LinuxQuestions.org
Old 07-05-2005, 09:17 PM   #1
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Rep: Reputation: 36
samba domain controller


I set samba as domain controller and I can get win2k machines to get to the login screen when you first add it to the domain, so I type in the root username and root password, but it won't authenticate. I added root in the smbpasswd database as well and set a password, but it still won't work.

I also created the machinename$ account. Really not sure what I could have missed. Any advice would be appreciated, thanks.
 
Old 07-06-2005, 04:10 AM   #2
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Can you post your smb.conf so we can see how it's set up.
 
Old 07-06-2005, 05:03 PM   #3
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
Here it is

Code:
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will be part of
   workgroup = galaxy
domain logons = yes

# server string is the equivalent of the NT Description field
   server string = BORG File Server
   netbios name = borg


# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast


#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
#log level = 10
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
;   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
  security = user
  
  #domain logon stuff
  local master = yes
  os level = 65
  preferred master = yes
  domain master = yes

# You may wish to use password encryption.  See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
   encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam guest

   obey pam restrictions = yes

;   guest account = nobody
   invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
;   unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Augustin Luton <aluton@hybrigenics.fr> for
# sending the correct chat script for the passwd program in Debian Potato).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
;   pam password change = no


########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
;   load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
;   printing = bsd
;   printcap name = /etc/printcap

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
;   printing = cups
;   printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
;   printer admin = @ntadmin


######## File sharing ########

# Name mangling options
;   preserve case = yes
;   short preserve case = yes


############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
;   domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

#======================= Share Definitions =======================
[netlogon]
path = /data/samba/netlogon/
comment = The Domain logon service
public = no
writeable = no



[data2_rom]
path = /data2
browseable = yes
writeable = no
comment = Root of Data2 DRV
public = yes
create mode = 555
directory mode = 755
guest ok = no
valid users = administrator

[public]
path = /data/samba/public
comment = Public read only share
write list = administrator
public = yes
guest ok = yes
create mode = 777
directory mode = 777


[shared]
path = /data/samba/shared
comment = main share
browseable = yes
writable = yes
create mode = 777
directory mode = 777
guest ok = no
valid users=administrator,ryan


[customers]
path = /data/samba/shared/customers
comment = Customer Share
browseable = yes
create mode = 777
directory mode = 777
guest ok = yes
writable = yes


[auclair]
path = /data/samba/shared/auclair
comment = Auclair
browseable = yes
create mode = 777
directory mode = 777
writable = yes
valid users=administrator, auclair


[intranet]
path = /data/intranet
comment = Intranet files
browseable = yes
writable = yes
create mode = 777
directory mode = 777
guest ok = no
valid users=administrator, ryan


[backup]
path = /data/samba/backup
comment = backup deposit directory
browseable = yes
writable = yes
create mode = 777
directory mode = 777
guest ok = no
valid users=administrator,ryan

[backup_rom]
path = /data/samba/backup_rom
browseable = yes
writable = no
guest ok = no
valid users=administrator,ryan


[homes]
path = /home
browseable = yes
writable = yes
guest ok = no
valid users = administrator, ryan





[data3_rom]
path = /data3/samba
comment = data3 samba root
browseable = yes
writable = no
create mode = 777
directory mode = 777
guest ok = yes
valid users = administrator, ryan


[guest]
path = /data3/samba/guests
comment = Guest accessable share
browseable = yes
writable = yes
create mode = 777
directory mode = 777
guest ok = yes


[ryan]
path = /data3/samba/ryan
comment = ryans share
browseable = yes
writable = yes
create mode = 777
directory mode = 777
guest ok = no
valid users = administrator, ryan









#[homes]
#   comment = Home Directory
#   browseable = yes

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
 #  writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
  # create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   writable = no
;   share modes = no

#[printers]
#   comment = All Printers
#   browseable = no
#   path = /tmp
#   printable = yes
#   public = no
#   writable = no
#   create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
#[print$]
#   comment = Printer Drivers
#   path = /var/lib/samba/printers
#   browseable = yes
#   read only = yes
#   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
;   write list = root, @ntadmin

# A sample share for sharing your CD-ROM with others.
[cdrom]
   comment = Samba server's CD-ROM
   writable = no
   locking = no
   path = /cdrom
   valid users = administrator

# The next two parameters show how to auto-mount a CD-ROM when the
#        cdrom share is accessed. For this to work /etc/fstab must contain
#        an entry like this:
#
#       /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user   0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
#        is mounted on /cdrom
#
;   preexec = /bin/mount /cdrom
;   postexec = /bin/umount /cdrom
 
Old 07-06-2005, 07:21 PM   #4
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Sounds possibly like a permission problem for the machine account. Try adding this line to your global settings; this will add an account for each machine on-the-fly. This means you won't have to add one manually each time you wish to add a machine to the domain controller. This is much more secure than adding one manually; you always need root to add a machine account for the first time, after that any user will be able to connect to the domain from that machine.

add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

You may need to delete the account you made manually first to get it to add this account on-the-fly. Also you need to add this line to help sync passwords between unix and samba.

unix password sync = yes
 
Old 07-06-2005, 08:44 PM   #5
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
Still getting same thing. I also checked to see if any entry was added to the logs for the machine I'm trying to add, and nothing.

Here's the exact error I get in windows: "logon failure: unknown user name or bad password"

So perhaps it may even be not recognizing root as being a domain admin, when I try to add the machine?

Also, do I need to put anything in the netlogon directory for things to work? If I understand domains correctly, this folder is required for config, login scripts, etc.
 
Old 07-07-2005, 02:48 AM   #6
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Still having problems.... Just going over your smb.conf again and I missed one thing, you have:

invalid users = root

remove root, otherwise root won't be able to connect to samba. I think this is why you are getting the permission error.

Yes you have it right, the netlogon directory is for startup scripts. You can also copy the 'Default Users' folder from any XP machine to the netlogon directory, and when each user logs on to the domain controller, it will have a default profile for them, and when they log off it will automatically save their profile to the profiles directory under a folder with the user's name.

Samba automatically loads home folders for users when they logon, but other shares you will need to write a little script to load them when they logon. For the netlogon and profiles you also need to add a few lines to the global settings of smb.conf to point to the profiles and netlogon directory, here is my smb.conf so you can get an idea. I have been running a domain controller at home for 2 years now and have no problems ever with it.

[global]

netbios name = pdc
workgroup = workgroup
server string = Primary Domain Controller
smb passwd file = /etc/samba/smbpasswd
passwd chat = *New*password* %n\n *Please*retype*new*password* %n\n *password*successfully*updated*
passwd program = /usr/bin/passwd %u
socket options = TCP_NODELAY
security = user
encrypt passwords = yes
allow hosts = 192.168.1., 127.
deny hosts = ALL
max log size = 50
time server = yes
unix password sync = yes
load printers = yes
############################################################################
# To setup a domain controller use the following configuration for the global settings
#
domain master = yes
domain logons = yes
local master = yes
logon script = netlogon.bat
logon drive = H:
logon home = \\%L\%U
logon path = \\%L\profiles\%U
os level = 65
add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
add user script = /usr/local/samba/bin/add_user %u
delete user script = /usr/local/samba/bin/del_user %u
add user to group script = /usr/sbin/adduser %u %g
delete user from group script = /usr/sbin/deluser %u %g
remote browse sync = 192.168.1.255
browse list = yes
read raw = no
write cache size = 262144


[homes]
comment = Users Home Folder
browseable = no
writeable = yes
public = no
valid users = %S

[netlogon]
comment = Network Logon
browseable = no
writeable = no
path = /home/netlogon
public = yes

[profiles]
comment = Users Roaming Profiles
path = /home/profiles
browseable = no
writeable = yes
public = yes

[share]
comment = Public Share
browseable = yes
writeable = yes
path = /home/share
public = yes

[printers]
printable = yes
path = /var/spool/samba
public = yes
browseable = no
print command = lpr-cups -P %p -o raw %s -r
lpq command = lpstat -o %p
lprm command = cancel %p-%j

[movies]
comment = Movies
path = /home/movies
browseable = yes
writeable = yes
public = yes


Hope this helps in some way this time
 
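As an added example (not code from the thread, from either poster, or from the Samba project), here is a small shell check that reads an smb.conf and flags the traps this thread turns up: root listed in "invalid users" on a domain controller (the domain join authenticates as root), a share line with its "=" missing (testparm rejects the whole file for that), "create mode"/"directory mode" values that make new files world-writable, and a PDC with no "add machine script". Both sample configs are constructed for the example in the shape of the config posted above; the 0664/0775 masks in the fixed version are my choice, not the thread's. It assumes only the plain "key = value" and "[section]" syntax of smb.conf with '#' and ';' as comment markers.

```shell
#!/bin/sh
# Added example, not code from the thread: an offline audit of an smb.conf
# for the mistakes discussed in this thread. Assumes the plain "key = value"
# and "[section]" syntax; '#' and ';' start comment lines.
# testparm(1) catches the syntax error but not the policy mistakes.

# Constructed sample (abridged) in the shape of the original poster's config:
# a PDC that bars root, a share line missing its "=", world-writable modes.
BROKEN_CONF=$(cat <<'EOF'
[global]
   workgroup = galaxy
   domain logons = yes
   security = user
   encrypt passwords = true
   invalid users = root

[shared]
   path = /data/samba/shared
   create mode = 777
   directory mode 777
   guest ok = no
   valid users=administrator,ryan
EOF
)

# The same config with the thread's fixes applied, plus tighter masks (my
# choice): root is no longer barred, machine$ accounts are created on the fly.
FIXED_CONF=$(cat <<'EOF'
[global]
   workgroup = galaxy
   domain logons = yes
   security = user
   encrypt passwords = true
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u

[shared]
   path = /data/samba/shared
   create mask = 0664
   directory mask = 0775
   guest ok = no
   valid users = administrator, ryan
EOF
)

# smb_audit: reads an smb.conf on stdin and prints one finding per line.
# Prints nothing when the config passes every check.
smb_audit() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # An octal mode whose last digit carries the write bit (2,3,6,7) is world-writable.
    function world_writable(m) { return substr(m, length(m), 1) ~ /[2367]/ }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }          # comments and blank lines
    /^[ \t]*\[/ {                                 # [section] header
        sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
        sect = tolower(sect); next
    }
    {
        eq = index($0, "=")
        if (eq == 0) {                            # testparm rejects these outright
            printf("ERROR [%s] line %d: no \"=\": %s\n", sect, NR, trim($0)); next
        }
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        conf[sect, key] = val
        if (key ~ /^(create|directory) (mode|mask)$/ && world_writable(val))
            printf("WARN [%s]: %s = %s creates world-writable entries\n", sect, key, val)
    }
    END {
        if (conf["global", "domain logons"] != "yes") exit
        users = " " conf["global", "invalid users"] " "; gsub(/,/, " ", users)
        if (users ~ / root /)
            print "ERROR [global]: root is in \"invalid users\", but the domain join authenticates as root"
        if (!(("global", "add machine script") in conf))
            print "WARN [global]: no \"add machine script\"; each machine$ account must be created by hand"
    }'
}

# Stand-alone demonstration: the broken config yields four findings, the fixed one none.
printf '%s\n' "$BROKEN_CONF" | smb_audit
printf '%s\n' "$FIXED_CONF" | smb_audit
```

To check a live file, run smb_audit < /etc/samba/smb.conf after testparm has accepted it. Two caveats a practitioner will want: useradd -g machines fails unless a "machines" group already exists (create it with groupadd before relying on the add machine script), and unbarring root is only needed for the join itself; once machine accounts are created automatically, root does not need to stay usable over SMB for day-to-day logons.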
Old 07-07-2005, 08:46 AM   #7
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 230
I wish I could be more helpful -- I am deeply interested in Samba, but I am not as expert as I would like, yet.
Your problem is right at the limits of my knowledge.

1. We have a Samba group here in Houston at HAL-PC, any chance you can participate?

2. Do you have/use either of the official books from the Samba team?
They are available on the web as well as in print. They are deep but excellent.
You can find links to them here:
http://www.adamsinfoserv.com/twiki/bin/view.cgi/Samba/SambaTexts

2a. http://us2.samba.org/samba/docs/man/...ide/small.html
may be especially relevant

3. Do you have an /etc/samba/smbusers file? Could you post it?

4. When you "get win2k machines to get to the login screen" you are referring to a Samba login screen,
but how have you already logged in to the W2k box? I.E. as what user?

I am thinking your trouble could be the mapping between the 2 kinds of users "NT", i.e. Windows, & Unix.

Good luck, I am following this w/ great interest.
 
Old 07-07-2005, 11:54 AM   #8
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
Woot it worked! I'm on my lunch hour so don't have time to test anything else, but I got up to the "welcome to the galaxy domain" screen so I'll play with stuff when I get home after work.

My smbusers file only has root and administrator in it, but yet I used smbpasswd on many more users, so really not sure where these users are actually ending up, but it works.

But with the password sync option I think I won't have to use the smbpasswd option, but I'll have to play more with that. I can't wait to see samba's potential as a domain controller in terms of policies, etc. Samba never ceases to amaze me, really, there's always new stuff it can do, that I don't know about.


Edit: oh and for clarification the login screen I mentioned was the one you get when you try to add the machine to the domain, as you need to enter the admin password in order to add the machine. I did get errors regarding profiles but this is something I will look at when I get home, as I did not set up anything yet such as roaming profiles, and what not.

Last edited by Red Squirrel; 07-07-2005 at 03:22 PM.
 
Old 07-07-2005, 08:35 PM   #9
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Quote:
Originally posted by Red Squirrel
Woot it worked! I'm on my lunch hour so don't have time to test anything else, but I got up to the "welcome to the galaxy domain" screen so I'llplay with stuff when I get home after work.
Great! what did you change to get it to work?

Quote:
Originally posted by Red Squirrel
But with the password sync option I think I won't have to use the smbpasswd option, but I'll have to play more with that
It changes the samba password when you change the unix password. If there is no sync, I'm not sure if it may cause any permissions errors for that user.

Some useful information that you may like to use, if you would like to mount the shares on your xp machines as mounted drives. just go to Start-->Run and then type the following:

net use j: \\server-name\share-name

do this for all your shares, just use a different drive for each share like k: l: m: etc... You can also put these into a .bat file and load these every time the machine boots up; this way samba doesn't have to be set up as a domain controller. If it is set up as a domain controller, you can add these lines to the netlogon.bat file and it will mount all drives when a user logs onto the domain.


Quote:
Originally posted by archtoad6
1. We have a Samba group here in Houston at HAL-PC, any chance you can participate?
Hi archtoad6! Is this question for me or Red Squirrel?
 
Old 07-10-2005, 06:18 PM   #10
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
I just took out the "invalid users" line.

As for mapped drives windows remembers them so that's not a problem. Mind you, something broke in my setup so I'll have to play around to get everything working.
 
Old 07-11-2005, 04:21 AM   #11
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Quote:
Originally posted by Red Squirrel
I just took out the "invalid users" line.

As for mapped drives windows remembers them so that's not a problem. Mind you, something broke in my setup so I'll have to play around to get everything working.
Great, it was that! If you don't sort out your new problem don't hesitate to ask.
 
Old 07-11-2005, 04:12 PM   #12
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
I think I got it working but I can only work on it a few hours a night, if that.

Just wondering though, how do policies and such work? Since by default all users, even root, have restricted user access to the machine. (which is a good thing, as you only want to set certain users to have full access)
 
Old 07-12-2005, 10:29 PM   #13
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
Everything seems to be smooth. Adding users to be local admins required to do it through the local management console, so it's a machine per machine basis.

That said, now I know how to give myself admin access at work, since I have admin access by logging in as admin, but not as my domain account, but all I have to do is add myself.
 
Old 07-13-2005, 09:54 PM   #14
Red Squirrel
Member
 
Registered: Dec 2003
Distribution: FC9 on main server
Posts: 750

Original Poster
Rep: Reputation: 36
One problem I noticed is that out of nowhere, I'll go to log in and it says the domain is unavailable. So I wait about 1 minute, then it lets me in again. Also, I noticed after a while shared drives have an X on them so I have to open them all up to "refresh" them. Just gets annoying. What's up with that?
 
Old 07-14-2005, 04:45 AM   #15
fotoguy
Senior Member
 
Registered: Mar 2003
Location: Brisbane Queensland Australia
Distribution: KirraMail Live Email Server
Posts: 1,276

Rep: Reputation: 61
Quote:
Originally posted by Red Squirrel
One problem I noticed is that out of nowhere, I'll go to log in and it sas the domain is unavailable. So I wait about 1 minute, then it lets me in again. Also, I noticed after a while shared drives have an X on them so I have to open them all up to "refresh" them. Just gets annoying. What's up with that?
Never had that problem before, maybe it could be a firewall dropping the connection. Are you running iptables on the samba server, or are any of the Windows clients running a firewall? They might be if you're running Service Pack 2 on them. If they do have a firewall running, turn one of them off and see if it drops the share off. One other thing I can think of is any machines running in power saving mode. They may be turning off the network card to save power, thus dropping the connection.

About the only things I can think of.

Sorry for it being late. About your other question on samba policies, and I hope I have understood you correctly: basically samba only has permission to write/read/execute across the network to shares that are declared in the script, so other system directories samba itself doesn't have permission to write to. For the shares themselves, even if you allow someone through samba to read/write/execute to the share, unix permissions set on the directories and files can stop you depending on what permissions are set; this is where setting permissions becomes important. It's also good security practice to make the samba root password different from the unix root password.
 