[Samba] Moved PDC now issues
Donny Brooks
dbrooks at mdah.state.ms.us
Tue Oct 12 16:02:57 MDT 2010
This weekend we moved our samba PDC to a new machine. Now we are
having a few issues with not being able to join new computers to the
domain and some users cannot change their passwords. People can still
login and such though. Here is a brief synopsis:
Old server was named roark IP 10.8.2.3. It housed mail, ldap, samba, and
a few other things. Was fedora 11 with samba samba-3.4.7.
New server is Centos 5.5 with 3.0.33 originally but I upgraded it to the
"samba3x" package and got a whopping 3.3.8 version. IP 10.8.3.4
Both old and new have the BDC set at 10.8.2.2
Everything worked until the move this weekend... I know.. famous last
words. ;)
This weekend we migrated all the user files to the new machine, copied
over /etc/samba/*, edited the ldap portion of smb.conf accordingly,
changed all the other servers (we have about a dozen or so home servers
for various divisions) to reflect the new IP of the new server and
updated DNS accordingly. All seemed fine as we were able to login/logout
and get to all the shares just fine. the problem came when users went to
change their passwords using the windows method (CTRL+ALT+DEL -> change
password), which previously worked. Also we are unable to join new
computers to the domain at all. Although, users on the same vlan
(10.8.3.X) as roark are able to change their passwords it seems. This is
odd since all but 3 of the users are on roark as their home server. The
other 3 are on a seperate server but are still able to change their
passwords. The error that users get when trying to change their password
or join a new pc to the domain is "Domain ADMIN not found" or something
along those lines.
I have tried everything I can think of to get this resolved. I have made
sure the SID stayed the same on roark, rejoined the outlying servers to
the domain, reset the smbpasswd ldap password, and scoured every log
file I can find. All to no avail. I am including a few configs in hopes
that someone can help guide me into fixing this issue.
I am also considering moving the PDC back to a fedora machine (fedora 13
to be exact) so that it is more like the original machine and can get
the same branch of samba.
I hope someone out there can guide me in the correct direction to fix
this. :)
Here is the CURRENT roark smb.conf:
[root at roark ~]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2001/07/31 13:51:02
# Global parameters
[global]
netbios name = roark
workgroup = ADMIN
server string = Roark
hosts allow = 10.8. 127.
os level = 66
preferred master = Yes
domain master = Yes
local master = Yes
# oplocks = no
# level2 oplocks = no
interfaces = lo,eth0
passdb backend = ldapsam:ldap://10.8.2.3
ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
ldap machine suffix = Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
idmap backend = ldap:ldap://mdah.state.ms.us
map acl inherit = Yes
printer admin = root, dbrooks, smccoy, jomiles, sokolsky
#winbind enum users = yes
#winbind enum groups = yes
name resolve order = wins bcast hosts
security = user
# passwd program = /usr/bin/passwd %u
encrypt passwords = yes
update encrypted = Yes
unix password sync = no
ldap passwd sync = yes
update encrypted = yes
password server = mail
# passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n
*Password*changed*
# passwd chat = *New*UNIX*password* %n\n
*ReType*new*UNIX*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
# add user script = /usr/sbin/useradd -g smbbox -c "Machine
Account" -d /dev/null -M -s /bin/false %U
wins support = Yes
wins proxy = yes
domain logons = Yes
logon path = \\%N\profiles\%U
logon script = scripts\%U.bat
logon drive = R:
logon home = \\roark\%U
time server = yes
printing = cups
load printers = yes
guest account = nobody
map to guest = bad user
map to guest = bad password
guest ok = yes
dns proxy = No
log file = /var/log/samba/log.%m
max log size = 500
log level = 3 vfs:2
#log level = 10
syslog = 0
hide dot files = yes
time server = yes
template shell = /bin/false
follow symlinks = yes
username map = /etc/samba/smbusers
profile acls = yes
host msdfs = yes
idmap uid = 20000-30000
idmap gid = 20000-30000
# winbind separator = +
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
# winbind offline logon = false
# winbind use default domain = no
allow trusted domains = yes
unix charset = LOCALE
enable privileges = yes
printcap name = CUPS
show add printer wizard = no
# add user script = /usr/sbin/smbldap-useradd -a -m "%u"
# delete user script = /usr/sbin/smbldap-userdel "%u"
# add group script = /usr/sbin/smbldap-groupadd -p "%g"
# delete group script = /usr/sbin/smbldap-groupdel "%g"
# add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
# delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# set primary group script = /usr/sbin/smbldap-groupmod -g "%g" "%u"
# add machine script = /usr/sbin/smbldap-useradd -w "%u"
posix locking = No
msdfs root = yes
ldap ssl = Off
[homes].....
Here is the BDC (archives3) config:
[root at archives3 ~]# cat /etc/samba/smb.conf
[global]
interfaces = eth0 lo
domain master = no
encrypt passwords = yes
preferred master = no
local master = no
domain logons = yes
msdfs root = yes
workgroup = ADMIN
netbios name = ARCHIVES3
server string = ARCHIVES3
printcap name = cups
load printers = yes
printing = cups
log file = /var/log/samba/log.%m
max log size = 50
log level = 4
security = user
username map = /etc/samba/smbusers
wins server = 10.8.3.4
wins support = no
name resolve order = wins bcast hosts
ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
ldap machine suffix = Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
idmap backend = ldap:ldap://mdah.state.ms.us
idmap uid = 20000-30000
idmap gid = 20000-30000
#winbind use default domain = yes
#winbind nested groups = yes
#winbind trusted domains only = Yes
passdb backend = ldapsam:"ldap://mail.mdah.state.ms.us
ldap://archives3.mdah.state.ms.us"
enable privileges = yes
local master = no
preferred master = no
os level = 40
posix locking = No
password server = mail
ldap ssl = Off
[homes]....
and just one of the many outlying servers:
cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from 10.8.9.236 (10.8.9.236)
# Date: 2005/05/26 04:39:37
# Global parameters
[global]
workgroup = ADMIN
netbios name = ARROWHEAD
hosts allow = 10.8.
server string = HP Samba Server %v
encrypt passwords = Yes
guest account = nobody
map to guest = bad user
guest ok = yes
log file = /var/log/samba/log.%m
max log size = 5000
log level = 10
# printcap name = cups
printcap name = /etc/printcap
os level = 30
preferred master = Yes
domain master = no
local master = yes
dns proxy = No
# wins proxy = Yes
wins support = no
wins server = 10.8.3.4
printing = cups
name resolve order = wins hosts bcast
time server = yes
security = user
passwd program = /usr/bin/passwd %u
encrypt passwords = yes
update encrypted = Yes
# unix password sync = no
password server = roark
#passwd chat = *New*Password* %n\n *Re-enter*new*password*
%n\n*Password*changed*
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
add user script = /usr/sbin/useradd -g smbbox -c "MachineAccount" -d
/dev/null -M -s /bin/false %U
domain logons = Yes
logon path = \\%N\profiles\%U
logon script = scripts\%U.bat
logon drive = R:
logon home = \\arrowhead\%U
load printers = yes
hide dot files = yes
template shell = /bin/false
follow sym links = yes
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = no
msdfs root = yes
posix locking = No
ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
idmap backend = ldap:ldap://mdah.state.ms.us
idmap uid = 20000 - 30000
idmap gid = 20000 - 30000
map acl inherit = Yes
template shell = /sbin/nologin
winbind use default domain = yes
winbind nested groups = yes
winbind enum groups = yes
winbind enum users = yes
ldap passwd sync = yes
passdb backend = ldapsam:ldap://mail.mdah.state.ms.us
ldap ssl = Off
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536
SO_SNDBUF=65536 SO_KEEPALIVE READ_SIZE=65536
use mmap = No
use sendfile = Yes
blocking locks = No
read raw = no
write raw = no
kernel oplocks = no
oplocks = yes
level2 oplocks = yes
[homes]
More information about the samba
mailing list