[Samba] Samba LDAP PDC BDC quit working

Philip Washington phwashington at comcast.net
Mon Feb 20 17:04:27 GMT 2006


mallapadi niranjan wrote:

> Hi all
>
>
> I too have the same problem. I am also using samba 3.0.21 with
> openldap version 2.2.13 on Redhat Enterprise Linux 4 enterprise server.
> If the samba PDC gets rebooted abruptly, some of my client
> workstations (Windows 2000 professional) have to rejoin.
> I was asked to check whether the RID of the computer name is correct
> (uid*2 + 1000), and whether computer names have the SambaSAMAccount
> object class.
> Even though my computer names exist in the database with the correct
> object class and RID, the clients have to be rejoined. This happens only
> when the samba PDC with ldap gets rebooted abruptly.
> Having said that, I assume that LDAP is unable to maintain
> consistency when it gets rebooted.
>
> So I had kept a DB_CONFIG file in /var/lib/ldap (this is where all the
> bdb files are) and use db_recover in case of any crash of ldap.
>
> But even if we take a backup in an LDIF file and restore it, my
> computer accounts still are not coming back; I had to rejoin.
>
> This is the problem that I am having, but I still could not find the
> correct solution.
>
> Regards
> Niranjan
>
Do you have a BDC?  If not then this is very interesting information.

> On 2/19/06, Philip Washington <phwashington at comcast.net> wrote:
>
>     Craig White wrote:
>
>     >On Sat, 2006-02-18 at 11:11 -0600, Philip Washington wrote:
>     >
>     >
>     >>We have had a Samba LDAP-PDC-BDC system setup for close to 3 months with
>     >>about 60 computers in the domain.  Earlier we had a power outage and
>     >>about 30 computers no longer were able to log into the domain or
>     >>authenticate.  Some were NT Workstations and some were W2k.  But not all
>     >>NT or W2K workstations were affected.
>     >>If we went to network neighborhood we would see the error message
>     >>"The trust relationship between this workstation and the primary domain
>     >>failed"
>     >>When someone tries to login to these computers then they get the error
>     >>"The system cannot log you on to this domain because the system's
>     >>computer account in it's primary domain is missing or the password on
>     >>that account is incorrect".
>     >>
>     >>We were able to fix the problem on the computers by taking the computers
>     >>out of the domain and re-entering them into the domain.  Went into
>     >>System->Network Identification-> put the machine in a workgroup ->
>     >>reboot -> Go back in and put the machine back into the domain.  No
>     >>manual deletion on the PDC was done.  This was all done on the client.
>     >>
>     >>I reviewed LDAP backups and thus far have not found any discrepancies
>     >>with the systems profiles before or after the power outage.  The records
>     >>indicate that there has not been any change in the LDAP information in
>     >>the last 2 months for the machines which have the problem.  Of course
>     >>once the systems have been relogged into the domain the SambaNTPassword
>     >>changes.
>     >>
>     >>I am currently both baffled and concerned as to how or why this would
>     >>happen.  If anybody could shed more light on what could have happened I
>     >>would appreciate it.
>     >>I would also like to know if there is a way to re-add or add a client on
>     >>the Samba-LDAP-PDC instead of going to each individual client.
>     >>
>     >>
>     >----
>     >probably would be a good idea to figure out how to troubleshoot your
>     >setup as one could only conjecture about what your problem is as you
>     >describe it.
>     >
>     >I do know that there is some faulty logic in your assumptions above
>     >since the workstations will automatically change their password with the
>     >passdb approximately once each month and I am quite certain that this is
>     >documented in the samba documentation.
>     >
>     >
>     >
>     Yep, this does throw a bad domino into the logic.  ( I wonder if MS will
>     give me my money back for all of those MCSE classes).  Once I fixed that
>     domino and started looking at the BDC again, I realized that its samba
>     configuration files look identical to the ones on the PDC with the
>     exception that ldap is pointing to the ldap on the BDC.  So it
>     currently looks like the BDC is misconfigured (Basically I'm seeing a
>     configuration that deviates quite a bit from what I see in Samba-3 by
>     Example).
>     I shutdown the BDC for now and put the PDC on a UPS (Yeah it should have
>     been on one in the first place, but money is tight and we're operating
>     under, if it ain't broke don't pay money to fix it).  This should hold
>     us over until the BDC is configured correctly.
>
>     Thanks for the enlightenment.
>
>
>     >So in view of your faulty assumption, my guess would be that your
>     >PDC/BDC setup in LDAP probably isn't working properly as there should be
>     >evidence in some log somewhere when the workstations change their
>     >password and that the password changes propagate from LDAP server to
>     >LDAP server and assuming that you are using something like 'slurpd' to
>     >replicate changes in LDAP, there should be evidence of some failures
>     >(aka rejects) unless you are allowing changes directly to the 'slave'
>     >LDAP server in which case, you have a lot to fix.
>     >
>     >Craig
>     >
>     >
>     >
>
>
>
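
The checks discussed in this thread (sambaSamAccount object class, RID = uid*2 + 1000, and whether machine password changes reached the second LDAP server) can be run offline against LDIF exports from both servers. The following is an added example, not code from any poster or from the Samba project; the DNs under dc=example,dc=org, the SID prefix, the hash placeholders and the helper names are constructed assumptions.

```python
# Added example: audit machine accounts in master/replica LDIF exports.
def parse_ldif(text):
    # Minimal reader: blank-line separated entries, "attr: value" lines only
    # (no base64 or folded lines, which the constructed sample does not use).
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            entries[attrs["dn"][0].lower()] = attrs
    return entries

def audit(master_ldif, replica_ldif):
    master, replica = parse_ldif(master_ldif), parse_ldif(replica_ldif)
    findings = []
    for dn, m in sorted(master.items()):
        uid = m.get("uid", [""])[0]
        if not uid.endswith("$"):            # machine accounts only
            continue
        if "sambasamaccount" not in {c.lower() for c in m.get("objectclass", [])}:
            findings.append((uid, "missing sambaSamAccount objectClass"))
            continue
        rid = int(m["sambasid"][0].rsplit("-", 1)[1])
        expected = int(m["uidnumber"][0]) * 2 + 1000
        if rid != expected:
            findings.append((uid, f"RID {rid} != uidNumber*2+1000 ({expected})"))
        r = replica.get(dn)
        if r is None:
            findings.append((uid, "absent from replica"))
            continue
        for attr in ("sambantpassword", "sambapwdlastset"):
            if m.get(attr) != r.get(attr):   # change never replicated
                findings.append((uid, f"{attr} differs between master and replica"))
    return findings

def _entry(uid, uidnum, rid, nthash, lastset):
    # Constructed sample entry; hash values are placeholders, not real hashes.
    return (f"dn: uid={uid},ou=Computers,dc=example,dc=org\n"
            f"objectClass: posixAccount\nobjectClass: sambaSamAccount\nuid: {uid}\n"
            f"uidNumber: {uidnum}\nsambaSID: S-1-5-21-1-2-3-{rid}\n"
            f"sambaNTPassword: {nthash}\nsambaPwdLastSet: {lastset}\n")

MASTER = "\n".join([_entry("ws01$", 1000, 3000, "A" * 32, 1140000000),
                    _entry("ws02$", 1001, 3002, "B" * 32, 1140000500),
                    _entry("ws03$", 1002, 3010, "C" * 32, 1139000000)])
REPLICA = "\n".join([_entry("ws01$", 1000, 3000, "A" * 32, 1140000000),
                     _entry("ws02$", 1001, 3002, "D" * 32, 1137400000),
                     _entry("ws03$", 1002, 3010, "C" * 32, 1139000000)])

if __name__ == "__main__":
    for finding in audit(MASTER, REPLICA):
        print(finding)
```

A machine account whose sambaNTPassword or sambaPwdLastSet differs between the two exports is one that would fail to authenticate against whichever server holds the stale value.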


