[Samba] PDC/BDC problem - clients not authenticating against BDC

ryan punt rpunt at good-sam.com
Fri Nov 24 15:49:14 GMT 2006 

Adrian,

Yes, I'm using LDAP for a backend. Both the PDC and BDC are using the same LDAP server, as my test environment only has one installed.

I've verified the the SIDs are the same, and they'll both authenticate the same users from smbclient.

The only differences between the two smb.conf files:

rpunt at rpunt:~/documents/Samba3/backup$ diff pdc.smb.conf bdc.smb.conf
3,4c3,4
<       netbios name = GSS-PDC
<       server string = Samba 3 PDC
---
>       netbios name = GSS-BDC
>       server string = Samba 3 BDC
13c13
<       os level = 255
---
>       os level = 200
15,16c15,16
<       domain master = yes
<       preferred master = yes
---
>       domain master = no
>       preferred master = no
18c18
<       wins support = yes
---
>       wins server = 172.21.24.5 # test-pdc's IP address

The same SID is returned for both machine and domain queries on the PDC and BDC: 

test-pdc:~# net getlocalsid GSS
SID for domain GSS is: S-1-5-21-1079125125-2089603153-XXXXXXXX
test-pdc:~# net getlocalsid
SID for domain GSS-PDC is: S-1-5-21-1079125125-2089603153-XXXXXXXX

test-bdc:~# net getlocalsid GSS
SID for domain GSS is: S-1-5-21-1079125125-2089603153-XXXXXXXX
test-bdc:~# net getlocalsid
SID for domain GSS-BDC is: S-1-5-21-1079125125-2089603153-XXXXXXXX


>>> "Adrian A. Sender" <adrians at tinistuffhosting.com> 11/22/2006 7:26:56 AM >>>
Hello Ryan,

As you are using PDC / BDC you are using LDAP arnt you?

You have not provided much information, so its very hard to know where to even start.

Assuming that users are been replicated to the BDC via LDAP slurpd, you may want to 
check the following; 

"net getlocalsid" on the PDC 
Verify that this matches the BDC "net getlocalsid" .. 
If not on the BDC "net setlocalsid S-1-5-21-x-y-z"

Failing this remove your ldap database on the BDC (backup first)

"slapcat -v -l transfer.ldif" on PDC
Copy to BDC

rm -rf /var/lib/ldap/*
On BDC

"slapadd -v -l transfer.ldif on BDC"

All this is clearly explained in the documentation available on the samba web site.

Let me know if this helps.

Cheers,

Adrian Sender



From: "ryan punt" <rpunt at good-sam.com> 
Subject: [Samba] PDC/BDC problem - clients not authenticating against BDC 
Date: Tue, 21 Nov 2006 09:17:41 -0600 
To: <samba at lists.samba.org> 
 
 
Hey list, 

I've got a problem with my PDC/BDC setup. They're both running 3.0.23c on Sarge, and 
I've verified that both the PDC and BDC will authenticate users. 

test-pdc:/etc/samba# testparm 
Load smb config files from /etc/samba/smb.conf 
Processing section "[netlogon]" 
Loaded services file OK. 
Server role: ROLE_DOMAIN_PDC 

test-bdc:/var/log/samba# testparm 
Load smb config files from /etc/samba/smb.conf 
Processing section "[netlogon]" 
Loaded services file OK. 
Server role: ROLE_DOMAIN_BDC 

My PDC is also my WINS server, and I've verified that XP clients on other subnets see 
two "DOMAIN#1c" records. 

The problem I'm having is this: When SMBD on the PDC stops, XP clients will no longer 
authenticate; the specific error is "the system cannot log you on now because the 
domain GSS is not available." NMBD is still running, and XP clients still see 2 "#1c" 
records. 

How can I ensure that XP clients will authenticate against the BDC if the PDC is 
unavailable? 

Thanks, 
Ryan 


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba 

-------------- next part --------------
-------------------------------------------------

This email transmission and any documents, files or previous

email messages attached to it may contain information that is

confidential or legally privileged. If you are not the intended

recipient, you are hereby notified that any disclosure, copying,

printing, distributing or use of this transmission is strictly

prohibited. If you have received this transmission in error,

please immediately notify the sender by telephone or return

email and delete the original transmission and its attachments

without reading or saving in any manner.



The Evangelical Lutheran Good Samaritan Society.

---------------------------------------------------------

More information about the samba mailing list