Solved

Samba as PDC - DOMAIN is invisible to Windows machines

Posted on 2014-11-19
Last Modified: 2014-11-26
Hi!

I have configured samba as PDC for the domain LATTARI. Windows machines cannot find the domain controller.

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = LATTARI
        server string = Lunar Lander Software
        interfaces = lo, 192.168.0.6
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon script = %u.bat
        logon path = \\%L\Profiles\%u
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        idmap config * : backend = tdb
        hosts allow = 127., 192.168.0.
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon

[public]
        comment = Public Stuff
        path = /home/samba
        write list = +staff
        read only = No
        guest ok = Yes

Please help!
Question by:Lelio Michele Lattari
Expert Comment

by:slubek
ID: 40452442
Some thoughts:
1. Is the time on Windows machines and samba controller in sync?
2. Can you ping samba server from clients?
3. Do you have firewall on server enabled?
4. What is your dhcpd configuration?
5. Do you have DNS configured?

Author Comment

by:Lelio Michele Lattari
ID: 40452567
Hi!

1. Yes - the clocks are in sync

2. I cannot ping the NetBIOS name LATTARI, but YES, I can ping the DNS server name filemon1 on which the PDC is active, and I can nslookup the DNS record for the server

C:\Users\XNOTE>nslookup filemon1
Server:  UnKnown
Address:  192.168.0.7

Name:    filemon1.intranet.lattari.pl
Address:  192.168.0.6

ohhh... really I CAN ping the server:

C:\Users\XNOTE>ping filemon1

Pinging filemon1.intranet.lattari.pl [192.168.0.6] with 32 bytes of data:
Reply from 192.168.0.6: bytes=32 time=2ms TTL=64
Reply from 192.168.0.6: bytes=32 time=1ms TTL=64
Reply from 192.168.0.6: bytes=32 time=1ms TTL=64
Reply from 192.168.0.6: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.0.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

4. No firewall on the PDC machine
5. DNS is on another server on the same network (192.168.0.7)
6. dhcpd runs on another server on the same network (192.168.0.7); it has the wins server option configured with the samba PDC address

Windows machines network settings:
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : intranet.lattari.pl
   Description . . . . . . . . . . . : Intel(R) Wireless-N 7260
   Physical Address. . . . . . . . . : 0C-8B-FD-82-33-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.158(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 19 listopada 2014 16:21:31
   Lease Expires . . . . . . . . . . : 19 listopada 2014 16:51:32
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.7
   DNS Servers . . . . . . . . . . . : 192.168.0.7
   Primary WINS Server . . . . . . . : 192.168.0.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

Author Comment

by:Lelio Michele Lattari
ID: 40453699
Sorry! firewalld was active... I have made a quick test without the firewall and nothing changes... :-(

Tomorrow I will try to run bind on the same machine as samba and I will let you know what happens...

Thanks for the help

Expert Comment

by:slubek
ID: 40454375
One more thought - have you configured and enabled Kerberos?
BTW, on that wiki above I found that samba should provide a sysvol share - maybe that's your problem?

PS. Greetings from Warsaw :^)

Author Comment

by:Lelio Michele Lattari
ID: 40456793
Hi again!

Actually, I am trying to run samba as a simple old-style PDC without AD services. I have made some changes in the configuration. Now, when I try to join the domain LATTARI from a Windows 8.1 PRO machine, the username and password window appears, but the login process fails.

Here is some info about what is happening:

====================================

smb.conf

====================================

Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = LATTARI
        server string = Lunar Lander Software
        interfaces = lo, enp3s6
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        printcap name = lpstat
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon script = %u.bat
        logon path = \\%L\Profiles\%u
        logon drive = H:
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        idmap config * : backend = tdb
        invalid users = apache, bin, daemon, adm, sync, shutdown, halt, mail, news, uucp, operator
        admin users = root, @admin
        hosts allow = 127.0.0.1, 192.168.0.0/24
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes

[Profiles]
        path = /home/samba/Profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No

=============================================

/var/lib/samba

=============================================


[root@filemon1 samba]# ls -al /var/lib/samba
total 2832
drwxr-xr-x  5 root root    4096 Nov 21 08:55 .
drwxr-xr-x 31 root root    4096 Nov 21 07:59 ..
-rw-------  1 root root  421888 Nov 20 23:24 account_policy.tdb
-rw-r--r--  1 root root   40200 Nov 21 08:43 brlock.tdb
-rw-r--r--  1 root root     150 Nov 21 08:43 browse.dat
-rw-------  1 root root     696 Nov 21 08:47 dbwrap_watchers.tdb
-rw-r--r--  1 root root  421888 Nov 21 08:47 gencache_notrans.tdb
-rw-r--r--  1 root root  425984 Nov 21 08:47 gencache.tdb
-rw-------  1 root root  430080 Nov 20 23:19 group_mapping.tdb
-rw-r--r--  1 root root   40200 Nov 21 08:43 locking.tdb
-rw-------  1 root root     696 Nov 21 08:43 messages.tdb
-rw-------  1 root root     696 Nov 19 10:14 mutex.tdb
-rw-r--r--  1 root root   13859 Nov 21 08:43 namelist.debug
drwxrwxr-x  2 root admin      6 Nov 20 16:40 netlogon
-rw-r--r--  1 root root     696 Nov 21 08:43 notify_index.tdb
-rw-r--r--  1 root root     696 Nov 21 08:43 notify.tdb
-rw-r--r--  1 root root   12288 Nov 21 08:44 printer_list.tdb
drwxr-xr-x  2 root root      25 Nov 19 10:25 printing
drwx------  2 root root      66 Nov 19 11:00 private
-rw-------  1 root root  528384 Nov 19 10:25 registry.tdb
-rw-r--r--  1 root root    8192 Nov 21 08:47 serverid.tdb
-rw-------  1 root root  421888 Nov 19 10:25 share_info.tdb
-rw-------  1 root root     696 Nov 21 08:43 smbXsrv_open_global.tdb
-rw-------  1 root root   32768 Nov 21 08:47 smbXsrv_session_global.tdb
-rw-------  1 root root   16384 Nov 21 08:47 smbXsrv_tcon_global.tdb
-rw-------  1 root root   16384 Nov 21 08:43 smbXsrv_version_global.tdb
-rw-r--r--  1 root root    1608 Nov 21 08:55 wins.dat
-rw-------  1 root root   24576 Nov 21 08:55 wins.tdb

=====================================

/home/samba

=====================================

[root@filemon1 samba]# ls -al /home/samba
total 0
drwxrwxrwx 3 root admin 21 Nov 21 08:21 .
drwxr-xr-x 6 root root  61 Nov 21 08:20 ..
drwxrwxrwx 2 root admin  6 Nov 21 08:21 Profiles

=======================================

samba net

=======================================

net groupmap add ntgroup="Domain Admins" unixgroup=admin rid=512 type=d
net rpc rights grant -U m.lattari "LATTARI\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

=======================================

log.smbd trying to join the domain

=======================================

[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/libsmb/nmblib.c:108(debug_nmb_packet)
  nmb packet from 192.168.0.150(137) header: id=53066 opcode=Query(0) response=No
      header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No
      header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
      question: q_name=WPAD<00> q_type=32 q_class=1
[2014/11/21 09:02:50, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_winsserver.c:524(packet_is_for_wins_server)
  packet_is_for_wins_server: failing WINS test #1.
[2014/11/21 09:02:50,  3, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
  process_name_query_request: Name query from 192.168.0.150 on subnet 192.168.0.6 for name WPAD<00>
[2014/11/21 09:02:50,  9, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_namelistdb.c:141(find_name_on_subnet)
  find_name_on_subnet: on subnet 192.168.0.6 - name WPAD<00> NOT FOUND
[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet 192.168.0.6: found.
[2014/11/21 09:02:50, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_sendannounce.c:386(announce_myself_to_domain_master_browser)
  announce_myself_to_domain_master_browser: t (1416556969) - last(1416556952) < 900
[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet UNICAST_SUBNET: found.
[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet UNICAST_SUBNET: found.
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet 192.168.0.6: found.
[2014/11/21 09:03:00, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_sendannounce.c:386(announce_myself_to_domain_master_browser)
  announce_myself_to_domain_master_browser: t (1416556970) - last(1416556952) < 900
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet     192.168.0.6: netmask=  255.255.255.0:
        LATTARI(1) current master browser = FILEMON1
                FILEMON1 408c9b0b (Lunar Lander Software)
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet  UNICAST_SUBNET: netmask=    192.168.0.6:
        LATTARI(1) current master browser = UNKNOWN
                FILEMON1 40899b0b (Lunar Lander Software)
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet UNICAST_SUBNET: found.
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)


I would appreciate your suggestions.

P.S. Greetings from 05-500 Piaseczno :-)

Author Comment

by:Lelio Michele Lattari
ID: 40456911
[root@filemon1 BOINC]# smbclient //FILEMON1/netlogon -U root
Enter root's password:
Domain=[LATTARI] OS=[Unix] Server=[Samba 4.1.1]
smb: \>

============================================

[root@filemon1 BOINC]#  smbtree

 \\FILEMON1\root                 Home Directories
 \\FILEMON1\IPC$                 IPC Service (Lunar Lander Software)
 \\FILEMON1\netlogon             Network Logon Service

=======================================================

[root@filemon1 BOINC]# net domain
Enter root's password:

Enumerating domains:

        Domain name          Server name of Browse Master
        -------------        ----------------------------
        LATTARI              FILEMON1

==========================================================================

And I can map server shares as network drives from Windows machines, but I cannot join the domain :-(

Expert Comment

by:slubek
ID: 40456915
1.
dump workgroup on subnet     192.168.0.6: netmask=  255.255.255.0:
seems OK, but
dump workgroup on subnet  UNICAST_SUBNET: netmask=    192.168.0.6:
not.
It seems like you have two workgroups on different subnets. How many network interfaces are on?

2.
packet_is_for_wins_server: failing WINS test #1.
means trouble with the WINS server configuration. Download nblookup and see what the output of the following is:
nblookup filemon1


Author Comment

by:Lelio Michele Lattari
ID: 40457050
Thank you for the suggestions!

1.  I have only 1 network card on the Samba machine:

[root@filemon1 samba]# ifconfig
enp3s6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.6  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:1e:58:48:6a:23  txqueuelen 1000  (Ethernet)
        RX packets 195515  bytes 230444340 (219.7 MiB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 112380  bytes 14192784 (13.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1095  bytes 355836 (347.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1095  bytes 355836 (347.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2a. nslookup on the samba machine

[root@filemon1 samba]# nslookup filemon1
Server:         192.168.0.6
Address:        192.168.0.6#53

filemon1.intranet.lattari.pl    canonical name = ns1.intranet.lattari.pl.
Name:   ns1.intranet.lattari.pl
Address: 192.168.0.6

2b. nslookup on the windows client

C:\Users\XNOTE>nslookup filemon1
Server:  UnKnown
Address:  192.168.0.6

Name:    ns1.intranet.lattari.pl
Address:  192.168.0.6
Aliases:  filemon1.intranet.lattari.pl

Expert Comment

by:slubek
ID: 40457175
nslookup queries DNS, nblookup queries WINS - these are not the same. :^)

Author Comment

by:Lelio Michele Lattari
ID: 40457482
I understand...

This is the output of nblookup filemon1:

C:\Users\XNOTE\AppData\Local\Temp>nblookup

NBLookup Interactive Mode

Type 'help' for a list of commands

Default Server: 192.168.0.6

Current option values:
   timeout=2 seconds
   retry=0 retries
   suffix=20
   recursion is on (recurse)
> filemon1
Recursion is on

Querying WINS Server: 192.168.0.6
NetBIOS Name: filemon1
Suffix: 20

Name returned: FILEMON1
Record type: Unique
IP Address: 192.168.0.6
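To make the DNS-versus-WINS distinction concrete, here is an added Python example (not part of this thread) that does what nblookup does above: it builds a unicast NetBIOS name query for FILEMON1<20> per RFC 1002 and parses the WINS reply. The reply bytes are constructed to match the nblookup output (unique record, 192.168.0.6); only wins_lookup() sends real traffic, and the WINS server address passed to it is an assumption.

```python
import socket
import struct

NB_TYPE, NB_CLASS_IN = 0x0020, 0x0001   # NB record (name -> address), class IN

def encode_netbios_name(name, suffix):
    """RFC 1002 first-level encoding: pad to 15 bytes, append the 1-byte
    suffix, emit each byte as two 'A'-offset nibbles (32 chars)."""
    raw = name.upper().encode("ascii").ljust(15)[:15] + bytes([suffix])
    nibbles = bytearray()
    for b in raw:
        nibbles += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(nibbles) + b"\x00"   # length, label, root

def decode_netbios_name(label):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_wins_query(name, suffix=0x20, txid=0x1234):
    """Unicast NBNS query: flags 0x0100 = opcode QUERY, RD set, broadcast
    bit (0x0010) clear. A WINS server answers only unicast queries;
    broadcast name queries are answered by the name's owner, not by WINS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", NB_TYPE, NB_CLASS_IN)

def parse_wins_response(data, txid):
    """Parse a positive name query response (one NB answer record)."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                      # rcode 3 = name not registered in WINS
        raise ValueError("name query failed, rcode=%d" % (flags & 0x000F))
    if an < 1 or qd != 0 or data[12] != 32:
        raise ValueError("unexpected answer layout")
    name, suffix = decode_netbios_name(data[13:45])
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", data[46:56])
    nb_flags, = struct.unpack("!H", data[56:58])   # G bit 0x8000 = group name
    return {"name": name, "suffix": suffix, "ttl": ttl,
            "ip": socket.inet_ntoa(data[58:62]),
            "type": "Group" if nb_flags & 0x8000 else "Unique"}

def constructed_response(txid=0x1234):
    """Constructed reply (not captured) as a WINS server would send for
    FILEMON1<20>: flags 0x8580 = response, AA, RD, RA; rcode 0; NB_FLAGS
    0x6000 = unique, H-node; address 192.168.0.6 as in the thread."""
    rr = encode_netbios_name("FILEMON1", 0x20) + struct.pack("!HHIH", NB_TYPE, NB_CLASS_IN, 300, 6)
    rdata = struct.pack("!H", 0x6000) + socket.inet_aton("192.168.0.6")
    return struct.pack("!HHHHHH", txid, 0x8580, 0, 1, 0, 0) + rr + rdata

def wins_lookup(name, wins_server, suffix=0x20, timeout=2.0):
    """Live equivalent of nblookup: query UDP/137 on the WINS server."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_wins_query(name, suffix, txid), (wins_server, 137))
        reply, _ = sock.recvfrom(1024)
    return parse_wins_response(reply, txid)
```

A name that resolves in DNS but raises rcode=3 here is exactly the case the thread is chasing: the client will never find an NT4-style domain controller through DNS alone, it needs the <1B>/<1C> and <20> names registered in WINS or answered on the local broadcast domain.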

Accepted Solution

by:
Lelio Michele Lattari earned 0 total points
ID: 40458483
I have finally found the reason why it did not work. All my settings were correct on both machines but...


Windows registry changes:
https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains

Thank you for the help!

Author Closing Comment

by:Lelio Michele Lattari
ID: 40466453
I have found the solution to my problem