Tiger Server as PDC

  • #367411
    mosx86
    Participant

    I know that not many people are doing this, but we’re a majority Mac shop with a smattering of PCs requiring authentication and we’d like to use our OD master as PDC to do this. In attempting to set up and troubleshoot a PDC on our OD master I am having a few issues that don’t quite add up. Essentially I’m seeing three problems, but first the setup:

    PDC config:

    *General*
    Role: PDC
    Description: set to match host – domain suffix
    Computer Name: set to match host – domain suffix
    Domain: xxxxx

    *Access*
    Guest Access OFF
    Client Connections: Unlimited
    Authentication: NTLMv2 & Kerberos, NTLM

    *Logging*
    High

    *Advanced*
    Code Page: Latin US (437)
    Services: Workgroup Master Browser, Domain Master Browser
    WINS Registration: Enable WINS server
    Homes: Enable virtual share points

    We also have a BDC set up on our OD replica with the following settings:

    BDC config:

    *General*
    Role: PDC
    Description: set to match host – domain suffix
    Computer Name: set to match host – domain suffix
    Domain: xxxxx

    *Access*
    Guest Access OFF
    Client Connections: Unlimited
    Authentication: NTLMv2 & Kerberos, NTLM

    *Logging*
    Low

    *Advanced*
    Code Page: Latin US (437)
    Services: Workgroup Master Browser
    WINS Registration: Enable WINS server
    Homes: Enable virtual share points

    Here is the smb.conf file of our PDC:
    [quote][global]
    encrypt passwords = yes
    workgroup = xxxxx
    display charset = UTF-8-MAC
    security = user
    deadtime = 5
    guest account = unknown
    add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u -n "/LDAPv3/127.0.0.1"
    add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n "/LDAPv3/127.0.0.1"
    client ntlmv2 auth = no
    preferred master = yes
    defer sharing violations = no
    allow trusted domains = no
    netbios name = set to match host – domain suffix
    lanman auth = NO
    vfs objects = darwin_acls
    wins support = yes
    interfaces = w.x.y.z/26
    brlm = yes
    max smbd processes = 0
    server string = od
    logon drive = H:
    os level = 20
    domain logons = yes
    passdb backend = opendirectorysam guest
    dos charset = CP437
    bind interfaces only = yes
    unix charset = UTF-8-MAC
    auth methods = guest opendirectory
    local master = yes
    domain master = yes
    map to guest = Never
    use spnego = yes
    printer admin = @admin, @staff
    logon path = \\%N\profiles\%u
    ntlm auth = YES
    log level = 2
    [netlogon]
    oplocks = yes
    path = /etc/netlogon
    strict locking = no
    browseable = no
    write list = @admin
    [homes]
    root preexec = /usr/sbin/inituser %U
    read only = no
    comment = User Home Directories
    browseable = no
    create mode = 0750
    [profiles]
    oplocks = yes
    path = /Users/Profiles
    read only = no
    strict locking = no
    browseable = no
    [printers]
    printable = yes
    path = /tmp[/quote]

    Questions about conf file:

    I have NTLMv2 enabled in the GUI, why is it off in the smb.conf file?

    Problems

    1. Connected users fail to appear in the Connections view or the Overview view. Occasionally, you’ll see a user appear in the Graphs view. Logs show users as properly authenticating and opening/closing login.bat, and IFMEMBER.EXE.

    2. When connected users DO show up in the Connections view their connection time is 00:00. This does not change. Users typically disappear from view within 5 minutes.

    3. XP clients are able to bind to the domain. When users attempt to authenticate an error is returned that the domain is unavailable.

    4. Related to problem 3. Some hosts that are able to authenticate users occasionally lose this ability. Typically a restart will correct the issue.

    Please let me know if you need any further info.

    Many thanks!

    #368504
    mosx86
    Participant

    [QUOTE]3. XP clients are able to bind to the domain. When users attempt to authenticate an error is returned that the domain is unavailable.

    4. Related to problem 3. Some hosts that are able to authenticate users occasionally lose this ability. Typically a restart will correct the issue.
    [/QUOTE]

    This may help some people down the road… After doing some more research on Samba PDCs I’ve learned that PDCs don’t like it when there are workgroups on the network with the same name as the domain. Also, NetBIOS names that match the domain can cause the PDC to act up as well.
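An added example, not from the thread or from Samba itself: a small POSIX shell lint that reads the [global] section of an smb.conf and flags the name clash described above (netbios name equal to the workgroup/domain) plus LAN Manager auth left enabled. The two sample configs inside the script are constructed for the example, not the poster's file.

```shell
#!/bin/sh
# Lint an smb.conf [global] section for the PDC pitfalls named in this thread:
# a netbios name equal to the workgroup/domain, and weak LAN Manager auth left on.

# Print the [global] value of parameter $2 from file $1, lower-cased and
# trimmed; the last occurrence wins, which is how Samba resolves duplicates.
smb_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }                      # skip comment lines
        /^[[:space:]]*\[/ { ing = (tolower($0) ~ /^[[:space:]]*\[global]/); next }
        ing && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = tolower(v)
            }
        }
        END { print val }' "$1"
}

# Print one finding per line; exit status 0 when clean, 1 when something was flagged.
check_pdc_conf() {
    wg=$(smb_global_value "$1" "workgroup")
    nb=$(smb_global_value "$1" "netbios name")
    rc=0
    if [ -n "$wg" ] && [ "$wg" = "$nb" ]; then
        echo "netbios name '$nb' is the same as the workgroup/domain '$wg'"
        rc=1
    fi
    if [ "$(smb_global_value "$1" "lanman auth")" = "yes" ]; then
        echo "lanman auth = yes: LM password hashes are accepted"
        rc=1
    fi
    return $rc
}

# Constructed sample configs: one with the name clash, one without.
SAMBA_BAD=$(mktemp); SAMBA_OK=$(mktemp)
cat >"$SAMBA_BAD" <<'EOF'
[global]
workgroup = EXAMPLE
netbios name = example
lanman auth = yes
domain logons = yes
[homes]
browseable = no
EOF
cat >"$SAMBA_OK" <<'EOF'
[global]
workgroup = EXAMPLE
netbios name = odmaster
lanman auth = no
EOF
check_pdc_conf "$SAMBA_BAD" || echo "-> fix before enabling domain logons"
check_pdc_conf "$SAMBA_OK" && echo "-> no PDC naming problems found"
```

Run it against a real smb.conf with `check_pdc_conf /etc/smb.conf` after sourcing the functions; the [homes] entry in the sample shows that values outside [global] are ignored.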
