[Samba] Moved PDC now issues
Donny Brooks
dbrooks at mdah.state.ms.us
Wed Oct 13 08:26:50 MDT 2010
On 10/12/2010 5:02 PM, Donny Brooks wrote:
> This weekend we moved our samba PDC to a new machine. Now we are
> having a few issues with not being able to join new computers to the
> domain and some users cannot change their passwords. People can still
> login and such though. Here is a brief synopsis:
>
> Old server was named roark IP 10.8.2.3. It housed mail, ldap, samba,
> and a few other things. Was fedora 11 with samba samba-3.4.7.
> New server is Centos 5.5 with 3.0.33 originally but I upgraded it to
> the "samba3x" package and got a whopping 3.3.8 version. IP 10.8.3.4
> Both old and new have the BDC set at 10.8.2.2
>
> Everything worked until the move this weekend... I know.. famous last
> words. ;)
>
> This weekend we migrated all the user files to the new machine, copied
> over /etc/samba/*, edited the ldap portion of smb.conf accordingly,
> changed all the other servers (we have about a dozen or so home
> servers for various divisions) to reflect the new IP of the new server
> and updated DNS accordingly. All seemed fine as we were able to
> login/logout and get to all the shares just fine. the problem came
> when users went to change their passwords using the windows method
> (CTRL+ALT+DEL -> change password), which previously worked. Also we
> are unable to join new computers to the domain at all. Although, users
> on the same vlan (10.8.3.X) as roark are able to change their
> passwords it seems. This is odd since all but 3 of the users are on
> roark as their home server. The other 3 are on a seperate server but
> are still able to change their passwords. The error that users get
> when trying to change their password or join a new pc to the domain is
> "Domain ADMIN not found" or something along those lines.
>
> I have tried everything I can think of to get this resolved. I have
> made sure the SID stayed the same on roark, rejoined the outlying
> servers to the domain, reset the smbpasswd ldap password, and scoured
> every log file I can find. All to no avail. I am including a few
> configs in hopes that someone can help guide me into fixing this issue.
>
> I am also considering moving the PDC back to a fedora machine (fedora
> 13 to be exact) so that it is more like the original machine and can
> get the same branch of samba.
>
> I hope someone out there can guide me in the correct direction to fix
> this. :)
>
>
> Here is the CURRENT roark smb.conf:
>
> [root at roark ~]# cat /etc/samba/smb.conf
> # Samba config file created using SWAT
> # from UNKNOWN (0.0.0.0)
> # Date: 2001/07/31 13:51:02
>
> # Global parameters
> [global]
> netbios name = roark
> workgroup = ADMIN
> server string = Roark
> hosts allow = 10.8. 127.
> os level = 66
> preferred master = Yes
> domain master = Yes
> local master = Yes
> # oplocks = no
> # level2 oplocks = no
> interfaces = lo,eth0
>
> passdb backend = ldapsam:ldap://10.8.2.3
> ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
> ldap machine suffix = Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
> idmap backend = ldap:ldap://mdah.state.ms.us
> map acl inherit = Yes
> printer admin = root, dbrooks, smccoy, jomiles, sokolsky
>
> #winbind enum users = yes
> #winbind enum groups = yes
> name resolve order = wins bcast hosts
>
> security = user
> # passwd program = /usr/bin/passwd %u
> encrypt passwords = yes
> update encrypted = Yes
> unix password sync = no
> ldap passwd sync = yes
> update encrypted = yes
>
>
> password server = mail
> # passwd chat = *New*Password* %n\n *Re-enter*new*password* %n\n
> *Password*changed*
> # passwd chat = *New*UNIX*password* %n\n
> *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> # add user script = /usr/sbin/useradd -g smbbox -c "Machine
> Account" -d /dev/null -M -s /bin/false %U
> wins support = Yes
> wins proxy = yes
> domain logons = Yes
> logon path = \\%N\profiles\%U
> logon script = scripts\%U.bat
> logon drive = R:
> logon home = \\roark\%U
> time server = yes
> printing = cups
> load printers = yes
> guest account = nobody
> map to guest = bad user
> map to guest = bad password
> guest ok = yes
> dns proxy = No
>
> log file = /var/log/samba/log.%m
> max log size = 500
> log level = 3 vfs:2
> #log level = 10
> syslog = 0
> hide dot files = yes
> time server = yes
> template shell = /bin/false
> follow symlinks = yes
> username map = /etc/samba/smbusers
> profile acls = yes
> host msdfs = yes
> idmap uid = 20000-30000
> idmap gid = 20000-30000
> # winbind separator = +
> template homedir = /home/winnt/%D/%U
> template shell = /bin/bash
> # winbind offline logon = false
> # winbind use default domain = no
> allow trusted domains = yes
> unix charset = LOCALE
> enable privileges = yes
> printcap name = CUPS
> show add printer wizard = no
> # add user script = /usr/sbin/smbldap-useradd -a -m "%u"
> # delete user script = /usr/sbin/smbldap-userdel "%u"
> # add group script = /usr/sbin/smbldap-groupadd -p "%g"
> # delete group script = /usr/sbin/smbldap-groupdel "%g"
> # add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> # delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
> "%g"
> # set primary group script = /usr/sbin/smbldap-groupmod -g "%g" "%u"
> # add machine script = /usr/sbin/smbldap-useradd -w "%u"
> posix locking = No
> msdfs root = yes
> ldap ssl = Off
>
> [homes].....
>
>
> Here is the BDC (archives3) config:
>
> [root at archives3 ~]# cat /etc/samba/smb.conf
> [global]
> interfaces = eth0 lo
> domain master = no
> encrypt passwords = yes
> preferred master = no
> local master = no
> domain logons = yes
> msdfs root = yes
> workgroup = ADMIN
> netbios name = ARCHIVES3
> server string = ARCHIVES3
> printcap name = cups
> load printers = yes
> printing = cups
> log file = /var/log/samba/log.%m
> max log size = 50
> log level = 4
> security = user
> username map = /etc/samba/smbusers
> wins server = 10.8.3.4
> wins support = no
> name resolve order = wins bcast hosts
> ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
> ldap machine suffix = Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
> idmap backend = ldap:ldap://mdah.state.ms.us
> idmap uid = 20000-30000
> idmap gid = 20000-30000
> #winbind use default domain = yes
> #winbind nested groups = yes
> #winbind trusted domains only = Yes
> passdb backend = ldapsam:"ldap://mail.mdah.state.ms.us
> ldap://archives3.mdah.state.ms.us"
> enable privileges = yes
> local master = no
> preferred master = no
> os level = 40
> posix locking = No
> password server = mail
> ldap ssl = Off
>
> [homes]....
>
>
> and just one of the many outlying servers:
>
> cat /etc/samba/smb.conf
> # Samba config file created using SWAT
> # from 10.8.9.236 (10.8.9.236)
> # Date: 2005/05/26 04:39:37
>
> # Global parameters
> [global]
> workgroup = ADMIN
> netbios name = ARROWHEAD
> hosts allow = 10.8.
> server string = HP Samba Server %v
> encrypt passwords = Yes
> guest account = nobody
> map to guest = bad user
> guest ok = yes
> log file = /var/log/samba/log.%m
> max log size = 5000
> log level = 10
> # printcap name = cups
> printcap name = /etc/printcap
> os level = 30
> preferred master = Yes
> domain master = no
> local master = yes
> dns proxy = No
> # wins proxy = Yes
> wins support = no
> wins server = 10.8.3.4
> printing = cups
> name resolve order = wins hosts bcast
> time server = yes
> security = user
> passwd program = /usr/bin/passwd %u
> encrypt passwords = yes
> update encrypted = Yes
> # unix password sync = no
> password server = roark
> #passwd chat = *New*Password* %n\n *Re-enter*new*password*
> %n\n*Password*changed*
> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> add user script = /usr/sbin/useradd -g smbbox -c "MachineAccount" -d
> /dev/null -M -s /bin/false %U
> domain logons = Yes
> logon path = \\%N\profiles\%U
> logon script = scripts\%U.bat
> logon drive = R:
> logon home = \\arrowhead\%U
> load printers = yes
> hide dot files = yes
> template shell = /bin/false
> follow sym links = yes
>
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> winbind use default domain = no
> msdfs root = yes
> posix locking = No
>
> ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
> idmap backend = ldap:ldap://mdah.state.ms.us
> idmap uid = 20000 - 30000
> idmap gid = 20000 - 30000
> map acl inherit = Yes
> template shell = /sbin/nologin
> winbind use default domain = yes
> winbind nested groups = yes
> winbind enum groups = yes
> winbind enum users = yes
> ldap passwd sync = yes
> passdb backend = ldapsam:ldap://mail.mdah.state.ms.us
> ldap ssl = Off
>
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536
> SO_SNDBUF=65536 SO_KEEPALIVE READ_SIZE=65536
>
> use mmap = No
> use sendfile = Yes
> blocking locks = No
> read raw = no
> write raw = no
>
> kernel oplocks = no
> oplocks = yes
> level2 oplocks = yes
>
> [homes]
And this is odd, I bumped the logging level to 10 and did some digging.
I am getting this on ALL the machines. INCLUDING the PDC:
ADMIN(1) current master browser = UNKNOWN
I have googled for that error but to no avail. Seems others have asked
it but no one answered.
More information about the samba
mailing list