[Samba] NT4 machine trust breaks on a Samba-BDC

Andrew Bartlett abartlet at samba.org
Sat Nov 2 11:29:01 GMT 2002


Mikko Kortelainen wrote:
> 
> >> We have Samba (2.2.5) running on three servers, each in a different
> >> subnet.  One of them is a PDC (domain master = yes). The Samba PDC is
> >> also the NIS master. The smbpasswd is replicated using rsync to the
> >> other machines that act as Samba BDCs (domain master = no). They are
> >> also NIS slave servers. The smbpasswd synchronization takes place
> >> automatically every time smbpasswd is updated, and the NIS maps are
> >> updated and pushed automatically to the slaves whenever a machine
> >> joins the domain.
> 
> >> Anybody have any ideas or suggestions? Where should I start
> >> debugging?
> 
> > Check that the domain SID is the same.  Sync secrets.tdb, or use the
> > new smbpasswd option (2.2.6) to 'suck' the SID from PDC to each BDC.
> 
> I understood that you can't just copy the secrets.tdb to the BDCs,
> because it contains some host-specific information. I've run "smbpasswd
> -S <domain>" on both BDCs before starting smbd on them (It seems that if
> you start smbd on the local host with option "workgroup = <the domain,
> the sid of which you're trying to retrieve>" in smb.conf, and run
> smbpasswd -S after that, it will retrieve the sid from the local smbd.
> At least in my configuration where the PDC is in a different subnet...?)

Certainly in HEAD's variant of this command, you can specify the host -
try the -r option.

> Anyhow, I checked the secrets.tdb databases, and the 48 bytes following
> the string "SECRETS/SID/<domain>" match on every host (and more, there's
> a lot of zeroes). I'm not sure if that's the right place to look? Is
> there a way of printing out the domain SID in cleartext?

tdbtool can help there.

> Plus, shouldn't the other OSes complain also, if my domain SIDs were
> wrong? But it's just the NT4. What does it do differently than W2k and
> WXP...?

Hmm, that's weird - it should affect any host that contacts the 'wrong'
DC.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
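
On the question in the thread about printing the domain SID in cleartext, the following is an added example, not part of the original message and not Samba code: it decodes a binary SID into the S-1-5-21-... form and groups hosts by the result, so a PDC/BDC mismatch is visible at a glance. It assumes the value stored under SECRETS/SID/<domain> uses the standard binary SID layout (revision, sub-authority count, 6-byte authority, little-endian 32-bit sub-authorities) followed by zero padding; the host names and sample bytes are constructed.

```python
import struct

MAX_SUBAUTHS = 15  # a SID carries at most 15 sub-authorities


def decode_sid(blob: bytes) -> str:
    """Render a binary SID as S-<rev>-<authority>-<sub>...; padding is ignored."""
    if len(blob) < 8:
        raise ValueError("too short for a SID header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unexpected SID revision {revision}")
    if count > MAX_SUBAUTHS or len(blob) < 8 + 4 * count:
        raise ValueError(f"sub-authority count {count} does not fit the data")
    authority = int.from_bytes(blob[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack_from(f"<{count}I", blob, 8)   # assumed little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def group_hosts_by_sid(dumps: dict) -> dict:
    """Map each decoded SID to the hosts holding it; >1 key means a mismatch."""
    groups = {}
    for host, blob in sorted(dumps.items()):
        groups.setdefault(decode_sid(blob), []).append(host)
    return groups


def make_sample(subs, size=68) -> bytes:
    """Constructed test value: NT authority (5) SID, zero-padded to `size`."""
    raw = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    raw += struct.pack(f"<{len(subs)}I", *subs)
    return raw.ljust(size, b"\x00")


# Constructed sample values, standing in for what each host's secrets.tdb holds.
SAMPLE_DUMPS = {
    "pdc":  make_sample([21, 1111111111, 2222222222, 3333333333]),
    "bdc1": make_sample([21, 1111111111, 2222222222, 3333333333]),
    "bdc2": make_sample([21, 1111111111, 2222222222, 3333333334]),
}

if __name__ == "__main__":
    for sid, hosts in group_hosts_by_sid(SAMPLE_DUMPS).items():
        print(sid, hosts)
```

Comparing decoded strings rather than raw bytes avoids being misled by differing padding after the last sub-authority.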


