[Samba] Problem with Samba PDC, W2k SP4 + rollup clients, user accounts

Asier Baranguán abaranguan at elpagestion.com
Mon Apr 24 11:11:52 GMT 2006


Asier Baranguan wrote:

>> try to see with wins resolution ...
> 
> That was the problem!
> 
>> do you have or had one WINS server ?

Bad news... the problem has arisen again. On Friday, after enabling WINS, I could join the
domain. Now (Monday) I can't. I think it's a DNS-related problem but I can't find why! I
think I could join the domain due to DNS caching, then changed something, and due to DNS
propagation I didn't see it till today... but I'm not sure.

If I log in with my "old" user everything works. If I enter with a newly created user,
the Windows login says it cannot log in because the domain ELPABI doesn't exist.

I'm desperate, because for a short time it worked (joined two machines).

In the PDC:

| root@kasparov ~ # hostname
| kasparov
| root@kasparov ~ # hostname -f
| kasparov.elpabi
| root@kasparov ~ # cat /etc/hosts
| 127.0.0.1       localhost
| 192.168.1.99    kasparov.elpabi             kasparov
| 192.168.1.100   fischer.elpabi              fischer

fischer is a Linux vserver guest inside kasparov. Normally it's "offline".

From the Samba PDC I can't ping the Windows machines, but nslookup works.

| root@kasparov ~ # ping kasparov
| PING kasparov.elpabi (192.168.1.99) 56(84) bytes of data.
| 64 bytes from kasparov.elpabi (192.168.1.99): icmp_seq=1 ttl=64 time=0.049 ms
| 64 bytes from kasparov.elpabi (192.168.1.99): icmp_seq=2 ttl=64 time=0.028 ms
| root@kasparov ~ # ping desarrollo6
| ping: unknown host desarrollo6
| root@kasparov ~ # nslookup desarrollo6
| Server:         127.0.0.1
| Address:        127.0.0.1#53
|
| Name:   desarrollo6.ELPABI
| Address: 192.168.1.6

From the Windows clients I can ping other clients and the PDC (dnsmasq adds the .elpabi
to the name of the machine).

| d:\>ipconfig /all
|
| Configuración IP de Windows 2000
|
|       Nombre del host . . . . . . . . . . . : desarrollo6
|       Sufijo DNS principal  . . . . . . . . :
|       Tipo de nodo. . . . . . . . . . . . . : Híbrido
|       Enrutamiento de IP habilitado . . . . : No
|       Proxy de WINS habilitado. . . . . . . : No
|       Lista de búsqueda de sufijos DNS. . . : elpabi
|
| Ethernet adaptador Conexión de área local:
|
|        Sufijo DNS específico de la conexión. : elpabi
|        Descripción . . . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
|        Dirección física. . . . . . . . . . . : 00-01-6C-C7-13-C6
|        DHCP habilitado . . . . . . . . . . . : Sí
|        Configuración automática habilitada . : Sí
|        Dirección IP. . . . . . . . . . . . . : 192.168.1.6
|        Máscara de subred . . . . . . . . . . : 255.255.255.0
|        Puerta de enlace predeterminada . . . : 192.168.1.1
|        Servidor DHCP . . . . . . . . . . . . : 192.168.1.99
|        Servidores DNS. . . . . . . . . . . . : 192.168.1.99
|        Servidor WINS principal . . . . . . . : 192.168.1.99
|        Concesión obtenida. . . . . . . . . . : lunes, 24 de abril de 2006 10:24:26
|        Concesión caduca. . . . . . . . . . . : sábado, 29 de abril de 2006 10:24:26

This is the dnsmasq configuration (/etc/dnsmasq.conf)
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# /etc/dnsmasq.conf - Configuration file for dnsmasq. 20060421 - Asier

# Never forward plain names (without a dot or domain part)
domain-needed
expand-hosts
domain=elpabi

# Never forward addresses in the non-routed address spaces.
bogus-priv

# Settings for the Windows clients
dhcp-range=192.168.1.200,192.168.1.253,120h
dhcp-option=1,255.255.255.0         # Netmask
dhcp-option=3,192.168.1.1           # Gateway
dhcp-option=6,192.168.1.99          # DNS server
dhcp-option=44,192.168.1.99         # NetBIOS server
dhcp-option=45,192.168.1.99         # netbios datagram distribution server
dhcp-option=46,8                    # netbios node type
dhcp-option=47                      # empty netbios scope.
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

And /etc/samba/smb.conf (testparm works OK)
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# /etc/samba/smb.conf - 2006-04-21 Asier

[global]
### Machine identification
     workgroup = ELPABI
     netbios name = KASPAROV
     server string = Debian Samba server
     wins support = yes
     dns proxy = yes

### PDC of the ELPABI domain
     domain master = yes
     domain logons = yes
     preferred master = yes
     os level = 64

# Log. A separate log for each machine that connects
     log file = /var/log/samba/log.%m
     log level = 1
     max log size = 10000
     syslog = 0
     panic action = /usr/share/samba/panic-action %d
     utmp = yes

# User verification and security
     security = user
     encrypt passwords = yes
     template shell = /bin/false
     enable privileges = yes
     obey pam restrictions = yes
     pam password change = no
     guest account = nobody
     map to guest = Bad User
     hosts allow = 192.168.1.0/24 127.0.0.1
     hosts deny = all
     interfaces = eth0 192.168.1.99
     bind interfaces only = yes

# Configuration so that Samba uses LDAP
     passdb backend = ldapsam:ldap://192.168.1.99/
     ldap passwd sync = yes
     ldap delete dn = yes
     ldap suffix = dc=ELPA,dc=BI
     ldap admin dn = cn=samba,ou=DSA,dc=ELPA,dc=BI
     ldap user suffix = ou=Users
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers
     ldap idmap suffix = ou=Users
     ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
     ldap ssl = no
     idmap backend = ldap:ldap://192.168.1.99
     idmap uid = 10000-20000
     idmap gid = 10000-20000

### File system
     dos charset = CP850
     unix charset = ISO8859-15
     preserve case = yes
     short preserve case = yes
     case sensitive = no
     create mask = 0640
     directory mask = 0750
     nt acl support = yes
     map acl inherit = yes
     strict locking = yes
     veto oplock files = /*.doc/*.xls/*.mdb/
     level2 oplocks = yes
     hide dot files = yes
     veto files = /*.eml/*.nws/*.{*}/
     dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[netlogon]
     comment = Servicio de Logon en la red
     path = /home/samba/netlogon/
     browseable = no
     read only = yes

[shared]
     comment = Datos y carpetas comunes
     path = /home/samba/shared
     browseable = yes
     guest ok = yes
     valid users = @"Domain Users"
     writeable = yes
     create mask = 0664
     directory mask = 0775
     vfs objects = recycle
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/nsswitch.conf

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# /etc/nsswitch.conf - Modified by Asier. 2005-08-19

passwd:     files ldap
shadow:     files ldap
group:      files ldap

hosts:      files dns

networks:   files
services:   files
protocols:  files
rpc:        files
ethers:     files

netmasks:   files
bootparams: files
publickey:  files
automount:  files

aliases:    files
netgroup:   files
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

