trouble with Samba and Win2K

spike0 · 08-23-2004, 10:05 PM

I am trying to connect my fedora core2 box with my win2k box.

Being new, I am trying to follow the KISS principal, I copied the following as smb.conf:
[global]
workgroup = WORKGROUP
[homes]
guest ok = no
read only = no

my win2k box is also WORKGROUP. When trying from windows, i browse the network neighborhood and timeout to "Workgroup is not accessable". More troubling is when on the fedora box, smbclient //MachineName/Username asks for a password and then responds "NT_STATUS_LOGIN_FAILURE" with the same error message for smbclient -L machineName. ps shows that smbd is running. I have double checked the password.

I've been browsing other Samba posts without any luck. Any troubleshooting ideas?

synaptical · 08-23-2004, 10:20 PM

http://www.oreilly.com/catalog/samba...ook/index.html

AeonDevil · 08-24-2004, 01:44 AM

if a user and password box comes up you'll probably have to log in as a guest or any account you have on your win2k machine.
I usually log in as administrator so I can access all my files.

spike0 · 08-24-2004, 09:12 AM

yes, the user name I am using is a valid administrator on Win2k. However, I still get the error.

Mathieu · 08-24-2004, 10:46 AM

To log-in to a Samba server, your windows user must have a valid Linux account and a Samba account with the same username and password.
Unless the share has a "guest ok = yes" option.

To add a Samba user:

Code:

smbpasswd -a username

Here is a small sample smb.conf file.

Code:

#======================= Global Settings =====================================
[global]
  workgroup = WORKGROUP
  netbios name = Linux
  server string = My Linux PC

# Security
  security = user
  encrypt passwords = yes
  map to guest = Bad User
  hide local users = yes
  invalid users = root

# Logging
  log file = /var/log/samba/%m.log
  max log size = 1000

# Files
  unix extensions = Yes

# Services
  os level = 36
  time server = no
  domain master = no
  domain logons = no
  local master = yes
  preferred master = yes
  wins support = yes
  dns proxy = no

#============================ Share Definitions ==============================
[homes]
  comment = Home Directorie for %u
  valid users = %u
  browseable = yes
  writable = yes
  create mask = 0640
  directory mask = 0750

synaptical posted a link to the "Using Samba" book.
However, you may to take a look at Using Samba, 2nd Edition
http://www.oreilly.com/openbook/

synaptical · 08-24-2004, 10:52 AM

>edit: it looks like Mathieu beat me to it, but it's basically all the same idea. and you need to

the o'reilly book.

~~~~~~~~~~~~~~~~~~
here's part of my smb.conf (with some comments added), maybe this will help for comparison.

Code:

[global]
netbios name = HOMER
server string = Samba %v
workgroup = WORKGROUP

# [choose which one you want :study:]:
# security = share
security = user 


log file = /var/log/samba.log
wins support = yes 
# domain master = yes

encrypt passwords = yes # [don't forget that option :study:]
invalid users = root bin daemon adm sync shutdown halt mail news operator

# Networking configuration options [these are optional :study:]
hosts allow = 192.168.0. localhost
hosts deny = 192.168.0.110 192.168.0.111

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 [probably optional -- :study:]

[home]
path = /home/sero
comment = arch home dir
valid users = olv26 sero
guest ok = no
writeable = yes

[mp3]
path = /mnt/media/gift/completed
comment = gift completed files
valid users = olv26 sero
guest ok = no
writeable = yes

Quote:

7. Windows XP/2000

You'll need to enable TCP/IP on your system, as well as configure a
WINS server, from the control panel. The IP address of the WINS server
should be your Samba server (where the nmbd daemon is running).

To map a drive using the Windows GUI, open My Computer. On the toolbar
are many options; look for one that provides a list that includes the
phrase Map Network Drive (under Windows XP this option is under the
Tools menu). Once selected, a new box will open up. In the Drive box,
click a drive letter that you wish to use. In the Folder box, type the
path for the server and path that you wish to connect to.

Alternately, from a Command Prompt, you can type:

NET USE F: \\MYSERVER\PUB /YES

Quote:

Samba has no knowledge of Windows 2000/XP Local Accounts; as far as it
is concerned, there are only multiple users (defined in smbpasswd) and
a single Administrator named root (if defined in smbpasswd). Samba
also has no knowledge(nor does it care) about Windows 2000/XP Local
Groups; all Samba group memberships are defined in /etc/groups.The
reverse is also true -- Windows 2000/XP has no direct knowledge of
Samba Domain Users or the /etc/groups file on the Samba box.
Therefore,it is possible to log into the domain as root (not advised
for the security conscious) yet not have any administrative authority
over the Windows 2000/XP box!Under Windows NT/2000/2003 Servers, you
can add Local Users, Global Users, and Global Groups to Local Groups.
With Samba, you can add Local Users and Global Users to Local Groups.
However, with both Windows NT/2000/2003 Servers and Samba Servers, you
cannot add Local Users and Local Groups to Global Groups.One option to
get around this is to select one account from Samba to add it to each
Windows 2000/XP workstation's Administrators Local Group. This needs
to be done on a per-workstation basis since Local Groups are just that
-- local to the box itself, and to no one else.There is no way to do
this from the Samba server (nor should there be) or even from a
Windows 2000 Server.

To join a Samba Domain, you'll need to first enable a Samba password
for the root account on your Samba box. Make sure to choose a secure
password! You can accomplish this with something like the following
(below). Note that if you have a directive like 'invalid users = root'
in your smb.conf file, you're guilty of not thinking with your head!
Make make the following changes to your /etc/passwd file:

myworkstation$:x:5000:5000::/dev/null:/bin/false

Make make the following changes to your /etc/shadow file:

myworkstation$:*:9797:0:::::

Note: In the above two examples, it is critical to add the dollar sign
($) at the end of each and every workstation name!

Next, make make the following changes to your /etc/group file:

workstation::5000

Finally, run the following commands on your server. Note the lack
of a dollar-sign ($) at the end of the workstation name! This is
frequently overlooked and a cause of many headaches...

$ smbpasswd -a root
$ smbpasswd -m -a myworkstation

On your Windows machine, make the following changes to your registry
and reboot:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000

Next, log on to your Windows workstation with a local account that
does not have the same name as any account on your Samba server.
Administrator is a popular choice. Next, make sure that there are no
lingering connections to the Samba server with:

NET USE * /DELETE /YES

Finally, open up the Windows Control Panel and activate the System
icon (sysdm.cpl). Find the tab labeled Computer Name section and
activate it. Then, click Change. Finally, you will be able to change
the computer from belonging to a workgroup to belonging to a domain.

After clicking 'Change', you can join your Samba domain (which is the
"workgroup" parameter from your smb.conf file). You'll be prompted for
a name and password of an account with permissions to join the domain;
only the user account "root" will work here, and the account must
exist in your smbpasswd file (and not be disabled either - FYI!).

If you can't seem to get your workstation to join your Samba domain,
make sure you've reviewed the following checklist:

1. Make sure that there is not a firewall between you and your Samba
server.

2. Make sure that your Samba server is not blocking traffic between
you and it. This includes ports 137/udp, 138/udp, 139/tcp,
445/tcp, and ICMP types 3 and 4.

3. Stop and restart your Samba server by hand -- not by any fancy
script or graphical administration tool. If in doubt, you'll need
to read up on either man 1 kill or man 1 killall.

4. Restart your Windows workstation -- this cannot be overstated
enough.

If all of this still fails, increase the log level of your Samba
server to either 2 or 3, and review the output. You don't need to
understand everything the log is saying; but you do need to know
enough about your server to be able to look for error messages.

http://fluffygerbil.com/unofficial-samba.txt

an easier way to make user accounts in samba (i put this right in my smb.conf file so i don't have to remember it each time i add a user):

### add user to /etc/samba/private/smbpasswd
### user:1001:32Xs:32Xs:[U1234567890]:LCT-00000000:
### then change passwd with smbpasswd user

some amplification:

-- in the second line, replace "1001" with the actual user number (found in /etc/passwd).
-- "32Xs" means just that: you enter 32 upper case X, followed by a colon, then 32 more X.
-- [U1234567890] means a U followed by 10 blank spaces
-- LCT-00000000: is literal
-- this method presupposes you have made the user (e.g., with adduser), and that the user exists on the windows box
-- make sure the password is the same as the password for that user on the windows computer

gl, it's all in the o'reilly and unoffical books (except for my custom user-making procedure), but if you'd rather read it here than in the books, be my guest.

spike0 · 08-24-2004, 11:54 AM

I used Mathieu's config file and am almost there. Now I can browse from the win2k machine via and see the linux machine. However, it asks for user name and password and refuses any response I give.

currently win2k username/password = linux username/password = samba username/password. I tried adding the share parameter = OK as suggested, but that had no effect.

Any ideas? Additionally, I think I should be able to change the linux password, leaving the samba and windows passwords equal. is that correct?

synaptical · 08-24-2004, 02:43 PM

did you restart windows after making the samba changes? also check the permissions on the directories you're trying to access. if you don't have at least read permissions for users who don't own the directories who are trying to access from win2k, access will fail.

spike0 · 08-24-2004, 03:33 PM

synaptical,

Excellent suggestions. However, yes, I did reboot. I used chmod 777 on my home directory as there were no r/w permissions for others. Another reboot on the win2k box. But still the same result.

synaptical · 08-24-2004, 05:43 PM

not to be annoying, but you are restarting samba after making the changes, right? otherwise, i would just strip down the shares in smb.conf as much as possible, something like:

[share]
path = /your/path
valid users = user
browseable = yes
writable = yes

while you're at it, strip out all extraneous options for now until you get it working, e.g. all the stuff in the services section (except wins -- keep wins support = yes), map to guest, unix extensions (obsolete in samba 3.0), the permission masks, etc. the key to samba is to strip it down as much as possible, then only add things one at a time once it's working (unless you totally know what you're doing, which i don't, so i do it the "foolproof" way

). and don't forget to restart samba after each change.

spike0 · 08-24-2004, 09:56 PM

synaptical,

you are obviously very, very, wise. I thought I had been doing this (indeed, I know I've rebooted the machines involved) but after a /etc/init.d/smb restart, it's working!

Thank you very much! Now, I'm off to tackle adding a printer!