[Samba] Domain login across subnets

John Paul jdpaul at gocolumbiamo.com
Wed Feb 7 21:25:10 GMT 2007


My environment is Samba 3.0.23d as a PDC, password backend is OpenLDAP 2.3.27, 
running on SuSE 10.1; workstations are Windows XP SP2, all recent patches 
applied. All machines are on the same Class B private IP network. Domain 
logons function perfectly, performance is very nice. For security and performance 
reasons we are looking at dividing the network into many VLANs, each with 
its own IP subnet. 

On the testing network, a very strange thing is happening. When the workstation 
is on the Class B subnet, all functions work perfectly - Adding machine to 
domain, logging in, mapping drive to samba server, etc. However, when placed 
on the test VLAN (a class C private IP subnet) some of this functionality 
goes away. I can ping the DC (meaning the packets are correctly routed). 
I can resolve the DC name to its IP (meaning name resolution across the subnet 
is working), I can resolve my own workstation name to the correct IP. However, 
when I try to add this machine to the domain, I get the following error:

The following error occurred attempting to join the domain "DOMAIN"

Logon Failure: unknown user name or bad password.

Of course I'm using the same user name and password (root) as I use when 
on the Class B subnet. When I attempt to map a drive, I get "System error 
1326 has occurred - Logon failure: unknown user name or bad password." Stranger 
yet is that every 5 or so times, this all works perfectly.

I've considered problems with the switching hardware, however, I set the 
workstation to ping the DC constantly for like 4 hours and not a single packet 
was dropped. There is nothing strange about the setup, it's really very simple. 
All other services function perfectly between the VLANs. I also tried adding 
a VLAN on our production network using the production DC with the exact same 

I should add that on the testing network, although the logical layout is 
similar, we do not have a DHCP server so all address assignments are done 
by hand. However, when we move the workstation from one subnet to another, 
we are careful to put the workstation in the correct subnet and make sure 
that the WINS server is set correctly.

I've attached my smb.conf. If any party is interested in further diagnosing 
the problem I'll be happy to spend as much time as necessary to provide the 
information you might need.

Here's my smb.conf (names have been changed to protect the guilty)

[global]
        interfaces = eth0 lo
        bind interfaces only = yes
        workgroup = DOMAIN
        server string = "Domain Controller"
        passdb backend = ldapsam:ldap://
        log level = 1
        syslog = 0
        log file = /usr/local/samba/var/log.%m
        max log size = 2500
        name resolve order = wins hosts bcast
        time server = Yes
        show add printer wizard = No
        add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
        delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
        add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
        delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
        add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
        delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
        set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
        add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
        logon script = netlogon.cmd
        logon path = \\dc\profiles\%U
        logon home = \\dc\profiles\%U
        domain logons = Yes
        os level = 75
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=example,dc=org
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=people
        ldap suffix = dc=example,dc=org
        ldap user suffix = ou=people
        idmap backend = ldap://
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        profile acls = Yes
        map acl inherit = Yes

[netlogon]
        comment = "Net logon share"
        path = /netlogon
        write list = root

[profiles]
        comment = "Roaming profile share"
        path = /profiles
        read only = No
        hide files = /desktop.ini/Desktop.ini/DESKTOP.INI/
        csc policy = disable
        create mask = 0700
        force create mode = 0700
        directory mask = 0700
        force directory mode = 0700
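The post describes workstations on a routed subnet that can ping and resolve the PDC yet fail to join, and the smb.conf above is offered for diagnosis. The script below is an added example, not the poster's tooling or anything from the Samba project: a small smb.conf parser (Samba's ini-like syntax, case-insensitive keys, `#`/`;` comments, backslash continuation) plus a linter for the settings that decide whether NetBIOS name resolution and machine joins can work from another subnet. The embedded config is constructed from the post's own [global] and [netlogon] values; the check thresholds (WINS configured, `wins` ahead of `bcast` in `name resolve order`, loopback present when `bind interfaces only` is on, an `add machine script` and a [netlogon] share) are generic Samba requirements, and a clean result only says the config is not the obvious cause, not that the intermittent failure is explained.

```python
"""Lint an smb.conf for settings that matter when domain members sit on a
different IP subnet than the PDC. Added example; the sample config below is
constructed from the mailing-list post (section headers assumed)."""

SAMPLE_SMB_CONF = """\
[global]
        interfaces = eth0 lo
        bind interfaces only = yes
        workgroup = DOMAIN
        name resolve order = wins hosts bcast
        domain logons = Yes
        domain master = Yes
        preferred master = Yes
        wins support = Yes
        add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
        log level = 1

[netlogon]
        path = /netlogon
"""


def parse_smb_conf(text):
    """Parse Samba's ini-like syntax into {section: {key: value}}.

    Handles [section] headers, 'key = value' lines, '#' or ';' comment lines
    and backslash line continuation. Keys are normalised the way Samba
    treats them (case-insensitive, internal whitespace collapsed), so
    'Name Resolve Order' and 'name  resolve order' are the same key."""
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            sections[current][key] = value.strip()
    return sections


def is_true(value):
    """Samba accepts yes/true/1 (case-insensitive) as boolean true."""
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def check_cross_subnet(sections):
    """Return a list of findings; an empty list means nothing was flagged."""
    g = sections.get("global", {})
    findings = []
    if not is_true(g.get("domain logons")):
        findings.append("domain logons is not enabled; this server cannot be a PDC")
    if not is_true(g.get("wins support")) and not g.get("wins server"):
        findings.append("no WINS: without 'wins support' or 'wins server', "
                        "NetBIOS names cannot be resolved across subnets")
    # Samba's default order; broadcasts never cross a router, so 'wins'
    # must come before 'bcast' for clients on other subnets.
    order = g.get("name resolve order", "lmhosts wins host bcast").split()
    if "bcast" in order and "wins" in order and order.index("bcast") < order.index("wins"):
        findings.append("name resolve order tries bcast before wins; broadcasts "
                        "do not cross routers")
    if is_true(g.get("bind interfaces only")):
        ifaces = g.get("interfaces", "").split()
        if not any(i in ("lo", "127.0.0.1", "127.0.0.1/8") for i in ifaces):
            findings.append("bind interfaces only=yes but no loopback in "
                            "'interfaces'; local tools such as smbpasswd will fail")
    if not g.get("add machine script"):
        findings.append("no 'add machine script'; the machine account must exist "
                        "before a workstation can join")
    if "netlogon" not in sections:
        findings.append("no [netlogon] share; logon scripts will not be delivered")
    return findings


if __name__ == "__main__":
    for finding in check_cross_subnet(parse_smb_conf(SAMPLE_SMB_CONF)) or ["no findings"]:
        print(finding)
```

Run against the poster's values the linter reports nothing, which is consistent with the post: the config is sound for routed clients, so the next step is the workstation side (its WINS setting on the new subnet) and a temporarily raised `log level` on the PDC during a failed join rather than further smb.conf changes.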
