[Samba] problems with login and browsing on 3.5.4 LDAP PDC

Daniel Müller mueller at tropenklinik.de
Wed Oct 20 02:42:09 MDT 2010

I think your problem is NetBIOS, especially nmbd. What about your
I have 4 subnets with 2 samba domains acting without error with one and
only wins: samba4wins.
If you have problems resolving hostnames you perhaps need a DNS server,
so a ping hostname must
be successful from all clients.
Or you try remote announce = a.b.c.d [e.f.g.h] ...
where a.b.c.d is the master browser in your other subnet.

On Tue, 19 Oct 2010 13:49:10 -0400, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> Maybe I missed it-  but do you have problems if the client and server 
> are on the same network segment?
> Are all the local WINS servers samba servers or something else?
> On 10/19/2010 12:45 PM, Eric A. Hall wrote:
>> On 10/19/2010 9:47 AM, Gaiseric Vandal wrote:
>>> Is your samba server also a WINS server?  That may help browsing
>> The nodes don't have any problems finding or communicating with the
>> server, the server just does not want to provide data. I have three
>> distinct networks that are interconnected by routers. Each segment has
>> local DHCP/DNS/WINS/etc server that assigns H-Node WINS options to the
>> local clients, and in addition the broadcasts on 137/138 are also
>> forwarded from each segment to the WINS servers on the other segments.
>> What this means is clients try to resolve a name by asking the local
>> server, then will broadcast a query which is forwarded to the other
>> servers, which they answer. If a TCP session is required (such as
>> fetching
>> a browse list via port 139) then that also happens as expected, once
>> client knows the server to contact. This works for local and remote
>> alike.
>>  From a client on network A that is trying to browse Windows 2003
>>  on
>> network B, I can see the TCP session established, the challenge and
>> response negotiation, the Tree Connect AndX Request and Response, the
>> LANMAN server enumeration exchange, and orderly shutdown.
>> When using the same client to browse the Samba domain on network C, I
>> see the TCP session established, the challenge and response
>> the Tree Connect AndX Request and Response, but then the client shuts
>> down
>> the session without trying to enumerate the LANMAN servers. This cycle
>> repeats 4 times for every failed browse attempt indicating that the
>> client
>> believes it should be able to get an answer from the server.
>> Both responses show STATUS_SUCCESS in the SMB message. The only
>> difference that I can see between them is that the Samba response shows
>> "Security signatures are not supported" in the reply message. Perhaps
>> this
>> is preventing the client from following up with the LANMAN request to
>> enumerate the servers? Also I have long since set the registry options
>> needed for signatures, and this same configuration was working before
>> upgrade. Did something about this change recently?
>>> Do you have "smb ports" defined in smb.conf?
>> I don't have it defined and am using the defaults. It does not seem to
>> causing any problems.
>>> wiki.samba.org should have the registry settings required to let
>>> 7 machines join on a Samba domain.
>> I have already made those changes and like I said I am able to join the
>> Win7 client to the domain and can view \\SERVER shares, but cannot
>> the domain or login to the server.
>>> I would concentrate on the XP machines first since they don't need the
>>> registry changes.
>> Yes that is what I'm doing. I have XP/SP3, Windows Server 2003 (and
>> and Windows 7, but am focusing on XP/SP3.
>>> Also, make sure that you do have correct group mappings for the key
>>> known Windows groups (including Administrators, Domain Admins, Users)
>>>       # net groupmap list
>> [ 12:39:47 -- bulldog:/root/ ]
>> [ root# ] net groupmap list
>> Domain Admins (S-1-5-21-[...]-512) ->  Domain Admins
>> Domain Users (S-1-5-21-[...]-513) ->  Domain Users
>> Domain Guests (S-1-5-21-[...]-514) ->  Domain Guests
>> Domain Computers (S-1-5-21-[...]-515) ->  Domain Computers
>> Local Admins (S-1-5-32-544) ->  Local Admins
>> Local Users (S-1-5-32-545) ->  users
>> Local Guests (S-1-5-32-546) ->  nobody
>> For a while I thought it might be related to guest/nobody mapping but I
>> have exhausted all of the permutations there. I have tried smbusers
>> mapping, putting guest into LDAP, etc., and none of it seems to make
>> any difference in the logs or with the problem at hand.
>>> Also, the windows diagnostic tools (netdiag, dcdiag, nbtstat ?)  may
>>> help you determine which domain controller and master browser the
>>> is using.
>> nbtstat is able to display remote data but it does not use the
>> enumeration over IPC$ which is where the problem seems to lie.
>> Local utilities on the Samba server also seem to express normally
>> although
>> I am happy to try specific things if somebody will name them.
>> I am able to use USRMGR.EXE to connect to the server and view/modify
>> accounts successfully.
>> I have not looked at the others yet.

>> Thanks for the help
>>> On 10/19/2010 02:02 AM, Eric A. Hall wrote:
>>>> I was running 3.0.25c (I think) LDAP PDC for a couple of years and
>>>> tried swapping in a new 3.5.4 setup. I had some problems so I wiped
>>>> the entries and *.tdb files, and started from scratch.
>>>> Problem in a nutshell: I can't browse the domain normally, nor can I
>>>> logon
>>>> to the domain. However I can access the server shares fine if I point
>>>> to
>>>> the server specifically. SOMETIMES this will then cause browsing to
>>>> succeed as well.
>>>> Normally I can see the domain in network neighborhood but if I click
>>>> on I
>>>> get the "domain is not accessible error". From a command prompt "net
>>>> view
>>>> /domain:DOMAIN" also typically produces an error 59. However if I
>>>> view \\SERVER" then that works fine, and THEN I am sometimes able to
>>>> successfully view the domain (about half the time sometimes more).
>>>> I am able to successfully join machines to the domain (they show up
>>>> LDAP) but am unable to login to the domain from any of them. On
>>>> boxes the error is "the system cannot log you on now because the
>>>> DOMAIN is not available", while Windows 7 says "there are currently
>>>> logon servers available to service the logon request"
>>>> I have looked at the smb/nmb/winbind logs at level 3 and near as I
>>>> tell everything is operating correctly although something seems to be
>>>> crashing a lot--there are many entries about brl and lock database
>>>> after
>>>> unclean shutdown.
>>>> I don't know SMB protocol very well but from watching some wireshark
>>>> traces and reading the corresponding logs it looks like the nodes are
>>>> negotiating IPC$ connection but not getting data. Client asks for
>>>> 4,
>>>> server offers copy 1, client negotiates TCP/IP session then closes,
>>>> everything starts over again. Perhaps once they authenticate (enough
>>>> view \\SERVER shares) the negotiation is reused and this is what
>>>> Are there security permissions on IPC$ that need to be set?
>>>> Where should I be looking and what should I be looking for?
>>>> Thanks
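
Added example, not part of the original thread or of Samba itself: a small check of the [global] settings the reply above points at (WINS and "remote announce") before chasing cross-subnet browsing problems on the wire. The function name, the sample smb.conf and its addresses are constructed for illustration; the parser assumes unindented or consistently indented parameter lines.

```python
import configparser
import ipaddress

TRUE = {"yes", "true", "1", "on"}

def audit_browsing(conf_text):
    """Check the [global] WINS / remote announce settings of an smb.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   comment_prefixes=("#", ";"))
    cp.read_string(conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []

    wins_support = g.get("wins support", "no").strip().lower() in TRUE
    wins_server = g.get("wins server", "").strip()
    if wins_support and wins_server:
        # smb.conf(5): a host is either the WINS server or a WINS client.
        findings.append("conflict: 'wins support' and 'wins server' both set")
    elif not wins_support and not wins_server:
        findings.append("no WINS: cross-subnet names resolve by broadcast only")

    # remote announce takes space-separated IP[/WORKGROUP] entries.
    for entry in g.get("remote announce", "").split():
        addr = entry.split("/", 1)[0]
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            findings.append(
                f"remote announce: '{entry}' does not start with a valid IPv4 address")
    return findings

# Constructed sample configuration (documentation address ranges).
SAMPLE = """
[global]
workgroup = EXAMPLE
wins support = yes
wins server = 192.0.2.10
remote announce = 198.51.100.5/EXAMPLE 198.51.100.300/EXAMPLE
"""

if __name__ == "__main__":
    for finding in audit_browsing(SAMPLE):
        print(finding)
```

An empty result means only that these parameters are consistent with each other; testparm remains the check for whether Samba itself accepts the file.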
