[Samba] Domain Logins across VPN

Rob Hall rob at desynched.net
Thu May 25 12:39:52 GMT 2006

----- Original Message ----- 
rob at desynched.net wrote:
>> rob at desynched.net wrote:
>>> I've been trying to get this to work for a few days now. I read that
>>> domain requests are sent via broadcast, and to use WINS to get around
>>> it.
>>> Well, I've enabled the WINS server on my Samba PDC, and told the BDCs
>>> on each VPN segment that the PDC is a WINS server. WINS resolution
>>> works apparently, I can sit on a VPN'd network segment and ping
>>> machines across the VPN via their NETBIOS name, but I can't log into
>>> the domain. Windows tells me it can't find the domain. Is there
>>> something I'm missing?
>> sorry rob, i forgot to reply-to-all the first time.
>> do you have
>> domain master = no
>> domain logons = yes
>> that set up works for me. and i also use
>> local master = yes
>> though i don't think the local master is required for bdc functionality.
>> --
>> Anthony
> Yeah, I have that in my conf. Actually, I got it working earlier, but I
> had to tell samba to use my master LDAP server to do it - I was hoping I
> could make samba read off of the local slave server so if the connection
> to the master was severed, domain logins would still be functional. I'll
> tool around with it some more tomorrow and see if I can make it work the
> way I intend.

hmmm...  i also use a replicated ldap server on the bdc localhost.
could you post your smb.conf and any errors you see in your samba log?


sure, here's my smb.conf:
netbios name = <servername here>
workgroup = WORKGROUP
server string = Server String
security = user
hosts allow = 192.168.0. 127.
load printers = no
log file = var/log/samba.%m
max log size = 50
log level = 1
passdb backend = ldapsam:ldap://<master LDAP IP>
socket options = TCP_NODELAY
interfaces = <localnet ip/netmask>
os level = 64
domain master = no
preferred master = auto
domain logons = yes

#LDAP stuff:
ldap admin dn = cn=<ID>,dc=<domain>,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = yes
ldap suffix = dc=<domain>,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.01
idmap uid = 10000-20000
idmap gid = 10000-20000

logon script = logon.bat
logon path =
logon drive = H:
wins server = <PDC LAN>
wins proxy = yes
dns proxy = no

# domain user stuff:
  add user script = /usr/local/sbin/smbldap-useradd -a '%u'
  add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
  add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
  delete user script = /usr/local/sbin/smbldap-userdel '%u'
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' 
  set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
  add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
  delete group script = /usr/local/sbin/smbldap-groupdel '%g'

This configuration works. If I change passdb to instead of the 
Master LDAP's IP, this pops up in samba.smbd:

[2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
  failed to add domain dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com 
with: Server is unwilling to perform
        shadow context; no update referral
[2006/05/24 14:53:30, 0] lib/smbldap_util.c:smbldap_search_domain_info(258)
  Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL

That's the only error I see popping up. Ideas?
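Added example, not part of the thread: the "shadow context; no update referral" error is what OpenLDAP returns when a write (here Samba creating the sambaDomainName entry at startup) hits a read-only replica that has no updateref configured. The fragments below show a BDC reading from its local replica while writes are referred to the master; the server names, DNs and credentials are placeholders, and the slapd.conf syntax assumed is the OpenLDAP 2.3-era syncrepl consumer form.

```conf
# --- smb.conf on the BDC (added example) ---
# Read from the local replica so logons keep working if the VPN to the
# master goes down; writes are rare (domain info, machine accounts).
passdb backend = ldapsam:ldap://127.0.0.1
# When the replica answers a write with a referral, Samba follows it to
# the master using the "ldap admin dn" credentials, then waits this many
# milliseconds for the change to replicate back before reading it.
ldap replication sleep = 1000
ldap admin dn = cn=<ID>,dc=<domain>,dc=com
ldap suffix = dc=<domain>,dc=com

# --- slapd.conf on the BDC-local replica (added example) ---
database        bdb
suffix          "dc=<domain>,dc=com"
rootdn          "cn=<ID>,dc=<domain>,dc=com"
# Consumer side of replication; the binddn only needs read access on
# the master, so keep it separate from the Samba admin dn.
syncrepl        rid=001
                provider=ldap://<master LDAP IP>
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=<domain>,dc=com"
                bindmethod=simple
                binddn="cn=<replicator>,dc=<domain>,dc=com"
                credentials=<replicator password>
# Without this line a write to the replica fails with
# "Server is unwilling to perform: shadow context; no update referral".
# With it the replica returns a referral to the master instead.
updateref       ldap://<master LDAP IP>
```

Check that the sambaDomainName entry already exists on the master (replicated down) so the BDC never needs to create it at all, and that the master's ACLs accept the ldap admin dn bind coming from the BDC's VPN address, since that is where the referred write will land.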

