[Samba] 3.4.5->3.5.3 breaks domain logons

Thomas Burkholder thomas.burkholder at hps.gatech.edu
Wed May 26 05:39:34 MDT 2010

At 08:45 AM 5/24/2010, you wrote:
>On Monday 24/05/2010 at 5:38 am, Thomas Burkholder wrote:
>>At 11:30 AM 5/23/2010, you wrote:
>>>On Sunday 23/05/2010 at 6:44 am, Thomas Burkholder wrote:
>>>>I've been trying to upgrade from samba 3.4.5 to 3.5.x (currently 3.5.3) on
>>>>a Ubuntu 9.10 system where I compile my own Samba. The server is a PDC for
>>>>several win2000 clients and uses an LDAP backend hosted on the same
>>>>machine. After the upgrade, clients can connect to shares but cannot
>>>>perform domain logons.
>>>So, when they log on to windows, they get "The domain does not exist or 
>>>trust account not found" message?
>>>If so, your machine accounts may be broken.  Try rejoining the machine 
>>>to the domain using the Windows network ID wizard.
>>Sorry, I should have given the text of the Windows error: "Controller for 
>>the domain could not be found." This is at odds with the Samba log that 
>>shows the client does find the controller, but then stops talking.
>>Thanks for the suggestion.  Rejoining the domain does not help, and Samba 
>>still throws the "Scheduled cleanup brl and lock database after unclean 
>>shutdown" or "Cleaning up brl and lock database after unclean shutdown" 
>OK, this is going to sound a bit odd, but try this on the server:
>net rpc join <DOMAIN NAME> -U Administrator
>then, see if it is good
>net rpc testjoin.

Thanks very much for the suggestions: these work just fine.

>Also, since you might want to resave LDAP password
>passwd -w
>Often, when upgrading samba with an LDAP backend I've found it best to 
>blow out all the .tdb files and approach the upgrade like a replacement.

I re-did the LDAP password.  I hope there's a simpler solution than 
flushing and recreating the domain for each upgrade.  I've done upgrades 
with the LDAP backend before 3.4 and not had any issues, so I've been 
hoping this reflects some change in handling between 3.4 and 3.5.  I know 
the bind interfaces handling changed, so I've turned that off; somewhere I 
saw a rumor that machine names are now required to be upper case, so the 
re-joined machines all have upper case names.  There's nothing specific in 
3.5 that I need, but I'm looking forward to AD, and I want not to fall too 
many versions behind.

The re-joined machines still give domain-not-available during logins, 
"Unexpected error" during "net view /domain:DOMAIN", and after each try 
samba rebuilds its brl and lock databases.

If I log into the domain, then upgrade, so I sit at a Windows computer with 
valid samba credentials, "net view /domain:DOMAIN" gives the expected 
result, so there may also be a privilege issue for nobody 
