Problem: Samba running as a PDC on a FreeBSD, the clients can connect without computer accounts and browse the shares in the domain.

Should the PDC allow that?
As far as I have understood the PDC should refuse since the computer does not have an account in the domain regardless that the user has a user account?
Can it somehow be that I have named the computers as the users, user bob with computer bob
But Samba should not do that since it requires a $ and W instead of U in smbpasswd file?

Also I get this in the samba.log???
[2002/03/13 16:08:49, 0] smbd/password.c:domain_client_validate(1517)
  domain_client_validate: could not fetch trust account password for domain DOMAIN

/Erik Ran?

--copy of smb.conf--
[global]
log level = 10

message command = cat %s | logger -t message-%U@%f -p local3.notice &
netbios name = PDC
workgroup = DOMAIN
server string = Samba server
hosts allow = 10.0.0.0/255.0.0.0 172.16.0.0/255.248.0.0 192.168.0.0/255.255.0.0

; for NT domain
domain master = yes
preferred master = yes
os level = 64
local master = yes
domain logons = yes

wins support = no
wins server = 10.0.0.12
wins proxy = yes

security = domain
null passwords = no

; Preparation for encrypted passwords
smb passwd file = /etc/samba/smbpasswd
update encrypted = no
encrypt passwords = yes
guest account = nobody
passwd program = /usr/local/bin/smbpasswd

socket options = TCP_NODELAY
printing = BSD
print command = lpr -h -r -P%p %s >> /tmp/print.log
load printers = yes

;2.2.2 new functions
;disable spoolss
;Setting this parameter causes Samba to go back to the old 2.0.x
;LANMAN printing behaviour, for people who wish to disable the
;new SPOOLSS pipe.

;2.2.2 new functions
use client driver = yes
;Causes Windows NT/2000 clients to need have a local printer driver
;installed and to treat the printer as local.

# protection against nimbda virus
# This can break Administration installations of Office2k.
# in that case, don't veto the riched20.dll
veto files = /*.eml/*.nws/riched20.dll/

#protection against files with CLSID in their filename
veto files = /*.{*}/

log file = /var/log/samba.log
log level = 1
lock directory = /usr/local/samba/var/locks
character set = ISO8859-1
mangle case = no
case sensitive = no
preserve case = yes
short preserve case = yes
wide links = no
time server = yes
oplocks = yes
level2 oplocks = yes

; logon path = \\%N\%U\.profiles\%U
;logon path is for roaming profiles
logon drive = h:
logon home = \\%N\%U\.profile\%U
logon script = /etc/samba/netlogon/netlogon.bat

;necessary share for domain controller
[netlogon]
path = /usr/local/samba/lib/netlogon
read only = yes
write list = @ntadmin

[www]
comment = Web files at www.mydomain.com
browseable = yes
path = /backup/http/www.mydomain.com
public = no
read only = no
force group = webmasters
force create mode = 0664
force directory mode = 0775

[homes]
comment = My webpage
browseable = no
path = %H/.html
public = no
read only = no
At 03:30 PM 3/14/02 +0100, Erik Ran? wrote:
>Problem: Samba running as a PDC on a FreeBSD, the clients can connect
>without computer accounts and browse the shares in the domain.
>
>Should the PDC allow that?
>As far as I have understood the PDC should refuse since the computer does
>not have an account in the domain regardless that the user has a user account?
>Can it somehow be that I have named the computers as the users, user bob
>with computer bob
>But Samba should not do that since it requires a $ and W instead of U in
>smbpasswd file?

That's not quite true - if a machine does not have an account in the domain, that computer cannot join the domain. Users, on the other hand, can access files on the server. This is the way M$ implemented it, and there's no way around it. You are getting exactly the same behavior as if you had a Windows-based Domain server.

>Also I get this in the samba.log???
>[2002/03/13 16:08:49, 0] smbd/password.c:domain_client_validate(1517)
>  domain_client_validate: could not fetch trust account password for
>  domain DOMAIN

Don't know about that one, maybe one of the team can comment.

>/Erik Ran?

--------------
Martyn Ranyard

I am not a member of the samba team, and anything that I say may not be as accurate as a response from one of the team. I reply to save those more qualified time, which can more usefully be spent developing SAMBA further.
Erik Ran? wrote:
> Problem: Samba running as a PDC on a FreeBSD, the clients can connect
> without computer accounts and browse the shares in the domain.
>
> Should the PDC allow that?

Depends on how you set it up. I'm assuming that you're using NT/W2K/XP stations. Remember that W95/98/ME machines don't have the proper security system to honestly log into a Domain. If you're using one of those Wintendo systems, you'll not have near the security you have with the real operating systems.

> As far as I have understood the PDC should refuse since the computer
> does not have an account in the domain regardless that the user has a
> user account?

Yes, assuming the workstation is NT/W2k/XP.

> Can it somehow be that I have named the computers as the users, user
> bob with computer bob

No

> But Samba should not do that since it requires a $ and W instead of U in
> smbpasswd file?

Exactly.

> Also I get this in the samba.log???
> [2002/03/13 16:08:49, 0] smbd/password.c:domain_client_validate(1517)
>   domain_client_validate: could not fetch trust account password for
>   domain DOMAIN

See below:

>
>
> /Erik Ran?
>
> --copy of smb.conf--
> [global]
> log level = 10
>
> message command = cat %s | logger -t message-%U@%f -p local3.notice &
> netbios name = PDC
> workgroup = DOMAIN
> server string = Samba server
> hosts allow = 10.0.0.0/255.0.0.0 172.16.0.0/255.248.0.0
> 192.168.0.0/255.255.0.0
>
>
> ; for NT domain
> domain master = yes
> preferred master = yes
> os level = 64
> local master = yes
> domain logons = yes
>
> wins support = no
> wins server = 10.0.0.12
> wins proxy = yes
>
> security = domain

If you want this to be a PDC, you need to use "security = user". The "domain" setting is only if this machine is part of a domain hosted by a Windows PDC.

<SNIP ADDITIONAL CONFIG>
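An added example, not part of the original thread and not Samba's own tooling: a small Python check for two problems visible in the posted smb.conf, namely `domain logons = yes` combined with a `security` value other than `user`, and parameters set twice in one section, where the later line takes effect and the earlier `veto files` list is dropped. The sample text is a constructed excerpt of the posted file, and `parse_smb_conf` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample: an excerpt of the [global] section posted in this thread.
SAMPLE = """\
[global]
log level = 10
domain logons = yes
security = domain
# protection against nimda
veto files = /*.eml/*.nws/riched20.dll/
veto files = /*.{*}/
log level = 1
"""

def parse_smb_conf(text):
    """Return {section: [(key, value, lineno), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            key = re.sub(r"\s+", "", key).lower()
            sections[current].append((key, value.strip(), lineno))
    return sections

def audit(text):
    findings = []                            # (kind, section, key, lineno) tuples
    for section, params in parse_smb_conf(text).items():
        last = {}
        for key, value, lineno in params:
            if key in last:                  # the earlier value is silently dropped
                findings.append(("overridden", section, key, last[key][1]))
            last[key] = (value, lineno)
        if section == "global" and "security" in last:
            logons = last.get("domainlogons", ("no", 0))[0].lower()
            if logons in ("yes", "true", "1") and last["security"][0].lower() != "user":
                findings.append(("pdc-security", section, "security", last["security"][1]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The reported line number for an `overridden` finding is the earlier assignment, the one that no longer has any effect.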
Erik RanĂ
2002-May-17 06:36 UTC
[Samba] Samba Printing A4 problem and samba howto collection about printing.
We had a problem since we upgraded our Samba from I believe 2.0.x or 1.9.x to 2.2.0x.

The problem is that with our HP LaserJet 8000DN it has been impossible to install a driver and get A4 as default paper size in the printer driver. It was always Letter that was chosen as default. With the result that every time the printer is installed the user has to change the printer setting. The printer intelligence is not so good that it can administratively ignore paper size and always set A4 as paper size for the print job. But that might be a bug in the printer.

Recently I found a tip back in the archives of samba-technical:
http://marc.theaimsgroup.com/?l=samba-technical&m=99041993818094&w=2

I tried it out and surprisingly I found that it helped! :-)

But it does not feel good that I have to modify source and recompile just so I can set that default paper size should be something else than Letter. Can smb.conf get some sort of addition where a definition is set either global or per printer? Just for what the default choice is. Not set it so the user can not change. It would help a lot since sometimes Windows seems to remember that default was Letter at the time it installed the printer and use that in the printer driver. :-(

About the samba howto collection about printing. (This might be off topic?)
On the top of the page 31 (36 of 86) as shown in Acrobat Reader. There is an instruction how to create folders so Samba can upload printer drivers. The instruction is with grey background and looks identical to the config examples to smb.conf. That confused me, since I'm not an experienced user in *nix environments, into believing that it should say something like that in the config file, when it actually displays a directory tree. Can it be changed to some other background color and more like a directory listing? And I think it should probably say more clearly that it is subdirectories of the parameter "path = /usr/local/samba/printers "

Is there some example about how to create an "add printer command" that can hook into printcap and make the modifications? I can successfully upload the driver but it can not finish the wizard since it can't add the printer. Not even if it is already existing in printcap file?

And just a little question, how can I get in contact if anyone is writing some fast guides to Samba?

With Regards
/Erik