[Samba] NT4 machine trust breaks on a Samba-BDC
Andrew Bartlett
abartlet at samba.org
Sat Nov 2 11:29:01 GMT 2002
Mikko Kortelainen wrote:
>
> >> We have Samba (2.2.5) running on three servers, each in a different
> >> subnet. One of them is a PDC (domain master = yes). The Samba PDC is
> >> also the NIS master. The smbpasswd is replicated using rsync to the
> >> other machines that act as Samba BDCs (domain master = no). They are
> >> also NIS slave servers. The smbpasswd synchronization takes place
> >> automatically every time smbpasswd is updated, and the NIS maps are
> >> updated and pushed automatically to the slaves whenever a machine
> >> joins the domain.
>
> >> Anybody have any ideas or suggestions? Where should I start
> >> debugging?
>
> > Check that the domain SID is the same. Sync secrets.tdb, or use the
> > new smbpasswd option (2.2.6) to 'suck' the SID from PDC to each BDC.
>
> I understood that you can't just copy the secrets.tdb to the BDCs,
> because it contains some host specific information. I've run "smbpasswd
> -S <domain>" on both BDCs before starting smbd on them (It seems that if
> you start smbd on the local host with option "workgroup = <the domain,
> the sid of which you're trying to retrieve>" in smb.conf, and run
> smbpasswd -S after that, it will retrieve the sid from the local smbd.
> At least in my configuration where the PDC is in a different subnet...?)
Certainly in HEAD's variant of this command, you can specify the host -
try the -r option.
> Anyhow, I checked the secrets.tdb databases, and the 48 bytes following
> the string "SECRETS/SID/<domain>" match on every host (and more, there's
> a lot of zeroes). I'm not sure if that's the right place to look? Is
> there a way of printing out the domain SID in cleartext?
tdbtool can help there.
> Plus, shouldn't the other OSes complain also, if my domain SIDs were
> wrong? But it's just the NT4. What does it do differently than W2k and
> WXP...?
Hmm, that's weird - it should affect any host that contacts the 'wrong'
DC.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
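
Added example, not part of the message above and not Samba code: a sketch of turning the raw value stored under "SECRETS/SID/<domain>" into the cleartext S-1-... form and comparing it across the PDC and BDCs. It assumes the value is a binary SID in the standard layout (revision byte, sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities) followed by zero padding; the host names, SID values and padding length are constructed for illustration.

```python
import struct

def decode_sid(raw: bytes) -> str:
    """Decode a binary SID record into its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID record too short")
    revision, count = raw[0], raw[1]
    if count > 15:
        raise ValueError("more than 15 sub-authorities")
    if len(raw) < 8 + 4 * count:
        raise ValueError("SID record truncated")
    authority = int.from_bytes(raw[2:8], "big")
    # Assumption: sub-authorities are little-endian (x86 host order).
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def encode_sid(sid: str, pad_to: int = 68) -> bytes:
    """Build a constructed test record; pad_to is an assumed padding length."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return raw.ljust(pad_to, b"\x00")

def mismatched_hosts(records: dict, reference: str) -> list:
    """Return the hosts whose decoded SID differs from the reference host's."""
    want = decode_sid(records[reference])
    return sorted(h for h, raw in records.items() if decode_sid(raw) != want)

# Constructed sample values, not taken from the thread.
SAMPLES = {
    "pdc":  encode_sid("S-1-5-21-1111111111-2222222222-3333333333"),
    "bdc1": encode_sid("S-1-5-21-1111111111-2222222222-3333333333"),
    "bdc2": encode_sid("S-1-5-21-1111111111-2222222222-3333333334"),
}

if __name__ == "__main__":
    for host, raw in sorted(SAMPLES.items()):
        print(host, decode_sid(raw))
    print("differs from pdc:", mismatched_hosts(SAMPLES, "pdc"))
```

Comparing the decoded strings rather than raw byte runs avoids being misled by trailing padding that happens to match.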