Lelio Michele Lattari asked:

Samba as PDC - DOMAIN is invisible to Windows machines

Hi!

I have configured samba as PDC for the domain LATTARI. Windows machines cannot find the domain controller.

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = LATTARI
        server string = Lunar Lander Software
        interfaces = lo, 192.168.0.6
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon script = %u.bat
        logon path = \\%L\Profiles\%u
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        idmap config * : backend = tdb
        hosts allow = 127., 192.168.0.
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon

[public]
        comment = Public Stuff
        path = /home/samba
        write list = +staff
        read only = No
        guest ok = Yes

Please help!

Last comment: Lelio Michele Lattari, 8/22/2022 - Mon
slubek

Some thoughts:
1. Is the time on Windows machines and samba controller in sync?
2. Can you ping samba server from clients?
3. Do you have firewall on server enabled?
4. What is your dhcpd configuration?
5. Do you have DNS configured?
Lelio Michele Lattari

ASKER
Hi!

1. Yes - the clocks are in sync

2. I cannot ping the NetBIOS name LATTARI, but YES, I can ping the DNS server name filemon1 on which the PDC is active, and I can nslookup the DNS record for the server

C:\Users\XNOTE>nslookup filemon1
Server:  UnKnown
Address:  192.168.0.7

Name:    filemon1.intranet.lattari.pl
Address:  192.168.0.6

ohhh... really I CAN ping the server:

C:\Users\XNOTE>ping filemon1

Pinging filemon1.intranet.lattari.pl [192.168.0.6] with 32 bytes of data:
Reply from 192.168.0.6: bytes=32 time=2ms TTL=64
Reply from 192.168.0.6: bytes=32 time=1ms TTL=64
Reply from 192.168.0.6: bytes=32 time=1ms TTL=64
Reply from 192.168.0.6: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.0.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

4. No firewall on the PDC machine
5. DNS is on another server on the same network (192.168.0.7)
6. dhcpd runs on another server on the same network (192.168.0.7), it has option wins server configured with samba PDC address

Windows machines network settings:
Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : intranet.lattari.pl
   Description . . . . . . . . . . . : Intel(R) Wireless-N 7260
   Physical Address. . . . . . . . . : 0C-8B-FD-82-33-18
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.158(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 19 listopada 2014 16:21:31
   Lease Expires . . . . . . . . . . : 19 listopada 2014 16:51:32
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.7
   DNS Servers . . . . . . . . . . . : 192.168.0.7
   Primary WINS Server . . . . . . . : 192.168.0.6
   NetBIOS over Tcpip. . . . . . . . : Enabled
Lelio Michele Lattari

ASKER
Sorry! firewalld was active... I made a quick test without the firewall and nothing changed... :-(

Tomorrow I will try to run bind on the same machine as samba and I will let you know what happens...

Thanks for the help
slubek

One more thought - have you configured and enabled Kerberos?
BTW, on that wiki above I found that samba should provide a sysvol share - maybe that's your problem?

PS. Greetings from Warsaw :^)
Lelio Michele Lattari

ASKER
Hi again!

Really I am trying to run samba as simple old style PDC without AD services. I have made some changes in the configuration. Now, when I try to join the domain LATTARI from a Windows 8.1 PRO machine, the username and password window appears but the login process fails.

Here is some info about what is happening:

====================================

smb.conf

====================================

Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
        workgroup = LATTARI
        server string = Lunar Lander Software
        interfaces = lo, enp3s6
        log file = /var/log/samba/log.%m
        max log size = 50
        load printers = No
        printcap name = lpstat
        add user script = /usr/sbin/useradd "%u" -n -g users
        delete user script = /usr/sbin/userdel "%u"
        add group script = /usr/sbin/groupadd "%g"
        delete group script = /usr/sbin/groupdel "%g"
        delete user from group script = /usr/sbin/userdel "%u" "%g"
        add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
        logon script = %u.bat
        logon path = \\%L\Profiles\%u
        logon drive = H:
        domain logons = Yes
        os level = 64
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        idmap config * : backend = tdb
        invalid users = apache, bin, daemon, adm, sync, shutdown, halt, mail, news, uucp, operator
        admin users = root, @admin
        hosts allow = 127.0.0.1, 192.168.0.0/24
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        print ok = Yes
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes

[Profiles]
        path = /home/samba/Profiles
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No

=============================================

/var/lib/samba

=============================================


[root@filemon1 samba]# ls -al /var/lib/samba
total 2832
drwxr-xr-x  5 root root    4096 Nov 21 08:55 .
drwxr-xr-x 31 root root    4096 Nov 21 07:59 ..
-rw-------  1 root root  421888 Nov 20 23:24 account_policy.tdb
-rw-r--r--  1 root root   40200 Nov 21 08:43 brlock.tdb
-rw-r--r--  1 root root     150 Nov 21 08:43 browse.dat
-rw-------  1 root root     696 Nov 21 08:47 dbwrap_watchers.tdb
-rw-r--r--  1 root root  421888 Nov 21 08:47 gencache_notrans.tdb
-rw-r--r--  1 root root  425984 Nov 21 08:47 gencache.tdb
-rw-------  1 root root  430080 Nov 20 23:19 group_mapping.tdb
-rw-r--r--  1 root root   40200 Nov 21 08:43 locking.tdb
-rw-------  1 root root     696 Nov 21 08:43 messages.tdb
-rw-------  1 root root     696 Nov 19 10:14 mutex.tdb
-rw-r--r--  1 root root   13859 Nov 21 08:43 namelist.debug
drwxrwxr-x  2 root admin      6 Nov 20 16:40 netlogon
-rw-r--r--  1 root root     696 Nov 21 08:43 notify_index.tdb
-rw-r--r--  1 root root     696 Nov 21 08:43 notify.tdb
-rw-r--r--  1 root root   12288 Nov 21 08:44 printer_list.tdb
drwxr-xr-x  2 root root      25 Nov 19 10:25 printing
drwx------  2 root root      66 Nov 19 11:00 private
-rw-------  1 root root  528384 Nov 19 10:25 registry.tdb
-rw-r--r--  1 root root    8192 Nov 21 08:47 serverid.tdb
-rw-------  1 root root  421888 Nov 19 10:25 share_info.tdb
-rw-------  1 root root     696 Nov 21 08:43 smbXsrv_open_global.tdb
-rw-------  1 root root   32768 Nov 21 08:47 smbXsrv_session_global.tdb
-rw-------  1 root root   16384 Nov 21 08:47 smbXsrv_tcon_global.tdb
-rw-------  1 root root   16384 Nov 21 08:43 smbXsrv_version_global.tdb
-rw-r--r--  1 root root    1608 Nov 21 08:55 wins.dat
-rw-------  1 root root   24576 Nov 21 08:55 wins.tdb

=====================================

/home/samba

=====================================

[root@filemon1 samba]# ls -al /home/samba
total 0
drwxrwxrwx 3 root admin 21 Nov 21 08:21 .
drwxr-xr-x 6 root root  61 Nov 21 08:20 ..
drwxrwxrwx 2 root admin  6 Nov 21 08:21 Profiles

=======================================

samba net

=======================================

net groupmap add ntgroup="Domain Admins" unixgroup=admin rid=512 type=d
net rpc rights grant -U m.lattari LATTARI\Domain Admins SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

=======================================

log.smbd trying to join the domain

=======================================

[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/libsmb/nmblib.c:108(debug_nmb_packet)
  nmb packet from 192.168.0.150(137) header: id=53066 opcode=Query(0) response=No
      header: flags: bcast=Yes rec_avail=No rec_des=Yes trunc=No auth=No
      header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
      question: q_name=WPAD<00> q_type=32 q_class=1
[2014/11/21 09:02:50, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_winsserver.c:524(packet_is_for_wins_server)
  packet_is_for_wins_server: failing WINS test #1.
[2014/11/21 09:02:50,  3, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
  process_name_query_request: Name query from 192.168.0.150 on subnet 192.168.0.6 for name WPAD<00>
[2014/11/21 09:02:50,  9, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_namelistdb.c:141(find_name_on_subnet)
  find_name_on_subnet: on subnet 192.168.0.6 - name WPAD<00> NOT FOUND
[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet 192.168.0.6: found.
[2014/11/21 09:02:50, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_sendannounce.c:386(announce_myself_to_domain_master_browser)
  announce_myself_to_domain_master_browser: t (1416556969) - last(1416556952) < 900
[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet UNICAST_SUBNET: found.
[2014/11/21 09:02:50,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet UNICAST_SUBNET: found.
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet 192.168.0.6: found.
[2014/11/21 09:03:00, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_sendannounce.c:386(announce_myself_to_domain_master_browser)
  announce_myself_to_domain_master_browser: t (1416556970) - last(1416556952) < 900
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet     192.168.0.6: netmask=  255.255.255.0:
        LATTARI(1) current master browser = FILEMON1
                FILEMON1 408c9b0b (Lunar Lander Software)
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet  UNICAST_SUBNET: netmask=    192.168.0.6:
        LATTARI(1) current master browser = UNKNOWN
                FILEMON1 40899b0b (Lunar Lander Software)
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)
  find_workgroup_on_subnet: workgroup search for LATTARI on subnet UNICAST_SUBNET: found.
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:165(find_workgroup_on_subnet)


I would appreciate your suggestions.

P.S. Greetings from 05-500 Piaseczno :-)
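Both smb.conf dumps in this thread share the [netlogon] and [Profiles] settings that a PDC admin should look at twice (guest access on the share that serves roaming profiles, `admin users`, `hosts allow`). The following is an added review script for this thread, not Samba's own code; SAMPLE is a constructed subset of the second dump above, and the checks are the ones named in its comments.

```python
"""Review an smb.conf (or testparm dump) for settings that weaken an NT4-style
Samba PDC. Added for this thread; SAMPLE is a constructed subset of the dump."""
import re

SAMPLE = """\
[global]
        workgroup = LATTARI
        admin users = root, @admin
        hosts allow = 127.0.0.1, 192.168.0.0/24
        logon path = \\\\%L\\Profiles\\%u
[netlogon]
        guest ok = Yes
[Profiles]
        read only = No
        guest ok = Yes
"""

def parse_smbconf(text):
    """Return {section: {key: value}}; keys are normalised ('Guest OK' -> 'guestok')."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf[section] = {}
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep:
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf

def is_yes(value):
    return value is not None and value.lower() in ("yes", "true", "1")

def is_writable(params):
    # Samba's default is 'read only = yes'; 'writable' is the inverse synonym.
    return params.get("readonly", "yes").lower() == "no" or is_yes(params.get("writable"))

def review(conf):
    """Return (section, message) findings a PDC admin should look at."""
    findings, guest_writable = [], set()
    g = conf.get("global", {})
    if "hostsallow" not in g:
        findings.append(("global", "no 'hosts allow': any reachable host may connect"))
    if "adminusers" in g:
        findings.append(("global", "'admin users' act as root on every share: " + g["adminusers"]))
    for share, params in conf.items():
        if share != "global" and is_yes(params.get("guestok")) and is_writable(params):
            guest_writable.add(share)
            findings.append((share, "guest-writable share: anonymous clients can alter its contents"))
    # Roaming profiles served from a guest-writable share can be tampered with.
    m = re.match(r"\\\\[^\\]+\\([^\\]+)", g.get("logonpath", ""))
    if m and m.group(1) in guest_writable:
        findings.append(("global", "logon path points at guest-writable share " + m.group(1)))
    return findings
```

A read-only guest share such as [netlogon] is not flagged; [Profiles] is, both on its own and because `logon path` points at it.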
Lelio Michele Lattari

ASKER
[root@filemon1 BOINC]# smbclient //FILEMON1/netlogon -U root
Enter root's password:
Domain=[LATTARI] OS=[Unix] Server=[Samba 4.1.1]
smb: \>

============================================

[root@filemon1 BOINC]#  smbtree

 \\FILEMON1\root                 Home Directories
 \\FILEMON1\IPC$                 IPC Service (Lunar Lander Software)
 \\FILEMON1\netlogon             Network Logon Service

=======================================================

[root@filemon1 BOINC]# net domain
Enter root's password:

Enumerating domains:

        Domain name          Server name of Browse Master
        -------------        ----------------------------
        LATTARI              FILEMON1

==========================================================================

And I can map server shares as network drives from windows machines, but I cannot join the domain :-(
slubek

1.
dump workgroup on subnet     192.168.0.6: netmask=  255.255.255.0:
seems OK, but
dump workgroup on subnet  UNICAST_SUBNET: netmask=    192.168.0.6:
not.
It seems like you have two workgroups on different subnets. How many network interfaces are on?

2.
packet_is_for_wins_server: failing WINS test #1.
means troubles with wins server configuration. Download nblookup and see what is the output of
nblookup filemon1

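The two lines slubek picks out of the nmbd log (the per-subnet master browser dump and the "failing WINS test" message) can be pulled out of a full debug log mechanically. This is an added example for this thread, not Samba code; SAMPLE is a constructed excerpt in the format of the log posted above.

```python
"""Summarise nmbd debug output for the two things slubek points at: a subnet whose
master browser is UNKNOWN and 'failing WINS test' messages. Added for this thread,
not Samba code; SAMPLE is a constructed excerpt in the format of the log above."""
import re

SAMPLE = """\
[2014/11/21 09:02:50, 10, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_winsserver.c:524(packet_is_for_wins_server)
  packet_is_for_wins_server: failing WINS test #1.
[2014/11/21 09:02:50,  3, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_incomingrequests.c:459(process_name_query_request)
  process_name_query_request: Name query from 192.168.0.150 on subnet 192.168.0.6 for name WPAD<00>
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet     192.168.0.6: netmask=  255.255.255.0:
        LATTARI(1) current master browser = FILEMON1
                FILEMON1 408c9b0b (Lunar Lander Software)
[2014/11/21 09:03:00,  4, pid=3047, effective(0, 0), real(0, 0)] ../source3/nmbd/nmbd_workgroupdb.c:276(dump_workgroups)
  dump_workgroups()
   dump workgroup on subnet  UNICAST_SUBNET: netmask=    192.168.0.6:
        LATTARI(1) current master browser = UNKNOWN
                FILEMON1 40899b0b (Lunar Lander Software)
"""

SUBNET_RE = re.compile(r"dump workgroup on subnet\s+(\S+?): netmask=\s*(\S+?):")
MASTER_RE = re.compile(r"(\S+)\(\d+\) current master browser = (\S+)")
QUERY_RE = re.compile(r"Name query from (\S+) on subnet \S+ for name (\S+)")

def summarise_nmbd_log(text):
    """Return {'master_browsers': {subnet: (workgroup, browser)},
    'wins_test_failures': n, 'name_queries': [(client, name), ...]}."""
    summary = {"master_browsers": {}, "wins_test_failures": 0, "name_queries": []}
    subnet = None
    for line in text.splitlines():
        if "failing WINS test" in line:
            summary["wins_test_failures"] += 1
        elif m := QUERY_RE.search(line):
            summary["name_queries"].append((m.group(1), m.group(2)))
        elif m := SUBNET_RE.search(line):
            subnet = m.group(1)           # following lines belong to this subnet
        elif (m := MASTER_RE.search(line)) and subnet:
            summary["master_browsers"][subnet] = (m.group(1), m.group(2))
    return summary

def subnets_without_master(summary):
    """Subnets on which nmbd has not recorded an elected master browser."""
    return sorted(s for s, (_, b) in summary["master_browsers"].items() if b == "UNKNOWN")
```

Run it over the whole log.nmbd rather than an excerpt; the WPAD name query it records is the kind of client lookup that also deserves a second look on a domain network.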

Lelio Michele Lattari

ASKER
Thank You for the suggestions!

1.  I have only 1 network card on the Samba machine:

[root@filemon1 samba]# ifconfig
enp3s6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.6  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:1e:58:48:6a:23  txqueuelen 1000  (Ethernet)
        RX packets 195515  bytes 230444340 (219.7 MiB)
        RX errors 0  dropped 7  overruns 0  frame 0
        TX packets 112380  bytes 14192784 (13.5 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 1095  bytes 355836 (347.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1095  bytes 355836 (347.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2a. nslookup on the samba machine

[root@filemon1 samba]# nslookup filemon1
Server:         192.168.0.6
Address:        192.168.0.6#53

filemon1.intranet.lattari.pl    canonical name = ns1.intranet.lattari.pl.
Name:   ns1.intranet.lattari.pl
Address: 192.168.0.6

2b. nslookup on the windows client

C:\Users\XNOTE>nslookup filemon1
Server:  UnKnown
Address:  192.168.0.6

Name:    ns1.intranet.lattari.pl
Address:  192.168.0.6
Aliases:  filemon1.intranet.lattari.pl
slubek

nslookup queries DNS, nblookup queries WINS - these are not the same. :^)
Lelio Michele Lattari

ASKER
I understand...

This is the output of nblookup filemon1:

C:\Users\XNOTE\AppData\Local\Temp>nblookup

NBLookup Interactive Mode

Type 'help' for a list of commands

Default Server: 192.168.0.6

Current option values:
   timeout=2 seconds
   retry=0 retries
   suffix=20
   recursion is on (recurse)
> filemon1
Recursion is on

Querying WINS Server: 192.168.0.6
NetBIOS Name: filemon1
Suffix: 20

Name returned: FILEMON1
Record type: Unique
IP Address: 192.168.0.6
Lelio Michele Lattari

ASKER
I have found the solution to my problem