AD Bound Directory Host Stability
October 18, 2005 at 9:14 pm #363692
milos
Participant
I am having some real issues with a 10.4.2 Server that is bound to AD to host home directories and have hit a wall trying to find solutions. Any suggestions would be greatly appreciated as these problems have been in effect for over four months and the Xserve's long-term future on the network is in doubt.
The server is hosting home folders in a school environment for 40 XP clients and 70 10.4.2 clients. It is only bound to AD as we have a second machine running OD to manage the Mac clients. I can see no difference from what is suggested in the AD – OD Integration white paper and would really appreciate it if anyone else using 10.4.2 Server in this way can suggest if they have it running at a satisfactory level.
1. The first issue is a frequent failure to mount the home folder location and group folder at login on the PC clients. This is corrected by stopping and starting the Windows service in Server Admin. PC clients that are already logged in do not appear to be disconnected but new logins will fail to mount the shares. The following error is logged but I cannot find anything further to suggest the cause. Sometimes this will occur once a week, other times several times a day. The home location is mapped in AD and the group volume is mounted at login via a script. When the fault occurs neither share mounts.
[2005/10/10 09:32:16, 0] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd.c:terminate(56)
Got SIGTERM: going down…
[2005/10/11 14:44:47, 0] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd.c:terminate(56)
Got SIGTERM: going down…
[2005/10/13 10:18:25, 0] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd.c:terminate(56)
Got SIGTERM: going down…
I have experimented with a cron that starts the service up every hour, which made some improvement, but if the fault occurs early in the hour it is not an adequate solution and I am hesitant to run it any more frequently. (/system/library/startupitems/Samba/Samba start)
2. The second issue is affecting PCs that are not bound to the AD domain but require file access to the server. At times the clients are running fine and then at other times cannot navigate or authenticate to the server. In this case the following error is logged.
[2005/10/18 21:09:20, 1] auth_ods.c:opendirectory_auth_user(212)
User "milstil" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987) :(
[2005/10/18 21:09:20, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
opendirectory_smb_pwd_check_ntlmv1: [-14987]opendirectory_auth_user
[2005/10/18 21:09:20, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [milstil] -> [milstil] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/10/18 21:09:26, 2] /SourceCache/samba/samba-92.9/samba/source/smbd/server.c:exit_server(595)
Closing connections
Clean install of 10.4.2 Server (Dual Xserve – 2GB), all current updates applied.
At this point I have made no changes to smb.conf other than to add "winbind separator = +", so otherwise it is running from the 10.4.2 default settings. The Windows service is set as a domain member and the REALM name is displayed. A kinit test appears to confirm that the Kerberos binding is working correctly. The Mac clients are mounting the homes via AFP and are not experiencing the connection failures.
At this time I really need to know if these problems are due to my setup or if they are inherent in 10.4.2 and cannot be resolved until future updates.
Thanking you.
October 18, 2005 at 10:24 pm #363694
Anonymous
Guest
Sounds similar to the problem I'm having… If so, you're not alone…
See here: https://www.afp548.com/forum/viewtopic.php?forum=24&showtopic=9476
October 19, 2005 at 2:37 am #363697
milos
Participant
OK, the second issue appears to be corrected by making a setting change on the XP clients.
Control Panel / Administrative Tools / Local Security Policy / Network Security: LAN Manager authentication level / Send NTLMv2 response only refuse LM & NTLM.
These settings are present under the Windows Service in Server Admin but unticking them does not appear to have the same effect as changing the client setting.
So changing this begs the question: should I perform the steps on all machines that log in via the AD domain as well as unbound XP clients?
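Added example, not part of any post in this thread: a small Python triage script for the two-line Samba log format quoted above. It counts nmbd SIGTERM shutdowns, counts passes through the NTLMv1 password check, and groups Open Directory authentication failures by user, auth method and error code. The function names are this example's own, and the sample input is adapted from the thread's log excerpts.

```python
import re
from collections import Counter

# Sample input adapted from the log excerpts quoted in the thread.
SAMPLE_LOG = """\
[2005/10/10 09:32:16, 0] /SourceCache/samba/samba-92.9/samba/source/nmbd/nmbd.c:terminate(56)
  Got SIGTERM: going down...
[2005/10/18 21:09:20, 1] auth_ods.c:opendirectory_auth_user(212)
  User "milstil" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14987)
[2005/10/18 21:09:20, 1] auth_ods.c:opendirectory_smb_pwd_check_ntlmv1(427)
  opendirectory_smb_pwd_check_ntlmv1: [-14987]opendirectory_auth_user
[2005/10/18 21:09:20, 2] /SourceCache/samba/samba-92.9/samba/source/auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [milstil] -> [milstil] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Header line: [date time, level] source_file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)\s*$")
AUTH_FAIL = re.compile(r'User "([^"]+)" failed to authenticate with "([^"]+)" \((-?\d+)\)')

def parse_records(text):
    """Pair each header line with the message line(s) that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m[1], "level": int(m[2]), "file": m[3], "func": m[4], "msg": ""}
            records.append(current)
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return records

def triage(text):
    """Summarise the two failure signatures discussed in the thread."""
    summary = {"nmbd_sigterm": [], "ntlmv1_checks": 0, "auth_failures": Counter()}
    for rec in parse_records(text):
        if rec["file"].endswith("nmbd.c") and "SIGTERM" in rec["msg"]:
            summary["nmbd_sigterm"].append(rec["time"])      # issue 1: nmbd went down
        elif rec["func"] == "opendirectory_smb_pwd_check_ntlmv1":
            summary["ntlmv1_checks"] += 1                    # client used the NTLMv1 path
        else:
            m = AUTH_FAIL.search(rec["msg"])
            if m:                                            # issue 2: (user, method, code)
                summary["auth_failures"][(m[1], m[2], int(m[3]))] += 1
    return summary

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The SIGTERM timestamps can be compared against the times the Windows service was restarted, and a non-zero NTLMv1 count shows which failures came from clients that were not sending NTLMv2 responses.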