[Samba] problems with login and browsing on 3.5.4 LDAP PDC
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Oct 19 11:49:10 MDT 2010
Maybe I missed it, but do you have problems if the client and server
are on the same network segment?
Are all the local WINS servers samba servers or something else?
On 10/19/2010 12:45 PM, Eric A. Hall wrote:
> On 10/19/2010 9:47 AM, Gaiseric Vandal wrote:
>
>> Is your samba server also a WINS server? That may help browsing issues.
>>
> The nodes don't have any problems finding or communicating with the
> server, the server just does not want to provide data. I have three
> distinct networks that are interconnected by routers. Each segment has a
> local DHCP/DNS/WINS/etc server that assigns H-Node WINS options to the
> local clients, and in addition the broadcasts on 137/138 are also
> forwarded from each segment to the WINS servers on the other segments.
> What this means is clients try to resolve a name by asking the local
> server, then will broadcast a query which is forwarded to the other
> servers, which they answer. If a TCP session is required (such as fetching
> a browse list via port 139) then that also happens as expected, once the
> client knows the server to contact. This works for local and remote nodes
> alike.
>
> From a client on network A that is trying to browse Windows 2003 domain on
> network B, I can see the TCP session established, the challenge and
> response negotiation, the Tree Connect AndX Request and Response, the
> LANMAN server enumeration exchange, and orderly shutdown.
>
> When using the same client to browse the Samba domain on network C, I can
> see the TCP session established, the challenge and response negotiation,
> the Tree Connect AndX Request and Response, but then the client shuts down
> the session without trying to enumerate the LANMAN servers. This cycle
> repeats 4 times for every failed browse attempt indicating that the client
> believes it should be able to get an answer from the server.
>
> Both responses show STATUS_SUCCESS in the SMB message. The only potential
> difference that I can see between them is that the Samba response shows
> "Security signatures are not supported" in the reply message. Perhaps this
> is preventing the client from following up with the LANMAN request to
> enumerate the servers? Also I have long since set the registry options
> needed for signatures, and this same configuration was working before the
> upgrade. Did something about this change recently?
>
>
>> Do you have "smb ports" defined in smb.conf?
>>
> I don't have it defined and am using the defaults. It does not seem to be
> causing any problems.
>
>
>> wiki.samba.org should have the registry settings required to let Windows
>> 7 machines join on a Samba domain.
>>
> I have already made those changes and like I said I am able to join the
> Win7 client to the domain and can view \\SERVER shares, but cannot browse
> the domain or login to the server.
>
>
>> I would concentrate on the XP machines first since they don't need the
>> registry changes.
>>
> Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and R2),
> and Windows 7, but am focusing on XP/SP3.
>
>
>> Also, make sure that you do have correct group mappings for the key well
>> know windows groups (including Administrators, Domain Admins, Users)
>> # net groupmap list
>>
> [ 12:39:47 -- bulldog:/root/ ]
> [ root# ] net groupmap list
> Domain Admins (S-1-5-21-[...]-512) -> Domain Admins
> Domain Users (S-1-5-21-[...]-513) -> Domain Users
> Domain Guests (S-1-5-21-[...]-514) -> Domain Guests
> Domain Computers (S-1-5-21-[...]-515) -> Domain Computers
> Local Admins (S-1-5-32-544) -> Local Admins
> Local Users (S-1-5-32-545) -> users
> Local Guests (S-1-5-32-546) -> nobody
>
> For a while I thought it might be related to guest/nobody mapping but I
> have exhausted all of the permutations there. I have tried smbusers
> mapping, putting guest into LDAP, etc., and none of it seems to make much of
> any difference in the logs or with the problem at hand.
>
>
>> Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?) may
>> help you determine which domain controller and master browser the client
>> is using.
>>
> nbtstat is able to display remote data but it does not use the SMB/LANMAN
> enumeration over IPC$ which is where the problem seems to lie.
>
> Local utilities on the Samba server also seem to express normally although
> I am happy to try specific things if somebody will name them.
>
> I am able to use USRMGR.EXE to connect to the server and view/modify user
> accounts successfully.
>
> I have not looked at the others yet.
>
> Thanks for the help
>
>
>
>> On 10/19/2010 02:02 AM, Eric A. Hall wrote:
>>
>>> I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
>>> tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
>>> the entries and *.tdb files, and started from scratch.
>>>
>>> Problem in a nutshell: I can't browse the domain normally, nor can I logon
>>> to the domain. However I can access the server shares fine if I point to
>>> the server specifically. SOMETIMES this will then cause browsing to
>>> succeed as well.
>>>
>>> Normally I can see the domain in network neighborhood but if I click on it I
>>> get the "domain is not accessible error". From a command prompt "net view
>>> /domain:DOMAIN" also typically produces an error 59. However if I "net
>>> view \\SERVER" then that works fine, and THEN I am sometimes able to
>>> successfully view the domain (about half the time sometimes more).
>>>
>>> I am able to successfully join machines to the domain (they show up in
>>> LDAP) but am unable to login to the domain from any of them. On XP/SP3
>>> boxes the error is "the system cannot log you on now because the domain
>>> DOMAIN is not available", while Windows 7 says "there are currently no
>>> logon servers available to service the logon request"
>>>
>>> I have looked at the smb/nmb/winbind logs at level 3 and near as I can
>>> tell everything is operating correctly although something seems to be
>>> crashing a lot--there are many entries about brl and lock database after
>>> unclean shutdown.
>>>
>>> I don't know SMB protocol very well but from watching some wireshark
>>> traces and reading the corresponding logs it looks like the nodes are
>>> negotiating IPC$ connection but not getting data. Client asks for copy 4,
>>> server offers copy 1, client negotiates TCP/IP session then closes, and
>>> everything starts over again. Perhaps once they authenticate (enough to
>>> view \\SERVER shares) the negotiation is reused and this is what works?
>>>
>>> Are there security permissions on IPC$ that need to be set?
>>>
>>> Where should I be looking and what should I be looking for?
>>>
>>> Thanks
>>>
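Eric's description of the trace (session established, Session Setup, Tree Connect to IPC$, then the client closes without the LANMAN NetServerEnum request, four times per browse attempt) is a pattern you can pull out of a capture mechanically instead of eyeballing packets. The following is an added example for this thread, not code posted by either participant or shipped by the Samba project. It works on a constructed one-line-per-message summary of the kind you would export from a capture (the line format itself is an assumption for the example, not Wireshark's output), splits the messages into sessions, and tells you per server how many sessions enumerated the server list and how many were abandoned right after Tree Connect. It also carries along what the server advertised for signing in its Negotiate response, since that is the one difference Eric noticed, but it only reports that value; it does not claim to know the cause.

```python
"""Classify SMB sessions from a trace summary: did the client enumerate the
LANMAN server list over IPC$, or close right after the Tree Connect?
Added example for this thread; not code from the poster or the Samba project."""
import re
from collections import defaultdict

# Constructed summary format (an assumption for this example, not Wireshark's
# own output): one SMB message per line,
#   <client> <server> <session#> <command> [key=value ...]
def make_session(client, server, sid, signing, enumerates):
    """Build the message lines of one constructed client/server session."""
    lines = [
        f"{client} {server} {sid} NegotiateResponse signing={signing}",
        f"{client} {server} {sid} SessionSetupAndXResponse status=STATUS_SUCCESS",
        f"{client} {server} {sid} TreeConnectAndXResponse share=IPC$ status=STATUS_SUCCESS",
    ]
    if enumerates:
        lines.append(f"{client} {server} {sid} TransRequest api=NetServerEnum2")
        lines.append(f"{client} {server} {sid} TransResponse status=STATUS_SUCCESS")
    lines.append(f"{client} {server} {sid} TcpFin")
    return "\n".join(lines)

CLIENT = "10.0.1.20"      # constructed addresses, not from the thread
GOOD_SERVER = "10.0.2.5"  # the server that does answer the browse list
BAD_SERVER = "10.0.3.7"   # the server the client gives up on, four times over
SAMPLE_TRACE = "\n".join(
    [make_session(CLIENT, GOOD_SERVER, 1, "supported", True)]
    + [make_session(CLIENT, BAD_SERVER, sid, "unsupported", False)
       for sid in range(2, 6)]
)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)(.*)$")

def parse_trace(text):
    """Group messages by (client, server, session#), keeping wire order.
    Returns {key: [(command, {field: value}), ...]}."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        client, server, sid, cmd, rest = m.groups()
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        sessions[(client, server, int(sid))].append((cmd, fields))
    return sessions

def classify_session(msgs):
    """'complete': IPC$ connected and a NetServerEnum2 request followed.
    'aborted': IPC$ connected but the client closed without enumerating.
    'other': never got as far as a successful IPC$ Tree Connect."""
    connected_ipc = False
    enumerated = False
    for cmd, fields in msgs:
        if (cmd == "TreeConnectAndXResponse" and fields.get("share") == "IPC$"
                and fields.get("status") == "STATUS_SUCCESS"):
            connected_ipc = True
        elif cmd == "TransRequest" and fields.get("api") == "NetServerEnum2":
            enumerated = connected_ipc
    if enumerated:
        return "complete"
    if connected_ipc:
        return "aborted"
    return "other"

def analyze_trace(text, repeat_threshold=4):
    """Per server: session counts by class, the signing value it advertised,
    and 'suspect' when the client retried at least repeat_threshold times
    without ever enumerating (the cycle described in the thread)."""
    report = {}
    for (_client, server, _sid), msgs in parse_trace(text).items():
        entry = report.setdefault(server, {"complete": 0, "aborted": 0,
                                           "other": 0, "signing": None,
                                           "suspect": False})
        entry[classify_session(msgs)] += 1
        for cmd, fields in msgs:
            if cmd == "NegotiateResponse" and "signing" in fields:
                entry["signing"] = fields["signing"]
    for entry in report.values():
        entry["suspect"] = (entry["aborted"] >= repeat_threshold
                            and entry["complete"] == 0)
    return report

if __name__ == "__main__":
    for server, entry in analyze_trace(SAMPLE_TRACE).items():
        print(server, entry)
```

The useful output is the split between "aborted" and "other": if a server shows up with aborted sessions and no complete ones, the client got a STATUS_SUCCESS Tree Connect and still walked away, which points at something in the negotiated session the client dislikes rather than at name resolution or the share itself. A server with only "other" sessions would instead mean the connection never reached IPC$, a different problem. Adjust repeat_threshold to whatever retry count your client exhibits.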