Monday, August 30, 2010

After a re-IP of an Xserve, XP clients could not log in using SMB

An office moved locations and in so doing upgraded their DC to Windows Server 2008 and also changed the IP of their Tiger (10.4.11) Xserve.

After completing the process, XP users were unable to log into the Xserve using SMB.  AFP connections were unaffected.

After many long nights of troubleshooting and searching through server and Wireshark logs, we were still no closer to a solution.  A Leopard server was built at the location to test and it initially had the exact same problem.

To get the test Leopard server to work we had to follow the steps outlined below and replace the smb.conf file with the smb.conf.template file.  After doing these steps, SMB connections to the Leopard server were successful.

During the entire process we were working with Apple, and they built Tiger, Leopard and Snow Leopard servers in their environment to see if they could reproduce the problem; they could not.

Apple felt that, contrary to our initial assumptions, changing to a 2008 DC did not cause the problem.  Rather, the re-IP of the Tiger server broke SMB authentication.  They could not pinpoint the problem exactly but suggested we follow these steps to resolve the problem:

1. Change the role of Windows to Standalone server.  Stop the Windows service.

2. Unbind from Active Directory.

3. Run the changeip script and change the IP address in System Preferences/Network.  Restart the server.

4. Run the command "sudo changeip -checkhostname".  If everything is correct, bind the server to Active Directory.

5. Change the role of Windows to Domain Member and start the Windows service.

6. Verify the SMB shares are configured correctly (I created a new share).

7. Have XP clients connect to the 10.4 server.

Unfortunately, the problematic Tiger server wouldn't allow us to complete the tasks, failing on step 5: changing the role back to a Domain Member.
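
One way to confirm the name-to-address mapping that step 4 relies on before re-binding to Active Directory, as an added example that is not part of the original post or of Apple's instructions. The host name, the 192.0.2.x addresses, the function names and the `RECORDS` file format are all constructed for illustration.

```shell
#!/bin/sh
# Added example: after a re-IP, forward and reverse DNS must both agree on the
# new address before re-binding. RECORDS (an assumption of this example) names
# a file of "A <name> <ip>" / "PTR <ip> <name>" lines; unset, dig is queried.

lookup() {  # usage: lookup A <name> | lookup PTR <ip>
    if [ -n "${RECORDS:-}" ]; then
        awk -v t="$1" -v k="$2" '$1 == t && $2 == k { print $3 }' "$RECORDS"
    elif [ "$1" = PTR ]; then
        dig +short -x "$2" | sed 's/\.$//'
    else
        dig +short A "$2"
    fi
}

# check_reip <fqdn> <new_ip> [old_ip]: prints findings, returns 0 only if clean
check_reip() {
    fqdn=$1; new_ip=$2; old_ip=${3:-}; rc=0
    fwd=$(lookup A "$fqdn")
    rev=$(lookup PTR "$new_ip")
    if ! printf '%s\n' "$fwd" | grep -qxF "$new_ip"; then
        echo "FAIL: $fqdn does not resolve to $new_ip"; rc=1
    fi
    if ! printf '%s\n' "$rev" | grep -qixF "$fqdn"; then
        echo "FAIL: $new_ip does not reverse-resolve to $fqdn"; rc=1
    fi
    if [ -n "$old_ip" ]; then
        if printf '%s\n' "$fwd" | grep -qxF "$old_ip"; then
            echo "FAIL: stale A record still maps $fqdn to $old_ip"; rc=1
        fi
        if lookup PTR "$old_ip" | grep -qixF "$fqdn"; then
            echo "FAIL: stale PTR record still maps $old_ip to $fqdn"; rc=1
        fi
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: forward and reverse DNS agree"; fi
    return "$rc"
}

# Constructed sample: the A record was updated but the old PTR was left behind.
sample_records() {
    printf '%s\n' 'A xserve.example.com 192.0.2.20' \
                  'PTR 192.0.2.10 xserve.example.com'
}
```

Against live DNS, leave `RECORDS` unset and pass the server's real name with its new and old addresses; a non-zero exit means the records should be corrected before the bind is attempted.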

At that point it was decided to rebuild the server as a 10.5.8 Leopard server.  14 hours later, we finished the job!  There were problems with the mirrored set in the Xserve which forced us to break the RAID and install on a single physical drive.

We were finally successful at rebuilding the server, and when we were done XP clients could connect using SMB and get single sign-on.

One nice thing: because we only rebuilt the Xserve and not the Fibre Channel RAIDs attached to it, all the AD file and folder permissions were retained.  This saved us a huge amount of time by not having to re-perm all the shares!

