Samba: Windows can't access linux. Password needed?!?

mcgoon · 06-04-2005, 09:48 PM

Hi all!
After 2 days of agonising pain, I have just about given up, but I thought you might be able to help. I am trying to give my win98 ("bob") and win xp ("annie") machines access to my fc2 with samba.
I have disabled my firewall and at the moment they can see my computer ("micah_fc2").

However, when they click on it, they're asked to type in password for IPC$ access.
I've purposely set it up so that there are no passwords.
Have I missed a step or something?
This is my smb.conf below:

[global]
workgroup = MSHOME
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
netbios name = micah_fc2

hosts allow = 192.168.1.100 192.168.1.104 192.168.1.1
security = USER
local master = YES
os level = 33
valid users = dell bob annie mjm

guest ok = yes

wins support = yes
dns proxy = no

create mask = 0644
directory mask = 0755

public = yes
server string=linux %v
client schannel = no
server schannel = no

log file = /var/log/samba/%m.log
max log size = 50

username map = /etc/samba/smbusers

[Shared]
comment = shared stuff
path = /home/mjm/pictures
read only = no
guest ok = yes
public = yes
browseable =yes
create mask = 0666
directory mask = 0777
valid users = dell, bob, annie, mjm

[mjmdir]
path = /mnt/G
valid users = mjm,bob,Annie
#public = yes
writable = yes
printable = no
guest ok = no
browseable = yes
create mask = 0666
directory mask = 0777
valid users = dell, bob, Annie, mjm

What have I missed?

Thanks!
Micah

randyding · 06-04-2005, 10:54 PM

Did you run smbpasswd? You need to add each user to samba and then set the passwd for each user.

As root, run the following for each user:
smbpasswd -a <username>
It will prompt you for a password, it does not have to be the same as the user's linux password. Once the account is added, each individual user can change their smb passwd with the same command, but no -a this time.

mcgoon · 06-04-2005, 11:05 PM

I did: useradd -c "annie" -d /home/annie -s /sbin/nologin annie",
then "smbpasswd -a annie"
(and the same for bob).

Do I need to actually give them a password? Or did I use the wrong parameters when adding them as users?

Thanks for the speedy reply.
Micah

randyding · 06-05-2005, 02:00 AM

The password that was set by smbpasswd is the password that has to be supplied by windows when connecting to the samba share. I think you can use the -n option with smbpasswd to set a blank password. If you don't know what password was supplied when smbpasswd asked for one then I'd say re-run smbpasswd and set a known password for each user that intends to connect via windows.

mcgoon · 06-05-2005, 09:15 PM

Thanks for the suggestion! I tried smbpasswd -n "bob" and added "null password = yes" in smb.conf. Unfortunately it didn't seem to work. I then tried it with an actual password (ie. smbpasswd -a bob and typed in a new password) but to no avail. Then I gave it a shot with security = share, smbpasswd -n bob. Still no luck.

I noticed when I "smbclient -L bob", it lists annie as its master (annie is an evil xp machine).
Could this be the cause of any problems given i got local master = yes?

randyding · 06-05-2005, 10:02 PM

Its probably time to backstep now and put back the original smb.conf file, I've always had that work for the normal user directories. Once that is verified working, go change things one at a time until it breaks again then you can figure out where things are going wrong.
What distro are you using and what version of samba?

ARC1450 · 06-05-2005, 10:44 PM

I would suggest, instead of reverting back to the original Samba file, comment out all the "valid user" lines, as they can be a pain in the butt if you don't watch it. Also, you might want to comment the "hosts allow" line.

Those are just my suggestions. A good rule of thumb I've learned is that if your security is too restrictive, keep commenting out the restrictions until stuff works to find out what caused it. Could be a mis-typed line, it could be a misunderstanding of what a setting does on a certain line.

And, if you really need, I can always post up a sample working smb.conf for you.

mcgoon · 06-05-2005, 10:45 PM

i'm using the latest version of samba (3.0.14a) and fedora core2. Know of any bugs with that combination?

But I'll take out all the unnecessary stuff I've put into smb.conf and give that shot. (My original smb.conf never actually worked but, in restrospect, that had more to do with the firewall I was using at the time.)
I'll let you know how it all goes.
Cheers!
Micah

ARC1450 · 06-05-2005, 10:55 PM

I think that's the same version I use, and the only Samba bug I know of is actually in the kernel code for the clients (caused hard-locking issues that I, and a lot of the Gentoo forums, were unsure about).

Best advice I can offer (as I've dealt with it myself); get the base config working, then start adding the security stuff into the mix. I've done a lot of

on the wrong config files which only ended up causing more issues in the end.

mcgoon · 06-06-2005, 12:01 AM

Thanks ARC1450. I will definitely be # any lines I don't know or need. But if you are able to post your smb.conf up on the site that'd be great (because at the very least it will be a good reference point for me.)
Appreciate all the help.

ARC1450 · 06-06-2005, 09:08 AM

Sure.

Code:

[global]
	log file = /var/log/samba/log.%m
	passdb backend = tdbsam
	smb passwd file = /etc/samba/private/smbpasswd
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	#logon drive = H:
	domain master = yes 
	#time server = yes
	encrypt passwords = yes
	wins support = yes
	dns proxy = yes
	netbios name = Apollo
	server string = Samba %v
	local master = yes
	#logon path = \\%L\Profiles\%U
	workgroup = cruea.net
	os level = 65
	#add user script = /usr/sbin/useradd -s /bin/false %u
	security = user
	max log size = 500
	#domain logons = yes
	unix extensions = no
	debuglevel = 2
	use sendfile = no
	
	printing = cups
	printcap name = cups
	load printers = yes

#[netlogon]
#  comment = Network Logon Service
##  path = /home/cruea.net/netlogon
#  guest ok = yes
#  writable = no
#  browsable = no
  
#[Profiles]
#    path = /home/cruea.net/profiles
#    browseable = no
#    guest ok = yes
#    writable = yes
#    create mode = 0600
#    force create mode = 0600
#    directory mask = 0700
#    force directory mode = 0700
 
#[print$]
#	comment = Printer Drivers
#	path = /var/lib/samba/printers
#	guest ok = no
#	browseable = yes
#	read only = yes
#	write list = arcruea, root

[HPDeskJet842C]
	valid users = arcruea, bmcruea, dacruea
	comment = HP DeskJet 842C
	path = /var/spool/samba
	browseable = yes
	guest ok = no
	public = no
	writable = no
	printable = yes
	create mode = 0750
	printer admin = arcruea, root
	
[printers]
	valid users = arcruea, bmcruea, dacruea
	path = /var/spool/samba
	comment = All Printers
	browseable = no
	guest ok = no
	public = no
	writable = no
	printable = yes
	printer admin = arcruea, root
		
[MP3]
	valid users = arcruea, bmcruea, dacruea
	comment = MP3's
	path = /MP3
	public = no
	read only = no
	writable = yes
	browseable = yes
	printable = no
	create mode = 0750
	force create mode = 0750
	directory mask = 0750
	force group = mp3
	
[Users]
	valid users = arcruea, bmcruea
	comment = User files
	path = /home/%U
	public = no
	read only = no
	writable = yes
	browseable = yes
	create mode = 0740
	force create mode = 0740
	directory mask = 0750
	force group = users

[CommonFiles]
	valid users = arcruea, bmcruea
	comment = Common Downloads and Other Files
	path = /home/common
	public = no
	read only = no
	writable = yes
	browseable = yes
	create mode = 0750
	force create mode = 0750
	directory mask = 0750
	force group = users
	
[ApacheDocs]
	valid users = arcruea, bmcruea
	comment = Web Page Folder
	path = /var/www/localhost/htdocs
	public = no
	writable = yes
	browseable = yes
	create mask = 0750
	force create mode = 0750
	directory mask = 0750
	force group = apache

[Video]
	valid users = arcruea, bmcruea
	comment = Movies/Music Vids
	path = /Video
	public = no
	writable = yes
	browseable = yes
	create mask = 0750
	force create mode = 0750
	directory mask = 0750
	force directory mode = 0750
	force group = vids

[XP Cab files]
	comment = Cab files for XP Pro
	path = /mnt/cdrom/
	public = yes
	writable = no
	browseable = yes

That's my smb.conf for my fileserver. Any questions, do ask.

mcgoon · 06-06-2005, 10:27 PM

Hi!

Thanks for that. I'll give it a shot when I get home. A quick question though (just so I understand what it all means):
What does the os level, passdb backend and debug level refer to?
Cheers!

ARC1450 · 06-06-2005, 10:52 PM

Quote:

Originally posted by mcgoon
Hi!

Thanks for that. I'll give it a shot when I get home. A quick question though (just so I understand what it all means):
What does the os level, passdb backend and debug level refer to?
Cheers!

The OS Level is for browser elections. 65 is the default value, I think. I just left it in there, because at the time I was fiddling with domain controllers and master browsers for the network.

Passdb backend is the Password Database Backend. Samba 3 uses a different one than Samba 2 did, but you don't have to put that in there. (To my knowledge).

Debug Level is the amount of information (basically, all info, warnings, errors, errors and warnings, stuff like that) it puts into is log file(s). man smb.conf should give you a lot more info on that one. I think you can go up to level 9 or something, which is REALLY verbose logging, if I remember properly. I think 3 was the default. Not sure on that. I'd have to peek in my Samba book.

mcgoon · 06-07-2005, 09:20 AM

Well I puched in the details for the smb.conf you gave me.
However, much to my utter disgust, it still wouldn't work (AGAIN)!

So, given it works for you, I went back to basics and looked at the samba log file.
In it, I found the same error every time I tried to start/restart winbindd:

[2005/06/07 23:45:37, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
winbindd: idmap uid range missing or invalid
[2005/06/07 23:45:37, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
winbindd: cannot continue, exiting.
[2005/06/07 23:45:37, 1] nsswitch/winbindd.c:main(897)
Could not init idmap -- netlogon proxy only

I then went through the startup logs and found that
1. winbindd wasn't starting up, and
2. there were a whole lot of errors in the logs about a file called /etc/gconf/gconf.xml. (I can post the errors up if you want)
Are these two things related?

When I installed samba from source, it dumped everything in /usr/local/samba - including smbd, nmbd and swat. (Weird?!)
It didn't create an /etc/init.d/smb file either.

So I think there may be some discrepencies that have arisen when I installed samba.

Are there any settings I need to change in specific files that can fix this?
I have found web pages that mention nsswitch.conf... does that have anything to do with it?

ARC1450 · 06-07-2005, 10:39 AM

Just out of curiosity, why didn't you use Yum (or whatever FC's package manager is) to get the latest and greatest Samba?

If you were trying to start the one you compiled from source, you should use something like smbd -D and nmbd -D to start it up.

I tried once to install Apache via source because I was ticked off at RH in the 7.0 days. GUess what. . .no go. I found out that RH did things their own special little way, just enough to piss off a source code compile of some packages.

gconf, AFAIK, is related to Gnome.

I have NO clue why that popped up in the error logs.
nsswitch. . .I've never touched it. You aren't trying to use the tdbsam for your password db backend, are you? If you are, you have to switch that stuff over to tdbsam before you can tell Samba to use it, as it'll default to the old way for compatibility purposes.

What do the web pages say about nsswitch.conf?

[edit]You can always run testparm to make sure the syntax in your smb.conf file is correct so as to rule out issues with that.