Problems joining a domain with a Samba-TNG PDC

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Feb 29 07:09:23 GMT 2000


paul,

the passdb/ code is probably going recursive / infinite loop black hole
because of lib/domain_namemap.c

check that there are no duplicate names in users and groups that could
cause domain_namemap to go recursive.

either rename, remove or remap them ("domain group/alias/user/builtin map").

On Tue, 29 Feb 2000, Paul Kennedy wrote:

> I'm getting pretty frustrated trying to get a Samba PDC working with an
> LDAP backend. Here's how I'm configuring my system.
> 
> I am running Samba, built --with-ldap and installed from the latest
> Samba-TNG cvs source (as of Sunday Feb 27 2000 3pm PST) , on a host
> running RHL 2.2.12-20-smp, which is a HP Lpr Pentium III named
> millstreet.loudcloud.com. I am running all 8 daemons (nmbd, lsarpcd,
> smbd, etc) required for PDC support.
> 
> [root@millstreet bin]# pdc-smb start
> Starting smbd...
> Starting nmbd...
> Starting srvsvcd...
> Starting wkssvcd...
> Starting lsarpcd...
> Starting samrd...
> Starting netlogond...
> Starting winregd...
> [root@millstreet bin]#
> 
> For LDAP backend, I'm using Netscape Directory Server 4.12 on the same
> Linux host.
> 
> I also have a PC with hostname PAULPC, running NT Server 4.0 SP5, which
> I am trying to make a member of the domain.
> 
> The Linux host (PDC ) and PC (NT Server) are on different subnets.
> 
> The Samba server's shares can be successfully viewed from other hosts.
> The problems arise when I try to add a new member to the domain.
> 
> I've followed all but the out-of-date instructions at
> http://www.kneschke.de/projekte/samba_tng/faq/configuration.php3. In
> other words, I'm not using smbpasswd -m as directed there. Instead, I'm
> adding workstation accounts to the /etc/passwd file on the Linux system
> with /usr/sbin/useradd.
> 
> In summary:
>     Samba Domain name: AIRIUS
>     Samba PDC Hostname: MILLSTREET
>     NT Server:  PAULPC
> 
> [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> "NT Workstation Trust Account Samba" "millstreet\$"
> [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -c
> "NT Workstation Trust Account Samba" "paulpc\$"
> [root@millstreet slapd-millstreet]# /usr/sbin/useradd -s /bin/false -d
> /h/paul -c "User Account" nelson -p o9Huu26
> [root@millstreet slapd-millstreet]# cat /etc/passwd | grep $:
> millstreet$:x:10107:10107:NT Workstation Trust Account
> Samba:/home/millstreet$:/bin/false
> paulpc$:x:10108:10108:NT Workstation Trust Account
> Samba:/home/paulpc$:/bin/false
> [root@millstreet slapd-millstreet]# cat /etc/passwd | grep nelson
> nelson:x:10109:10109:User Account:/h/paul:/bin/false
> [root@millstreet slapd-millstreet]#
> 
> 
> [root@millstreet bin]# samedit -S . -U root
> Added interface ip=192.168.100.62 bcast=192.168.100.255
> nmask=255.255.255.0
> Enter Password:
> [root@.]$
> [root@.]$
> [root@.]$ createuser millstreet$ -j
> createuser millstreet$ -j
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> SAM Create Domain User
> Domain: AIRIUS Name: millstreet$ ACB: [W          ]
> socket connect to /tmp/.msrpc/.lsarpc/agent failed: Connection refused
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> Create Domain User: OK
> Join MILLSTREET to Domain AIRIUS
> LSA_OPENSECRET:
> Set $MACHINE.ACC: OK
> [root@.]$
> [root@.]$
> [root@.]$ createuser paulpc$
> createuser paulpc$
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> SAM Create Domain User
> Domain: AIRIUS Name: paulpc$ ACB: [W          ]
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> Create Domain User: OK
> [root@.]$
> [root@.]$
> [root@.]$ createuser nelson -p o9Huu26
> createuser nelson -p o9Huu26
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> SAM Create Domain User
> Domain: AIRIUS Name: nelson ACB: [U          ]
> socket connect to /tmp/.msrpc/.samr/agent failed: Connection refused
> Create Domain User: OK
> [root@.]$
> 
> Normally the PC running NT Server is a member of a workgroup, but when I
> make it a member of my AIRIUS domain, reboot and try to login to the
> AIRIUS domain using the nelson credentials which I've added above, the
> Linux host immediately ramps up to 100% cpu usage, and quickly reports
> "too many files open" when I try to run any commands at any shell
> prompt. Eventually, the NT Server logon attempt fails and a dialog is
> raised containing the message "The system cannot log you on now because
> the domain AIRIUS is not ".
> 
> Questions:
> 
> 1) Is the above sequence of operations for joining a workstation/server
> to a domain correct ?
> 
> 2) Has anyone experienced similar behaviour ?
> 
> I can post any fragments of logfiles. Here are some fragments which look
> useful:
> 
> From log.lsarpc:
> 
> Changed root to /
> msrpc_process: client_name: lsarpc my_name: millstreet
> api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_OPENPOLICY2
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_OPENSECRET
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_CLOSE
> policy(pnum=1 ): Closing
> end of file from client
> Error getting policy state
> Error getting policy state
> Error getting policy rid
> policy(pnum=2 ): Closing
> Closing connections
> Server exit (normal exit)
> Changed root to /
> msrpc_process: client_name: lsarpc my_name: millstreet
> api_pipe_bind_req: \PIPE\lsarpc -> \PIPE\lsarpcd
> Doing \PIPE\lsarpc
> api_rpc_command: LSA_OPENPOLICY2
> 
> 
> From log.nmb
> 
> process_logon_packet: SAMLOGON request from PAULPC(192.168.1.87) for
> PAULPC$, returning logon svr \\MILLSTREET domain AIRIUS code 13
> token=ffff
> process_logon_packet: Logon from 192.168.1.87: code = 7
> process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> lm_20 token=ffff
> wins_process_name_registration_request: Unique name registration for
> name AIRIUS<1d> IP 192.168.1.87
> wins_process_name_registration_request: Ignoring request to register
> name AIRIUS<1d> from IP
> 192.168.1.87.wins_process_name_registration_request: Group name
> registration for name __MSBROWSE__<01> IP 192.168.1.87
> wins_process_name_registration_request: Adding IP 255.255.255.255 to
> group name __MSBROWSE__<01>.
> wins_process_name_query: name query for name AIRIUS<1b> from IP
> 192.168.1.87
> wins_process_name_query: name query for name AIRIUS<1b> returning first
> IP 192.168.100.62.
> process_logon_packet: Logon from 192.168.1.87: code = 7
> process_logon_packet: GETDC request from PAULPC at IP 192.168.1.87,
> reporting MILLSTREET domain AIRIUS 0xc ntversion=1 lm_nt token=ffff
> lm_20 token=ffff
> 
> : Negative DNS answer for *SMBSERVER
> add_name_to_subnet: Added netbios name *SMBSERVER<20> with first IP
> 0.0.0.0 ttl=3600 nb_flags= 4 to subnet WINS_SERVER_SUBNET
> DNS calling send_wins_name_query_response
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name *SMBSERVER<20>
> wins_process_name_query: name query for name *SMBSERVER<20> from IP
> 192.168.100.62
> wins_process_name_query: name query for name *SMBSERVER<20> returning
> DNS fail.
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name MILLSTREET<20>
> OK
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name *SMBSERVER<20>
> wins_process_name_query: name query for name *SMBSERVER<20> from IP
> 192.168.100.62
> wins_process_name_query: name query for name *SMBSERVER<20> returning
> DNS fail.
> process_name_query_request: Name query from 192.168.100.62 on subnet
> 192.168.100.62 for name *SMBSERVER<20>
> 
> 
> 
> Below is my smb.conf
> 
> [global]
> ldap suffix = "o=airius.com, o=loudcloud.com"
> ldap bind as = "uid=admin, ou=Administrators, ou=TopologyManagement,
> o=NetscapeRoot"
> ldap passwd file = /usr/local/etc/samba/private/ldappasswd
> ldap server = millstreet.loudcloud.com
> ldap port = 389
> 
> workgroup = AIRIUS
> netbios name = MILLSTREET
> comment = Linux RedHat PDC Samba Server with LDAP backend
> security = user
> null passwords = yes
> encrypt passwords = yes
> password server = millstreet
> 
> logon path = \\MERCURY\profiles\%G
> logon script = %U.bat
> logon drive = U:
> 
> socket options = TCP_NODELAY
> keep alive = 60
> dead time = 30
> 
> domain master = yes
> domain logons = yes
> 
> wins support = yes
> name resolve order = wins lmhosts hosts bcast
> wins proxy = yes
> 
> time server = yes
> 
> name resolve order = wins lmhosts hosts bcast
> 
> [netlogon]
> path = /usr/local/etc/samba/netlogon
> locking = no
> writeable = yes
> comment = Net Logon share
> guest ok = no
> browseable = yes
> 
> [joffre]
> path = /tmp/samba
> locking = no
> writeable = yes
> comment = Joffre share
> guest ok = yes
> browseable = yes
> 
> 
> 
> 

<a href=" mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton    </a>
<a href=" http://cb1.com/~lkcl"  > Samba and Network Development   </a>
<a href=" http://samba.org"      > Samba Web site                  </a>
<a href=" http://www.iss.net"    > Internet Security Systems, Inc. </a>
<a href=" http://mcp.com"        > Macmillan Technical Publishing  </a>
 
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals
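
The check recommended in the reply (no name used twice across users and groups), as an added example that is not part of the original message or of Samba-TNG: the function lists every name that occurs more than once across a passwd-format and a group-format file. The sample files are constructed from the entries quoted above; the group entries and the case-insensitive comparison are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba-TNG).
# find_name_collisions PASSWD_FILE GROUP_FILE
# Prints "name users=N groups=M" for every name used more than once across
# the two files. Names are lower-cased first (assumption: NT-style names
# are compared without regard to case).
find_name_collisions() {
    awk -F: '
        /^#/ || NF < 2 { next }                  # skip comments, blank/malformed lines
        { name = tolower($1); names[name] = 1 }
        FILENAME == ARGV[1] { users[name]++; next }
        { groups[name]++ }
        END {
            for (n in names)
                if (users[n] + groups[n] > 1)
                    printf "%s users=%d groups=%d\n", n, users[n], groups[n]
        }
    ' "$1" "$2" | sort
}

# write_sample DIR: constructed sample data. The passwd lines follow the
# entries quoted in the post; the group lines assume useradd created a
# same-named private group for each new account.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
millstreet$:x:10107:10107:NT Workstation Trust Account Samba:/home/millstreet$:/bin/false
paulpc$:x:10108:10108:NT Workstation Trust Account Samba:/home/paulpc$:/bin/false
nelson:x:10109:10109:User Account:/h/paul:/bin/false
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
wheel:x:10:root
millstreet$:x:10107:
paulpc$:x:10108:
nelson:x:10109:
EOF
}

# Demo on the constructed sample.
# On a live host: find_name_collisions /etc/passwd /etc/group
tmp=$(mktemp -d) && write_sample "$tmp" && find_name_collisions "$tmp/passwd" "$tmp/group"
rm -rf "$tmp"
```

Each name it prints is a candidate for the rename, remove or remap step.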
