LinuxQuestions.org

linuxpng2 08-30-2006 03:31 PM

Connecting XP to Samba domain controller
 
I know this has been asked a million times, so I'm sorry for bringing it up again, but I've tried everything I've read to get this to work. I've got a RHEL4 server set up as a domain controller (will post my smb.conf below). I can map a drive from XP and copy data to/from with no problems. When I try to add the domain, it prompts me for ID/PW (which tells me it's at least *seeing the domain*) but when I enter my Samba ID/PW, I get "Access is Denied".

Now I've tried changing my registry on XP. I've tried adding my machine itself (which I may not have done correctly). Any ideas why it's not working?

Again, sorry for bringing it up again, but I'm a newb trying to learn. :(


#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = DMBACKUP

# server string is the equivalent of the NT Description field
server string = Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = cups

# This option tells cups that the data has already been rasterized
cups options = raw

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/%m.log
# all log information in one file
# log file = /var/log/samba/smbd.log

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server
; password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
; username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
logon script = %m.bat
# run a specific logon batch file per username
logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no

# add machine script = /usr/sbin/useradd -g machines -c Machine -d /dev/null -s /bin/false %u

#============================ Share Definitions ==============================
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
[homes]
comment = Home Directories
browseable = no
writable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /home/netlogon
writable = no
public = no


# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /home/profiles
; browseable = no
; guest ok = yes


# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; read only = yes
; write list = @staff

New2Linux2 08-30-2006 05:03 PM

Same here
 
I'm having the exact same problem, except on the latest stable Debian (Sarge). I have even gone into my WinXP machine and disabled "Use simple file sharing" because of another error I was getting. After I rebooted, I'm back to "Access Denied". When prompted for UID/PWD to join the domain, I am entering "domainname\username" for the user. Here is my smb.conf:
Code:

# Global parameters
[global]
        workgroup = <DomainName>
        server string = %h (Samba %v)
        obey pam restrictions = Yes
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139
        name resolve order = host wins bcast
        time server = Yes
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        shutdown script = /var/lib/samba/scripts/shutdown.sh
        abort shutdown script = /sbin/shutdown -c
        logon path = \\%L\profiles\%U
        logon drive = U:
        logon home = \\%L\%U
        domain logons = Yes
        preferred master = Yes
        wins support = Yes
        utmp = Yes
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        map acl inherit = Yes
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*.doc/*.xls/*.mdb

[homes]
        comment = Home Directories
        username = %S
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        locking = No
        share modes = No

[profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        username = %S
        read only = No
        profile acls = Yes

# A couple of shared directories copied from previous file servers
# that are no longer in service
[Z]
        path = /fileserv
        username = %S
        read only = No

[X]
        path = /X
        username = %S
        read only = No


gv_rajasekhar 08-31-2006 12:40 AM

First, try to locate the problem.
Check the /etc/log/samba/nmbd.log file.
This gives all the details.

The most frequent problem is with WINS. You need to allow the host: "host allow=192.16.1."

If the problem persists, try the option wins support=no

linuxpng2 08-31-2006 09:00 AM

Quote:

Originally Posted by gv_rajasekhar
First, try to locate the problem.
Check the /etc/log/samba/nmbd.log file.
This gives all the details.

Dunno if this helps, but I did a service smb restart this morning and this is what's in my nmbd.log file:
Code:

[2006/08/31 09:50:13, 0] nmbd/nmbd.c:terminate(56)
  Got SIGTERM: going down...
[2006/08/31 09:50:14, 0] nmbd/nmbd.c:main(669)
  Netbios nameserver version 3.0.10-1.4E.9 started.
  Copyright Andrew Tridgell and the Samba Team 1994-2004
[2006/08/31 09:50:14, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
  add_domain_logon_names:
  Attempting to become logon server for workgroup DMBACKUP on subnet 9.44.131.11
[2006/08/31 09:50:14, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
  add_domain_logon_names:
  Attempting to become logon server for workgroup DMBACKUP on subnet UNICAST_SUBNET
[2006/08/31 09:50:14, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup DMBACKUP, subnet UNICAST_SUBNET.
[2006/08/31 09:50:14, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
  become_domain_master_browser_wins: querying WINS server from IP 9.44.131.11 for domain master browser name DMBACKUP<1b> on workgroup DMBACKUP
[2006/08/31 09:50:14, 0] nmbd/nmbd_nameregister.c:register_name_response(130)
  register_name_response: WINS server at IP 9.44.131.11 rejected our name registration of DMBACKUP<00> IP 9.44.131.11 with error code 5.
[2006/08/31 09:50:14, 0] nmbd/nmbd_workgroupdb.c:fail_register(228)
  fail_register: Failed to register name DMBACKUP<00> on subnet UNICAST_SUBNET.
[2006/08/31 09:50:14, 0] nmbd/nmbd_namelistdb.c:standard_fail_register(283)
  standard_fail_register: Failed to register/refresh name DMBACKUP<00> on subnet UNICAST_SUBNET
[2006/08/31 09:50:14, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup DMBACKUP on subnet UNICAST_SUBNET
[2006/08/31 09:50:14, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
  *****

  Samba server DMBACKUP is now a domain master browser for workgroup DMBACKUP on subnet UNICAST_SUBNET

  *****
[2006/08/31 09:50:14, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup DMBACKUP on subnet 9.44.131.11
[2006/08/31 09:50:14, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
  become_domain_master_browser_bcast: querying subnet 9.44.131.11 for domain master browser on workgroup DMBACKUP

I tried disabling wins, still get 'access is denied'. And tried the host allow option... same error. :(

gv_rajasekhar 08-31-2006 11:41 AM

Along with the nmbd log file, check the system log file which you are checking. Make sure root has a Samba password. I had a similar problem with that. I will try to post my smb.conf file. Linux has the great advantage of log files. Use these things for any application.

blackraider 08-31-2006 12:43 PM

First off: Have you tried to add some users to Samba with smbpasswd?

Second: Have you opened the Samba ports in your firewall/iptables (137-139 and 445)?

Third: Have you allowed the IPs of your network to connect in your firewall/iptables and configured NAT and masquerading (for extranet access)?

In my little experience, the steps I'd follow to get a Samba domain up and running were:

* Install and configure Samba
* Add users to Samba with smbpasswd and machines and users with useradd
(users must exist in both Linux and Samba to run properly)
* Open Samba ports in my firewall
* Add IPs of my networked machines to my firewall
* Create user's home directories
* Create and config the shares


Well, that's all. I hope this helps.

linuxpng2 08-31-2006 03:51 PM

well, i turned off wins support and i'm now able to connect to the domain when logging in as root (again, this is after i've done the 'registry hack' that people have posted about). I've read on some sites that once you've logged in as root, it has 'authenticated' your machine and you should be able to log in with any other valid samba id.. first question, how do you 'log out' of root? i mean, i've already connected to the domain, rebooted, have the option of logging back into my machine using that domain.. does that mean i should be able to log into windows itself with any valid samba id? if so, i can log into windows with my personal samba id, but.. second question, now obviously my entire windows desktop is different (i assume, because it's like i'm logging in with a different id). is there something i can disable so it will still load my normal windows workspace? or, would this not happen if my windows id and my samba id were the same (because they are currently different).

thanks for all the help so far :)

New2Linux2 09-01-2006 05:46 PM

Quote:

Originally Posted by gv_rajasekhar
First, try to locate the problem.
Check the /etc/log/samba/nmbd.log file.
This gives all the details.

The most frequent problem is with WINS. You need to allow the host: "host allow=192.16.1."

If the problem persists, try the option wins support=no

I am still unable to join my domain. Sarge's nmbd.log (/var/log/samba/log.nmbd) has no errors in it. Nothing failed to load and it shows that the server is running as Master browser, Domain Master and WINS server without issue. Just to be on the safe side, I went ahead and disabled WINS, just to see. Unfortunately, that had no effect. Syslog (/var/log/syslog) also is devoid of errors/failures. The same goes for my smbd logfile (/var/log/samba/log.smbd).

When I tried the "host allow=..." option, and then ran testparm, I got "Unknown parameter encountered: 'host allow' Ignoring unknown parameter 'host allow'" so I have removed it. I have added a root password to samba with "smbpasswd -a root" along with several other usernames and machine accounts. All accounts were first created using useradd, and then added to Samba.

The server is inside our network and behind our firewall/router. I wouldn't think that I would need to open the Samba ports in my firewall simply because I do not want any samba traffic passing through the firewall. Am I mistaken in that?

All user's shares and home directories have been created with permissions assigned. Of course, I'm unable to test that fully because I'm unable to have a single system join the domain still. If it helps any, my smb.conf was created using the "How To" available on Samba.org's site (Chapter 3: Secure Office Networking). The initial smb.conf was renamed to smb.conf.master and all modifications that take place are made to that file. When I'm done, testparm tells me whether or not I misspelled anything. I then use "testparm /etc/samba/smb.conf.master > /etc/samba/smb.conf" to create the main config file. If I make any changes, I then follow up with "smbd restart" and "nmbd restart". What am I missing?

New2Linux2 09-01-2006 06:15 PM

Quote:

Originally Posted by linuxpng2
well, i turned off wins support and i'm now able to connect to the domain when logging in as root (again, this is after i've done the 'registry hack' that people have posted about).

Good for you. I hope to say the same soon.
Quote:

I've read on some sites that once you've logged in as root, it has 'authenticated' your machine and you should be able to log in with any other valid samba id..
This is technically inaccurate. You aren't really logging in as root. You are logged into your local machine as "localmachine\userA" when you ask to join the domain. Because the domain controller has a separate list of users (domainuser\userA is a different user than localmachine\userA) it needs to know whether or not your machine has permission to become part of its domain. That is why you "Authenticate" to it with the domain admin (or root) username and password. Once it verifies that info, your machine becomes part of the domain and is given access to a new list of users: Domain Users.
Quote:

first question, how do you 'log out' of root? i mean, i've already connected to the domain, rebooted, have the option of logging back into my machine using that domain.. does that mean i should be able to log into windows itself with any valid samba id?
Rebooting logs you out automatically. When it comes time to log in to windows again, you can now login with any valid samba id (Domain User).
Quote:

if so, i can log into windows with my personal samba id, but.. second question, now obviously my entire windows desktop is different (i assume, because it's like i'm logging in with a different id).
CORRECT!!! You are logging in with a different id, one that your local computer has no history of.
Quote:

is there something i can disable so it will still load my normal windows workspace? or, would this not happen if my windows id and my samba id were the same (because they are currently different).

thanks for all the help so far :)
No. Even if your old windows (aka: localmachine) id and your new samba id were the same username, they would still be different because of the reasons outlined above. One is a domain member and the other is not. If you now browse the hard drive of your Windows computer to the Documents and Settings folder, you will see a folder for your old localmachine account and a folder for your new samba domain user account. This is just another indication that Windows sees both users as separate entities. One thing you can do is export all of your old settings from your localmachine account to your new domain user account using the "Files and Settings Transfer Wizard" - <Start> -> All Programs -> Accessories -> System Tools -> Files and Settings Transfer Wizard. Let me know if you need help using that tool. It should be fairly self-explanatory.

Hopefully, one day I'll have some *nix answers too (other than RTFM).;)

New2Linux2 09-06-2006 04:00 PM

Update: Still unable to join domain
 
I added the "hosts allow = 127.0.0.1 10.1.1.0/24" line to my smb.conf and got a different error: "parameter incorrect". I modified that line to be "hosts allow = 127.0.0.1 10.1.1" and got the same error. I rebooted the server and now am getting "The network path was not found."

I really am lost here, so any help at all would be much appreciated. My log.nmbd is still showing that the server is running as the domain master browser and the local master browser. :confused:

zhizaki 09-06-2006 07:51 PM

If I remember correctly, you are supposed to have the machine accounts added too. Like a machine account for each workstation connecting to the server.

fotoguy 09-06-2006 08:22 PM

Quote:

Originally Posted by zhizaki
If I remember correctly, you are supposed to have the machine accounts added too. Like a machine account for each workstation connecting to the server.

You can add these machine accounts on the fly in your smb.conf files. It has been over a year now since I had a domain controller up and running. Here is my old smb.conf so you can have a look at it.

Also make sure you don't have a firewall running at the time of testing your connection. Also check your /etc/hosts.deny file; if it has an entry of ALL:ALL, then you will need to place an entry in your /etc/hosts.allow file to allow your network to connect.

Code:

###########################################################################################################
#        Standard samba configuration
#
###########################################################################################################
[global]

        netbios name = mysamba
        workgroup = samba.ent

        server string = Samba Server

        encrypt passwords = yes
        unix password sync = yes
        #obey pam restrictions = yes

        time server = yes

        smb passwd file = /etc/samba/smbpasswd
        passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
        passwd program = /usr/bin/passwd %u

        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
       
        allow hosts = 192.168.1., 127., samba.ent
        hosts deny = ALL
        security = user
        max log size = 50
        hide unreadable = yes
        #veto files = /*mail/*news/*pcnfs/*pop/*rwho/*samba/*uucp/*uucppublic/
        map to guest = bad user
        invalid users = root @wheel
        dns proxy = no
        printcap name = lpstat
        load printers = yes
        printing = cups
        printer admin = @adm       
        remote announce = 192.168.1.255
        lpq command = lpq -P %p
        lprm command = cancel %p-%j
        name resolve order = lmhosts host bcast
        write cache size = 262144

###########################################################################################################
#        Domain controller global setup configuration
#
###########################################################################################################

        local master = yes
        preferred master = yes
        domain master = yes
        domain logons = yes
        os level = 65

        logon path = \\%L\profiles\%U
        logon drive = H:
        logon script = netlogon.bat
        logon home = \\%L\%U

        add machine script = /usr/sbin/useradd -d /dev/null -g 205 -s /bin/false -M %u
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/usermod -G %g %u


        #add user script = /usr/local/sbin/smb-add-user %u
        #add group script = /usr/local/sbin/smb-add-group %g
        #add machine script = /usr/local/sbin/smb-add-machine %u
        #add user to group script = /usr/local/sbin/smb-add-user-group %u %g
        #delete user script = /usr/local/sbin/smb-rm-user %u
        #delete user from group script = /usr/local/sbin/smb-rm-user-group %u %g
        #delete group script = /usr/local/sbin/smb-rm-group %g
       

        #domain admin group = root @wheel
        #domain guest group = nobody @guest

        log file = /var/log/samba/log.%m

###########################################################################################################
##==========Share Configuration=====================##

[netlogon]
        comment = Netlogon Directory
        path = /home/netlogon
        browseable = no
        writeable = no
        guest ok = yes
       
[profiles]
        comment = Users Profiles
        path = /home/profiles
        writeable = yes
        browseable = no

[homes]
          comment = Users Home Directories
          browseable = no
          writable = yes
       
[share]
        comment = Public Share Folder
        browseable = yes
        writeable = yes
        public = yes
        guest ok = yes
        #guest account = nobody
        guest only = no       
        force create mask = 0766
        path = /home/share
        force directory mode = 0755       
                                                               
[printers]
          comment = All Printers
          browseable = no
          path = /var/spool/samba
          printable = yes
          public = yes
          writable = no
          #create mode = 0750
        use client driver = yes
        guest ok = yes

[print$]
        path = /home/printers
        browseable = yes
        read only = yes
        write list = @adm root

[pdf-gen]
        path = /var/tmp
        guest ok = No
        printable = Yes
        comment = PDF Generator (only valid users)
        #print command = /usr/share/samba/scripts/print-pdf file path win_path recipient IP &
        print command = /usr/share/samba/scripts/print-pdf %s ~%u \\\\\\\\%L\\\\%u %m %I &


New2Linux2 09-12-2006 12:31 PM

I have those lines in my smb.conf (posted above) for creating machine accounts on the fly when the machine tries to join the domain. Just for GP's I went ahead and created an account in samba for a machine, but I'm still getting errors. In XP, when I try to join the domain, I get the pop up asking for credentials, then (about 30 seconds later) I get the error "The network path was not found" regardless of what I enter for credentials. This is even more confusing for me. If I try to join a non-existent domain (foobar.org) I don't even get the chance to authenticate. This tells me that XP is seeing the domain controller and is being asked to authenticate, indicating two-way communication between them. It's just not authenticating. What would cause this?

Once again, here is my info:
  • All user accounts have been created in Debian (one for each domain user)
  • Matching user accounts were then created in Samba (one for each domain user)
  • Domain groups were created and users sorted into their groups
  • Domain shares have been created with permissions assigned by group
  • User shares have been created with permissions assigned by user
  • Machine accounts are supposed to be created "on the fly" when the machine joins the domain
  • I have edited the registry and security settings in XP from suggestions in other posts here on LQ concerning this problem
  • Every change I make is followed by a restart of both smbd and nmbd
smb.conf
Code:

# Global parameters
[global]
        workgroup = XCOR.COM
        server string = %h (Samba %v)
        passdb backend = tdbsam
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        username map = /etc/samba/smbusers
        unix password sync = Yes
        log level = 1
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        smb ports = 139
        name resolve order = host wins bcast
        time server = Yes
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/usermod -G '%g' '%u'
        add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
        shutdown script = /var/lib/samba/scripts/shutdown.sh
        abort shutdown script = /sbin/shutdown -c
        logon path = \\%L\profiles\%U
        logon drive = U:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 65
        preferred master = Yes
        wins support = Yes
        utmp = Yes
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        hosts allow = 127.0.0.1, 10.1.1
        map acl inherit = Yes
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*.doc/*.xls/*.mdb
        security = user
        smb passwd file = /etc/samba/smbasswd

[homes]
        comment = Home Directories
        username = %S
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        guest ok = Yes
        locking = No
        share modes = No

[profiles]
        comment = Profile Share
        path = /var/lib/samba/profiles
        username = %S
        read only = No
        profile acls = Yes

[Z]
        path = /fileserv
        username = %S
        read only = No

[X]
        path = /X
        username = %S
        read only = No

FYI: I copied fotoguy's smb.conf into mine, changed the domain name and path information to match my setup and restarted samba. Same problems.

fotoguy 09-12-2006 05:43 PM

Quote:

Originally Posted by New2Linux2
"The network path was not found"

OK I think I remember getting the same or similar error once before when I was trying to get a XP machine to join samba. If I remember correctly on the XP machine try changing the dns settings, set dns1 to the address of the samba server before trying to add it to the samba domain controller, I think you may need to restart the XP machine first before trying to add it.

New2Linux2 09-12-2006 07:02 PM

Quote:

Originally Posted by fotoguy
If I remember correctly on the XP machine try changing the dns settings, set dns1 to the address of the samba server before trying to add it to the samba domain controller, I think you may need to restart the XP machine first before trying to add it.

That makes sense. Unfortunately, no effect. I rebooted XP, changed dns1 to my DC's IP (running bind9 for DNS), rebooted again and still got the "network path not found" error.

New2Linux2 09-13-2006 01:15 PM

Ok. Quick update. One of my samba logs (/var/log/samba/log.10.1.1.132) just filled up with a bunch of stuff:
Code:

[2006/09/13 10:43:37, 0] lib/access.c:check_access(328)
  Denied connection from (10.1.1.132)
[2006/09/13 10:43:37, 1] smbd/process.c:process_smb(1084)
  Connection denied from 10.1.1.132

These are repeated for several lines (about 20 repeats of those two lines with only the time changing). 10.1.1.132 is the machine that I've been trying to get to join the domain.
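Added example, not part of the original post: a small Python triage script for the two things this thread keeps circling, the `check_access` denials in the log above and the `hosts allow` line in the posted smb.conf. The log text is a constructed sample in the format shown above; the function names are hypothetical, and the lint is a heuristic based on the trailing-dot prefix form (`192.168.1.`) used in the smb.conf comments quoted at the top of the thread.

```python
import re
from collections import Counter

# Constructed sample in the two-line format shown in the post above.
SAMPLE_LOG = """\
[2006/09/13 10:43:37, 0] lib/access.c:check_access(328)
  Denied connection from (10.1.1.132)
[2006/09/13 10:43:37, 1] smbd/process.c:process_smb(1084)
  Connection denied from 10.1.1.132
[2006/09/13 10:43:52, 0] lib/access.c:check_access(328)
  Denied connection from (10.1.1.132)
[2006/09/13 10:43:52, 1] smbd/process.c:process_smb(1084)
  Connection denied from 10.1.1.132
"""

# Header line: [timestamp, debuglevel] source_file:function(line)
HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]\s+[^\s:]+:(\w+)\(\d+\)")
# Body line written by check_access; the hostname before the IP may be empty.
DENIED = re.compile(r"Denied connection from\s+(?:\S+\s+)?\(([0-9.]+)\)")

def parse_entries(text):
    """Return (timestamp, function, message) for each header plus its indented body."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append([m.group(1), m.group(2), ""])
        elif entries and raw.startswith(" "):
            entries[-1][2] = (entries[-1][2] + " " + raw.strip()).strip()
    return [tuple(e) for e in entries]

def denied_by_client(text):
    """Count host-access denials per client IP (check_access entries only)."""
    counts = Counter()
    for _ts, func, msg in parse_entries(text):
        m = DENIED.search(msg)
        if func == "check_access" and m:
            counts[m.group(1)] += 1
    return counts

def lint_hosts_allow(value):
    """Flag entries that look like a partial IPv4 address without a trailing dot."""
    tokens = re.split(r"[,\s]+", value.strip())
    return [t for t in tokens if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", t)]

if __name__ == "__main__":
    print(dict(denied_by_client(SAMPLE_LOG)))
    print(lint_hosts_allow("127.0.0.1, 10.1.1"))
```

A denial logged by `check_access` comes from the host access check rather than from password authentication, so the `hosts allow` and `hosts deny` lines are the first place to look when a client IP shows up in this count.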

achtung_linux 09-13-2006 02:19 PM

I hope you are not trying to get XP Home Edition in a domain... you cannot get a PC with XP Home Edition to join a domain.
I also hope that you checked your third-party (not Windows default firewall) firewall that you maybe installed by yourself a while ago and forgot about it, or your ISP gave you a trial/express edition of a firewall that you just overlooked while picking through log files...

New2Linux2 09-13-2006 04:04 PM

Quote:

Originally Posted by achtung_linux
I hope you are not trying to get XP Home Edition in a domain... you cannot get a PC with XP Home Edition to join a domain.

It is XP Pro SP2.

Quote:

I also hope that you checked your third-party (not Windows default firewall) firewall that you maybe installed by yourself a while ago and forgot about it, or your ISP gave you a trial/express edition of a firewall that you just overlooked while picking through log files...

Our company uses all Windows clients running Zone Alarm for AV, Firewall, Spam filter, YADA, YADA, YADA. I have uninstalled it from the test system for the time being to make sure it's not interfering with the network communications.

The Debian install was a minimal install (not even a GUI) with packages added after the OS was fully installed. So far only DNS (bind9) has been installed and configured to work on our network. Once I get Samba working, Exim4 will be the last thing to install and configure for this server (as far as server services goes anyways). I have not found any information one way or the other on what firewall Debian might have installed during its setup, but I have checked and am unable to find a PID for one running.

fotoguy 09-13-2006 05:38 PM

Quote:

Originally Posted by New2Linux2
invalid users = root

I notice you have root denied in the global settings, I wonder if that is stopping the machine from authenticating properly. Since it is denying root from connecting to samba, maybe try commenting it out for now and if it works just uncomment it once all the machines are connected.

blackraider 09-14-2006 04:49 AM

Comparing your smb.conf with mine, I've found some differences that could help you:

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
# In this case substitute 172... with your IP range and device
# This option enable samba to listen for connections
interfaces = 172.26.0.0/255.255.0.0 eth0

# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
domain logons = yes
#

This is for domain logons :

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
logon drive = H:
logon home = \\%N\%U

Could be important :

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

I've not used the host allow option in Samba. I've used /etc/host.allow to give access permissions.

Well, that's all. Hope it helps.

Bugrem 09-14-2006 01:37 PM

er......
What I know about this issue would fit behind a ferret's foreskin - but....

smb passwd file = /etc/samba/smbasswd??

B.

New2Linux2 09-14-2006 06:08 PM

Quote:

Originally Posted by fotoguy
I notice you have root denied in the global settings, I wonder if that is stopping the machine from authenticating properly. Since it is denying root from connecting to samba, maybe try commenting it out for now and if it works just uncomment it once all the machines are connected.

I commented out that line and saw no improvement. I was under the impression that the purpose of that line is to keep a user (admin included) from logging into a domain workstation with the root account. I did not think that it was a factor in the initial authentication for joining a machine to the domain. I haven't found any info one way or the other on that, so if anybody knows for certain, please post.

Quote:

Originally Posted by blackraider
Comparing your smb.conf with mine, I've found some differences that could help you:

I tried those changes and have not had any luck so far. I'm kinda thinking DNS crapped out on this thing.

Quote:

Originally Posted by Bugrem
er......
What I know about this issue would fit behind a ferret's foreskin - but....

smb passwd file = /etc/samba/smbasswd??

B.

I completely missed that typo. Good eye for picking it up.

I am starting to suspect DNS because my clients are no longer able to see this server on the network. I can ping it from any client, but cannot browse to it using Explorer (not IE). I will post whatever I find regarding this issue. Thanks for everyone's help so far.

New2Linux2 09-15-2006 04:47 PM

Isn't that just typical. DNS was kludged. I got it working and suddenly, Samba is in great shape. I can join the domain, run login scripts, share files and just have an all around good time. Thank you everyone for your help. I could not have gotten it working without all the excellent advice and leads.

fotoguy 09-15-2006 09:47 PM

Quote:

I commented out that line and saw no improvement. I was under the impression that the purpose of that line is to keep a user (admin included) from logging into a domain workstation with the root account. I did not think that it was a factor in the initial authentication for joining a machine to the domain. I haven't found any info one way or the other on that, so if anybody knows for certain, please post.

Yeah, stops anyone logging in through the root account, just wasn't sure if it affected the initial authentication since only root can add a machine to the domain, once the machine is added then any user can then log into the domain. Although you did create the initial account so probably didn't make a difference.

Quote:

Isn't that just typical. DNS was kludged. I got it working and suddenly, Samba is in great shape. I can join the domain, run login scripts, share files and just have an all around good time. Thank you everyone for your help. I could not have gotten it working without all the excellent advice and leads.

Good to hear it's all up and running, DNS can be fun sometimes. Glad to have helped.

svetoslav 09-29-2006 01:00 PM

Have you tried entering, as the username, the XP user you are logging in with, and that password? :)

vba_djs 11-20-2006 08:45 AM

DNS - Got it Working
 
Quote:

Originally Posted by New2Linux2
Isn't that just typical. DNS was kludged. I got it working and suddenly, Samba is in great shape. I can join the domain, run login scripts, share files and just have an all around good time. Thank you everyone for your help. I could not have gotten it working without all the excellent advice and leads.

This entire thread seems to describe the problems I'm having trying to join my XP machine to Samba.

I'm not sure what you meant or how you got DNS working?

New2Linux2 11-20-2006 01:53 PM

I'll clarify "kludged" for you then.

I had installed bind9 on this server for DNS. Unfortunately, several of the configuration files for the main zone and reverse zones had typos and little hard-to-find mistakes in them. After going through all of the configuration files and correcting those mistakes, DNS then started working to resolve domain names. As an alternative, you can set up a caching-only DNS server using the example provided here on the bind9 website (offsite link).

If you need more help than that, feel free to post your smb.conf here.

fotoguy 11-20-2006 06:28 PM

Just a quick note, you don't have to have a DNS server running to have clients connect to a samba domain controller.


All times are GMT -5.