[Samba] Domain logins not working

Gary Dale garydale at rogers.com
Tue Jan 6 04:32:18 GMT 2009

Gary Dale wrote:
> Adam Tauno Williams wrote:
>>> File sharing is working well after I remapped the drives on a running
>>> XP/Pro workstation. However, I can't get logins to work. I've set up
>>> machine accounts for each XP/Pro workstation and used SWAT to create the
>>> new Samba accounts and enable them (with the same password as before)
>>> but XP/Pro refuses to allow the logins. I also tried mapping a share on
>>> the old server to a directory on the new and I get the same problem -
>>> it's having problems finding a DC.
>>> Here's my smb.conf (minus most of the shares), if that helps (ps, I will
>>> set the log level higher as part of my debugging so don't suggest I do
>>> that. However, any suggestions on what may be going wrong are welcome.
>>> :)  ):
>> Do you have a box handling WINS?  Also make sure the SID of your net
>> domain controller is the same as the SID of your old domain controller
>> (net getlocalsid/setlocalsid, I think)?
> Thanks. I've been through all that. I've been using the SWAT wizard to
> tell the new box to be a WINS server after telling the old box to stop
> being a WINS server. Also, copied the SID between the two machines
> manually after simply setting the new machine up as a (non-master)
> domain controller in the old domain failed to work - I had tried the net
> rpc vampire route without luck.
> I'm not quite sure what's going on but it now seems to have something to
> do with the machine accounts.
> I've stripped out samba (not easy - Debian seems to keep most of it
> around for some reason - even after deleting the .tdb files they can
> come back intact) and reinstalled it so that pdbedit -L shows nothing.
> However, I can't seem to add machine accounts with either smbpasswd or
> pdbedit. I get the messages:
>    tdb_update_sam: struct samu (hyperzip$) with no RID!
>    Unable to add machine! (does it already exist?)
> Interestingly, I can't add machines on either my old or new server
> anymore - although I had that ability a couple of days ago - at least on
> the new one. However, earlier today I did bring my old server back up as
> a PDC and could log in from XP. This was as part of the net rpc vampire
> bit. Testing on my old server shows that pdbedit -L should be showing
> the machine accounts.
> I can do an smbclient -L whenim64 -U% and also an authenticated one
> (without the -U%) from my Linux workstation (which doesn't use the
> server for account management) but can't map any shares from one of my
> XP workstations (I have a couple shares on it to make work transfer
> easier - it has more free disk space than my server). Also, I can't log
> in to any XP/Pro workstation using a domain account. This latter problem
> may (now) be because of the lack of machine accounts.
> This is quite frustrating. I've never had this much trouble setting
> samba up before. Anyway, my current status is that my new server isn't
> allowing network logins or the creation of machine accounts. The old
> server has samba shut down but I keep it turned on so I can compare
> things on it.

OK, I figured out the problem with the machine accounts. For some reason 
Samba wants the machines to have Unix accounts too!  I don't recall this 
behaviour previously, and I note my old server didn't have them - 
although that could be because I vampired the account information from 
an even older server.

However, even with the machine accounts added I still cannot log in. My 
old server is shut down, my new one has the same sid as the old one with 
root added and the user accounts recreated since I couldn't vampire 
them. I used the initGrps.sh script from the Samba by example (with the 
extra groups removed) to create the basic windows user groups. I have 
root mapped to administrator. I've got the machine accounts set up. All 
this was done yet again from scratch.

Still no logins.

Here's the output from my Linux workstation smbclient -L whenim64 
command. I can also run it anonymously with greatly truncated results, 
so it is doing something. It's just not allowing Windows logins. I've 
followed the complete Samba by example chapter 2 howto but something 
isn't working.

Domain=[RAHIM-DALE] OS=[Unix] Server=[Samba 3.0.24]

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    archives        Disk     
    profiles        Disk     
    netlogon        Disk     
    backup          Disk     
    communications  Disk     
    dosstuff        Disk     
    games           Disk     
    graphics        Disk     
    hardware        Disk     
    install         Disk     
    office          Disk     
    tools           Disk     
    utility         Disk     
    media$          Disk     
    webpages$       Disk     
    aleysha         Disk     
    shafeena        Disk     
    garydale        Disk     
    ML-1210         Printer   Samsung ML-1210 laser printer
    2400W           Printer   Konica-Minolta Magicolor 2400W
    IPC$            IPC       IPC Service (whenim64 server)
Domain=[RAHIM-DALE] OS=[Unix] Server=[Samba 3.0.24]

    Server               Comment
    ---------            -------
    WHENIM64             whenim64 server

    Workgroup            Master
    ---------            -------
    RAHIM-DALE           WHENIM64
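
The Unix-account requirement described in the message above can be checked before running `smbpasswd -a -m`. The following is an added example, not part of the original post: the function name, the sample passwd data and the workstation name "xpbox2" are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight check: list workstations that have no Unix account named
# "<machine>$", the condition under which adding the Samba machine
# account failed in the message above.

# Constructed sample passwd data. "hyperzip" is the machine named in the
# quoted error message; everything else here is made up for the example.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
garydale:x:1000:1000:Gary Dale:/home/garydale:/bin/bash
hyperzip$:x:1005:1005:Machine account:/dev/null:/bin/false'

# missing_machine_accounts PASSWD_TEXT NAME...
# Prints every NAME for which PASSWD_TEXT has no "NAME$" entry.
# The comparison ignores case, since Windows reports machine names in
# upper case while Unix account names are usually lower case.
missing_machine_accounts() {
    passwd_text=$1
    shift
    for name in "$@"; do
        acct="${name}\$"   # machine accounts carry a trailing "$"
        if ! printf '%s\n' "$passwd_text" |
             awk -F: -v a="$acct" \
                 'tolower($1) == tolower(a) { found = 1 } END { exit !found }'
        then
            printf '%s\n' "$name"
        fi
    done
}

# Run against the constructed data. On a live server, pass
# "$(getent passwd)" as the first argument instead.
missing_machine_accounts "$SAMPLE_PASSWD" hyperzip xpbox2
```

Samba's `add machine script` parameter in smb.conf can create the missing Unix account automatically when a workstation joins the domain.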
