LinuxQuestions.org
Old 08-02-2004, 08:07 AM   #1
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
Samba PDC can't authenticate root account.


Distro : RH9
Samba : 2.2.7a

Win XP Pro client can see PDC but can't authenticate root account. It says that this account is not present, but it is in the "smbpasswd" file. Root was created, enabled, and given a different password using the "smbpasswd -a root" command.

Client has been registered to the domain controller because when its host name is checked it's already appended in "smbpasswd" as - (hostname$......).

No errors when testparm is executed. The remote host shares can be seen by the samba server using "smbclient -L remotehost" and can be mounted on the RH9 server. I even tested it by transferring files.

Here is my smb.conf file:

[global]
netbios name = my_samba_server
workgroup = my_domain

encrypt passwords = yes

domain master = yes
local master = yes
preferred master = yes
os level = 65

security = user
domain logons = yes

logon path = \\%L\profiles\%u\%m

time server = yes

domain admin group = root

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

[netlogon]
path = /usr/local/samba/lib/netlogon
writable = yes
browsable = no

[profiles]
path = /usr/local/samba/profiles
writable = yes
create mask = 0600
directory mask = 0700

[homes]
read only = no
browsable = no
guest = ok
map archive = yes

/usr/local/samba/lib/netlogon has 775 permission. /usr/local/samba/profiles has 777 permission.

.... Thanks!

- itg
 
Old 08-02-2004, 09:27 AM   #2
homey
Senior Member
 
Registered: Oct 2003
Posts: 3,057

Rep: Reputation: 59
I don't see anything that really sticks out about your config. Maybe you can have a look at my notes and see if anything helps.
I got a real kick start from a tutorial from this site....
http://www-106.ibm.com/servers/esdd/...mba/index.html

Here are the important areas which I use.

groupadd -g 200 admins
groupadd -g 201 machines

mkdir -m 0775 /home/netlogon
chown root.admins /home/netlogon

mkdir /home/samba /home/samba/profiles
chmod 1757 /home/samba/profiles

The automated approach for machine accounts is to add the following line to the /etc/smb.conf
( Note: that is supposed to be all one line )
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

_______________________________________________________________

In some cases, the Windows machine refuses to join the Samba domain. Then the manual approach is needed also. Use the following commands while logged in as the root user. In this example the machine name is mudd.

/usr/sbin/useradd -g machines -d /dev/null -s /bin/false mudd$

passwd -l mudd$
You should see something like this....
Locking password for user mudd$
passwd: Success

Now add a samba password for the machine.
smbpasswd -a -m mudd$
You should see something like this....
Added user mudd$

________________________________________________________________

Add the user accounts ( Fred in my case ) and set the passwords
useradd fred
passwd fred
New password:
Retype password:

smbpasswd -a fred
New SMB password:
Retype SMB password:

***************************************************************
This part is very important for joining the domain from Windows.
When you get to the part on a Windows computer where it asks for the person who is authorized to join computers to the domain, I use the root user and password.

Give the root / admin user a samba password!!
smbpasswd -a root
New SMB password:
Retype SMB password:

I don't know if this really has any need but I edit the /etc/samba/smbusers ...
root = root administrators admin


Below is my smb.conf which works very nicely with those instructions.

Code:
[global]
workgroup = mydomain.com
server string = Samba Server
hosts allow = 192.168.0. 192.168.1. 127.
printcap name = /etc/printcap
load printers = yes
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

unix password sync = Yes
passwd program = /usr/bin/passwd %u
 passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

pam password change = yes
username map = /etc/samba/smbusers
include = /etc/samba/smb.conf.%m
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = yes
os level = 64
domain master = yes
domain logons = yes

logon home = \\%L\%U
;  logon drive = H:
logon path = \\%L\Profiles\%U
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

 dns proxy = no

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   valid users = %S
   create mode = 0664
   directory mode = 0775
# If you want users samba doesn't recognize to be mapped to a guest user
;  map to guest = bad user

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   read only = yes
   browseable = no
   write list = fred

[Profiles]
    path = /home/samba/profiles
    writeable = yes
    browseable = no
    create mask = 0600
    directory mask = 0700

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

Last edited by homey; 08-02-2004 at 10:32 PM.
 
Old 08-02-2004, 09:43 AM   #3
binidiot
Member
 
Registered: May 2004
Location: Spain
Distribution: Debian Woody, FreeBSD 5.2.1
Posts: 106

Rep: Reputation: 15
Are you logged on as "root" on your XP machine when you attempt to logon as "root" in Samba server machine?? ... If not, try adding new user account to Samba using exact same logon and password that you use to logon to XP machine....
 
Old 08-06-2004, 10:28 PM   #4
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Original Poster
Rep: Reputation: 31
It has allowed the Win XP machines to join. Their hostnames were added to the passwd and smbpasswd files, but it still can't log on a user, even root, though it's clear that the users I'm using are in smbpasswd and I even edited smbusers as: root = root administrators admins; gani = gani. I even consulted the samba documentation and compared it with the book I'm reading - they have the same procedures.

Does it have to do with the version of samba? I'm thinking, why be bothered with this old version since samba is now at 3.0.5?
 
Old 08-10-2004, 12:32 AM   #5
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Original Poster
Rep: Reputation: 31
I have browsed through this in the samba.org Official HOWTO guide. But this covers v3.0 of samba.
---------------------------------------------------------------------------------------------
"Cannot Log onto Domain Member Workstation After Joining Domain"

After successfully joining the domain, user logons fail with one of two messages: one to the effect that the Domain Controller cannot be found; the other claims that the account does not exist in the domain or that the password is incorrect. This may be due to incompatible settings between the Windows client and the Samba-3 server for schannel (secure channel) settings or smb signing settings. Check your Samba settings for client schannel, server schannel, client signing, server signing by executing:

"testparm -v | more" and looking for the value of these parameters.

Also use the Microsoft Management Console Local Security Settings. This tool is available from the Control Panel. The Policy settings are found in the Local Policies/Security Options area and are prefixed by Secure Channel: ..., and Digitally sign .....
It is important that these be set consistently with the Samba-3 server setting
----------------------------------------------------------------------------------------------
It seems that these items are under "Domain Member" and "Microsoft Network Client" sections under Security Settings\Local Policies\Security Options by first going in to "Control Panel\Performance and Maintenance\Administrative Tools" then click on "Local Security Policy" icon.

I haven't tried this yet because of my busy schedule. Try playing around with these settings; it will be highly appreciated if somebody can give feedback.

Thanks!!! Happy Linuxing....!
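
The check described in the HOWTO excerpt above, as an added example that is not part of the original post: it pulls the four schannel/signing parameters out of a testparm dump and lists those that are fixed rather than negotiated, so they can be compared with the "Domain Member" and "Microsoft Network Client" policies on the client. The sample dump, its values and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. SAMPLE_DUMP is constructed to resemble
# `testparm -s -v` output from a Samba 3 server; the values are illustrative.
SAMPLE_DUMP='[global]
	workgroup = NTDOMAIN
	client schannel = Auto
	server schannel = Auto
	client signing = auto
	server signing = No
	domain logons = Yes
'

# smb_param NAME: read a testparm dump on stdin and print NAME's value in
# lower case, or "unset". Matching ignores case and surrounding whitespace.
smb_param() {
    awk -v want="$1" '
        function norm(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return tolower(s)
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            if (norm(substr($0, 1, eq - 1)) == norm(want)) {
                val = norm(substr($0, eq + 1)); found = 1
            }
        }
        END { print (found ? val : "unset") }
    '
}

# channel_report: print "name=value" for the four settings the HOWTO names.
channel_report() {
    dump=$(cat)
    for p in "client schannel" "server schannel" "client signing" "server signing"; do
        printf '%s=%s\n' "$p" "$(printf '%s\n' "$dump" | smb_param "$p")"
    done
}

# fixed_settings: keep only settings that are not negotiated ("auto"); these
# are the ones the client-side policy has to agree with.
fixed_settings() {
    channel_report | awk -F= '$2 != "auto" && $2 != "unset"'
}

# On a live server: testparm -s -v 2>/dev/null | fixed_settings
printf '%s' "$SAMPLE_DUMP" | channel_report
```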
 
Old 08-16-2004, 10:46 PM   #6
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Original Poster
Rep: Reputation: 31
I made it work at this time on Slackware 10 and Samba 3.0.4. But I'm sure it will do the same also with other distros.

Refer to the official HOWTO guide in samba.org. Read through the "The Cure for the impatient Domain PDC" and regarding Unix to NT users and groups mapping. I would advise that you should test this on the latest release of Samba because this one fully supports NT Domain.
 
Old 08-24-2004, 07:34 AM   #7
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Original Poster
Rep: Reputation: 31
Here is now my test smb.conf NT PDC:

My test distro is Slackware 10 and Samba 3.0.4 and test clients are Win XP Pro.

# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

workgroup = NTDOMAIN
netbios name = fserver
server string = Samba Server %v
security = user
hosts allow = 192.168.0. 127.
load printers = yes
printcap name = cups
printing = cups
; guest account = pcguest
log file = /var/log/samba.%m
max log size = 50
passdb backend = tdbsam
; include = /usr/local/samba/lib/smb.conf.%m

# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

local master = yes
os level = 35
domain master = yes
preferred master = yes
domain logons = yes

; logon script = %U.bat
logon path = \\%L\Profiles\%U
; wins support = yes
; wins server = w.x.y.z
; wins proxy = yes
dns proxy = no

# These scripts are used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
add user script = /usr/sbin/useradd %u
add group script = /usr/sbin/groupadd %g
add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/userdel %u
delete user from group script = /usr/bin/gpasswd -d %u %g
delete group script = /usr/sbin/groupdel %g

idmap uid = 15000-20000
idmap gid = 15000-20000


#============================ Share Definitions ==============================
[homes]
comment = Home Directories
browseable = no
writable = yes
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
share modes = no
guest ok = yes

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
path = /usr/local/samba/profiles
browsable = no
writable = yes
create mask = 0600
directory mask = 0700

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes

# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes

[Common]
comment = Common Working Folder
path = /usr/local/samba/common
public = yes
browsable = yes
read only = no
force create mode = 0660
force directory mode = 0770

Running testparm should not return any syntax error. Then do the following as root user:

1. mkdir -p -m 775 /usr/local/samba/lib/netlogon
It will only open this directory for full access to root user and root group.

2. mkdir -m 1777 /usr/local/samba/profiles
This directory should be wide open to everyone and we added sticky bit on it - the "1".

3. Create the working directory for your windows users. In my case it's common.

mkdir -m 770 /usr/local/samba/common

In this type of directory mode, you will need to create functional groups in order to give appropriate access to users with their respective directories and files. Take note that the "world" users don't have any access. You will apply "chmod user.group" here. Else, if you don't need to apply access restrictions, just make this directory wide open to everybody by doing this:

chmod 1777 /usr/local/samba/common

Then change the "force create mode to 0777" and "force directory mode to 0777".

Now restart your smbd and nmbd daemons! Then join your XP Pro machines to the domain.

Hope this works with you....
 
Old 08-27-2004, 08:20 PM   #8
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Original Poster
Rep: Reputation: 31
Quoted : " You will apply "chmod user.group" here. Else, if you don't need to apply access restrictions, just make this directory wide open to everybody by doing this: "

OOOPPS!!!......sorry... it should be "chown user.group" and don't forget to add the group "machines". Maybe you could use GID = 101 if available.

On redhat/fedora a "-M" option may be needed before "%u" in the "add machines script" in case you're having some troubles.
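
An added example, not written by any poster in this thread: a small audit that reads smb.conf text and lists every share that accepts guest connections, marking whether it is also writable. It is useful for reviewing share definitions like the ones posted above before choosing between the group-restricted and wide-open directory modes. The sample config is a constructed excerpt and the function name is hypothetical; only per-share settings are considered.

```sh
#!/bin/sh
# Added example, not from the thread. SAMPLE_CONF is a constructed excerpt in
# the shape of the share definitions posted above.
SAMPLE_CONF='[netlogon]
path = /usr/local/samba/lib/netlogon
guest ok = yes
[Profiles]
path = /usr/local/samba/profiles
writable = yes
;[tmp]
; public = yes
[Common]
path = /usr/local/samba/common
public = yes
read only = no
[printers]
guest ok = no
writable = no
'

# guest_shares: read smb.conf text on stdin; for every section that enables
# guest access print "<section> rw" or "<section> ro".
# Assumptions: per-share settings only (nothing inherited from [global] or
# include files); "public" = "guest ok"; "writable"/"writeable" are the
# inverse of "read only"; a share is read-only unless told otherwise.
guest_shares() {
    awk '
        function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function emit() { if (name != "" && guest) print name, (rw ? "rw" : "ro") }
        /^[ \t]*[#;]/ { next }                      # comment lines
        /^[ \t]*\[/ {                               # new [section]
            emit()
            name = $0; sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            guest = 0; rw = 0; next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "guestok" || k == "public") guest = truthy(v)
            else if (k == "writable" || k == "writeable") rw = truthy(v)
            else if (k == "readonly") rw = !truthy(v)
        }
        END { emit() }
    '
}

# On a live server: testparm -s 2>/dev/null | guest_shares
printf '%s' "$SAMPLE_CONF" | guest_shares
```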
 
  


All times are GMT -5.