I'm losing my mind trying to get Red Hat 9, build 2.4.20-19.9 to participate in my Windows 2000/NT mixed-mode domain. I have followed the instructions I found at data-based-systems.com/downloadables/LinuxSambaWithWindows2000 which shows how to configure Samba, deal with password encryption and getting the NT domain SID. Got the correct message indicating my machine has joined my domain, but still cannot see shares on either enviornment - no WIN from Linux smb:///, no Linux from Network Neighborhood areas anywhere. Went and made a couple more modifications manually to the smb.conf file, and now have a X-system that won't allow me to log in as root or my defined user. I get nothing except "Authentication Failed!" dialog...can anyone out there help me recover my system so I don't have to re-install it for a third time? Thanx in advance for any assistance...

I have followed the instructions I found at data-based-systems.com
I can't access the document you posted the URI for.

Went and made a couple more modifications
What you want to start with is track the changes you made and determine what their effect would be on authentication. Next up the verbosity on any PAM module involved adding "debug" statements where appropriate, try to use any debug and verbosity options in the apps you use, check your logs for clues and post any results. That would possibly help people to help you better.

//moderator.note: configuration issue, moving to Linux - Networking.

do this...reboot your system,
press e at the RH9 splash screen,
arrow down to the
kernel /vmlinuz-2.4.20.8 ro root=LABLE=/
and press e again
type "single" at the end of the line so that the line reads:
kernel /vmlinuz-2.4.20.8 ro root=LABLE=/ single
(make sure you put a space between the last / and single)
press enter to save the setting, and press b to boot with that selected option.

This will boot you into single user mode where you can remove ANY passwords.

once you are at an SU prompt, edit the /etc/shadow and remove all charachters between the first two colons for root. The rest of the root line should match all the other user entries.

example:
root::12256:0:99999:7:::
bin:*:12256:0:99999:7:::
and so on...

now when you reboot, root will not have a password. just make sure to go back and set a root password once you get back in.

This works for GRUB, I know there is a way to do it for lilo. It is simialr but there are subtle differences, that I would have to play around with to figure out. But my system uses grub...so if you use lilo, you just need to figure out how to pass the kernel the "single" switch during boot.

Thanks Dubman, actually I've tried that though. Well, not exactly that but... I was able to run the password change, but it had no effect. It wouldn't let me put in a null password. I was able to mount my /etc/samba and edit smb.conf to undo my manual changes to that, but it didn't help either. Will attempt what you have described next, thanks.
It appears to me to have something to do with my AD authentication, maybe...

Here's what I'm thinking, though I don't know if I'm on the right track on this... My system did successfully join my mixed-mode (NOT "true" Win2K) domain (not "true" since my DC is Win2k server sp4, but BDC is NT4 server sp6). Could it be that my Linux authentication is looking to the AD but is being blocked by network config error or forgotten firewall config maybe?

Something turned on "zebra" service also, don't think it was me...could that have any effect?


I couldn't overcome this hurdle a couple years ago on RH 6.2 and gave up, here it is back again to plague me!

maybe I can post the link I referred to now, couldn't before because I'm new here.
http://www.data-based-systems.com/do...indows2000.htm

zebra shouldn't make any difference, unless of coarse your linux box is acting as a router between two different networks.

firewall could definalty be an issue. what kind of firewall are you going through? or are you just running iptables locally. if you are running locally, just turn the service off
#service iptables stop
if it works now you will need to look at your rule set for iptables.

if you are running through an outside firewall you will need to configure allow statements for the traffic you are wanting to permit.

if you are routing between two different networks, you will also need to set up default gateways, or at least static routes so your return traffic can get back. for instance...if you send traffic from your linux box and it gets to your DC, if the DC dosn't have a route back to the linux box, the packets will get dropped. Simple packet trace with tcpdump will tell you were the packets are, and if they are getting back to the source. You would also need to turn on routing in /etc/sysctl.conf with the "net.ipv4.ip.forward = 1" option
to enable the linux routing.

I think I may be getting off on a rant here and pointing you in the wrong direcction...but if authentication is your issue...
make sure you have added a samba user and configured your samba user password correctly.

try posting your smb.conf file in here so i can take a look.

--dubman

I'm looking at my "shadow" right now

The root entry looks like it has a long encrypted string in front, looks little like your sample. Here it is:
root:$1%CwKHSdax$V0t9m0jMD0qBGEwau.EL51:12264:0:99999:7:::

also I see that all the rest of the lines in shadow have 12262, not 12264, and don't have the long string in front.

as for my smb.conf, I'll have to re-type sections of it for you, since I can't connect to my LAN from there...copying to a DOS floppy probably won't work, but I'm headed that way. What would you like to see?

On a whim, I tried to login as root, and as my user, at the sh-2.05b# prompt, in single mode. As root, I got:
pam_ldap: ldap_simple_bind Can't contact LDAP server.

As my other user, I got:
Authentication service cannot retrieve authentication info.

Don't know if this helps, but it still makes me think the problem might be Linux not getting information from the Win2k DC/domain.

Now I just did the correct edit on my shadow file to wipe out my root password, and tried to login without rebooting, got the same error as my "other" user above...

Rebooted, login at x-windows still produces "Authentication Failed!" Am heading for smb.conf, as well as turning off named and zebra, if possible from single mode.

you should be able to copy your whole smb.conf to a floppy and just open in wordpad on your windows box...that usually works for me. This would cause problems if you were trying to use that script on the linux box, but since we are just trying to get the data off it, it should be fine. Keep in mind that you can't create your smb file from windows and copy it over to Linux. this is where the dos/ext2 conversion will srew things up

what you should do is just remove the entire string between the first two colons. and match the rest of the root line with the other entries...so if your sting says:
root:$1%CwKHSdax$V0t9m0jMD0qBGEwau.EL51:12264:0:99999:
7:::

and all the other strings say:
blah:blah:12262:0:99999::7:::
then make your root string say:
root::12262:0:99999::7:::

this should clear out the root password and allow you to log on successfully.

--dubman

Here's my smb.conf
Note that my internal TCP/IP system doesn't use 192.168.0, it uses the routeable 198.170.0. series. Don't know if this matters, been using it since NT3.51 days.
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = BLAENG

# server string is the equivalent of the NT Description field
server string = Linux3 Laptop - Samba server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 198.170.0. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
# guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
max log size = 0

# Security mode. Most people will want user level security. See
# security_level.txt for details.

# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following is needed to keep smbclient from spouting spurious errors
# when Samba is built with support for SSL.
; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# You can use PAM's password change control flag for Samba. If
# enabled, then PAM will be used for password changes when requested
# by an SMB client instead of the program listed in passwd program.
# It should be possible to enable this without changing your passwd
# chat parameter for most setups.

pam password change = yes

# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# This parameter will control whether or not Samba should obey PAM's
# account and session management directives. The default behavior is
# to use PAM for clear text authentication only and to ignore any
# account or session management. Note that Samba always ignores PAM
# for authentication in the case of encrypt passwords = yes

obey pam restrictions = yes

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
; interfaces = 198.170.0.1/254 192.168.0.1/254

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44
remote announce = 198.170.0.255

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
wins server = <address withheld for security>

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
guest ok = yes
guest account = jam
password server = passsrv.innovativecontrolscorp.com
security = DOMAIN
dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no

#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = yes
writeable = yes
valid users = %S
create mode = 0664
directory mode = 0775
# If you want users samba doesn't recognize to be mapped to a guest user
; map to guest = bad user


# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
guest ok = yes
writable = yes
share modes = yes


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /usr/local/samba/profiles
; browseable = no
; guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
printable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff

# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /home/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes

# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no

# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/local/pc/%m
; public = no
; writable = yes

# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no

# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765

[jam]
comment = Linux3 CPQ PII-350 6GHD 128MRAM
path = /home/jam
writeable = yes

[public]
path = /public
writeable = yes
guest ok = no

can you wack wack to the linux share?

from a run line on the windows box...
\\linux_host_name\share_folder
or
\\Linux_IP_ADDR\share_folder

nope. Can't ping it either now, although I've gotten that far before trying to go from User authentication to Domain auth. in my setup. Have never been able to see Linux from NetNeighborhood, or Win machines in smb://, even when I could ftp://.

if you cant ping, you definatley wont be able to get share access. You need to get base connectivity first. then get domain connectivity, the worry about share conenctivity. Sounds liek you have some routing and/or dns problems.

Yeah, that's the whole difficult part of using AD, tight integration of domain w/DNS. how can I turn off routing, dns, & samba from the single-mode prompt on my Linux box, that should get me back in if I wipe the root password again, shouldn't it?

hmm, well maybe...

to diable routing do this:
edit /etc/sysctl.conf
set "met.ipv4.ip_forward = 0"

samba:
#chkconfig smb off

dns:
#chkconfig named off

this will disable routing, samba, and dns for your next boot.