[Samba] Re: Windows clients losing connection to Samba 3.0.27 PDC on FC7 i386

Patrick Rynhart prynhart at gmail.com
Tue Nov 27 21:36:04 GMT 2007


Hi Rubin,

Do you have any trusted domains and (if so) are users logging into a 
trusted domain?  If this is the case, I would start smbd, nmbd normally 
(i.e. as daemons) but then run a single winbindd process in interactive 
mode, debug level 10.

i.e.

winbindd -i -d 10

Check beforehand that no other winbindd processes are running (i.e. ps 
aux | grep winbindd).  Then I would attempt to log on from a member 
workstation.  View the debug output to see if you can track any problems. 
Ctrl-Z (i.e. background) may help here ("fg" to resume) as there could 
be a lot of output.

If you don't have any trusted domains (and therefore aren't running 
winbindd) then the approach I take is very similar. Start nmbd normally 
(i.e. as a background daemon) but then run smbd as an interactive 
process, again in debug level 10 mode.

i.e.

smbd -i -d 10

From what you're describing, there may be a problem with the machine 
account for the affected machines.  Look for something like 
NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE or some other NT STATUS code 
(these are defined in source/include/nterr.h if you happen to have the 
Samba source on your domain controller).

Regards,

Patrick

Rubin Bennett wrote:
> Hello all...
> 
> I have a site of about 50 pcs connected to a Samba domain controller.
> The domain has been running flawlessly for several years through several
> upgrades, and the last one (From Fedora Core 4/ Samba 3.0.23a to FC7/
> Samba 3.0.27) seems to have caused something to come unglued.
> 
> The Workstations are periodically booting up in the morning and being
> unable to contact the domain controller.  The Samba server is giving
> failed authentication errors for the workstation itself (not the
> username/ password) in log.{workstation}.
> 
> The upgrade was done nearly a month ago, and roughly 1/2 of the
> workstations in the network were unable to connect the following
> morning.  It happened again last week and about 10 more workstations
> were affected.  And it happened again today, where 1 workstation and a
> member server (Win2003r2) lost their credentials.  This time it was a
> really bad deal because the member server runs an application that is
> mission critical and therefore no one was able to work until it was
> fixed.
> 
> In all cases, the users are able to log in by disconnecting their
> network cable and rebooting, then logging in with the cached credentials
> on the workstations.  Reconnecting the NIC after login allowed the users
> to connect to network resources on the Samba PDC, and work until a
> reboot.  A 'permanent' fix is to unjoin the PC from the domain and
> rejoin again.
> 
> I had assumed that the issue was caused by the upgrade somehow, and that
> once every system had been re-joined it would go away.  However, the
> workstation from this morning had been unjoined and rejoined once before
> and now I fear that the issue will keep cropping up all over the place.
> 
> Ideas, suggestions, flames?  I've copied my smb.conf below for your
> review as well.
> 
> Thanks very much in advance,
> Rubin
> 
> /etc/samba/smb.conf
> [global]
>   workgroup = WORKGROUP
>   netbios name = Server
>   server string = Network File Server
>   printcap name = cups
>   enable privileges = yes
>   load printers = yes
>   printcap cache time = 60
>   printing = cups
>   keepalive = 10000
>   log file = /var/log/samba/log.%m
>   max log size = 50
> 
>   log level = 3
>   security = user
>   encrypt passwords = Yes
>   map to guest = bad user
>   os level = 65
>   domain master = yes
>   preferred master = yes
>   passdb backend = tdbsam
> 
>   pam password change = yes
>   socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>   add machine script = /usr/sbin/useradd -d /dev/null -g 200 -s /bin/false -M  %u
> 
>   oplocks = no
>   level2 oplocks = no
>   domain logons = Yes
>   logon script = login%G.bat
>   logon drive = Z:
>   logon home = \\server\%U
>   logon path = \\server\profiles\%U
>   wins support = Yes
>   name resolve order = wins hosts bcast
>   hide unreadable = Yes
> 
> # Added in an attempt to fix broken tdbsam backend...
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
> 
>   dns proxy = yes
> 
> #============================ Share Definitions ==============================
> [homes]
>   comment = Home Directories
>   create mask = 0700
>   directory mask = 0700
>   browseable = No
>   writable = yes
> 
>  [netlogon]
>    comment = Netlogon Scripts
>    path = /var/lib/samba/netlogon
>    comment = Network Logon Service
>    path = /var/lib/samba/netlogon
>    guest ok = yes
>    writable = no
> 
> [printers]
>   comment = All Printers
>   path = /var/spool/samba
>   browseable = no
>   guest ok = yes
>   writable = no
>   printable = yes
>   create mode = 0700
>   ;print command = lpr-cups -P %p -o raw %s -r
>    use client driver = yes
> 
> [print$]
>   path = /var/lib/samba/printers
>   read only = yes
>   browseable = yes
>   force group = noyle
>   write list = @noyle root
>   guest ok = yes
>   inherit permissions = yes
> 
> [profiles]
>   path = /var/lib/samba/profiles
>   browseable = no
>   read only = No
>   guest ok = yes
>   writable = yes
>   create mask = 0600
>   directory mask = 0700
>   root preexec = PROFILE='/var/lib/samba/profiles/%u'; if [ ! -e $PROFILE ]; \
>                 then mkdir -pm700 $PROFILE; chown '%u':'%g' $PROFILE;fi
> 
> 
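
One way to pull the NT STATUS codes suggested above out of the per-client logs, as an added example that is not part of the original thread. The function names and sample log lines are constructed; the default directory is taken from the `log file` setting in the quoted smb.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Tallies NT_STATUS_* codes per client
# across Samba's per-machine logs (log.<machine>, from "log file = .../log.%m").

# Constructed sample logs; the message wording is illustrative, not real smbd output.
write_sample_logs() {
    cat > "$1/log.ws01" <<'EOF'
[2007/11/27 08:01:12, 3] constructed/sample.c:example(1)
  machine account WS01$ rejected: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/11/27 08:03:40, 3] constructed/sample.c:example(1)
  machine account WS01$ rejected: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
  share connect returned NT_STATUS_OK
EOF
    cat > "$1/log.ws01.old" <<'EOF'
[2007/11/20 07:58:02, 3] constructed/sample.c:example(1)
  machine account WS01$ rejected: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
EOF
    cat > "$1/log.ws02" <<'EOF'
[2007/11/27 08:05:09, 3] constructed/sample.c:example(1)
  open failed: NT_STATUS_ACCESS_DENIED
  session setup returned NT_STATUS_OK
EOF
}

# Print "machine code count" for every non-OK code, most frequent first.
# Rotated logs (log.<machine>.old) are counted under the same machine.
nt_status_summary() {
    dir=${1:-/var/log/samba}
    set -- "$dir"/log.*
    [ -e "$1" ] || return 0          # no logs: nothing to report
    awk '
    FNR == 1 { m = FILENAME; sub(/^.*\/log\./, "", m); sub(/\.old$/, "", m) }
    {
        line = $0
        while (match(line, /NT_STATUS_[A-Z0-9_]+/)) {
            code = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            if (code != "NT_STATUS_OK") n[m " " code]++
        }
    }
    END { for (k in n) print k, n[k] }
    ' "$@" | sort -k3,3nr -k1,1 -k2,2
}

demo=$(mktemp -d)
write_sample_logs "$demo"
nt_status_summary "$demo"
rm -rf "$demo"
```

A machine that keeps showing the same trust-related code after a rejoin is the one to watch with `smbd -i -d 10` at its next boot.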


