[Samba] winbind and SBS 2003

Hugo hugo at salo-ag.de
Fri Sep 15 08:39:27 GMT 2006


Hi,

I want VPN clients which have a valid X.509 cert and a valid user account in the M$ domain to be able to access the LAN. The M$ DC is an SBS 2003 server in mixed mode.
I don't want to manage two user DBs. I want the VPN server to ask the domain controller for a valid user account. So I've installed the necessary stuff on the VPN server. The interesting things here are:
samba/winbind 3.0.22, samba-common.
After a while of testing and changes everything was working fine. Then one day the VPN/samba server accidentally got the same NetBIOS name as the M$ DC. Now every time the VPN server comes online, the SBS server is inaccessible for the internal M$ clients, but the VPN client can still access the LAN. On some machines there are popups like "The IP you are using is already in use", but it isn't. Nevertheless the NIC gets disabled. The DC is also the DHCP server. I've renamed the samba NetBIOS name, of course, and deleted the machine account on the DC. I've also deleted the *.tdb files on the samba machine, and the samba machine got another IP address. Then I let the samba server rejoin the M$ domain successfully. I can get the DC accounts by using wbinfo -u and -g. getent is working too. ntlm_auth username=<> works too. Everything seems to be fine, but the internal network breaks down because the DC goes on strike. The DC's system event log says:
The session could not be established, because the security database could not find a trust account corresponding to the requesting computer. (Sorry, this is my translation from German. It may not be exactly the same word for word as the original English event description. Event ID is: 5723, source: NETLOGON.) That's it in the event logs. A browstat status on the DC lists:
Status for domain DOMAIN on transport \Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
    Browsing is active on domain.
    Master browser name is: TEST
        Master browser is running build 3790
    2 backup servers retrieved from master TEST
        \\UMS
        \\TEST
    There are 13 servers in domain DOMAIN on transport \Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
    There are 2 domains in domain DOMAIN on transport \Device\NetBT_Tcpip_{0D040CB9-B2E6-4BE5-BF6A-59E9C86B54EA}
An nmblookup -M DOMAIN gives: TEST
When the network goes down on the samba server, everything wakes up again...
The event log on the local XP clients complains something like: no domain controller is available for the following reason: the RPC call was aborted. Event ID: 5719.
The event log on UMS, the backup browser, complains: the reading of the backup list was aborted because no master browser is accessible. The backup browser could not get a server list from the master browser on the network {...}. Event ID: 8021.
It looks like the SBS 2003 machine can't 'forget' that a second machine with the same NetBIOS name appeared on the network.
Perhaps the reason for this is the special SBS license.
However, perhaps someone has had the same experience and maybe, much more importantly, worked out a solution for this problem.
The smb.conf:
[global]
workgroup = DOMAIN 
os level = 0
preferred master = No
local master = No
domain master = No
wins server = 172.16.5.60 
interfaces = eth1
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 6 
security = Domain 
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
;domain logons = yes 
;logon drive = H:
;logon home = \\%N\%U
;logon script = logon.cmd
socket options = TCP_NODELAY
winbind separator = + 
winbind enum users = yes
winbind enum groups = yes 
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false

Thanks for any answer

Hugo
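Added example (my code, not from Hugo's post and not part of the Samba project): a small pre-flight check that parses a domain member's smb.conf and flags the two things in this thread that can take the DC down when the member comes online: a NetBIOS name equal to the DC's, and browser-election settings that let the member contest the DC. The DC name TEST is taken from the browstat output above; the hostnames and the trimmed copy of the posted [global] section are constructed. The key matching (case-insensitive, whitespace ignored) and the default NetBIOS name (first DNS label of the hostname, uppercased) follow Samba's documented behaviour; the finding texts are my own.

```python
"""Pre-flight checks for a Samba domain-member smb.conf.

Added example, not from the post.  A member server can knock a Windows DC
off the network in two ways: by registering the DC's NetBIOS name, or by
winning browser elections it should never take part in.  This parses the
[global] section the way Samba reads it and reports both.
"""
import re

# Constructed sample: a trimmed copy of the [global] section posted above.
SAMPLE_SMB_CONF = """\
[global]
workgroup = DOMAIN
os level = 0
preferred master = No
local master = No
domain master = No
wins server = 172.16.5.60
interfaces = eth1
security = Domain
;domain logons = yes
winbind separator = +
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with whitespace
    removed, which is how Samba matches parameter names ('os level' == 'OSLevel')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # both smb.conf comment styles
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def as_bool(value, default):
    """Samba boolean syntax: yes/true/1 vs no/false/0; 'default' when unset."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def effective_netbios_name(global_section, hostname):
    """Samba defaults 'netbios name' to the first DNS label of the hostname,
    uppercased; an explicit 'netbios name' overrides that."""
    name = global_section.get("netbiosname") or hostname.split(".")[0]
    return name.upper()


def check_member_config(text, hostname, dc_netbios_name):
    """Return a list of findings; an empty list means it is safe to start nmbd."""
    g = parse_smb_conf(text).get("global", {})
    findings = []

    name = effective_netbios_name(g, hostname)
    if name == dc_netbios_name.strip().upper():
        findings.append(f"netbios name {name} collides with the DC's name")

    if g.get("security", "").lower() not in ("domain", "ads"):
        findings.append("security is not 'domain' or 'ads': not a domain-member setup")
    if not g.get("workgroup"):
        findings.append("workgroup (the NT domain name) is not set")

    # Browser-election settings.  'local master' defaults to yes in Samba, so a
    # member that omits it will still bid for master browser on its subnet.
    if as_bool(g.get("localmaster"), True):
        findings.append("local master is not 'no': member will contest browser elections")
    if as_bool(g.get("preferredmaster"), False):
        findings.append("preferred master = yes forces an election at startup")
    if as_bool(g.get("domainmaster"), False):
        findings.append("domain master = yes competes with the PDC for the DOMAIN<1B> name")
    if as_bool(g.get("domainlogons"), False):
        findings.append("domain logons = yes makes the member pose as a logon server")
    return findings


if __name__ == "__main__":
    # The DC in the thread is TEST; the VPN host had accidentally taken that name.
    for host in ("test.example.lan", "vpn.example.lan"):
        print(host, check_member_config(SAMPLE_SMB_CONF, host, "TEST") or "OK")
```

Run it against the real file (read /etc/samba/smb.conf into check_member_config) before starting nmbd after any hostname or IP change. It complements rather than replaces testparm; it also says nothing about the machine trust account that the NETLOGON 5723 event is complaining about, which is what wbinfo -t and net rpc testjoin check.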

