[Samba] problems with login and browsing on 3.5.4 LDAP PDC

Daniel Müller mueller at tropenklinik.de
Wed Oct 20 02:42:09 MDT 2010


I think your problem is netbios, especially nmbd. What about your
wins-servers?
I have 4 subnets with 2 samba domains acting without error with one and
only wins: samba4wins.
If you have problems resolving hostnames you perhaps need a dns-server,
so a ping hostname must be successful from all clients.
Or you try remote announce = a.b.c.d [e.f.g.h] ...
Where a.b.c.d is the master browser in your other subnet


On Tue, 19 Oct 2010 13:49:10 -0400, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> Maybe I missed it-  but do you have problems if the client and server 
> are on the same network segment?
> 
> Are all the local WINS servers samba servers or something else?
> 
> 
> 
> 
> On 10/19/2010 12:45 PM, Eric A. Hall wrote:
>> On 10/19/2010 9:47 AM, Gaiseric Vandal wrote:
>>
>>> Is your samba server also a WINS server?  That may help browsing issues.
>>>
>> The nodes don't have any problems finding or communicating with the
>> server, the server just does not want to provide data. I have three
>> distinct networks that are interconnected by routers. Each segment has a
>> local DHCP/DNS/WINS/etc server that assigns H-Node WINS options to the
>> local clients, and in addition the broadcasts on 137/138 are also
>> forwarded from each segment to the WINS servers on the other segments.
>> What this means is clients try to resolve a name by asking the local
>> server, then will broadcast a query which is forwarded to the other
>> servers, which they answer. If a TCP session is required (such as fetching
>> a browse list via port 139) then that also happens as expected, once the
>> client knows the server to contact. This works for local and remote nodes
>> alike.
>>
>> From a client on network A that is trying to browse Windows 2003 domain on
>> network B, I can see the TCP session established, the challenge and
>> response negotiation, the Tree Connect AndX Request and Response, the
>> LANMAN server enumeration exchange, and orderly shutdown.
>>
>> When using the same client to browse the Samba domain on network C, I can
>> see the TCP session established, the challenge and response negotiation,
>> the Tree Connect AndX Request and Response, but then the client shuts down
>> the session without trying to enumerate the LANMAN servers. This cycle
>> repeats 4 times for every failed browse attempt indicating that the client
>> believes it should be able to get an answer from the server.
>>
>> Both responses show STATUS_SUCCESS in the SMB message. The only potential
>> difference that I can see between them is that the Samba response shows
>> "Security signatures are not supported" in the reply message. Perhaps this
>> is preventing the client from following up with the LANMAN request to
>> enumerate the servers? Also I have long since set the registry options
>> needed for signatures, and this same configuration was working before the
>> upgrade. Did something about this change recently?
>>
>>    
>>> Do you have "smb ports" defined in smb.conf?
>>>      
>> I don't have it defined and am using the defaults. It does not seem to be
>> causing any problems.
>>
>>    
>>> wiki.samba.org should have the registry settings required to let Windows
>>> 7 machines join on a Samba domain.
>>>
>> I have already made those changes and like I said I am able to join the
>> Win7 client to the domain and can view \\SERVER shares, but cannot browse
>> the domain or login to the server.
>>
>>    
>>> I would concentrate on the XP machines first since they don't need the
>>> registry changes.
>>>      
>> Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and R2),
>> and Windows 7, but am focusing on XP/SP3.
>>
>>    
>>> Also, make sure that you do have correct group mappings for the key well
>>> known windows groups  (including Administrators, Domain Admins, Users)
>>>       # net groupmap list
>>>      
>> [ 12:39:47 -- bulldog:/root/ ]
>> [ root# ] net groupmap list
>> Domain Admins (S-1-5-21-[...]-512) ->  Domain Admins
>> Domain Users (S-1-5-21-[...]-513) ->  Domain Users
>> Domain Guests (S-1-5-21-[...]-514) ->  Domain Guests
>> Domain Computers (S-1-5-21-[...]-515) ->  Domain Computers
>> Local Admins (S-1-5-32-544) ->  Local Admins
>> Local Users (S-1-5-32-545) ->  users
>> Local Guests (S-1-5-32-546) ->  nobody
>>
>> For a while I thought it might be related to guest/nobody mapping but I
>> have exhausted all of the permutations there. I have tried smbusers
>> mapping, putting guest into LDAP, etc., and none of it seems to make much
>> of any difference in the logs or with the problem at hand.
>>
>>    
>>> Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?)  may
>>> help you determine which domain controller and master browser the client
>>> is using.
>>>      
>> nbtstat is able to display remote data but it does not use the SMB/LANMAN
>> enumeration over IPC$ which is where the problem seems to lie.
>>
>> Local utilities on the Samba server also seem to express normally although
>> I am happy to try specific things if somebody will name them.
>>
>> I am able to use USRMGR.EXE to connect to the server and view/modify user
>> accounts successfully.
>>
>> I have not looked at the others yet.
>>
>> Thanks for the help
>>
>>
>>    
>>> On 10/19/2010 02:02 AM, Eric A. Hall wrote:
>>>      
>>>> I was running 3.0.25c (I think) LDAP PDC for a couple of years and just
>>>> tried swapping in a new 3.5.4 setup. I had some problems so I wiped all
>>>> the entries and *.tdb files, and started from scratch.
>>>>
>>>> Problem in a nutshell: I can't browse the domain normally, nor can I logon
>>>> to the domain. However I can access the server shares fine if I point to
>>>> the server specifically. SOMETIMES this will then cause browsing to
>>>> succeed as well.
>>>>
>>>> Normally I can see the domain in network neighborhood but if I click on it
>>>> I get the "domain is not accessible error". From a command prompt "net
>>>> view /domain:DOMAIN" also typically produces an error 59. However if I
>>>> "net view \\SERVER" then that works fine, and THEN I am sometimes able to
>>>> successfully view the domain (about half the time sometimes more).
>>>>
>>>> I am able to successfully join machines to the domain (they show up in
>>>> LDAP) but am unable to login to the domain from any of them. On XP/SP3
>>>> boxes the error is "the system cannot log you on now because the domain
>>>> DOMAIN is not available", while Windows 7 says "there are currently no
>>>> logon servers available to service the logon request"
>>>>
>>>> I have looked at the smb/nmb/winbind logs at level 3 and near as I can
>>>> tell everything is operating correctly although something seems to be
>>>> crashing a lot--there are many entries about brl and lock database after
>>>> unclean shutdown.
>>>>
>>>> I don't know SMB protocol very well but from watching some wireshark
>>>> traces and reading the corresponding logs it looks like the nodes are
>>>> negotiating IPC$ connection but not getting data. Client asks for copy 4,
>>>> server offers copy 1, client negotiates TCP/IP session then closes, and
>>>> everything starts over again. Perhaps once they authenticate (enough to
>>>> view \\SERVER shares) the negotiation is reused and this is what works?
>>>>
>>>> Are there security permissions on IPC$ that need to be set?
>>>>
>>>> Where should I be looking and what should I be looking for?
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>
>>
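Gaiseric's advice in the thread to verify the mappings for the well-known Windows groups can be turned into a repeatable check. The following is an added example, not code from the thread or from Samba: it parses constructed text shaped like the `net groupmap list` output Eric posted (the exact line format and the `[...]` SID redaction are assumptions) and reports any of the expected domain RIDs (512-515) or BUILTIN RIDs (544-546) that are unmapped or mapped under the wrong SID prefix.

```python
import re

# Well-known RIDs the thread says a Samba PDC must map: domain groups 512-515
# under the domain SID (S-1-5-21-...), BUILTIN aliases 544-546 under S-1-5-32.
REQUIRED_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                 515: "Domain Computers", 544: "Administrators", 545: "Users",
                 546: "Guests"}
DOMAIN_PREFIX, BUILTIN_PREFIX = "S-1-5-21-", "S-1-5-32"
# One line of `net groupmap list` reads "Name (SID) ->  unixgroup"; the SID
# class also tolerates the "[...]" redaction used in the quoted output (assumed format).
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[0-9\[\].-]+)\) ->\s+(?P<unix>\S.*)$")

def parse_groupmap(output):
    """Parse `net groupmap list` text; prompt and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        prefix, rid = m.group("sid").rsplit("-", 1)
        rows.append({"name": m.group("name"), "sid": m.group("sid"),
                     "prefix": prefix, "rid": int(rid), "unix": m.group("unix")})
    return rows

def check_groupmap(output):
    """Return a list of problems; an empty list means all well-known groups are mapped."""
    by_rid = {r["rid"]: r for r in parse_groupmap(output)}
    problems = []
    for rid, name in REQUIRED_RIDS.items():
        r = by_rid.get(rid)
        if r is None:
            problems.append("missing mapping for RID %d (%s)" % (rid, name))
        elif rid >= 544 and r["prefix"] != BUILTIN_PREFIX:
            problems.append("RID %d must be under %s, got %s" % (rid, BUILTIN_PREFIX, r["sid"]))
        elif rid < 544 and not r["prefix"].startswith(DOMAIN_PREFIX):
            problems.append("RID %d must be a domain SID, got %s" % (rid, r["sid"]))
    return problems

# Constructed sample shaped like the output quoted in the thread (not real data);
# SAMPLE_MISSING drops the Domain Users line to exercise a failing check.
SAMPLE_OK = """\
[ root# ] net groupmap list
Domain Admins (S-1-5-21-[...]-512) ->  Domain Admins
Domain Users (S-1-5-21-[...]-513) ->  Domain Users
Domain Guests (S-1-5-21-[...]-514) ->  Domain Guests
Domain Computers (S-1-5-21-[...]-515) ->  Domain Computers
Local Admins (S-1-5-32-544) ->  Local Admins
Local Users (S-1-5-32-545) ->  users
Local Guests (S-1-5-32-546) ->  nobody
"""
SAMPLE_MISSING = "\n".join(l for l in SAMPLE_OK.splitlines() if "-513)" not in l)
```

On a live PDC, feed `check_groupmap` the captured output of `net groupmap list`; a non-empty result is the first thing to fix before chasing browsing or logon symptoms.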