[Samba] netlogon sometimes works (corrected with smb.conf attached)
Kurt Weiss
input.maillists at kwnet.at
Fri Jan 31 07:00:52 GMT 2003
hello jason,
we have been using netlogon successfully for years. - at first we had similar
problems. the reason lay in the batch file:
1) the batch was written on linux, so the CR was missing at the end of
the line...
2) we used "net use" without the /y flag -> windows did not rebind the
drive, but deleted the old link. (so sometimes the link was there, other
times it was missing...)
hardware:
if u do not have the possibility/experience to look at the network packets,
u can test your stability in a simple way:
use ping with a big packet size, and u will find out if there is a
problem with your network connection:
in windows (stop with ctrl-c):
ping -t -l 65000 XXX.XXX.XXX.XXX
should look like this:
==================================================================
Ping wird ausgeführt für 192.168.10.1 mit 65000 Bytes Daten:
Antwort von 192.168.10.1: Bytes=65000 Zeit=16ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=16ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=16ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=16ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit<10ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit<10ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=15ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=15ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=15ms TTL=255
Antwort von 192.168.10.1: Bytes=65000 Zeit=15ms TTL=255
Ping-Statistik für 192.168.10.1:
Pakete: Gesendet = 10, Empfangen = 10, Verloren = 0 (0% Verlust),
Ca. Zeitangaben in Millisek.:
Minimum = 0ms, Maximum = 16ms, Mittelwert = 12ms
==================================================================
in linux (stop with ctrl-c):
mail:~ # ping -fs 65000 XXX.XXX.XXX
should look like this:
==================================================================
PING 192.168.10.10 (192.168.10.10) from 192.168.10.1 : 65000(65028)
bytes of data.
.
--- 192.168.10.10 ping statistics ---
458 packets transmitted, 457 received, 0% loss, time 6461ms
rtt min/avg/max/mdev = 12.748/12.875/17.226/0.242 ms, pipe 2, ipg/ewma
14.139/12.880ms
==================================================================
i hope it helped...
gk
jason.walton at nomadsoft.com wrote:
> John,
> I have no success with packet sniffing, the netlogon share either works or
> it doesn't.
> Our boxes are not overly loaded, but I took your advice and tinkered with
> the loading.
> Over the past week, it gets the netlogon share executed more times than
> not (at the moment) but it still isn't perfect (100% record is what I'd
> expect from a PDC).
> I suspect it is a problem within samba in terms of how fast it looks at
> certain incoming network packets, as the password logon works fine every
> single time, but connecting to the PDC and executing the NETLOGON share
> are problematic..
> Anyway, thanks for your help. Hopefully, a bit more load balancing will
> get it working 100% of the time.
>
> Jason Walton
> Nomad Software Ltd
> 186 Regent Street
> London W1B 5TN
> Tel. +44 (20) 7292 2459
> Fax. +44 (20) 7292 2401
> www.nomadsoft.com
>
>
>
>
> John H Terpstra <jht at samba.org>
> 25/01/2003 05:05
>
>
> To: jason.walton at nomadsoft.com
> cc: samba at lists.samba.org
> Subject: Re: [Samba] netlogon sometimes works (corrected with smb.conf attached)
>
>
> Jason,
>
> Apologies for the delay, I was at LinuxWorld Expo New York all week and
> just got home.
>
> You should use a network sniffer (like Ethereal) to capture a trace of a
> logon that works correctly and one that does not. Then examine the
> differences to find what went wrong. It should tell you where things broke
> down. If timing is the issue then your authentication server may be
> problematic. In this case you would need to either isolate the problem, or
> move the authentication (netlogon) service to another machine that is more
> responsive.
>
> - John T.
>
> On Wed, 22 Jan 2003 jason.walton at nomadsoft.com wrote:
>
>
>>John,
>>thanks for your help thus far.
>>I switched switches that the PDC is plugged into and it almost had me
>>believing that it worked, I managed to log in three times in quick
>>succession and each time it executed the netlogon script.
>>Alas, inconsistency reared its ugly head once more and now I either get a
>>successful logon (netlogon script runs) or a plain logon (validates my
>>password, creates my profile share (z drive), but fails to run the
>>netlogon share).
>>Which brings me to ask the question, is the netlogon share affected by
>>network activity? The PDC server is running fileservices, domino, and
>>other items. Password validation isn't a problem, but getting samba to
>>process the netlogon, is a pain.
>>Everything that did run on the NT server has been migrated to the solaris
>>machine and works better and faster than before. The PDC is the last item
>>left, I'm wondering if Samba needs a more dedicated host to invoke
>>netlogon? Domino can be quite intensive on network activity when
>>replicating between sites, so would this network deluge put samba off from
>>the 'less critical' execution of the netlogon share?
>>
>>FYI our NT server is an old Pentium, 64Mb RAM, 10M network card.
>>our solaris PDC server is a dual PIII, 1Gb RAM, 100M network card.
>>
>>
>>Jason Walton
>>Nomad Software Ltd
>>186 Regent Street
>>London W1B 5TN
>>Tel. +44 (20) 7292 2459
>>Fax. +44 (20) 7292 2401
>>www.nomadsoft.com
>>
>>
>>
>>
>>John H Terpstra <jht at samba.org>
>>21/01/2003 03:46
>>
>>
>> To: jason.walton at nomadsoft.com
>> cc: samba at lists.samba.org
>> Subject: Re: [Samba] netlogon sometimes works (corrected with smb.conf attached)
>>
>>Jason,
>>
>>We have gone over a few things already. You are using WINS, that means
>>your MS Windows clients should not have any trouble finding your samba
>>server and the services that run on it.
>>
>>The only time I have seen similar behaviour, given that everything is
>>correctly configured from a Samba and MS Windows networking perspective,
>>has been where there has been a jabbering network card or a defective HUB.
>>Have you tried replacing the NICs in a client and the server? Have you
>>tried a cross-over cable between the two to validate that the network
>>login process correctly completes EVERY time. If with known working NICs
>>and a cross-over cable you can reproduce the failure to execute the
>>network logon process correctly, then it might be time to turn back to
>>blaming the Samba or MS Windows configuration.
>>
>>- John T.
>>
>>On Mon, 20 Jan 2003 jason.walton at nomadsoft.com wrote:
>>
>>
>>>Could anybody please help? I have tried all sorts and nothing will fix the
>>>problem permanently.
>>>I have a samba PDC which on occasion happily logs a user on and processes
>>>the NETLOGON share. However, it doesn't always run this service.
>>>I have placed preexec commands in both the profiles and netlogon shares,
>>>only the profiles preexec is executed.
>>>Reboots don't make any difference, only determined logout / logins will
>>>eventually get the netlogon share executed.
>>>I have included the full smb.conf file, samba is now running 2.2.7a, each
>>>upgrade results in the same problem.
>>>
>>>We have two domains, one controlled by an old NT PDC (this is to be
>>>retired) and one by a new samba PDC (to be the main PDC for all machines,
>>>once they are migrated). I have noticed that trying to join the samba
>>>domain over a VPN is impossible, whereas joining the NT domain, works
>>>first time. I don't know if this last bit is relevant to the problem or
>>>not.
>>>
>>>
>>># This is the main Samba configuration file. You should read the
>>># smb.conf(5) manual page in order to understand the options listed
>>># here. Samba has a huge number of configurable options (perhaps too
>>># many!) most of which are not shown in this example
>>>#
>>># Any line which starts with a ; (semi-colon) or a # (hash)
>>># is a comment and is ignored. In this example we will use a #
>>># for commentry and a ; for parts of the config file that you
>>># may wish to enable
>>>#
>>># NOTE: Whenever you modify this file you should run the command "testparm"
>>># to check that you have not made any basic syntactic errors.
>>>#
>>>#======================= Global Settings =====================================
>>>[global]
>>>
>>>##
>>>## Basic Server Settings
>>>##
>>> netbios name = PDC
>>> netbios aliases = FILESERVER
>>># netbios name = PDCM
>>>
>>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
>>> workgroup = NOMAD
>>># workgroup = PDC1
>>>
>>> # server string is the equivalent of the NT Description field
>>> server string = Nomad PDC (Samba %v)
>>>#JOW server string = Samba Server 2.2.6
>>>
>>> # This option is important for security. It allows you to restrict
>>> # connections to machines which are on your local network. The
>>> # following example restricts access to two C class networks and
>>> # the "loopback" interface. For more examples of the syntax see
>>> # the smb.conf man page
>>> hosts allow = 192.168.2. 192.168.1. 127.0.0.1
>>>
>>> # Uncomment this if you want a guest account, you must add this to /etc/passwd
>>> # otherwise the user "nobody" is used
>>> ; guest account = pcguest
>>>
>>> # this tells Samba to use a separate log file for each machine
>>> # that connects
>>> log file = /var/log/samba/log.%m
>>>
>>> # How much information do you want to see in the logs?
>>> # default is only to log critical messages
>>> log level = 1
>>>
>>> # Put a capping on the size of the log files (in Kb).
>>> max log size = 10250
>>>
>>> # Security mode. Most people will want user level security. See
>>> # security_level.txt for details.
>>> security = user
>>># JOW domain admin group = root @wheel
>>> domain admin group = root administrator @sysadm
>>>
>>> # Using the following line enables you to customise your configuration
>>> # on a per machine basis. The %m gets replaced with the netbios name
>>> # of the machine that is connecting.
>>> # Note: Consider carefully the location in the configuration file of
>>> # this line. The included file is read at that point.
>>> ; include = /usr/local/samba/lib/smb.conf.%m
>>>
>>> # Most people will find that this option gives better performance.
>>> # See speed.txt and the manual pages for details
>>> # You may want to add the following on a Linux system:
>>> # SO_RCVBUF=8192 SO_SNDBUF=8192
>>> ; socket options = TCP_NODELAY
>>>
>>> # Configure Samba to use multiple interfaces
>>> # If you have multiple network interfaces and want to limit smbd will
>>> # use, list the ones desired here. Otherwise smbd & nmbd will bind to all
>>> # active interfaces on the system. See the man page for details.
>>> ; interfaces = 192.168.12.2/24 192.168.13.2/24
>>>
>>> # Should smbd report that it has MS-DFS Capabilities? Only available
>>> # if --with-msdfs was passed to ./configure
>>> ; host msdfs = yes
>>>
>>>##
>>>## Network Browsing
>>>##
>>> # set local master to no if you don't want Samba to become a master
>>> # browser on your network. Otherwise the normal election rules apply
>>> local master = yes
>>>
>>> # OS Level determines the precedence of this server in master browser
>>> # elections. The default value (20) should be reasonable
>>> os level = 99
>>>
>>> # Domain Master specifies Samba to be the Domain Master Browser. This
>>> # allows Samba to collate browse lists between subnets. Don't use this
>>> # if you already have a Windows NT domain controller doing this job
>>> domain master = yes
>>>
>>> # Preferred Master causes Samba to force a local browser election on startup
>>> # and gives it a slightly higher chance of winning the election
>>> preferred master = yes
>>>
>>> # added by JOW 2002/11/19 to enable us to see riga network
>>> remote browse sync = 192.168.1.3
>>>#JOW remote browse sync = 192.168.2.255 192.168.1.3
>>>
>>>##
>>>## WINS & Name Resolution
>>>##
>>> # Windows Internet Name Serving Support Section:
>>> # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
>>> wins support = yes
>>>
>>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
>>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
>>> ; wins server = w.x.y.z
>>>
>>> # WINS Proxy - Tells Samba to answer name resolution queries on
>>> # behalf of a non WINS capable client, for this to work there must be
>>> # at least one WINS Server on the network. The default is NO.
>>> ; wins proxy = yes
>>>
>>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
>>> # via DNS nslookups.
>>> dns proxy = no
>>>
>>>
>>>##
>>>## Passwords & Authentication
>>>##
>>> add user script = /usr/sbin/useradd -d /dev/null -g 400 -s /bin/false %u
>>> # Use password server option only with security = server
>>> # The argument list may include:
>>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
>>> # or to auto-locate the domain controller/s
>>> ; password server = *
>>> ; password server = <NT-Server-Name>
>>>
>>> # You may wish to use password encryption. Please read
>>> # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
>>> # Do not enable this option unless you have read those documents
>>> encrypt passwords = yes
>>>
>>> # Should smbd obey the session and account lines in /etc/pam.d/samba ?
>>> # only available if --with-pam was used at compile time
>>> ; obey pam restrictions = yes
>>>
>>> # When using encrypted passwords, Samba can synchronize the local
>>> # UNIX password as well. You will also need the "passwd chat" parameters
>>> unix password sync = yes
>>>
>>> # how should smbd talk to the local system when changing a UNIX
>>> # password? See smb.conf(5) for details
>>> passwd program = /usr/bin/passwd -r nis %u
>>>#JOW passwd program = /usr/bin/passwd %u
>>>
>>> # define this as a standard, as it bloody moves around!
>>> smb passwd file = /opt/private/smbpasswd
>>># define how the password is mapped via NIS
>>># JOW NIS stuff, but doesn't work according to samba bods passwd chat = Enter*login(NIS)*password:* %n\n \nNew*password:* %n\n \n*Re-enter*new*password:* %n\n \n*NIS*passwd/attributes*changed*on**
>>># now define the NIS MASTER method
>>> passwd chat = New*password:* %n\n \n*Re-enter*new*password:* %n\n \n*NIS*passwd/attributes*changed*on**
>>>
>>># passwd chat = New*password:* %n\n \n*Re-enter*new*password:* %n\n \n*passwd*(SYSTEM):*passwd*successfully*changed*for*%u*
>>># end of define the NIS MASTER method
>>> passwd chat debug = no
>>>
>>> # This is only available if you compiled Samba to include --with-pam
>>> # Use PAM for changing the password
>>> ; pam password change = yes
>>>
>>>##
>>>## Domain Control
>>>##
>>># JOW added for PDC
>>> admin users = root
>>>
>>> # Enable this if you want Samba act as a domain controller.
>>> # make sure you have read the Samba-PDC-HOWTO included in the documentation
>>> # before enabling this parameter
>>> domain logons = yes
>>>
>>> # if you enable domain logons then you may want a per-machine or
>>> # per user logon script
>>> # run a specific logon batch file per workstation (machine)
>>> ; logon script = client.bat
>>> #JOW make this based on the group the person is in, most are in staff or cortex
>>> logon script = %G.bat
>>> # run a specific logon batch file per username
>>> ; logon script = %U.bat
>>>
>>> # Where to store roving profiles (only for Win95 and WinNT)
>>> # %L substitutes for this servers netbios name, %U is username
>>> # You must uncomment the [Profiles] share below
>>> logon path = \\%L\Profiles\%U
>>>
>>> # UNC path specifying the network location of the user's home directory
>>> # only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x clients
>>>#JOW put back in when staff.bat is global logon home = \\%L\%U\windows
>>>
>>> # What drive should the "logon home" be mounted at upon login ?
>>> # only used when acting as a DC for WinNT/2k/XP. Ignored by Win9x clients
>>>#JOW comment out till every one in staff logon drive = U:
>>>
>>>##
>>>## Printing
>>>##
>>>
>>> # If you want to automatically load your printer list rather
>>> # than setting them up individually then you'll need this
>>> load printers = yes
>>>
>>> # you may wish to override the location of the printcap file
>>> ; printcap name = /etc/printcap
>>>
>>> # on SystemV system setting printcap name to lpstat should allow
>>> # you to automatically obtain a printer list from the SystemV spool
>>> # system
>>> ; printcap name = lpstat
>>>
>>> # It should not be necessary to specify the print system type unless
>>> # it is non-standard. Currently supported print systems include:
>>> # bsd, sysv, plp, lprng, aix, hpux, qnx
>>> ; printing = bsd
>>>
>>> # Enable this to make Samba 2.2 behavior just like Samba 2.0
>>> # not recommended unless you are sure of what you are doing
>>> ; disable spoolss = yes
>>>
>>> # list of users and groups which should be able to remotely manage
>>> # printer drivers installed on the server
>>> ; printer admin = root, +ntadmin
>>>
>>>
>>>##
>>>## Winbind
>>>##
>>>
>>> # specify the uid range which can be used by winbindd
>>> # to allocate uids for Windows users as necessary
>>> ; winbind uid = 10000-65000
>>>
>>> # specify the uid range which can be used by winbindd
>>> # to allocate uids for Windows users as necessary
>>> ; winbind gid = 10000-65000
>>>
>>> # Define a home directory to be given to passwd(5) style entries
>>> # generated by libnss_winbind.so. You can use variables here
>>> ; winbind template homedir = /home/%D/%U
>>>
>>> # Specify a shell for all winbind user entries return by the
>>> # libnss_winbind.so library.
>>> ; winbind template shell = /bin/sh
>>>
>>> # What character should be used to separate the DOMAIN and Username
>>> # for a Windows user. The default is DOMAIN\user, but many people
>>> # prefer DOMAIN+user
>>> ; winbind separator = +
>>>
>>># preload = NETLOGON
>>>
>>>#============================ Share Definitions ==============================
>>>[peter]
>>> browseable = no
>>> valid users = peter, lhmphrey
>>> path = /share/homes/peter
>>>
>>>[homes]
>>> create mode = 0600
>>> directory mode = 0700
>>> comment = Home Directories
>>> browseable = no
>>> writable = yes
>>>;JOW20021113 valid users = %S
>>> path = /share/homes/%U
>>>; path = %H
>>>
>>># Un-comment the following and create the netlogon directory for Domain Logons
>>>#[netlogon]
>>>[NETLOGON]
>>> path = /profiles/netlogon
>>> comment = Network Logon Service
>>> guest ok = yes
>>> writeable = yes
>>>#JOW2003/01/15 writable = no
>>> share modes = yes
>>># share modes = no
>>> write list = administrator, @sysadm
>>>preexec = echo %u %H %U %G >> /tmp/logon.netlogon
>>>
>>>
>>># Un-comment the following to provide a specific roving profile share
>>># the default is to use the user's home directory
>>>#[profiles]
>>>[Profiles]
>>> path = /profiles
>>> writeable = yes
>>> read only = No
>>> browseable = yes
>>> guest ok = yes
>>> profile acls = yes
>>>preexec = echo %u %H %U %G >> /tmp/logon.profiles
>>>
>>>[images]
>>> comment = system images that are not to be made visible
>>> path = /share/images
>>> valid users = sahmed, jwalton, root, administrator
>>> read only = No
>>>
>>>[helpdesk]
>>> comment = helpdesk - see Peter Brent
>>> read only = No
>>> path = /share/homes/preserve/helpdesk
>>>
>>>[NMR_DEBUG]
>>> comment = NMR_DEBUG - see Peter Brent
>>> read only = No
>>> path = /share/homes/preserve/NMR_DEBUG
>>>
>>>[codereview]
>>> comment = codereview - see dave bunbury
>>> path = /share/homes/preserve/codereview
>>> read only = No
>>>
>>>[publicimages]
>>> comment = system images that are freely available
>>> path = /share/images/public
>>> read only = No
>>>
>>>[archived]
>>> comment = user view of archived files that will be deleted after 30 days
>>> path = /share/archived/share/homes/%U
>>> read only = No
>>>[archived_all]
>>> comment = global view of archived files that will be deleted after 30 days
>>> path = /share/archived
>>> read only = No
>>>
>>># NOTE: If you have a BSD-style print system there is no need to
>>># specifically define each individual printer
>>>[printers]
>>> # Set public = yes to allow user 'guest account' to print
>>> comment = printers in london
>>> path = /var/spool/samba
>>> guest ok = Yes
>>> printable = Yes
>>> browseable = No
>>>
>>>[5thfloortmp]
>>> path = /var/spool/samba
>>> read only = No
>>> guest ok = Yes
>>> printable = Yes
>>> printing = nt
>>> printer name = 5thfloor
>>> use client driver = Yes
>>> oplocks = No
>>>
>>>[2ndfloor]
>>> path = /var/spool/samba
>>> read only = No
>>> guest ok = Yes
>>> printable = Yes
>>> printing = nt
>>> printer name = 2ndfloor
>>> use client driver = Yes
>>> oplocks = No
>>>
>>>[print$]
>>> path = /opt/samba/printers
>>> write list = @administrator,root
>>>
>>>
>>
>>
>
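The two batch-file causes named at the top of this message (scripts saved on Linux without CR line endings, and "net use" without /y) can be checked on the Samba server itself. The following is an added example, not part of the original thread: it flags both conditions in the *.bat files of the netlogon directory and can normalise line endings to CRLF. The sample script, the function names and the accepted long form /yes are assumptions; /profiles/netlogon is the [NETLOGON] path from the quoted smb.conf.

```python
import re
import sys
from pathlib import Path

# Drive mappings of the form "net use X: \\server\share" (constructed pattern).
NET_USE = re.compile(rb"^\s*@?\s*net\s+use\s+[a-z]:\s+\\\\", re.IGNORECASE)
# /y is the flag named in the post; the long spelling /yes is accepted as well.
YES_FLAG = re.compile(rb"\s/y(es)?(?=\s|$)", re.IGNORECASE)

BARE_LF = "line ends in LF only (CR missing)"
NO_YES = "net use maps a drive without /y"


def audit_logon_script(data):
    """Return [(line_number, problem), ...] for the bytes of one batch file."""
    findings = []
    pieces = data.split(b"\n")
    for number, raw in enumerate(pieces, start=1):
        ended_by_lf = number < len(pieces)  # the last piece follows the final LF
        if ended_by_lf and not raw.endswith(b"\r"):
            findings.append((number, BARE_LF))
        line = raw.rstrip(b"\r")
        if NET_USE.match(line) and not YES_FLAG.search(line):
            findings.append((number, NO_YES))
    return findings


def to_crlf(data):
    """Rewrite every line ending as CRLF without doubling an existing CR."""
    return re.sub(rb"\r?\n", b"\r\n", data)


def audit_share(directory):
    """Audit every *.bat file in the netlogon directory; {name: findings}."""
    report = {}
    for script in sorted(Path(directory).glob("*.bat")):
        findings = audit_logon_script(script.read_bytes())
        if findings:
            report[script.name] = findings
    return report


# Constructed sample: a staff.bat saved on Linux, with one CRLF line left over.
SAMPLE = (
    b"@echo off\n"
    b"net use H: \\\\PDC\\homes\n"
    b"net use P: \\\\PDC\\publicimages /y\r\n"
)

if __name__ == "__main__":
    # Default path is the [NETLOGON] share path from the posted smb.conf.
    target = sys.argv[1] if len(sys.argv) > 1 else "/profiles/netlogon"
    for name, findings in audit_share(target).items():
        for number, problem in findings:
            print(f"{name}:{number}: {problem}")
```
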