[Samba] RE: samba Digest, Vol 42, Issue 6

adrian sender adrian_au1 at hotmail.com
Tue Jun 6 13:55:16 GMT 2006

Hi Scott,

Good to see 64-bit. I would suggest doing something like the following:

Log on to a BDC that is currently accepting domain logons and is replicating
the database from the PDC.

as root > slapcat -v -l ldif-transfer.txt   # dump the database
root > scp ldif-transfer.txt root@RHE4BDC:/dir
root > net getlocalsid > sidtransfer.txt   # vi and check the file for the SID
root > scp sidtransfer.txt root@RHE4BDC:/dir

Log on to the RHE4 BDC as root.

root > cd /dir   # you should see ldif-transfer.txt & sidtransfer.txt
root > service ldap stop
root > cd /var/lib/ldap
root > rm -rf *   # be sure to be in the right dir, "/var/lib/ldap"
root > cd /dir
root > slapadd -v -l ldif-transfer.txt

root > chown -R ldap.ldap /var/lib/ldap
root > service ldap start

root > smbpasswd -w secretpassword
root > net rpc getsid
root > net rpc join

At this stage restart Samba and LDAP on the RHE4 BDC and do a

root > net getlocalsid   # check that it matches your SID from sidtransfer.txt;
                         # if not, cat sidtransfer.txt and run
                         # "net setlocalsid sid-556S-1-5-21-3018044689.."

Test again and let us know; make sure user names are being replicated from
the PDC to all BDCs.

Adrian Sender

>From: "Scott Moorhouse" <smoorhouse at ae-solutions.com>
>To: <samba at lists.samba.org>
>Subject: [Samba] 64-bit RHEL4 BDC doesn't allow workstation logons
>Date: Mon, 5 Jun 2006 12:22:07 -0500
>I'm trying to set up Samba on RHEL4 as a BDC for subnet  The
>PDC is located at another site and on another network. Its IP address is
> There are other BDCs on subnets,, and
> that all function fine.  This is the only one on RHEL and this
>is the only one on a 64 bit box.
>We are using ldapsam for the passdb.  The important config lines are:
>workgroup = AEI
>netbios name = APPDEVEL-BIS
>passdb backend = ldapsam:ldap://ldap.server.name
>local master = yes
>preferred master = no
>domain master = no
>os level = 33
>domain logons = yes
>wins server =
>I have used smbpasswd -w secret, as well as net rpc join with a successful
>domain join.
>Whenever someone logs in on a computer joined to the domain on this subnet
>(and all the computers in this domain were already joined to the domain AEI
>before this BDC was put into place) they get the:
>"Windows cannot connect to the domain, either because the domain controller
>is down or otherwise unavailable, or because your computer account was not
>found. Please try again later. [...]"
>Modifying the config file to say domain logons = no passes the logon to
>another DC and then the logon works.
>Logs at log level 5 say such scary things as:
>[token.log, a workstation trying to log in]
>[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_nt_user_token(486)
>   NT user token: (NULL)
>[2006/06/05 12:13:07, 5] auth/auth_util.c:debug_unix_user_token(505)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
>[2006/06/05 12:13:07, 5] auth/auth_util.c:is_trusted_domain(1491)
>   is_trusted_domain: Checking for domain trust with [AEI]
>[2006/06/05 12:13:07, 5]
>   secrets_fetch failed!
>[2006/06/05 12:13:07, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2006/06/05 12:13:07, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
>   no entry for trusted domain AEI found.
>[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(133)
>   attempting to make a user_info for  ()
>[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(143)
>   making strings for 's user_info struct
>[2006/06/05 12:13:07, 5] auth/auth_util.c:make_user_info(185)
>   making blobs for 's user_info struct
>[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password:  Checking password for unmapped user []\[]@[TOKEN]
>with the new password interface
>[2006/06/05 12:13:07, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password:  mapped user is: [AEI]\[]@[TOKEN]
>At which point it looks like it tries guest access by mapping null user to
>nobody, which isn't allowed, and fails.
>I'm convinced that the machine actually doesn't believe that it's a domain
>member.  For instance, in Printers and Faxes, it says the privileged user 
>APPDEVEL-BIS\Administrators, not AEI\Administrators. etc.  That would seem
>to make some sense with its behavior, but I don't know how else to convince
>it it's a domain member other than what I've already done with net rpc 
>which has been successful for me in the past.  But what's also bizarre is
>that after one gets logged in, you can browse APPDEVEL-BIS's shares fine
>without having to log in, and with seemingly the correct access levels.
>Is there a 64-bit issue going on here?  Or maybe a library version issue?
>Right now I'm using samba 3.0.10 which comes with RHEL4, but I have
>experienced the same problems with 3.0.22 built from source and I'm staying
>on 3.0.10 right now because I'm querying Red Hat support with this same
>question -- though they seem just as stumped as I am so far.
>Can someone please give me some pointers where I can look next?
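Added example, not part of the thread and not Samba's own tooling: a POSIX shell script that does the SID check the reply above ends with, comparing the SID saved from the source BDC (sidtransfer.txt) against the SID the new RHEL4 BDC reports, and also against the sambaDomain entry inside the LDIF dump, so that a dump and a SID file taken from different servers are caught before "net setlocalsid" is run. Samba requires a BDC to carry the same domain SID as the PDC. The "net getlocalsid" output format ("SID for domain NAME is: S-1-5-21-..."), the LDIF layout and every SID value below are assumptions or constructed sample data; on a real BDC feed the functions the output of "cat /dir/sidtransfer.txt", "net getlocalsid" and "cat /dir/ldif-transfer.txt" instead.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the SID a BDC reports against the
# SID saved from the source BDC and against the sambaDomain entry in the LDIF
# dump. The "net getlocalsid" output format is assumed to be
# "SID for domain NAME is: S-1-5-21-..."; SID values and LDIF are constructed.

# Pull the first S-1-5-21-... SID out of "net getlocalsid" output on stdin.
extract_sid() {
    sed -n 's/.*is: *\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Print the sambaSID of the sambaDomain entry named $2 in the LDIF text $1
# (entries are blank-line separated, as slapcat writes them).
ldif_domain_sid() {
    printf '%s\n' "$1" | awk -v dom="$2" 'BEGIN { RS = "" }
        /objectClass: sambaDomain/ {
            sid = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "sambaDomainName:" && $(i + 1) == dom) hit = 1
                if ($i == "sambaSID:") sid = $(i + 1)
            }
            if (hit) print sid
        }'
}

# Exit 0 when the SID saved from the source ($1, getlocalsid output) equals the
# SID the target reports ($2, getlocalsid output); 1 otherwise, including when
# no SID could be parsed at all.
sid_matches() {
    saved=$(printf '%s\n' "$1" | extract_sid)
    current=$(printf '%s\n' "$2" | extract_sid)
    [ -n "$saved" ] && [ "$saved" = "$current" ]
}

# The command to run on the target when the SIDs differ.
fix_command() {
    printf 'net setlocalsid %s\n' "$(printf '%s\n' "$1" | extract_sid)"
}

# Constructed inputs (not real SIDs). On a real BDC use "$(cat /dir/sidtransfer.txt)",
# "$(net getlocalsid)" and "$(cat /dir/ldif-transfer.txt)" instead.
SAVED_OUTPUT='SID for domain AEI is: S-1-5-21-3018044689-111111111-222222222'
TARGET_OUTPUT='SID for domain APPDEVEL-BIS is: S-1-5-21-999999999-333333333-444444444'
SAMPLE_LDIF='dn: sambaDomainName=AEI,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: AEI
sambaSID: S-1-5-21-3018044689-111111111-222222222
sambaNextRid: 1000

dn: uid=scott,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3018044689-111111111-222222222-1006'

# The domain SID in the LDIF dump must equal the saved SID, or the dump and
# the SID file were taken from different servers.
if [ "$(ldif_domain_sid "$SAMPLE_LDIF" AEI)" != "$(printf '%s\n' "$SAVED_OUTPUT" | extract_sid)" ]; then
    echo "LDIF domain SID and sidtransfer.txt disagree; re-export both from the same BDC"
fi

if sid_matches "$SAVED_OUTPUT" "$TARGET_OUTPUT"; then
    echo "local SID matches the saved domain SID"
else
    echo "local SID differs; on the target BDC run:"
    fix_command "$SAVED_OUTPUT"
fi
```

The script only prints the "net setlocalsid" command rather than running it, so it can be run on the target before the LDAP import and after the "net rpc join" step without changing anything; the operator applies the fix once the printed SID has been checked against sidtransfer.txt.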
