Understanding the guest account
I am new to both Linux & Samba. I am still running Samba 2.2.8a. I have just received new PCs and they are XP based. The rest of my network is Win98 boxes. I have studied Using Samba by O'Reilly press and cannot quite seem to grasp the following:
When the guest account is mapped to the default: "nobody" and my Win98 boxes log in, very frequently (but not always) their home directory will map to / on the Samba box and in "My Computer" it will show as: "nobody on S:" for the drive description. This is easily stopped - change the guest account to "what" and add "nobody" to invalid users. There is no "what" account. Now I have XP. With no valid guest account, I cannot log onto the Samba PDC. I vaguely understand that 98 and XP use different methods of joining a Domain. (98 really doesn't join) But I can't seem to translate this to how to have my cake and eat it too. Or in other words: guest account for XP and proper home drive mapping for 98. Can someone point me in the right direction? T.I.A. |
Logon order
Let's ask the question another way:
Why do 98 & XP use the guest account to initiate a session? |
Because you haven't added 98 & XP usernames to Samba valid users?
nobody is a built-in username. Make a new Samba guest name. The guest name is used when there is a bad username or bad password. |
No. I added all of my users via smbpasswd -a username. And the XP boxes have machine accounts.
Looking at the log files the 98 boxes (when nobody is removed) initiate as my fake guest what, then default to Lanman password and then log on properly. When nobody is enabled, the XP boxes initiate as nobody and then roll over to the password/username/machine set and log on properly. I just don't get it. And I can't find anything on the web. I may just have to admit defeat and go back to share/no security now that I have a mixed environment. <sigh> |
Wasn't this rectified in SAMBA - nobody account maps /home to "nobody"?
Please post the contents of your smb.conf file. |
Sidmark! Good to hear from you!
The Win98 portion _was_ rectified in that thread. But to get the Win XP boxes to log onto the Domain, throws it back out of whack. I can't post my .conf file right now as I am at home, but I will post it up on Monday. This coming week is a holiday for the kids, so the network is all mine to twist with. <bwahhhahahah> I will also post, at log level 3, the differing results for the two OS' when the nobody account is disabled and enabled. |
Ok, I assume that the windows xp boxes are professional edition and are joined to the domain, right?
|
Yes. And they will log in wonderfully.. as long as the "nobody" account is enabled.
Of course, as soon as I do this I'm back to nobody"s" logging in and improper home drive mapping for those logging in on 98. Very frustrating. |
Well, I guess, we will have to wait for you to post the smb.conf file.
Sid |
smb.conf file
# Samba config file created using SWAT
# from localhost (127.0.0.1)
# Date: 2003/10/20 16:30:34

# Global parameters
[global]
    workgroup = ACORN
    netbios name = CAP
    encrypt passwords = Yes
    log level = 2
    log file = /etc/samba/smblog-%m.txt
    logon path = \\%L\profiles\%u\%m
    logon script = logon.bat
    logon home = \\%L\%u\.win_profile\%m
    time server = Yes
    add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    preferred master = Yes
    domain master = Yes
    local master = Yes
    os level = 65
    security = user
    domain logons = yes
    domain admin group = root
    wins support = Yes
    guest account = nobody
    invalid users = bin daemon adm sync shutdown
    # << this is the difference! the above two lines allow my XP boxes to log on,
    # but Win98 clients to map to "nobody". When I want my 98 boxes to log on
    # properly, I change the guest account to "what" and put "nobody" in the
    # invalid users list >>
    oplocks = No
    level2 oplocks = No

[netlogon]
    path = /usr/local/samba/lib/netlogon
    create mask = 0600
    directory mask = 0700
    browseable = No

[profiles]
    path = /ovs/home/samba-ntprof
    browsable = no
    writable = yes
    create mask = 0600
    directory mask = 0700

[homes]
    read only = No
    browseable = No

[faculty]
    comment = OVS Faculty Directory
    writable = yes
    valid users = @faculty
    path = /ovs/faculty
    create mode = 0660
    directory mode = 0770
    browseable = No

[move]
    comment = Move the files
    writable = yes
    path = /ovs/move
    browseable = Yes
    guest ok = Yes
|
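Added example, not part of the original thread or of Samba itself: a small audit of the guest-related settings discussed above, showing which account guest sessions run as, whether that account exists or is blocked by invalid users, and which shares accept guests. The function names, the trimmed sample config (constructed from the posted file in its "what" variant) and the account set passed in are assumptions for illustration.

```python
import re

# Constructed sample: guest-related lines of the smb.conf posted above,
# in the variant where the guest account is changed to "what".
SAMPLE_CONF = """
[global]
   security = user
   guest account = what
   invalid users = bin daemon adm sync shutdown nobody
[homes]
   read only = No
[move]
   path = /ovs/move
   guest ok = Yes
"""

def norm(name):
    # Samba ignores case and spaces in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}; line continuations not handled."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[norm(key)] = value.strip()
    return sections

def audit_guest(text, unix_accounts):
    """List guest-related findings; unix_accounts = names from `getent passwd`."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    guest = glob.get("guestaccount", "nobody")  # Samba's documented default
    findings = []
    if guest not in unix_accounts:
        findings.append(f"guest account '{guest}' has no Unix account")
    if guest in glob.get("invalidusers", "").replace(",", " ").split():
        findings.append(f"guest account '{guest}' is in invalid users")
    for name, params in conf.items():
        flag = params.get("guestok", params.get("public", "no")).lower()
        if name != "global" and flag in ("yes", "true", "1"):
            findings.append(f"share [{name}] allows guest access as '{guest}'")
    return findings
```

Calling audit_guest(SAMPLE_CONF, {"root", "nobody", "student1"}) reports the missing "what" account and the guest-enabled [move] share.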
What do you have for a logon script?
Did you ever try my suggestion from the last thread? Quote:
I had to explicitly put:
    logon drive =
    logon home =
in my smb.conf file and manually map it from the logon script. |
Yes. I did try that suggestion. It did not change the behavior.
I have noticed that when Samba people have a Win98 farm they do not seem to run a PDC. I think this is why I can't find info on this. Here is what we definitely know: a valid guest user account causes Win98, when logging into a Samba PDC to incorrectly be identified as that user on a seemingly Random basis. I can turn this behavior on and off at will. Every time. So, now since I can't believe that it is just me.. that means that something is _not_ configured properly. Since Samba, itself, seems to be config'd properly, what Linux configuration could affect user login? Permissions? Guest account setup? I don't know any of the answers to this, I'm just throwing it out. Tomorrow, I will introduce a lag time into the logon.bat file when mapping the home directory. That may stop the behavior, but it still won't explain it.. I'll let you know what happens. |
calabash, I apologise for not replying sooner. I have been trying to play catch up with work and other stuff. I will build a box and try your config file. Have you tried setting "map to guest = never"?
Also, do the following: paste the content of:
    getent passwd
    getent group
You don't need to paste everything, but make sure you paste at least 5 users from the 1st command, 3 workstations from the 1st, the group the students are in or if they have user private groups, the corresponding entries and the group the machine accounts belong to. You can just type in user1 user2 user3 etc if you want, but make sure you match the corresponding user and group entries when you do. |
My turn to apologize.. I had to put out 19 PCs so by Monday I was beat.
Passwords stuff:
5 users
    facuser1:x:851:800:name:/ovs/home/facuser1:/bin/bash
    facuser2:x:852:800:name:/ovs/home/facuser2:/bin/bash
    student1:x:608:700:name:/ovs/home/student1:/bin/bash
    student2:x:609:700:name:/ovs/home/student2:/bin/bash
    student3:x:610:700:name:/ovs/home/student3:/bin/bash
3 workstations
    09$:x:1017:100::/dev/null:/bin/false
    12$:x:1018:100::/dev/null:/bin/false
    13$:x:1019:100::/dev/null:/bin/false
Group stuff:
    student:x:700:and then the usernames delimited by ,
    faculty:x:800:odd here, only two usernames, but I have a lot of fac-users in my db properly saying 800.
    machines:x:100:
I have more to update, but I have to run. I will post more tomorrow. More problems have resulted from the deployment, of course. Mainly that unless I elevate my logged in domain user to Administrator, MS Publisher (2003) won't run! Auughh!
-Moondance |
Well, tracked down the problem w/permissions on XP for Domain Users.
Roaming Profiles
I had copied a profile that I set up to the server, then created symlinks for the students and copied that profile into the WinXP directory. Then Chowned. Remove the symlinks (un-roam) and the user logs in properly and can use Publisher. So we will un-roam until I can track down what the heck is going on. <sigh>
Back to guest account: no, I will add map to guest = nobody to my smb.conf. Apparently yesterday, I was showing a lot of "nobody"s on my smbstatus listing, but the student's home drives were properly mapped. Go figure. I really just want to know why my clients are logging in as nobody first, then defaulting to Lanman in the logs. Why is this? Is it my setup? Or is that the way it works for everyone?
Cheers,
Moondance |