[Samba] Problems after replacing Domain Controller

Edmundo Carmona eantoranz at gmail.com
Tue Oct 3 21:39:06 GMT 2006

Hi! I hope you can help me here.

We replaced our only domain controller (W2K ActiveDirectory) with a
newer server. It was done by means promotion and everything was copied
correctly (acording to the guy who made the transfer of all the stuff
from the old service to the new one). As a matter of fact all services
provided by the old server are already being served by the new one.

Before the replacement was done I had a squid proxy server (running on
ubuntu) that authenticated users agains the old server. By the time
both servers where up and running I modified the krb5.conf file so
that it started using the new service.

But since the old server was shutdown there have been trust problems.

I can start a kerberos session (is that the right way to call it?):
$ kinit -V ecarmona
Password for ecarmona at FHEP.ORG:
Authenticated to Kerberos v5

But when I try to rejoin the proxy server to the domain, this is what I get:

$ sudo net ads join -U Administrator -d 4
[2006/10/03 17:31:51, 3] param/loadparm.c:lp_load(3910)
  lp_load: refreshing parameters
[2006/10/03 17:31:51, 3] param/loadparm.c:init_globals(1320)
  Initialising global parameters
[2006/10/03 17:31:51, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2006/10/03 17:31:51, 3] param/loadparm.c:do_section(3403)
  Processing section "[global]"
  doing parameter workgroup = fhep
  doing parameter realm = FHEP.ORG
  doing parameter server string = %h servidor proxy auxiliar (Samba, Ubuntu)
  doing parameter netbios name = fhep_proxy
[2006/10/03 17:31:51, 4] param/loadparm.c:handle_netbios_name(2748)
  handle_netbios_name: set global_myname to: FHEP_PROXY
  doing parameter dns proxy = no
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 1000
  doing parameter syslog = 0
  doing parameter panic action = /usr/share/samba/panic-action %d
  doing parameter security = domain
  doing parameter encrypt passwords = true
  doing parameter password server = *
  doing parameter passdb backend = tdbsam guest
  doing parameter obey pam restrictions = yes
  doing parameter invalid users = root
  doing parameter passwd program = /usr/bin/passwd %u
  doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
  doing parameter socket options = TCP_NODELAY
[2006/10/03 17:31:51, 4] param/loadparm.c:lp_load(3941)
  pm_process() returned Yes
[2006/10/03 17:31:51, 2] lib/interface.c:add_interface(79)
  added interface ip= bcast= nmask=
[2006/10/03 17:31:51, 2] lib/interface.c:add_interface(79)
  added interface ip=x.x.x.x bcast=y.y.y.y nmask=z.z.z.z
Administrator's password:
[2006/10/03 17:32:00, 4] libsmb/namequery.c:get_dc_list(1332)
  get_dc_list: no servers found
[2006/10/03 17:32:00, 4] libsmb/namequery.c:get_dc_list(1406)
  get_dc_list: returning 1 ip addresses in an unordered list
[2006/10/03 17:32:00, 4] libsmb/namequery.c:get_dc_list(1407)
[2006/10/03 17:32:00, 3] libads/ldap.c:ads_connect(247)
  Connected to LDAP server
[2006/10/03 17:32:00, 1] libads/ldap.c:ads_connect(251)
  Failed to get ldap server info
[2006/10/03 17:32:00, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: No results returned
[2006/10/03 17:32:00, 2] utils/net.c:main(859)
  return code = -1

I have noticed that it's complaining about the ldap service in the AD
server and I have checked with konqueror and it is efectively behaving
weird: Sometimes I can't get an answer to a query, sometimes it
answers but takes forever to respond..... (I have just checked and it
seems to behave now, though the join fails miserably with the same

Does anyone have a clue about what I have to do, either with the
windows server of my GNU/linux server? Replacing AD with openLDAP is
not an option, so don't ask. :-D

Thanks in advance

PS Just to test, I tried joining by rpc and it worked:
$ sudo net rpc testjoin
Join to 'FHEP' is OK

But something tells me that it's not enough to get squid to
authenticate users with ntlm_auth, is it?

More information about the samba mailing list