Migrating a working Samba 2.2.8a Domain Controller to 3.0.2a
Using smbpasswd file
compiled using gcc 3.2.2
----------------------------------------------------------------------------
Used working 2.2.8 configuration
----------------------------------------------------------------------------
#authentication as PDC
workgroup = XNET
domain logons = yes
domain master = yes
preferred master = yes
security = user
password level = 8
username level = 8
smb passwd file = /usr/local/samba/lbin/smbpasswd
logon script = logon.bat
encrypt passwords = yes
----------------------------------------------------------------------------
Added automation scripts
----------------------------------------------------------------------------
#user group scripts
add user script = /usr/sbin/useradd -d /dev/null -g machines -c "Machine account %u" -s /bin/false -M %u
delete user script=/usr/sbin/userdel -r %u
add group script=/usr/sbin/groupadd %g
delete group script=/usr/sbin/groupdel %g
add user to group script=/usr/sbin/usermod -G %g %u
add machine script=/usr/sbin/useradd -s /bin/false -d /dev/null %u
----------------------------------------------------------------------------
Disabled the following items in the Local Security Policy
----------------------------------------------------------------------------
Domain member: Digitally encrypt or sign secure channel data (Always)
domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Require strong (Windows 2000 or later) session key
----------------------------------------------------------------------------
Added the following Registry Hacks
----------------------------------------------------------------------------
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000000

If you still have changes, you may want to change the following

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"sealsecurechannel"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"signsecurechannel"=dword:00000000
----------------------------------------------------------------------------
Deleted existing machine entries in smbpasswd
----------------------------------------------------------------------------
vi smbpasswd
delete machine user line
restart smb
----------------------------------------------------------------------------
Added machine entries
----------------------------------------------------------------------------
smbpasswd -a -m WORKSTATION_NAME
----------------------------------------------------------------------------
SYMPTOMS
----------------------------------------------------------------------------
CAN authenticate from domain members added prior to migration
CAN use shares from 95/XP/Samba using share based authentication (username/password)
CAN join domain from another Samba3 box
CANNOT join domain from XP
XP client reports: Access is denied
(logged in on XP as Administrator)
Samba reports (level 10 logging): _samr_open_domain: ACCESS DENIED
Both root and nobody appear to authenticate
Logs indicate insufficient privilege to continue
Looks like it might be something on the client?? There are no warnings or
errors in any of the XP logs.
Symptoms are the same from multiple installs of XP to multiple installs of
samba
I have racked my brain for the last week and have even resorted to reading
the manual.
Thank you for any guidance in advance!
Hello,

> CANNOT join domain from XP
> XP client reports: Access is denied
> (logged in on XP as Administrator)
> Samba reports (level 10 logging): _samr_open_domain: ACCESS DENIED
> Both root and nobody appear to authenticate
> Logs indicate insufficient privilege to continue

Only root (User-ID 0) can add machines to a domain. Root must also exist in your Samba user list.

matze

Should have included this information: smbpasswd already includes a root user with uid of 0. Tried to join domain as XNET\root with root/samba root password (unix and smb passwords are the same). Successfully joined domain using credentials from a different samba3 box.

Thanks for your quick reply

-----Original Message-----
From: Matthias Spork [SMTP:hallo@matthiasspork.de]
Sent: Wednesday, April 14, 2004 2:17 PM
To: gpalmer@lganet.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] XP Client cannot join Samba3 PDC
I have found the same problem now and again, especially if you remove a
machine and then want to rejoin. I'm assuming that you use root for the
account and that it exists in your samba setup.
I found that when it happens to me the quickest and easiest way to resolve
the issue is to rebuild the machine. I found the problem with XP and 2003;
don't know what causes the issue, and I think lots of people have the same
problem, as it is not the first time this has come up on the posts.
Cheers
Chris Tepaske
-----Original Message-----
From: gpalmer@lganet.com [mailto:gpalmer@lganet.com]
Sent: Thursday, 15 April 2004 4:47 AM
To: samba@lists.samba.org
Subject: [Samba] XP Client cannot join Samba3 PDC
Resolved problem:

Had decided to use global force user/force group options for the shares. It worked like a charm. All my shares now had default groups and users. I did not realize how truly global these settings were. After a careful review of the logs, I noticed that root indeed logged in. However, the effective user always morphed into nobody. At that time, I thought this was nominal behavior. NOT!

The global settings for:
FORCE USER = unix user
FORCE GROUP= unix group
Sets the Effective User ID to those forced ID's for EVERYTHING, including non share oriented communications.

Check your configs and eliminate these GLOBAL settings.

30 hours! DOH!

-----Original Message-----
From: Chris Tepaske [SMTP:chris@lincom.net.au]
Sent: Thursday, April 15, 2004 5:43 AM
To: gpalmer@lganet.com; samba@lists.samba.org
Subject: RE: [Samba] XP Client cannot join Samba3 PDC
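The two conditions this thread converged on (Matthias's point that only root with uid 0 may add machines and must exist in the Samba user list, and the resolution that `force user`/`force group` in `[global]` turn root into nobody for the SAMR join as well as for shares) can be checked before attempting a join. The following pre-flight script is an added example, not code from the Samba project or from anyone in this thread; the smb.conf text, the smbpasswd lines (with placeholder hashes) and the workstation name `WS01` are constructed samples, and the function names are my own.

```python
"""Pre-flight checks for a Samba 3 PDC before attempting an XP domain join.

Added example (not Samba project code). It checks:
  1. `force user` / `force group` are not set in [global]; there they also
     apply to the SAMR connection used for the join, so root becomes nobody
     and _samr_open_domain answers ACCESS DENIED.
  2. The smbpasswd file contains root with uid 0 and a machine account
     NAME$ carrying the W (workstation) flag for the joining host.
Both inputs below are constructed samples; the hash fields are placeholders.
"""
import re

SMB_CONF = """\
[global]
   workgroup = XNET
   domain logons = yes
   security = user
   # the global lines that break the join
   force user = nobody
   force group = nobody
[homes]
   path = /home/%U
   force user = %U
   force group = %U
"""

SMBPASSWD = """\
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-40800000:
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-40800000:
WS01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-40800000:
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys are lower-cased with internal
    whitespace collapsed, since smb.conf ignores case and spaces in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")   # first '=' only: values may contain '='
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def global_force_settings(conf):
    """Names of force user / force group keys that appear in [global]."""
    g = conf.get("global", {})
    return sorted(k for k in ("force user", "force group") if k in g)


def parse_smbpasswd(text):
    """Return {name: (uid, flags)} from smbpasswd-format lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 5 or not parts[1].isdigit():
            continue
        flags = parts[4].strip("[] ")
        accounts[parts[0]] = (int(parts[1]), flags)
    return accounts


def join_preflight(conf_text, passwd_text, workstation):
    """Return a list of problems; an empty list means the join can proceed."""
    problems = []
    conf = parse_smb_conf(conf_text)
    for key in global_force_settings(conf):
        problems.append("[global] sets '%s'; move it into the share sections" % key)
    accounts = parse_smbpasswd(passwd_text)
    root = accounts.get("root")
    if root is None or root[0] != 0:
        problems.append("root (uid 0) is missing from smbpasswd")
    name = workstation.upper()
    machine = accounts.get(name + "$")
    if machine is None:
        problems.append("no machine account %s$ (run: smbpasswd -a -m %s)" % (name, workstation))
    elif "W" not in machine[1]:
        problems.append("%s$ exists but lacks the W (workstation) flag" % name)
    return problems


if __name__ == "__main__":
    for p in join_preflight(SMB_CONF, SMBPASSWD, "ws01"):
        print("PROBLEM:", p)
    fixed = SMB_CONF.replace("   force user = nobody\n   force group = nobody\n", "")
    print("after removing the global lines:", join_preflight(fixed, SMBPASSWD, "ws01"))
```

Per-share `force user = %U` in `[homes]` and `[profiles]` is left alone on purpose: the check only flags the keys when they sit in `[global]`, which is exactly the difference the resolution message describes.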
[global]
#server naming
netbios name = CHARON
workgroup = GPNET
server string = GPNET PDC Server
#authentication as PDC
domain logons = yes
domain master = yes
security = user
password level = 8
username level = 8
smb passwd file=/usr/local/samba/private/smbpasswd
logon script = logon.bat
encrypt passwords = yes
domain admin group = @root
username map = /usr/local/samba/lbin/map.user
#user group scripts
add user script = /usr/sbin/useradd -d /dev/null -c "Samba account %u" -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g machines -c "Machine account %u" -s /bin/false -M %u
#wins server
wins support = yes
time server = yes
local master = yes
lm announce = yes
lm interval = 120
browse list = yes
remote announce = 192.168.201.127/GPNET 192.168.12.255/GPNET 192.168.201.135/GPNET 192.168.201.139/GPNET 192.168.201.143/GPNET
os level = 64
preferred master = yes
#wins client
name resolve order = wins bcast lmhosts
wins proxy = yes
dns proxy = yes
#IP Networking
interfaces = 192.168.201.1/25 192.168.201.129/29 192.168.201.137/30 192.168.201.141/30
hosts allow = 192.168.201. 192.168.202. 127. 192.168.12.
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#printing
printer = pshplj5
load printers = yes
printcap name = /etc/printcap
#log files
log level = 0
max log size = 50
log file = /var/log/samba/log.%m
#default share
map archive = yes
map system = yes
map hidden = yes
browseable = yes
writable = yes
public = yes
----------------------------------------------------------------------------
# items that prevent domain join - must be removed for successful operations
force group = nobody
force user = nobody
----------------------------------------------------------------------------
[homes]
comment = Home Directory for %U
browseable = no
write list = %U
valid users= %U
path = /home/%U
force user=%U
force group=%U
[profiles]
browseable = no
path=/home/%U/profile
write list = %U
valid users= %U
force user=%U
force group=%U
[netlogon]
comment = Network Logon Service
path = /home/netlogon
writable = no
public = no
write list=administrator root
[exe]
comment = Network Public Executables
path = /home/exe
[movie]
comment = Movie files
path = /home/movie
[audio]
comment = Audio files
path = /home/audio
-----Original Message-----
From: Jose Martinez [SMTP:jvm_vi@bellsouth.net]
Sent: Friday, April 23, 2004 12:47 PM
To: gpalmer@lganet.com; chris@lincom.net.au;
samba@lists.samba.org
Subject: RE: [Samba] XP Client cannot join Samba3 PDC
When you used these FORCE user and group settings, you didn't have to tell it
which user and group to force?
Can you send a copy of your smb.conf file.
The problem I am having is that sometimes a machine that is connected to the
domain will not allow a user to authenticate.. but it allows other users to
authenticate.. I'm wondering if this could be related...
Jose
-----Original Message-----
From: samba-bounces+jmartinez=bellsouth.net@lists.samba.org
[mailto:samba-bounces+jmartinez=bellsouth.net@lists.samba.org] On
Behalf Of
gpalmer@lganet.com
Sent: Friday, April 23, 2004 1:26 PM
To: chris@lincom.net.au; gpalmer@lganet.com; samba@lists.samba.org
Subject: RE: [Samba] XP Client cannot join Samba3 PDC
What does the Force user and Force Group option do under the homes and profiles section of the smb.conf file?

Jose

Jose Martinez wrote:
> What does the Force user and Force Group option do under the homes and
> profiles section of the smb.conf file?
>
> Jose

hi,

per "default" a file is created with the permissions of the creator in a samba share. With force user you can force the creator to be a different user or group. This is helpful in a few cases, i.e. if you're using a smb share for apache (user wwwrun etc), but use this parameter with care: it can break your security and result in miracle permissions behavior. I recommend to read the samba faq, and man smb.conf

Regards