Problems joining a domain with a Samba-TNG PDC

Paul Kennedy pkennedy at loudcloud.com
Mon Feb 28 03:07:51 GMT 2000


I'm getting pretty frustrated trying to get a Samba PDC working with an
LDAP backend. Here's how I'm configuring my system.

I am running Samba, built --with-ldap and installed from the latest
Samba-TNG cvs source (as of Sunday Feb 27 2000 3pm PST), on a host
running RHL 2.2.12-20-smp, which is a HP Lpr Pentium III named
millstreet.loudcloud.com. I am running all 8 daemons (nmbd, lsarpcd,
smbd, etc) required for PDC support.

[root@millstreet bin]# pdc-smb start
Starting smbd...
Starting nmbd...
Starting srvsvcd...
Starting wkssvcd...
Starting lsarpcd...
Starting samrd...
Starting netlogond...
Starting winregd...
[root@millstreet bin]#

For LDAP backend, I'm using Netscape Directory Server 4.12 on the same
Linux host.

I also have a PC with hostname PAULPC, running NT Server 4.0 SP5, which
I am trying to make a member of the domain.

The Linux host (PDC) and PC (NT Server) are on different subnets.

The Samba server's shares can be successfully viewed from other hosts.
The problems arise when I try to add a new member to the domain.

I've followed all but the out-of-date instructions at
http://www.kneschke.de/projekte/samba_tng/faq/configuration.php3. In
other words, I'm not using smbpasswd -m as directed there. Instead, I'm
adding workstation accounts to the /etc/passwd file on the Linux system
with /usr/sbin/useradd.

In summary:
    Samba Domain name: AIRIUS
    Samba PDC Hostname: MILLSTREET
    NT Server:  PAULPC

[root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c "NT Workstation Trust Account Samba" "millstreet\$"
[root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c "NT Workstation Trust Account Samba" "paulpc\$"
[root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -d /h/paul -c "User Account" nelson -p o9Huu26
[root@millstreet slapd-millstreet]# cat /etc/passwd | grep $:
millstreet$:x:10107:10107:NT Workstation Trust Account Samba:/home/millstreet$:/bin/false
paulpc$:x:10108:10108:NT Workstation Trust Account Samba:/home/paulpc$:/bin/false
[root@millstreet slapd-millstreet]# cat /etc/passwd | grep nelson
nelson:x:10109:10109:User Account:/h/paul:/bin/false
[root@millstreet slapd-millstreet]#


[root@millstreet bin]# samedit -S . -U root
Added interface ip=192.168.100.62 bcast=192.168.100.255 nmask=255.255.255.0
Enter Password:
[root@.]$
[root@.]$
[root@.]$ createuser millstreet$ -j
createuser millstreet$ -j
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: AIRIUS Name: millstreet$ ACB: [W          ]
socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK
Join MILLSTREET to Domain AIRIUS
LSA_OPENSECRET:
Set $MACHINE.ACC: OK
[root@.]$
[root@.]$
[root@.]$ createuser paulpc$
createuser paulpc$
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: AIRIUS Name: paulpc$ ACB: [W          ]
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK
[root@.]$
[root@.]$
[root@.]$ createuser nelson -p o9Huu26
createuser nelson -p o9Huu26
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
SAM Create Domain User
Domain: AIRIUS Name: nelson ACB: [U          ]
socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
Create Domain User: OK
[root@.]$

Normally the PC running NT Server is a member of a workgroup, but when I
make it a member of my AIRIUS domain, reboot and try to log in to the
AIRIUS domain using the nelson credentials which I've added above, the
Linux host immediately ramps up to 100% cpu usage, and quickly reports
"too many files open" when I try to run any commands at any shell
prompt. Eventually, the NT Server logon attempt fails and a dialog is
raised containing the message "The system cannot log you on now because
the domain AIRIUS is not ".

Questions:

1) Is the above sequence of operations for joining a workstation/server
to a domain correct?

2) Has anyone experienced similar behaviour?

I can post any fragments of logfiles. Here are some fragments which look
useful:

From log.lsarpc:

Changed root to /
msrpc_process: client_name: lsarpc my_name: millstreet
api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
Doing \PIPE\lsarpc
api_rpc_command: LSA_OPENPOLICY2
Doing \PIPE\lsarpc
api_rpc_command: LSA_OPENSECRET
Doing \PIPE\lsarpc
api_rpc_command: LSA_CLOSE
policy(pnum=1 ): Closing
end of file from client
Error getting policy state
Error getting policy state
Error getting policy rid
policy(pnum=2 ): Closing
Closing connections
Server exit (normal exit)
Changed root to /
msrpc_process: client_name: lsarpc my_name: millstreet
api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
Doing \PIPE\lsarpc
api_rpc_command: LSA_OPENPOLICY2


From log.nmb:

process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for
PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13
token=ffff
process_logon_packet: Logon from 192.168.1.87: code = 7
process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
lm_20 token=ffff
wins_process_name_registration_request: Unique name registration for
name AIRIUS<1d> IP 192.168.1.87
wins_process_name_registration_request: Ignoring request to register
name AIRIUS<1d> from IP
192.168.1.87.wins_process_name_registration_request: Group name
registration for name __MSBROWSE__<01> IP 192.168.1.87
wins_process_name_registration_request: Adding IP 255.255.255.255 to
group name __MSBROWSE__<01>.
wins_process_name_query: name query for name AIRIUS<1b> from IP
192.168.1.87
wins_process_name_query: name query for name AIRIUS<1b> returning first
IP 192.168.100.62.
process_logon_packet: Logon from 192.168.1.87: code = 7
process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
lm_20 token=ffff

: Negative DNS answer for *SMBSERVER
add_name_to_subnet: Added netbios name *SMBSERVER<20> with first IP
0.0.0.0 ttl=3600 nb_flags= 4 to subnet WINS_SERVER_SUBNET
DNS calling send_wins_name_query_response
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name MILLSTREET<20>
OK
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name MILLSTREET<20>
OK
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name MILLSTREET<20>
OK
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name *SMBSERVER<20>
wins_process_name_query: name query for name *SMBSERVER<20> from IP
192.168.100.62
wins_process_name_query: name query for name *SMBSERVER<20> returning
DNS fail.
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name MILLSTREET<20>
OK
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name MILLSTREET<20>
OK
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name *SMBSERVER<20>
wins_process_name_query: name query for name *SMBSERVER<20> from IP
192.168.100.62
wins_process_name_query: name query for name *SMBSERVER<20> returning
DNS fail.
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name *SMBSERVER<20>



Below is my smb.conf

[global]
ldap suffix = "o=airius.com, o=loudcloud.com"
ldap bind as = "uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot"
ldap passwd file = /usr/local/etc/samba/private/ldappasswd
ldap server = millstreet.loudcloud.com
ldap port = 389

workgroup = AIRIUS
netbios name = MILLSTREET
comment = Linux RedHat PDC Samba Server with LDAP backend
security = user
null passwords = yes
encrypt passwords = yes
password server = millstreet

logon path = \\MERCURY\profiles\%G
logon script = %U.bat
logon drive = U:

socket options = TCP_NODELAY
keep alive = 60
dead time = 30

domain master = yes
domain logons = yes

wins support = yes
name resolve order = wins lmhosts hosts bcast
wins proxy = yes

time server = yes

name resolve order = wins lmhosts hosts bcast

[netlogon]
path = /usr/local/etc/samba/netlogon
locking = no
writeable = yes
comment = Net Logon share
guest ok = no
browseable = yes

[joffre]
path = /tmp/samba
locking = no
writeable = yes
comment = Joffre share
guest ok = yes
browseable = yes
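
Added example, not part of the original post and not Samba-TNG code: a small triage script for log.nmb fragments like the one quoted above. It rejoins the mail-wrapped entries, then counts logon requests, name queries that originate from the server's own address (192.168.100.62 in the post), and lookups that returned a failure. The function names and regular expressions are this example's own assumptions about the quoted log format.

```python
import re
from collections import Counter

# Constructed sample in the post's log.nmb format, mail-wrapped; helper names are this example's own.
SAMPLE_LOG = r"""process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for
PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13
wins_process_name_query: name query for name AIRIUS<1b> returning first
IP 192.168.100.62.
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name MILLSTREET<20>
OK
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name *SMBSERVER<20>
wins_process_name_query: name query for name *SMBSERVER<20> returning
DNS fail.
process_name_query_request: Name query from 192.168.100.62 on subnet
192.168.100.62 for name *SMBSERVER<20>
wins_process_name_query: name query for name *SMBSERVER<20> returning
DNS fail.
"""

ENTRY_START = re.compile(r"^[a-z_]+: ")
QUERY = re.compile(r"Name query from (\S+) on subnet \S+ for name (\S+)")
RESULT = re.compile(r"name query for name (\S+) returning (.+)")
LOGON = re.compile(r"process_logon_packet: (\w+) request from (\w+)")

def unwrap(text):
    """Rejoin wrapped continuation lines onto the entry that started them."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def summarize(text, server_ip):
    """Count logon requests, name queries per (source, name), and failed lookups."""
    logons, queries, failed = Counter(), Counter(), Counter()
    for entry in unwrap(text):
        if m := LOGON.search(entry):
            logons[m.groups()] += 1
        elif m := QUERY.search(entry):
            queries[m.groups()] += 1
        elif (m := RESULT.search(entry)) and "fail" in m.group(2):
            failed[m.group(1)] += 1
    # Queries whose source is the server's own address: nmbd answering itself.
    self_queries = {name: n for (src, name), n in queries.items() if src == server_ip}
    return {"logons": dict(logons), "self_queries": self_queries, "failed": dict(failed)}
```

Calling summarize(SAMPLE_LOG, "192.168.100.62") shows at a glance which names the server keeps asking itself for and which of those lookups fail.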





