Costa Georgiou
'The following error occurred attempting to join the domain <domain>'
'A device attached to the system is not functioning'
Summary
-------
We are having a problem that has only been present on our network recently. The result of our problem is that we are not able to successfully add any new PCs to our domain (or old PCs if we exit them from the domain to a workgroup). The defining error message states:
"a device attached to the system is not functioning"
The error message occurs following the joining of the domain process and AFTER entering a domain administrator's credentials. This has been done using an admin account on the local machine (Owner on Win7).
Our setup
---------
We are running:
2x Samba 3.6.6-0.129.el5 servers (one PDC and one BDC)
2x 64-bit Centos 5.8 platforms
openldap 2.3.43-12.el5_6.7
nss_ldap-253-25.el5
The smb.conf is a little bit unusual in that we use several includes to allow us to keep a common core config: machine.conf contains details specific to the installation (interfaces, names, descriptions etc). The servers are multi-personality and use an include statement to pick up a config for the personalities they are providing, with one of the personalities providing the domain master = yes when it is included.
LDAP is used as the master database for all accounts (users under ou=People, machines under ou=Computers) and nss_ldap is used for these to be the native users in linux (this works fine).
The only 'recent' change is configuration of winbind (for apache modules to Samba only, not used to map external domain users on linux, i.e. winbind is not referenced in nsswitch.conf) but it is impossible to tell if this corresponds to our 'losing' the ability to domain join.
Machines are added into ldap using the add machine script option to use smbldap-adduser.
The site is a 24x7 facility and these servers are hosting live applications in constant use, hence restarts are few and far between (that's why we don't use Windows Server....). Generally config changes are applied by 'kill -HUP $(< /var/run/smbd.pid)', so please feel free to highlight anything that needs a full restart.
Our attempts on the client-end
------------------------------
We have tested joining numerous PCs to the domain using machines with the following major differences:
- 64-bit and 32-bit platforms
- Windows 7 (service pack 1) and Windows XP (service pack3)
We also deliberately removed a fully functioning PC already an active member of our domain, then attempted to re-join the PC back into the domain – the result was unsuccessful.
We have also tried renaming PCs' workgroups before joining the domain – ensuring that the workgroup is not the same as the domain.
The LDAP entries were removed before joining the domain.
We have also tried renaming the computer names to join the domain (in case of any cached LDAP issues).
All Samba recommended registry settings have been standardised before attempting to join a PC to the domain and, as previously stated, a currently active domain PC was removed from the domain and attempted re-entry unsuccessfully.
All Win7 network settings have been dumbed down for backwards compatibility (encryption settings etc).
On attempting to join the domain, different, and even newly created, administrator accounts, both local and Samba-mapped users, have been used to join the domain.
Our attempts at the server-end
------------------------------
Attempting to join any PCs to the domain does successfully create/amend the relevant entries in the LDAP every time.
We have tweaked the 'add machine script' setting between -w and -W and this does not appear to resolve the issue (though you can see from the LDAP itself that it changes the nature of the entries created as expected).
We have also tried to resolve a situation we could see on Wireshark where (to our reading) the Win7 box tries to create a machine account by RPC, gets told it already exists, then tries to change the account details (I assume PW) and gets an error that the user does not exist. Adding our ou=Computers branch into ldap.conf for nss removed this error but didn't solve the problem, hence the extra (conceptually undesirable) setting has been removed.
LDAP entries have been manually edited to remove leading spaces from the W flag in sambaAccountFlags (following a previous suggestion) but it did nothing.
Currently, the samba shares are being accessed successfully by PCs that had previously been joined to the domain. PCs that are not joined to the domain are also able to access the server network shares using domain user credentials.
Server configuration settings
-----------------------------
smb.conf + included files machine.conf, alias.d/DOMAINTOP.conf, alias.d/SERVER.conf
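The post above describes two preconditions a Samba 3 PDC with an LDAP backend needs before a workstation join can succeed: the machine account (uid ending in `$`) must resolve as a Unix user through nss_ldap, and its LDAP entry must carry the sambaSamAccount attributes with a well-formed workstation flag string (the attribute in Samba's LDAP schema is `sambaAcctFlags`). The script below is an added example, not code from the original post or from the Samba or smbldap-tools projects: it audits machine-account entries dumped from ou=Computers (e.g. the output of `ldapsearch -x -b ou=Computers,...`) for exactly those defects, including the leading-space-in-flags problem the poster mentions. The LDIF, DNs and SIDs are constructed sample data, and the minimal LDIF parser is part of the example, not a Samba tool.

```python
import base64
import re

# Constructed sample LDIF (not from the original post). ws01 is healthy,
# ws02 carries the leading space inside sambaAcctFlags, ws03 lacks the
# posixAccount class, so NSS can never resolve it as a Unix user.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-111-222-333-3002
sambaAcctFlags: [W          ]

dn: uid=ws02$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
uidNumber: 1002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-111-222-333-3004
sambaAcctFlags:  [W          ]

dn: uid=ws03$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: sambaSamAccount
uid: ws03$
sambaSID: S-1-5-21-111-222-333-3006
sambaAcctFlags: [W          ]
"""

# Samba's flag string is a bracketed, space-padded list of capital letters.
FLAGS_RE = re.compile(r"^\[[A-Za-z ]*\]$")


def parse_ldif(text):
    """Minimal LDIF reader returning a list of (dn, {attr_lower: [values]}).

    Continuation lines are unfolded and '::' values are base64-decoded.
    Only ONE space after the colon is treated as the separator, so a value
    that starts with a further space keeps it; that is the defect we hunt.
    """
    entries = []
    unfolded = re.sub(r"\n ", "", text)          # fold "\n " continuations
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):             # "attr:: base64"
                value = base64.b64decode(rest[1:].strip()).decode()
            elif rest.startswith(" "):
                value = rest[1:]                 # strip exactly one separator space
            else:
                value = rest
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def check_machine_entry(attrs):
    """Return a list of human-readable problems for one machine-account entry."""
    problems = []
    uid = attrs.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid %r does not end with '$' (not a machine account name)" % uid)
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing posixAccount: nss_ldap cannot resolve the host as a Unix user")
    if "sambasamaccount" not in classes:
        problems.append("missing sambaSamAccount: Samba will not see a domain machine account")
    if "sambasid" not in attrs:
        problems.append("missing sambaSID")
    flags = attrs.get("sambaacctflags")
    if flags is None:
        problems.append("missing sambaAcctFlags")
    else:
        f = flags[0]
        if f != f.lstrip():
            problems.append("sambaAcctFlags has leading whitespace: %r" % f)
        if not FLAGS_RE.match(f.strip()):
            problems.append("sambaAcctFlags is malformed: %r" % f)
        elif "W" not in f:
            problems.append("sambaAcctFlags lacks the W (workstation) flag: %r" % f)
    return problems


def audit_ldif(text):
    """Map each entry DN to its list of problems (empty list means healthy)."""
    return {dn: check_machine_entry(attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

An entry that passes every check here can still be invisible to Samba if nss_ldap's search base does not cover ou=Computers, which is the situation the poster hit; the live check for that half is `getent passwd 'ws01$'` on the PDC, which must print the machine account before a join can be expected to work.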