[Samba] PDC/BDC trouble
ryan punt
rpunt at good-sam.com
Mon Dec 4 19:56:50 GMT 2006
All,
I'm using an LDAP backend for a test PDC/BDC setup. Both the PDC and BDC are using the same LDAP server. Both the PDC and BDC are running 3.0.23c on Sarge, and I've verified that both the PDC and BDC will authenticate users via smbclient. XP clients are able to login to the domain fine, and all is generally swell.
My PDC is also my WINS server, and I've verified that XP clients on other subnets see two "DOMAIN#1c" records, so both DCs are being presented to clients.
The problem I'm having is this: When SMBD on the PDC stops, XP clients will no longer authenticate; the specific error is "the system cannot log you on now because the domain GSS is not available." NMBD is still running, and XP clients still see 2 "#1c" records. Why don't my XP clients fail over to my BDC?
Both the PDC and BDC are operating in their designated roles:
test-pdc:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
test-bdc:/var/log/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
smb.conf is pretty similar on both machines; the full file is included below. Here are the differences:
rpunt at rpunt:~/documents/Samba3/backup$ diff pdc.smb.conf bdc.smb.conf
3,4c3,4
< netbios name = GSS-PDC
< server string = Samba 3 PDC
---
> netbios name = GSS-BDC
> server string = Samba 3 BDC
13c13
< os level = 255
---
> os level = 200
15,16c15,16
< domain master = yes
< preferred master = yes
---
> domain master = no
> preferred master = no
18c18
< wins support = yes
---
> wins server = 172.21.24.5 # test-pdc's IP address
The same SID is returned for both machine and domain queries on the PDC and BDC:
test-pdc:~# net getlocalsid GSS
SID for domain GSS is: S-1-5-21-1079125125-2089603153-XXXXXXXX
test-pdc:~# net getlocalsid
SID for domain GSS-PDC is: S-1-5-21-1079125125-2089603153-XXXXXXXX
test-bdc:~# net getlocalsid GSS
SID for domain GSS is: S-1-5-21-1079125125-2089603153-XXXXXXXX
test-bdc:~# net getlocalsid
SID for domain GSS-BDC is: S-1-5-21-1079125125-2089603153-XXXXXXXX
How can I ensure that XP clients will authenticate against the BDC if the PDC is unavailable?
Thanks,
Ryan
### smb.conf on the PDC ###
[global]
workgroup = GSS
netbios name = GSS-PDC
server string = Samba 3 PDC
passwd program = /opt/ChangePasswordSecure %u
passwd chat timeout = 60000
passwd chat = *new*password* %n\n *new*password* %n\n *successfully* .
unix password sync = Yes
log level = 1
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 255
domain logons = yes
domain master = yes
preferred master = yes
dns proxy = no
wins support = yes
preexec = sh -c 'echo Welcome to GSS domain | /usr/bin/smbclient -M "%m" -I "%i" ' &
enable privileges = yes
passdb backend = ldapsam:"ldap://ldapserver.1240.good-sam.com"
ldap admin dn = cn=Directory Manager
ldap suffix = o=good-sam.com
add machine script = /usr/sbin/smbldap-useradd -w %u >/tmp/smbldap-useradd-machine.log 2>&1
rename user script = /usr/sbin/rename.pl %unew %uold >/tmp/smbldap-rename-machine.log 2>&1
[netlogon]
comment = Network Logon Service
path = /opt/netlogon
write list = user1, user2
guest ok = Yes
-------------- next part --------------
-------------------------------------------------
This email transmission and any documents, files or previous
email messages attached to it may contain information that is
confidential or legally privileged. If you are not the intended
recipient, you are hereby notified that any disclosure, copying,
printing, distributing or use of this transmission is strictly
prohibited. If you have received this transmission in error,
please immediately notify the sender by telephone or return
email and delete the original transmission and its attachments
without reading or saving in any manner.
The Evangelical Lutheran Good Samaritan Society.
---------------------------------------------------------
More information about the samba
mailing list