Bug 5081 - Incorrect client ( Win 2000 ) name reported during joining Samba domain.
Incorrect client ( Win 2000 ) name reported during joining Samba domain.
Status: RESOLVED WORKSFORME
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
3.0.24
x86 Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-14 11:23 UTC by Mike Starov
Modified: 2007-11-26 15:13 UTC (History)
0 users

See Also:


Attachments
Samba log for joining of the client during installation (73.10 KB, text/plain)
2007-11-14 11:29 UTC, Mike Starov
no flags Details
Samba log for joining of the installed client (84.36 KB, text/plain)
2007-11-14 11:30 UTC, Mike Starov
no flags Details
Ethereal sniff for joining client during installation (39.51 KB, application/octet-stream)
2007-11-14 11:33 UTC, Mike Starov
no flags Details
Ethereal sniff for joining installed client (38.35 KB, application/octet-stream)
2007-11-14 11:34 UTC, Mike Starov
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Starov 2007-11-14 11:23:25 UTC
Environment:
Clients: Win 2000
Server: Suse Linux Enterprise Server 10.1
Package: Prebuild Samba 3.0.24-2.23

I have a situation where joining Samba domain works just fine when I am joining an installed client but it fails with a "User name not found" error when joining a client during OS installation. After looking at the logs I found that when a client is joined during installation the Samba does not receive correct clients NetBios name ( the value thats bound to %m ). Instead of actual name it receives a literal string "machinename". My "add machine script" faithfully adds an account for "machinename$" but when client tries to join it is unable to find the right account. Thus the dreaded "user name not found". Of course if I add the correct account before the join attempt everything works like on butter. 

This behavior goes not occur when I join already installed workstations. The Samba receives the correct NetBios name and the computer account is created successfully. 

I don't think this is the Clients fault because if its a non Samba DC then everything works. I am using Unattended for installation but I don't thing that it matters. Unattended only generates the standard file for Windows unattended installation.

smb.conf.

[global]
	log file = /var/log/samba/samba.log
	log level = 3
        #syslog = 3
	workgroup = NETCE.com
	printing = cups
	printcap name = cups
	printcap cache time = 750
	cups options = raw
	map to guest = Bad User
	include = /etc/samba/dhcp.conf
	logon path = \\%L\profiles\%U\Profile
	logon drive = H:
        logon home = ""
	# Sending more information than needed to the script for logging purposes.
	add machine script = /cluster/samba-ntprofiles/create_computer_account2 %M %m %U
	domain logons = Yes
	domain master = Yes
	local master = Yes
	os level = 65
	passdb backend = ldapsam:ldap://###############
	preferred master = Yes
	security = user
	usershare max shares = 100
	logon script = scripts\logon.bat %U %G %m samba 1>>\\%L\profiles\.log\logon.log 2>>&1
	netbios name = samba
	ldap admin dn = ##################################
	ldap passwd sync = Yes
	ldap suffix = dc=netce,dc=com
	ldap group suffix = ou=group
	ldap user suffix = ou=people
	wins support = Yesinstal
	idmap backend = ldap:ldap://################
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=machine
	ldap ssl = Off
	hide dot files = Yes
	hide special files = Yes
	hide unreadable = Yes
	username map = /etc/samba/smbusers
	guest account = nobody
	server string = Samba NETServer
	host msdfs = Yes
	#interfaces = eth1 eth0
        interfaces = 192.168.8.2 192.168.9.2 127.0.0.1
	bind interfaces only = yes
	time server = Yes
	dos filetimes = Yes
	usershare allow guests = No
        winbind enum users = yes
        winbind enum groups = yes
        #winbind expand groups = 3
      	browseable = Yes
	map archive = No

When joining the client during installation the log contains a line:

[2007/11/13 16:03:41, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/cluster/samba-ntprofiles/create_computer_account2 192.168.9.99 machinename netce.admin' gave 0

This is a copy from the log. "MachineName" is what samba thinks is the NetBios of the client when in fact it is something like "test_comp..." When an installed client is being joined the same line is as followes.

[2007/11/14 09:20:07, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/cluster/samba-ntprofiles/create_computer_account2 192.168.9.97 testcomp01 netce.admin' gave 0

I'll try to attach sniffs and full logs later.
Comment 1 Mike Starov 2007-11-14 11:29:21 UTC
Created attachment 2968 [details]
Samba log for joining of the client during installation
Comment 2 Mike Starov 2007-11-14 11:30:31 UTC
Created attachment 2969 [details]
Samba log for joining of the installed client
Comment 3 Mike Starov 2007-11-14 11:33:56 UTC
Created attachment 2970 [details]
Ethereal sniff for joining client during installation
Comment 4 Mike Starov 2007-11-14 11:34:28 UTC
Created attachment 2971 [details]
Ethereal sniff for joining installed client
Comment 5 Gerald (Jerry) Carter 2007-11-26 08:14:28 UTC
Set "smb ports = 139"
Comment 6 Mike Starov 2007-11-26 12:50:52 UTC
(In reply to comment #5)
> Set "smb ports = 139"
> 

Yes that fixed the problem. But it seems like a hack, not a solution. Do you really think that blocking port 445 is the final solution. Actually, port 455 supposed to be the newer implementation of SMB protocol. Wouldn't I loose some functionality by blocking it?

I believe there is a bug in the samba code that prevents it from getting correct clients name. According to sniffs the name is in the packets. Samba just don't see it.

Please explain to me if you think that I am wrong. I am not familiar with how exactly Samba works internally, but have experience setting up company level network.
Comment 7 Gerald (Jerry) Carter 2007-11-26 12:57:41 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Set "smb ports = 139"
> > 
> 
> Yes that fixed the problem. But it seems like a hack, not a solution. Do you
> really think that blocking port 445 is the final solution. 

YYes I do.  In fact, the useradd (and machine add) should use %u and 
not %m.  %m is the NetBIOS machine name and is only reliably available
when the client establishes a NetBIOS session (which it does not on port 445).
Comment 8 Mike Starov 2007-11-26 15:13:23 UTC
(In reply to comment #5)
> Set "smb ports = 139"
> 

(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Set "smb ports = 139"
> > > 
> > 
> > Yes that fixed the problem. But it seems like a hack, not a solution. Do you
> > really think that blocking port 445 is the final solution. 
> 
> YYes I do.  In fact, the useradd (and machine add) should use %u and 
> not %m.  %m is the NetBIOS machine name and is only reliably available
> when the client establishes a NetBIOS session (which it does not on port 445).
> 

(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Set "smb ports = 139"
> > > 
> > 
> > Yes that fixed the problem. But it seems like a hack, not a solution. Do you
> > really think that blocking port 445 is the final solution. 
> 
> YYes I do.  In fact, the useradd (and machine add) should use %u and 
> not %m.  %m is the NetBIOS machine name and is only reliably available
> when the client establishes a NetBIOS session (which it does not on port 445).
> 

Thanks. Using %u instead of %m is definitely a better solution than blocking the port. Thanks for the explanation too.