_pipe.c:rpc_api_pipe(297) 
> Jan  8 16:54:31 this smbd[1510]:   cli_pipe: return critical error. Error
> was code 0 
> Jan  8 16:54:31 this smbd[1510]: [1999/01/08 16:54:31, 0]
> smbd/password.c:domain_client_validate(1357) 
> Jan  8 16:54:31 this smbd[1510]:   domain_client_validate: unable to
> validate password for user harald in domain SAMBA to Domain controller
> THAT. Error was code 0. 
> 
> 
> 
> Maybe an 'upgrade' to 2.1prealpha on THIS would fix some things? 
> 
> 
> 
> --------------------
> Hope this helps, I am very willing to help you out in debugging. I'm sad
> to say that I am not that good at programming yet. Otherwise I would help
> you out in any way I could. 
> 
> 
> ##########
> Tips:
> 
> TIP1: 
> If you create a windows .lnk file on a NT, it always puts the UNC
> path in the link. This WILL cause problems if you copy the link from the
> logon share to a users profile at logon. I found a nice util called
> 'scut.exe' that clips of UNC paths from link/shortcut-files. It takes
> about 3sec to clip it off from about 180 lnk-files. After that WinNT is
> faster when accessing *anything* in the Start Menu. I recommend taking a
> look at: http://www.coffeecomputing.com/free/
> 
> Tip2:
> 
> When _new_ users log on to NT, they get their Nt-profile from
> "c:\winnt\profiles\Default User". If you want a nice default profile for
> new users in the domain, this is the profile to edit *before* users log
> on.
> 
> 
> 
> 
> ===========================================================        
> Harald H Hannelius | harald at sit.fi      | GSM +358405470870
> Mauritzgatan 14D41 | www.iki.fi/~harald | Pho +35892783568
> 00170 HKI FINLAND  | harald at iki.fi      | Fax +35892783568
> ===========================================================  
> 
> 
> 
> 
> 
>

More information about the samba-ntdom mailing list