[Samba] Domain login across subnets
jdpaul at gocolumbiamo.com
Wed Feb 7 21:25:10 GMT 2007
My envrionment is Samba 3.0.23d as a PDC, password backend is OpenLDAP 2.3.27,
running on SuSE 10.1; workstations are Windows XP SP2, all recent patches
applied. All machines are on the same Class B private IP network. Domain
logons function perfectly, performance is very nice. For security and performance
reasons we are looking at dividing the network into many VLANS, each with
its own IP subnet.
On the testing network, a very strange thing is happening. When the workstation
is on the Class B subnet, all functions work perfectly - Adding machine to
domain, logging in, mapping drive to samba server, etc. However, when placed
on the test VLAN (a class C private IP subnet) some of this functionality
goes away. I can ping the DC (meaning the packets are correctly routed).
I can resolve the DC name to its IP (meaning name resolution across the subnet
is working), I can resolve my own workstation name to the correct IP. However,
when I try to add this machine to the domain, I get the following error:
The following error occurred attempting to join the domain "DOMAIN"
Logon Failure: unknown user name or bad password.
Of course I'm using the same user name and password (root) as I use when
on the Class B subnet. When I attempt to map a drive, I get "System error
1326 has occurred - Logon failure: unknown user name or bad password." Stranger
yet is that every 5 or so times, this all works perfectly.
I've considered problems with the switching hardware, however, I set the
worstation to ping the DC constantly for like 4 hours and not a single packet
was dropped. There is nothing strange about the setup, it's really very simple.
All other services function perfectly between the VLANs. I also tried adding
a VLAN on our prodcution network using the production DC with the exact same
I should add that on the testing network, although the logical layout is
similar, we do not have a DHCP server so all address assignments are done
by hand. However, when we move the workstation from one subnet to another,
we are careful to put the workstation in the correct subnet and make sure
that the WINS server is set correctly.
I've attached my smb.conf. If any party is interested in further diagnosing
the problem I'll be happy spend as much time as neccessary to provide the
information you might need.
Here's my smb.conf (names have been changed to protect the guilty)
interfaces = eth0 lo
bind interfaces only = yes
workgroup = DOMAIN
server string = "Domain Controller"
passdb backend = ldapsam:ldap://127.0.0.1
log level = 1
syslog = 0
log file = /usr/local/samba/var/log.%m
max log size = 2500
name resolve order = wins hosts bcast
time server = Yes
show add printer wizard = No
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl
-m '%u' '%g'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl
-x '%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl
-g '%g' '%u'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
logon script = netlogon.cmd
logon path = \\dc\profiles\%U
logon home = \\dc\profiles\%U
domain logons = Yes
os level = 75
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=example,dc=org
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=people
ldap suffix = dc=example,dc=org
ldap user suffix = ou=people
idmap backend = ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
profile acls = Yes
map acl inherit = Yes
comment = "Net logon share"
path = /netlogon
write list = root
comment = "Roaming profile share"
path = /profiles
read only = No
hide files = /desktop.ini/Desktop.ini/DESKTOP.INI/
csc policy = disable
create mask = 0700
force create mode = 0700
directory mask = 0700
force directory mode = 0700
More information about the samba