Hello all,

I'm setting up a domain using Samba 3.0 as PDC, with WinXP clients. One of these clients is a laptop, which should be able to use cached profiles of the domain users. Online logon is working fine, however when the domain server is not available it cannot log on, whereas it should be able to use cached credentials to access the cached profile. Windows says it cannot log on because the domain is unavailable.

The policy setting controlling the number of cached credentials is set to 10 (which is the default), so that shouldn't be the problem.

I'm using Windows XP with the latest updates, and Samba 3.0 on a fresh installation of Debian unstable. I've also tested Windows 2000 as a client: same problem. I've tested Windows NT Server as a domain controller: it works fine, so the problem appears to be something samba-related.

I don't know if it's related, but the following message keeps appearing in the logs when I log off a domain user:

get_domain_user_groups: primary gid of user [roel] is not a Domain group
get_domain_user_groups: You should fix it, NT doesn't like that

The UNIX user roel is a member of users (gid 100), and I've set up the group mapping as follows (using net groupmap):

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-3779735966-2028519041-1045582398-513) -> users
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-3779735966-2028519041-1045582398-512) -> ntadmin
Domain Guests (S-1-5-21-3779735966-2028519041-1045582398-514) -> nogroup
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users

Can anyone help me with these problems? I've searched the archives and the web, and found no indication that anyone is having similar problems.

Thanks in advance,
Roel van Os.
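
An added example, not part of the original post and not Samba code: a small audit of a group-mapping listing in the format shown above, reporting UNIX groups that are mapped to more than one SID and whether each SID is a domain SID (S-1-5-21-...) or a builtin alias (S-1-5-32-...). The listing is copied from the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Listing copied from the post above; function names below are hypothetical.
SAMPLE = """\
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-3779735966-2028519041-1045582398-513) -> users
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-3779735966-2028519041-1045582398-512) -> ntadmin
Domain Guests (S-1-5-21-3779735966-2028519041-1045582398-514) -> nogroup
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> users
"""

LINE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; unix_group is None for '-1' (unmapped)."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            unix = None if m["unix"] == "-1" else m["unix"]
            entries.append((m["nt"], m["sid"], unix))
    return entries

def sid_kind(sid):
    """Classify a SID by its well-known prefix."""
    if sid.startswith("S-1-5-32-"):
        return "builtin"      # BUILTIN aliases are local to the machine
    return "domain" if sid.startswith("S-1-5-21-") else "other"

def ambiguous_unix_groups(entries):
    """Map each UNIX group that appears under more than one SID to its (nt_name, kind) list."""
    by_unix = defaultdict(list)
    for nt, sid, unix in entries:
        if unix is not None:
            by_unix[unix].append((nt, sid_kind(sid)))
    return {g: maps for g, maps in by_unix.items() if len(maps) > 1}

if __name__ == "__main__":
    entries = parse_groupmap(SAMPLE)
    for group, maps in ambiguous_unix_groups(entries).items():
        print(f"{group}: mapped {len(maps)} times -> {maps}")
```

On the listing from the post this reports that the UNIX group users carries two mappings, one to the domain group Domain Users and one to the builtin alias Users.
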

Roel,

To the best of my knowledge, Samba does not trigger the Win XPP Caching of domain logon credentials.

- John T.

On Fri, 19 Dec 2003, Roel van Os wrote:

> Hello all,
>
> I'm setting up a domain using Samba 3.0 as PDC, with WinXP clients. One
> of these clients is a laptop, which should be able to use cached
> profiles of the domain users. Online logon is working fine, however when
> the domain server is not available it cannot log on, whereas it should be
> able to use cached credentials to access the cached profile. Windows
> says it cannot log on because the domain is unavailable.
>
> The policy setting controlling the number of cached credentials is set
> to 10 (which is the default), so that shouldn't be the problem.
>
> I'm using Windows XP with the latest updates, and Samba 3.0 on a fresh
> installation of Debian unstable. I've also tested Windows 2000 as a
> client: same problem. I've tested Windows NT Server as a domain
> controller: it works fine, so the problem appears to be something
> samba-related.
>
> I don't know if it's related, but the following message keeps appearing
> in the logs when I log off a domain user:
>
> get_domain_user_groups: primary gid of user [roel] is not a Domain group
> get_domain_user_groups: You should fix it, NT doesn't like that
>
> The UNIX user roel is a member of users (gid 100), and I've set up the
> group mapping as follows (using net groupmap):
>
> System Operators (S-1-5-32-549) -> -1
> Replicators (S-1-5-32-552) -> -1
> Guests (S-1-5-32-546) -> -1
> Domain Users (S-1-5-21-3779735966-2028519041-1045582398-513) -> users
> Power Users (S-1-5-32-547) -> -1
> Print Operators (S-1-5-32-550) -> -1
> Administrators (S-1-5-32-544) -> -1
> Account Operators (S-1-5-32-548) -> -1
> Domain Admins (S-1-5-21-3779735966-2028519041-1045582398-512) -> ntadmin
> Domain Guests (S-1-5-21-3779735966-2028519041-1045582398-514) -> nogroup
> Backup Operators (S-1-5-32-551) -> -1
> Users (S-1-5-32-545) -> users
>
> Can anyone help me with these problems? I've searched the archives and
> the web, and found no indication that anyone is having similar problems.
>
> Thanks in advance,
> Roel van Os.
>

--
John H Terpstra
Email: jht@samba.org

Friday, December 19, 2003, 4:15:40 PM, John wrote:

> Roel,

> To the best of my knowledge, Samba does not trigger the Win XPP Caching of
> domain logon credentials.

Hi,

Is there any way to ask samba to trigger caching domain logon? I have many (>20) laptop users, so it would be headache if caching is not possible.

Tks.

> - John T.

--beast

On Fri, 26 Dec 2003, Beast wrote:

> Friday, December 19, 2003, 4:15:40 PM, John wrote:
>
> > Roel,
>
> > To the best of my knowledge, Samba does not trigger the Win XPP Caching of
> > domain logon credentials.
>
> Hi,
>
> Is there any way to ask samba to trigger caching domain logon? I have
> many (>20) laptop users, so it would be headache if caching is not
> possible.
> Tks.

The caching involves the use of pure kerberos based authentication. Samba does not do that as this is solely supported by Active Directory.

I know of no way to incite a Windows XP client to do this when Samba is providing the Domain control.

- John T.

--
John H Terpstra
Email: jht@samba.org

Friday, December 26, 2003, 11:07:54 AM, John wrote:

> On Fri, 26 Dec 2003, Beast wrote:

>> Friday, December 19, 2003, 4:15:40 PM, John wrote:
>>
>> > Roel,
>>
>> > To the best of my knowledge, Samba does not trigger the Win XPP Caching of
>> > domain logon credentials.
>>
>> Hi,
>>
>> Is there any way to ask samba to trigger caching domain logon? I have
>> many (>20) laptop users, so it would be headache if caching is not
>> possible.
>> Tks.

> The caching involves the use of pure kerberos based authentication. Samba
> does not do that as this is solely supported by Active Directory.

Caching is working on Win NT4.0 domain which (afaik) did not use kerberos.
Tested clients: Win 2000 (SP0-SP3), WinXP (SP0-SP1).

--beast

On Fri, 2003-12-26 at 15:47, Beast wrote:

> Friday, December 26, 2003, 11:07:54 AM, John wrote:
>
> > On Fri, 26 Dec 2003, Beast wrote:
>
> >> Friday, December 19, 2003, 4:15:40 PM, John wrote:
> >>
> >> > Roel,
> >>
> >> > To the best of my knowledge, Samba does not trigger the Win XPP Caching of
> >> > domain logon credentials.
> >>
> >> Hi,
> >>
> >> Is there any way to ask samba to trigger caching domain logon? I have
> >> many (>20) laptop users, so it would be headache if caching is not
> >> possible.
> >> Tks.
>
> > The caching involves the use of pure kerberos based authentication. Samba
> > does not do that as this is solely supported by Active Directory.
>
> Caching is working on Win NT4.0 domain which (afaik) did not use kerberos.
> Tested clients: Win 2000 (SP0-SP3), WinXP (SP0-SP1).

So now you just need to figure out what we do differently :-)

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net