[Samba] Moved PDC now issues

Donny Brooks dbrooks at mdah.state.ms.us
Wed Oct 13 15:59:25 MDT 2010


On 10/13/2010 4:43 PM, Gaiseric Vandal wrote:
> On Windows machines netdiag, dcdiag or nbtstat may help you determine 
> which DC your machine has authenticated to.  (dcdiag and netdiag 
> should be in the Windows 2003 resource kit or something like that from 
> Microsoft downloads.)  In general, Windows clients will want to 
> authenticate to a BDC rather than PDC.
>
>
> Also, check the "net getlocalsid" and "net getdomainsid" on all the 
> DCs.  On a DC the localsid should be the same as the domainsid, and 
> all DCs should show the same local and domain sid.
>
> Did you run "smbpasswd -w" on the new DC to make sure it has 
> sufficient ldap privs?
>
> Does "net groupmap list" show the same thing on all DCs?
>
> Does "pdbedit -Lv" show the same output on all DCs?
>
>
> I had issues when I upgraded my PDC from 3.0.x to 3.4.x, primarily 
> with group mapping.  I don't know if the changes were between 3.0.x 
> and 3.3.x or 3.3.x or 3.4.x.  But I found that samba stopped looking 
> at "ldap group suffix = ou=Group " and started looking through the 
> whole "domain" branch of the LDAP tree.
>
>
>
> Can you recompile samba 3.4.x on FC11 to have consistent versions?
>
>
>
>
> On 10/13/2010 10:26 AM, Donny Brooks wrote:
>>  On 10/12/2010 5:02 PM, Donny Brooks wrote:
>>> This weekend we moved our samba PDC to a new machine. Now we are 
>>> having a few issues with not being able to join new computers to the 
>>> domain and some users cannot change their passwords. People can 
>>> still log in and such though. Here is a brief synopsis:
>>>
>>> Old server was named roark, IP 10.8.2.3. It housed mail, ldap, samba, 
>>> and a few other things. It was Fedora 11 with samba-3.4.7.
>>> New server is CentOS 5.5 with 3.0.33 originally, but I upgraded it to 
>>> the "samba3x" package and got a whopping 3.3.8 version. IP 10.8.3.4.
>>> Both old and new have the BDC set at 10.8.2.2
>>>
>>> Everything worked until the move this weekend... I know.. famous 
>>> last words. ;)
>>>
>>> This weekend we migrated all the user files to the new machine, 
>>> copied over /etc/samba/*, edited the ldap portion of smb.conf 
>>> accordingly, changed all the other servers (we have about a dozen or 
>>> so home servers for various divisions) to reflect the new IP of the 
>>> new server and updated DNS accordingly. All seemed fine as we were 
>>> able to log in/log out and get to all the shares just fine. The 
>>> problem came when users went to change their passwords using the 
>>> Windows method (CTRL+ALT+DEL -> change password), which previously 
>>> worked. Also we are unable to join new computers to the domain at 
>>> all. Although, users on the same vlan (10.8.3.X) as roark are able 
>>> to change their passwords it seems. This is odd since all but 3 of 
>>> the users are on roark as their home server. The other 3 are on a 
>>> separate server but are still able to change their passwords. The 
>>> error that users get when trying to change their password or join a 
>>> new pc to the domain is "Domain ADMIN not found" or something along 
>>> those lines.
>>>
>>> I have tried everything I can think of to get this resolved. I have 
>>> made sure the SID stayed the same on roark, rejoined the outlying 
>>> servers to the domain, reset the smbpasswd ldap password, and 
>>> scoured every log file I can find. All to no avail. I am including a 
>>> few configs in hopes that someone can help guide me into fixing this 
>>> issue.
>>>
>>> I am also considering moving the PDC back to a Fedora machine 
>>> (Fedora 13 to be exact) so that it is more like the original machine 
>>> and can get the same branch of samba.
>>>
>>> I hope someone out there can guide me in the correct direction to 
>>> fix this. :)
>>>
>>>
>>> Here is the CURRENT roark smb.conf:
>>>
>>> [root at roark ~]# cat /etc/samba/smb.conf
>>> # Samba config file created using SWAT
>>> # from UNKNOWN (0.0.0.0)
>>> # Date: 2001/07/31 13:51:02
>>>
>>> # Global parameters
>>> [global]
>>>         netbios name = roark
>>>    workgroup = ADMIN
>>>         server string = Roark
>>>         hosts allow = 10.8. 127.
>>>         os level = 66
>>>         preferred master = Yes
>>>         domain master = Yes
>>>         local master = Yes
>>> #       oplocks = no
>>> #       level2 oplocks = no
>>>         interfaces = lo,eth0
>>>
>>> passdb backend = ldapsam:ldap://10.8.2.3
>>>   ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
>>>   ldap machine suffix = Computers
>>>   ldap user suffix = ou=People
>>>   ldap group suffix = ou=Group
>>>   ldap idmap suffix = ou=Idmap
>>>   ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
>>>   idmap backend = ldap:ldap://mdah.state.ms.us
>>>   map acl inherit = Yes
>>>         printer admin = root, dbrooks, smccoy, jomiles, sokolsky
>>>
>>> #winbind enum users = yes
>>> #winbind enum groups = yes
>>> name resolve order = wins bcast hosts
>>>
>>>    security = user
>>> #       passwd program = /usr/bin/passwd %u
>>>         encrypt passwords = yes
>>>         update encrypted = Yes
>>>         unix password sync = no
>>>   ldap passwd sync = yes
>>>   update encrypted = yes
>>>
>>>
>>>    password server = mail
>>> #       passwd chat = *New*Password* %n\n *Re-enter*new*password* 
>>> %n\n *Password*changed*
>>> #        passwd chat = *New*UNIX*password* %n\n 
>>> *ReType*new*UNIX*password* %n\n 
>>> *passwd:*all*authentication*tokens*updated*successfully*
>>>
>>> #       add user script = /usr/sbin/useradd -g smbbox -c "Machine 
>>> Account" -d /dev/null -M -s /bin/false %U
>>>         wins support = Yes
>>>         wins proxy = yes
>>>         domain logons = Yes
>>>         logon path = \\%N\profiles\%U
>>>         logon script = scripts\%U.bat
>>>         logon drive = R:
>>>         logon home = \\roark\%U
>>>         time server = yes
>>>         printing = cups
>>>         load printers = yes
>>>         guest account = nobody
>>>         map to guest = bad user
>>>         map to guest = bad password
>>>         guest ok = yes
>>>         dns proxy = No
>>>
>>>         log file = /var/log/samba/log.%m
>>>         max log size = 500
>>>         log level = 3 vfs:2
>>>         #log level = 10
>>>         syslog = 0
>>>         hide dot files = yes
>>>         time server = yes
>>>         template shell = /bin/false
>>>         follow symlinks = yes
>>>         username map = /etc/samba/smbusers
>>>         profile acls = yes
>>>         host msdfs = yes
>>>    idmap uid = 20000-30000
>>>    idmap gid = 20000-30000
>>> #   winbind separator = +
>>>    template homedir = /home/winnt/%D/%U
>>>    template shell = /bin/bash
>>> #   winbind offline logon = false
>>> #   winbind use default domain = no
>>>         allow trusted domains = yes
>>>         unix charset = LOCALE
>>>         enable privileges = yes
>>>         printcap name = CUPS
>>>         show add printer wizard = no
>>> #  add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>>> #  delete user script = /usr/sbin/smbldap-userdel "%u"
>>> #  add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>> #  delete group script = /usr/sbin/smbldap-groupdel "%g"
>>> #  add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>> #  delete user from group script = /usr/sbin/smbldap-groupmod -x 
>>> "%u" "%g"
>>> #  set primary group script = /usr/sbin/smbldap-groupmod -g "%g" "%u"
>>> #  add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>> posix locking = No
>>>         msdfs root = yes
>>> ldap ssl = Off
>>>
>>> [homes].....
>>>
>>>
>>> Here is the BDC (archives3) config:
>>>
>>> [root at archives3 ~]# cat /etc/samba/smb.conf
>>> [global]
>>>         interfaces = eth0 lo
>>>    domain master = no
>>>    encrypt passwords = yes
>>>    preferred master = no
>>>    local master = no
>>>    domain logons = yes
>>>     msdfs root = yes
>>>    workgroup = ADMIN
>>>    netbios name = ARCHIVES3
>>>    server string = ARCHIVES3
>>>    printcap name = cups
>>>    load printers = yes
>>>    printing = cups
>>>    log file = /var/log/samba/log.%m
>>>    max log size = 50
>>>  log level = 4
>>>    security = user
>>> username map = /etc/samba/smbusers
>>>   wins server = 10.8.3.4
>>>   wins support = no
>>> name resolve order = wins bcast hosts
>>>   ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
>>>   ldap machine suffix = Computers
>>>   ldap user suffix = ou=People
>>>   ldap group suffix = ou=Group
>>>   ldap idmap suffix = ou=Idmap
>>>   ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
>>>   idmap backend = ldap:ldap://mdah.state.ms.us
>>>    idmap uid = 20000-30000
>>>    idmap gid = 20000-30000
>>> #winbind use default domain = yes
>>> #winbind nested groups = yes
>>> #winbind trusted domains only = Yes
>>> passdb backend = ldapsam:"ldap://mail.mdah.state.ms.us 
>>> ldap://archives3.mdah.state.ms.us"
>>> enable privileges = yes
>>> local master = no
>>> preferred master = no
>>> os level = 40
>>> posix locking = No
>>> password server = mail
>>> ldap ssl = Off
>>>
>>> [homes]....
>>>
>>>
>>> and just one of the many outlying servers:
>>>
>>> cat /etc/samba/smb.conf
>>> # Samba config file created using SWAT
>>> # from 10.8.9.236 (10.8.9.236)
>>> # Date: 2005/05/26 04:39:37
>>>
>>> # Global parameters
>>> [global]
>>>         workgroup = ADMIN
>>>         netbios name = ARROWHEAD
>>>         hosts allow = 10.8.
>>>         server string = HP Samba Server %v
>>>         encrypt passwords = Yes
>>>         guest account = nobody
>>>         map to guest = bad user
>>>         guest ok = yes
>>>         log file = /var/log/samba/log.%m
>>>         max log size = 5000
>>>         log level = 10
>>> #       printcap name = cups
>>>         printcap name = /etc/printcap
>>>         os level = 30
>>>         preferred master = Yes
>>>         domain master = no
>>>         local master = yes
>>>         dns proxy = No
>>> #       wins proxy = Yes
>>>         wins support = no
>>>         wins server = 10.8.3.4
>>>         printing = cups
>>>         name resolve order = wins hosts bcast
>>>         time server = yes
>>>    security = user
>>>         passwd program = /usr/bin/passwd %u
>>>         encrypt passwords = yes
>>>         update encrypted = Yes
>>> #        unix password sync = no
>>>    password server = roark
>>> #passwd chat = *New*Password* %n\n *Re-enter*new*password* 
>>> %n\n*Password*changed*
>>> passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* 
>>> %n\n *passwd:*all*authentication*tokens*updated*successfully*
>>>
>>> add user script = /usr/sbin/useradd -g smbbox -c "MachineAccount" -d 
>>> /dev/null -M -s /bin/false %U
>>>        domain logons = Yes
>>>         logon path = \\%N\profiles\%U
>>>         logon script = scripts\%U.bat
>>>         logon drive = R:
>>>         logon home = \\arrowhead\%U
>>>         load printers = yes
>>>         hide dot files = yes
>>>    template shell = /bin/false
>>>         follow sym links = yes
>>>
>>>    idmap uid = 16777216-33554431
>>>    idmap gid = 16777216-33554431
>>>    winbind use default domain = no
>>>         msdfs root = yes
>>> posix locking = No
>>>
>>>   ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
>>>   ldap machine suffix = ou=Computers
>>>   ldap user suffix = ou=People
>>>   ldap group suffix = ou=Group
>>>   ldap idmap suffix = ou=Idmap
>>>   ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
>>>   idmap backend = ldap:ldap://mdah.state.ms.us
>>>    idmap uid = 20000 - 30000
>>>    idmap gid = 20000 - 30000
>>>   map acl inherit = Yes
>>>    template shell = /sbin/nologin
>>> winbind use default domain = yes
>>> winbind nested groups = yes
>>> winbind enum groups = yes
>>> winbind enum users = yes
>>>   ldap passwd sync = yes
>>> passdb backend = ldapsam:ldap://mail.mdah.state.ms.us
>>> ldap ssl = Off
>>>
>>> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 
>>> SO_SNDBUF=65536 SO_KEEPALIVE READ_SIZE=65536
>>>
>>>         use mmap = No
>>>         use sendfile = Yes
>>>         blocking locks = No
>>>         read raw = no
>>>         write raw = no
>>>
>>> kernel oplocks = no
>>>         oplocks = yes
>>>         level2 oplocks = yes
>>>
>>> [homes]
>> And this is odd, I bumped the logging level to 10 and did some 
>> digging. I am getting this on ALL the machines. INCLUDING the PDC:
>>
>> ADMIN(1) current master browser = UNKNOWN
>>
>> I have googled for that error but to no avail. Seems others have 
>> asked it but no one answered.
>
Thank you for the reply. All seems to be the same on all the BDCs. I 
will have to install the resource kit to get those tools to check the 
Windows stuff.

However, at this juncture, we have decided to go ahead and set up a 
completely new domain (new PDC, new BDC, etc.) and fully test it, then 
migrate users to it rather than this current setup. The current setup 
just has way too many "hacks" to get it to work.

It still baffles me how no one seems to know how, or why, the "current 
master browser = UNKNOWN" error occurs. I realize now that I should have 
migrated the PDC to the new machine using the proper process rather than 
just copying the configs and such over. That is over and done with 
though and we can't go back, or could, but it may be worse than staying 
where we are.

Donny B.
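Gaiseric's checklist compares SID, group-map and passdb output across the DCs; the quoted smb.conf files are worth the same treatment, since every DC in one domain is expected to agree on the LDAP and passdb parameters. The script below is an added example, not code from this thread or from the Samba project. It parses the [global] section of each smb.conf, normalises parameter names the way Samba does (case and whitespace are ignored; parameter synonyms are not resolved), reports parameters set more than once in one file (in Samba the last setting wins), and lists the parameters whose values differ between hosts. The three snippets are constructed from the configs quoted above and trimmed to a handful of parameters; the backslash line continuation in the archives3 sample is an assumption about how that email-wrapped passdb line looked in the real file, and the [homes] line in the roark sample is made up to show that other sections are skipped.

```python
import re

# Samba ignores case and whitespace in parameter names, so
# "Ldap Machine Suffix" and "ldapmachinesuffix" are the same key.
# Parameter synonyms are NOT resolved here.
def norm_key(key):
    return re.sub(r"\s+", "", key).lower()


def parse_smbconf(text):
    """Parse the [global] section of an smb.conf.

    Returns (params, duplicates):
      params     -- normalised key -> value; like Samba, the last setting wins
      duplicates -- normalised key -> every value seen, for keys set twice or more
    Comments (# or ;), blank lines and other sections are skipped; a trailing
    backslash continues a parameter onto the next line, as in Samba.
    """
    params, seen = {}, {}
    section, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # continued on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")   # first '=' only: "ldap admin dn = cn=..."
        key, value = norm_key(key), value.strip()
        seen.setdefault(key, []).append(value)
        params[key] = value
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return params, duplicates


# Parameters that every DC in the same domain is expected to agree on.
CHECK_KEYS = ["workgroup", "passdb backend", "ldap suffix", "ldap machine suffix",
              "ldap user suffix", "ldap group suffix", "ldap admin dn"]


def compare_hosts(configs, keys=CHECK_KEYS):
    """Return {readable key: {host: value}} for keys whose values differ across hosts."""
    diffs = {}
    for key in keys:
        values = {host: params.get(norm_key(key)) for host, params in configs.items()}
        if len(set(values.values())) > 1:
            diffs[key] = values
    return diffs


def audit(samples):
    """Parse every host's smb.conf text; return (differences, duplicates per host)."""
    parsed = {host: parse_smbconf(text) for host, text in samples.items()}
    configs = {host: params for host, (params, _) in parsed.items()}
    duplicates = {host: dups for host, (_, dups) in parsed.items() if dups}
    return compare_hosts(configs), duplicates


# Constructed samples, trimmed from the three smb.conf files quoted in the thread.
SAMPLES = {
    "roark": """
[global]
        netbios name = roark
   workgroup = ADMIN
passdb backend = ldapsam:ldap://10.8.2.3
  ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
  ldap machine suffix = Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
        update encrypted = Yes
  update encrypted = yes
[homes]
        browseable = no
""",
    "archives3": r"""
[global]
   workgroup = ADMIN
   netbios name = ARCHIVES3
  ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
  ldap machine suffix = Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
passdb backend = ldapsam:"ldap://mail.mdah.state.ms.us \
ldap://archives3.mdah.state.ms.us"
""",
    "arrowhead": """
[global]
        workgroup = ADMIN
        netbios name = ARROWHEAD
  ldap suffix = dc=mdah,dc=state,dc=ms,dc=us
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=People
  ldap group suffix = ou=Group
  ldap admin dn = cn=Manager,dc=mdah,dc=state,dc=ms,dc=us
passdb backend = ldapsam:ldap://mail.mdah.state.ms.us
""",
}

if __name__ == "__main__":
    diffs, dups = audit(SAMPLES)
    for key, values in diffs.items():
        print(f"{key}: differs across hosts")
        for host, value in values.items():
            print(f"    {host:10s} {value}")
    for host, d in dups.items():
        for key, values in d.items():
            print(f"{host}: '{key}' set {len(values)} times, last wins: {values[-1]!r}")
```

On these samples the report shows "ldap machine suffix" as Computers on the two DCs but ou=Computers on arrowhead, "passdb backend" pointing at a different LDAP URL on each host, and roark setting "update encrypted" twice. To run it against the real files, replace SAMPLES with the contents of /etc/samba/smb.conf gathered from each host.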

