Results 1 to 5 of 5

Thread: Login problem with Windows 7 local profile and Samba as an NT4-style domain controller

  1. #1

    Default Login problem with Windows 7 local profile and Samba as an NT4-style domain controller

    Hi,

    I'm having some issues with Samba and Windows 7 and would very much appreciate some help on this

    When trying to login on a Windows 7 machine I get the following error:
    "There are currently no logon servers available to service the logon".

    I get this error most of the time, but occasionally I'm actually able to login when trying
    multiple times and rebooting the client machine. Additionally, this problem only seems to happen
    on some of the machines when trying to login with the same user (using a local profile on each machine).
    This would suggest that the server configuration is not completely messed up?
    I was able to join all these machines to the domain without a problem.

    Also, when able to login to Windows, I can use the samba shares without any problems.

    A related problem is that on none of the machines I'm able to login without a network
    connection using a local profile (that is, caching of credentials doesn't seem to work).
    Does anybody have an idea how to fix this
    (I understand that solving this should also solve the problem mentioned above)?

    Previously I also had the problem of Windows using only temporary profiles on these same machines,
    but this I was able to fix by setting logon path to empty string in smb.conf.

    I've done these registry changes to Windows clients:
    https://wiki.samba.org/index.php/Reg...-style_domains

    I've also added the Samba server to the Windows lmhosts-file, disabled IPv6 on client, tried to increase
    the number of logins that Windows caches to 50 and enforced Windows not to wait for the network on a login using gpedit.msc.

    I'm using OpenSUSE 13.1 and Samba 4.1.6-3.18.1-3208-SUSE-oS13.1-x86-64

    Here's the relevant part of my smb.conf file. I'm really not a Samba or a Windows networking expert
    so there really might be something basic wrong here... Any help is greatly apprecieated!

    Code:
    [global]
        workgroup = MYDOMAIN
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        logon path =  
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = Yes
        domain master = Yes
        local master = Yes
        netbios name = myname
        os level = 65
        preferred master = Yes
        security = user
        wins support = Yes
    [homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
    [users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
    [groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
    [printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775    
    [netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root

  2. #2
    Join Date
    Sep 2012
    Location
    Canada
    Posts
    112

    Default Re: Login problem with Windows 7 local profile and Samba as an NT4-style domain controller

    Hi japa and Welcome to the openSUSE community forum!

    Hi,

    I'm having some issues with Samba and Windows 7 and would very much appreciate some help on this

    When trying to login on a Windows 7 machine I get the following error:
    "There are currently no logon servers available to service the logon".
    The error suggests that the domain controller couldn't be found by Windows when querying the network. When you use a NT4 domain controller, the domain controller is found using NetBIOS browsing. Is NetBIOS browsing allowed through the firewalls of the Windows 7 workstations? I already have issues with domain logon because of firewalls which suddenly block everything after a Windows/Microsoft update.

    I get this error most of the time, but occasionally I'm actually able to login when trying
    multiple times and rebooting the client machine. Additionally, this problem only seems to happen
    on some of the machines when trying to login with the same user (using a local profile on each machine).
    This would suggest that the server configuration is not completely messed up?
    I was able to join all these machines to the domain without a problem.

    Also, when able to login to Windows, I can use the samba shares without any problems.
    So Samba authentication isn't the problem.

    A related problem is that on none of the machines I'm able to login without a network
    connection using a local profile (that is, caching of credentials doesn't seem to work).
    Does anybody have an idea how to fix this
    (I understand that solving this should also solve the problem mentioned above)?
    I'm not sure how this problem can be related to the error "There are currently no logon servers available to service the logon". If you already logged in on a WIndows 7 workstation, caching credentials should work.

    Previously I also had the problem of Windows using only temporary profiles on these same machines,
    but this I was able to fix by setting logon path to empty string in smb.conf.

    I've done these registry changes to Windows clients:
    https://wiki.samba.org/index.php/Reg...-style_domains

    I've also added the Samba server to the Windows lmhosts-file, disabled IPv6 on client, tried to increase
    the number of logins that Windows caches to 50 and enforced Windows not to wait for the network on a login using gpedit.msc.
    I'm not a Windows expert, but I think you should configure your Windows workstations so they wait for the network on login so they can find the domain controler.

    I'm using OpenSUSE 13.1 and Samba 4.1.6-3.18.1-3208-SUSE-oS13.1-x86-64

    Here's the relevant part of my smb.conf file. I'm really not a Samba or a Windows networking expert
    so there really might be something basic wrong here... Any help is greatly apprecieated!

    [...]
    I see nothing wrong with your smb.conf file.

    Let's first check that your domain controller is advertised correctly on your network. On your domain controller, please execute the following command line and share with us the ouput:

    Code:
    $ nmblookup 'MYDOMAIN#1b' 'MYDOMAIN#1c'
    This will list the IP address of the domain master (<0x1b>) and the domain controlers (<0x1c>) of the MYDOMAIN domain. If your Samba domain controller is advertised correctly, you sould see its IP address.

    The next step is to check the same thing but on the client side. From a Windows 7 workstation having the issue you described, please execute and share with us the ouput the following command line:

    Code:
    C:\> nbtstat -a myname
    This will list the NetBIOS resources registered by the computer with the NetBIOS name myname.
    Kalten

  3. #3
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: Login problem with Windows 7 local profile and Samba as an NT4-style domain controller

    Kaiten's post is correct but I would recommend a few different things to look at.

    Understanding the fundamental problem is likely "finding" the DC, you then need to look at how you're set up.

    Although a NetBIOS (WINS) nameserver isn't required, it's highly recommended for reliable name resolution. You need to understand that NetBIOS Name Resolution is not the same as Hostname resolution, unless special fallback configurations exist as necessary you need to provide this parallel name resolution service.

    So, the typical steps
    - Deploy a NetBIOS Name Server
    - Be sure that DHCP is configuring client machines in the network to <know> that NetBIOS Nameservers exist and what are their IP addresses.

    Another good alternative to deploying a NetBIOS Nameserver is to insert the network's NetBIOS names mapped to IP addresses in a LMhosts file on each machine, this works the same as the more commonly discussed Hosts file. If you don't want to run around configuring this file on every machine in your network, you can configure DHCP to push a custom LMhosts file to every client.

    The worst solution because it's unreliable and probably what you are doing is to just ignore configuring a reliable NetBIOS name resolution solution. In that case, you'd have to open the NetBIOS Nameserver broadcast port on every machine and rely on broadcasts. In this case your solution is no better than a Workgroup and one of the main reason why people deploy Domain based network security instead of Workgroups.

    HTH,
    TSU

  4. #4

    Default Re: Login problem with Windows 7 local profile and Samba as an NT4-style domain controller

    OK, I was finally able to fix this.

    For some reason the user had MYSAMBASERVER instead of MYDOMAIN as their domain, as was evident by running pdbedit -L -v .

    After realising this the fix was embarrasingly simple: just removing the samba user and adding him again with smbpasswd -x and smbpasswd -a (and making sure the settings/files are copied to the new local profiles).

    Now it all seems to work fine, credentials cache and everything.

    What I still don't understand is why the user was able to login consistently on one of the machines and occasionally on two of the other machines. I would expect the user not to be able login to the domain at all unless the user belongs to that domain (the machine accounts however belonged to the domain also according to pdbedit -L -v). This led me to thinking that the problem would have to be something computer/samba-related rather than user related. (There were also other users with similar problems but it turned out these too had a similar problem). Being mislead by these facts - and especially being such a newbie in samba/networking - it just took me way too much time to realise to check this.

    Thanks kalten and tsu2 for you replies. And most importantly apologies to you and to anyone else who put effort to this for missing such a basic fix.

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Default Re: Login problem with Windows 7 local profile and Samba as an NT4-style domain controller

    Cached credentials (ones that worked at least once) can continue to permit authentication if not properly expired.

    This is because cached credentials are utilized when the Authenticator can't be reached. Or, poorly written software can permit locally cached authentication if normal authentication denies, it's the difference between returning a proper "deny" or responding with a null for instance.

    Glad you found your solution, they sometimes are the most simply overlooked or mis-configured.

    TSU

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •