On Wednesday 11 February 2015 19:56:54 Rowland Penny wrote:
> On 11/02/15 19:25, duportail wrote:
> > On Wednesday 11 February 2015 19:09:48 Rowland Penny wrote:
> >> On 11/02/15 18:29, duportail wrote:
> >>> ( could not post complete reply, message too large?)
> >>>
> >>>
> >>> I think that's why I have a lot of black screens on the clients.
> >>> Here debian pdc smb.conf:
> >>> root at fai:~# cat /etc/samba/smb.conf
> >>> # This is the main Samba configuration file. You should read the
> >>> # smb.conf(5) manual page in order to understand the options listed
> >>> # here. Samba has a huge number of configurable options (perhaps too
> >>> # many!) most of which are not shown in this example
> >>> #
> >>> # For a step to step guide on installing, configuring and using samba,
> >>> # read the Samba-HOWTO-Collection. This may be obtained from:
> >>> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> >>> #
> >>> # Many working examples of smb.conf files can be found in the
> >>> # Samba-Guide which is generated daily and can be downloaded from:
> >>> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> >>> #
> >>> # Any line which starts with a ; (semi-colon) or a # (hash)
> >>> # is a comment and is ignored. In this example we will use a #
> >>> # for commentry and a ; for parts of the config file that you
> >>> # may wish to enable
> >>> #
> >>> # NOTE: Whenever you modify this file you should run the command "testparm"
> >>> # to check that you have not made any basic syntactic errors.
> >>> #
> >>> #======================= Global Settings ====================================
> >>> [global]
> >>>
> >>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> >>> workgroup = fai
> >>>
> >>> # server string is the equivalent of the NT Description field
> >>> server string = Samba Server
> >>>
> >>> # Security mode. Defines in which mode Samba will operate. Possible
> >>> # values are share, user, server, domain and ads. Most people will want
> >>> # user level security. See the Samba-HOWTO-Collection for details.
> >>> security = user
> >>>
> >>> # This option is important for security. It allows you to restrict
> >>> # connections to machines which are on your local network. The
> >>> # following example restricts access to two C class networks and
> >>> # the "loopback" interface. For more examples of the syntax see
> >>> # the smb.conf man page
> >>> ; hosts allow = 192.168.1. 192.168.2. 127.
> >>>
> >>> # If you want to automatically load your printer list rather
> >>> # than setting them up individually then you'll need this
> >>> load printers = yes
> >>>
> >>> # you may wish to override the location of the printcap file
> >>> ; printcap name = /etc/printcap
> >>>
> >>> # on SystemV system setting printcap name to lpstat should allow
> >>> # you to automatically obtain a printer list from the SystemV spool
> >>> # system
> >>> ; printcap name = lpstat
> >>>
> >>> # It should not be necessary to specify the print system type unless
> >>> # it is non-standard. Currently supported print systems include:
> >>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
> >>> ; printing = cups
> >>>
> >>> # Uncomment this if you want a guest account, you must add this to /etc/passwd
> >>> # otherwise the user "nobody" is used
> >>> ; guest account = pcguest
> >>>
> >>> # this tells Samba to use a separate log file for each machine
> >>> # that connects
> >>> log file = /var/log/samba/log.%m
> >>>
> >>> # Put a capping on the size of the log files (in Kb).
> >>> max log size = 50
> >>>
> >>> # Use password server option only with security = server
> >>> # The argument list may include:
> >>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> >>> # or to auto-locate the domain controller/s
> >>> # password server = *
> >>> ; password server = <NT-Server-Name>
> >>>
> >>> # Use the realm option only with security = ads
> >>> # Specifies the Active Directory realm the host is part of
> >>> ; realm = MY_REALM
> >>>
> >>> # Backend to store user information in. New installations should
> >>> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> >>> # compatibility. tdbsam requires no further configuration.
> >>> passdb backend = tdbsam
> >>>
> >>> # Using the following line enables you to customise your configuration
> >>> # on a per machine basis. The %m gets replaced with the netbios name
> >>> # of the machine that is connecting.
> >>> # Note: Consider carefully the location in the configuration file of
> >>> # this line. The included file is read at that point.
> >>> ; include = /usr/local/samba/lib/smb.conf.%m
> >>>
> >>> # Configure Samba to use multiple interfaces
> >>> # If you have multiple network interfaces then you must list them
> >>> # here. See the man page for details.
> >>> # interfaces = 192.168.12.2/24 192.168.5.2/24
> >>>
> >>> # Browser Control Options:
> >>> # set local master to no if you don't want Samba to become a master
> >>> # browser on your network. Otherwise the normal election rules apply
> >>> ; local master = no
> >>>
> >>> # OS Level determines the precedence of this server in master browser
> >>> # elections. The default value should be reasonable
> >>> ; os level = 33
> >>>
> >>> # Domain Master specifies Samba to be the Domain Master Browser. This
> >>> # allows Samba to collate browse lists between subnets. Don't use this
> >>> # if you already have a Windows NT domain controller doing this job
> >>> domain master = yes
> >>>
> >>> # Preferred Master causes Samba to force a local browser election on startup
> >>> # and gives it a slightly higher chance of winning the election
> >>> preferred master = yes
> >>>
> >>> # Enable this if you want Samba to be a domain logon server for
> >>> # Windows95 workstations.
> >>> domain logons = yes
> >>>
> >>> # if you enable domain logons then you may want a per-machine or
> >>> # per user logon script
> >>> # run a specific logon batch file per workstation (machine)
> >>> logon script = %m.bat
> >>> # run a specific logon batch file per username
> >>> logon script = %U.bat
> >>>
> >>> # Where to store roving profiles (only for Win95 and WinNT)
> >>> # %L substitutes for this servers netbios name, %U is username
> >>> # You must uncomment the [Profiles] share below
> >>> logon path = \\%L\Profiles\%U
> >>>
> >>> # Windows Internet Name Serving Support Section:
> >>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
> >>> ; wins support = yes
> >>>
> >>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> >>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> >>> ; wins server = 192.168.5.1
> >>>
> >>> # WINS Proxy - Tells Samba to answer name resolution queries on
> >>> # behalf of a non WINS capable client, for this to work there must be
> >>> # at least one WINS Server on the network. The default is NO.
> >>> wins proxy = yes
> >>>
> >>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> >>> # via DNS nslookups. The default is NO.
> >>> dns proxy = no
> >>>
> >>> # These scripts are used on a domain controller or stand-alone
> >>> # machine to add or delete corresponding unix accounts
> >>> add user script = /usr/sbin/useradd %u
> >>> add group script = /usr/sbin/groupadd %g
> >>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
> >>> delete user script = /usr/sbin/userdel %u
> >>> delete user from group script = /usr/sbin/deluser %u %g
> >>> delete group script = /usr/sbin/groupdel %g
> >>>
> >>>
> >>> #============================ Share Definitions =============================
> >>> [homes]
> >>> comment = Home Directories
> >>> browseable = yes
> >>> read only = no
> >>> guest ok = yes
> >>> create mask = 0700
> >>> directory mask = 0700
> >>> valid users = %S
> >>> invalid users = root
> >>> # Un-comment the following and create the netlogon directory for Domain Logons
> >>> [netlogon]
> >>> comment = Network Logon Service
> >>> path = /usr/local/samba/lib/netlogon
> >>> guest ok = yes
> >>> writable = no
> >>> #share modes = yes
> >>>
> >>>
> >>> # Un-comment the following to provide a specific roving profile share
> >>> # the default is to use the user's home directory
> >>> ;[Profiles]
> >>> ; path = /usr/local/samba/profiles
> >>> ; browseable = no
> >>> ; guest ok = yes
> >>>
> >>>
> >>> # NOTE: If you have a BSD-style print system there is no need to
> >>> # specifically define each individual printer
> >>> [printers]
> >>> comment = All Printers
> >>> path = /usr/spool/samba
> >>> browseable = no
> >>> # Set public = yes to allow user 'guest account' to print
> >>> guest ok = no
> >>> writable = no
> >>> printable = yes
> >>>
> >>> # This one is useful for people to share files
> >>> ;[tmp]
> >>> ; comment = Temporary file space
> >>> ; path = /tmp
> >>> ; read only = no
> >>> ; public = yes
> >>>
> >>> # A publicly accessible directory, but read only, except for people in
> >>> # the "staff" group
> >>> ;[public]
> >>> ; comment = Public Stuff
> >>> ; path = /home/samba
> >>> ; public = yes
> >>> ; writable = no
> >>> ; printable = no
> >>> ; write list = @staff
> >>>
> >>> # Other examples.
> >>> #
> >>> # A private printer, usable only by fred. Spool data will be placed in fred's
> >>> # home directory. Note that fred must have write access to the spool directory,
> >>> # wherever it is.
> >>> ;[fredsprn]
> >>> ; comment = Fred's Printer
> >>> ; valid users = fred
> >>> ; path = /homes/fred
> >>> ; printer = freds_printer
> >>> ; public = no
> >>> ; writable = no
> >>> ; printable = yes
> >>>
> >>> # A private directory, usable only by fred. Note that fred requires write
> >>> # access to the directory.
> >>> ;[fredsdir]
> >>> ; comment = Fred's Service
> >>> ; path = /usr/somewhere/private
> >>> ; valid users = fred
> >>> ; public = no
> >>> ; writable = yes
> >>> ; printable = no
> >>>
> >>> # a service which has a different directory for each machine that connects
> >>> # this allows you to tailor configurations to incoming machines. You could
> >>> # also use the %U option to tailor it by user name.
> >>> # The %m gets replaced with the machine name that is connecting.
> >>> ;[pchome]
> >>> ; comment = PC Directories
> >>> ; path = /usr/pc/%m
> >>> ; public = no
> >>> ; writable = yes
> >>>
> >>> # A publicly accessible directory, read/write to all users. Note that all files
> >>> # created in the directory by users will be owned by the default user, so
> >>> # any user with access can delete any other user's files. Obviously this
> >>> # directory must be writable by the default user. Another user could of course
> >>> # be specified, in which case all files would be owned by that user instead.
> >>> ;[public]
> >>> ; path = /usr/somewhere/else/public
> >>> ; public = yes
> >>> ; only guest = yes
> >>> ; writable = yes
> >>> ; printable = no
> >>>
> >>> # The following two entries demonstrate how to share a directory so that two
> >>> # users can place files there that will be owned by the specific users. In this
> >>> # setup, the directory should be writable by both users and should have the
> >>> # sticky bit set on it to prevent abuse. Obviously this could be extended to
> >>> # as many users as required.
> >>> ;[myshare]
> >>> ; comment = Mary's and Fred's stuff
> >>> ; path = /usr/somewhere/shared
> >>> ; valid users = mary fred
> >>> ; public = no
> >>> ; writable = yes
> >>> ; printable = no
> >>> ; create mask = 0765
> >>>
> >>>
> >> OK, after wading through the commented lines, I end up with:
> >>
> >> PDC smb.conf:
> >>
> >> [global]
> >> workgroup = fai
> >> server string = Samba Server
> >> security = user
> >> load printers = yes
> >> log file = /var/log/samba/log.%m
> >> max log size = 50
> >> passdb backend = tdbsam
> >> domain master = yes
> >> preferred master = yes
> >> domain logons = yes
> >> logon script = %m.bat
> >> logon script = %U.bat
> >> logon path = \\%L\Profiles\%U
> >> wins proxy = yes
> >> dns proxy = no
> >> add user script = /usr/sbin/useradd %u
> >> add group script = /usr/sbin/groupadd %g
> >> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d
> >> /var/lib/samba -s /bin/false %u
> >> delete user script = /usr/sbin/userdel %u
> >> delete user from group script = /usr/sbin/deluser %u %g
> >> delete group script = /usr/sbin/groupdel %g
> >>
> >> [homes]
> >> comment = Home Directories
> >> browseable = yes
> >> read only = no
> >> guest ok = yes
> >> create mask = 0700
> >> directory mask = 0700
> >> valid users = %S
> >> invalid users = root
> >>
> >> [netlogon]
> >> comment = Network Logon Service
> >> path = /usr/local/samba/lib/netlogon
> >> guest ok = yes
> >> writable = no
> >>
> >> [printers]
> >> comment = All Printers
> >> path = /usr/spool/samba
> >> browseable = no
> >> guest ok = no
> >> writable = no
> >> printable = yes
> >>
> >>
> >> Client smb.conf
> >>
> >> [global]
> >> workgroup = fai
> >> server string = %h server (Samba, Ubuntu)
> >> wins server = 172.20.68.14
> >> winbind separator = /
> >> winbind use default domain = Yes
> >> dns proxy = no
> >> winbind uid = 10000-20000
> >> winbind gid = 10000-20000
> >> template shell = /bin/bash
> >> allow trusted domains = yes
> >> name resolve order = lmhosts host wins bcast
> >> name resolve order = wins lmhosts host bcast
> >> log file = /var/log/samba/log.%m
> >> max log size = 1000
> >> syslog = 0
> >> panic action = /usr/share/samba/panic-action %d
> >> security = domain
> >> password server = 172.20.68.14
> >> encrypt passwords = true
> >> passdb backend = tdbsam
> >> obey pam restrictions = yes
> >> unix password sync = yes
> >> passwd program = /usr/bin/passwd %u
> >> passwd chat = *Enter\snew\s*\spassword:* %n\n
> >> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >> pam password change = yes
> >> map to guest = bad user
> >> add user script = /usr/sbin/adduser --quiet --disabled-password
> >> --gecos "" %u
> >> add machine script = /usr/sbin/useradd -g machines -c "%u machine
> >> account" -d /var/lib/samba -s /bin/false %u
> >> add group script = /usr/sbin/addgroup --force-badname %g
> >> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >> template shell = /bin/bash
> >> template homedir = /home/%U
> >> usershare allow guests = yes
> >>
> >> #======================= Share Definitions ======================
> >>
> >> valid users = %S
> >>
> >> [printers]
> >> comment = All Printers
> >> browseable = no
> >> path = /var/spool/samba
> >> printable = yes
> >> guest ok = no
> >> read only = yes
> >> create mask = 0700
> >>
> >> [print$]
> >> comment = Printer Drivers
> >> path = /var/lib/samba/printers
> >> browseable = yes
> >> read only = yes
> >> guest ok = no
> >>
> >> There are a few lines that are duplicated in each smb.conf.
> >>
> >> I take it that you only use the PDC for authentication and don't let the
> >> users login.
> >>
> >> It has been some time since I set up and used a linux client with a PDC,
> >> but I don't actually remember having all those passwd & script lines in
> >> the client smb.conf.
> >>
> >> Do the users exist as unix users on both machines ?
> >>
> >> Rowland
> >>
> > No, the users are created on the debian pdc. That is the long number (as their username).
> > Then the users can log in on a joined ubuntu computer in the classroom. It does not matter which one.
> > The long number (as their username) comes from a smartcard.
> > I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, I have problems.
> > As I was debugging, I tried to su the user on a client machine, and got another user instead:
> > root at blank005:~# su 59031614949
> > 98121524292 at blank005:/root$
> >
> > I have never seen this.
> > Is it a problem with long usernames and winbind?
> >
> >
> >
> >
> >
> Well, the portion of the logfile you posted is full of lines like this:
>
> Failed to find a Unix account for 92101633919
>
> OK, just what part of that line do you not understand ?? :-)
>
> You need a unix user for '92101633919'
>
> Rowland
>
Correct, but there was this user:

on debian pdc:
root at fai:~# cat /var/log/auth.log | grep 92101633919
Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209
Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse'
Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access'

On 11/02/15 20:13, duportail wrote:
> On Wednesday 11 February 2015 19:56:54 Rowland Penny wrote:
>> On 11/02/15 19:25, duportail wrote:
>>> On Wednesday 11 February 2015 19:09:48 Rowland Penny wrote:
>>>> On 11/02/15 18:29, duportail wrote:
>>>>> ( could not post complete reply, message too large?)
>>>>>
>>>>>
>>>>> I think that's why I have a lot of black screens on the clients.
>>>>> Here debian pdc smb.conf:
>>>>> root at fai:~# cat /etc/samba/smb.conf
>>>>> # This is the main Samba configuration file. You should read the
>>>>> # smb.conf(5) manual page in order to understand the options listed
>>>>> # here. Samba has a huge number of configurable options (perhaps too
>>>>> # many!) most of which are not shown in this example
>>>>> #
>>>>> # For a step to step guide on installing, configuring and using samba,
>>>>> # read the Samba-HOWTO-Collection. This may be obtained from:
>>>>> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
>>>>> #
>>>>> # Many working examples of smb.conf files can be found in the
>>>>> # Samba-Guide which is generated daily and can be downloaded from:
>>>>> # http://www.samba.org/samba/docs/Samba-Guide.pdf
>>>>> #
>>>>> # Any line which starts with a ; (semi-colon) or a # (hash)
>>>>> # is a comment and is ignored. In this example we will use a #
>>>>> # for commentry and a ; for parts of the config file that you
>>>>> # may wish to enable
>>>>> #
>>>>> # NOTE: Whenever you modify this file you should run the command "testparm"
>>>>> # to check that you have not made any basic syntactic errors.
>>>>> #
>>>>> #======================= Global Settings ====================================
>>>>> [global]
>>>>>
>>>>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
>>>>> workgroup = fai
>>>>>
>>>>> # server string is the equivalent of the NT Description field
>>>>> server string = Samba Server
>>>>>
>>>>> # Security mode. Defines in which mode Samba will operate. Possible
>>>>> # values are share, user, server, domain and ads. Most people will want
>>>>> # user level security. See the Samba-HOWTO-Collection for details.
>>>>> security = user
>>>>>
>>>>> # This option is important for security. It allows you to restrict
>>>>> # connections to machines which are on your local network. The
>>>>> # following example restricts access to two C class networks and
>>>>> # the "loopback" interface. For more examples of the syntax see
>>>>> # the smb.conf man page
>>>>> ; hosts allow = 192.168.1. 192.168.2. 127.
>>>>>
>>>>> # If you want to automatically load your printer list rather
>>>>> # than setting them up individually then you'll need this
>>>>> load printers = yes
>>>>>
>>>>> # you may wish to override the location of the printcap file
>>>>> ; printcap name = /etc/printcap
>>>>>
>>>>> # on SystemV system setting printcap name to lpstat should allow
>>>>> # you to automatically obtain a printer list from the SystemV spool
>>>>> # system
>>>>> ; printcap name = lpstat
>>>>>
>>>>> # It should not be necessary to specify the print system type unless
>>>>> # it is non-standard. Currently supported print systems include:
>>>>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
>>>>> ; printing = cups
>>>>>
>>>>> # Uncomment this if you want a guest account, you must add this to /etc/passwd
>>>>> # otherwise the user "nobody" is used
>>>>> ; guest account = pcguest
>>>>>
>>>>> # this tells Samba to use a separate log file for each machine
>>>>> # that connects
>>>>> log file = /var/log/samba/log.%m
>>>>>
>>>>> # Put a capping on the size of the log files (in Kb).
>>>>> max log size = 50
>>>>>
>>>>> # Use password server option only with security = server
>>>>> # The argument list may include:
>>>>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
>>>>> # or to auto-locate the domain controller/s
>>>>> # password server = *
>>>>> ; password server = <NT-Server-Name>
>>>>>
>>>>> # Use the realm option only with security = ads
>>>>> # Specifies the Active Directory realm the host is part of
>>>>> ; realm = MY_REALM
>>>>>
>>>>> # Backend to store user information in. New installations should
>>>>> # use either tdbsam or ldapsam. smbpasswd is available for backwards
>>>>> # compatibility. tdbsam requires no further configuration.
>>>>> passdb backend = tdbsam
>>>>>
>>>>> # Using the following line enables you to customise your configuration
>>>>> # on a per machine basis. The %m gets replaced with the netbios name
>>>>> # of the machine that is connecting.
>>>>> # Note: Consider carefully the location in the configuration file of
>>>>> # this line. The included file is read at that point.
>>>>> ; include = /usr/local/samba/lib/smb.conf.%m
>>>>>
>>>>> # Configure Samba to use multiple interfaces
>>>>> # If you have multiple network interfaces then you must list them
>>>>> # here. See the man page for details.
>>>>> # interfaces = 192.168.12.2/24 192.168.5.2/24
>>>>>
>>>>> # Browser Control Options:
>>>>> # set local master to no if you don't want Samba to become a master
>>>>> # browser on your network. Otherwise the normal election rules apply
>>>>> ; local master = no
>>>>>
>>>>> # OS Level determines the precedence of this server in master browser
>>>>> # elections. The default value should be reasonable
>>>>> ; os level = 33
>>>>>
>>>>> # Domain Master specifies Samba to be the Domain Master Browser. This
>>>>> # allows Samba to collate browse lists between subnets. Don't use this
>>>>> # if you already have a Windows NT domain controller doing this job
>>>>> domain master = yes
>>>>>
>>>>> # Preferred Master causes Samba to force a local browser election on startup
>>>>> # and gives it a slightly higher chance of winning the election
>>>>> preferred master = yes
>>>>>
>>>>> # Enable this if you want Samba to be a domain logon server for
>>>>> # Windows95 workstations.
>>>>> domain logons = yes
>>>>>
>>>>> # if you enable domain logons then you may want a per-machine or
>>>>> # per user logon script
>>>>> # run a specific logon batch file per workstation (machine)
>>>>> logon script = %m.bat
>>>>> # run a specific logon batch file per username
>>>>> logon script = %U.bat
>>>>>
>>>>> # Where to store roving profiles (only for Win95 and WinNT)
>>>>> # %L substitutes for this servers netbios name, %U is username
>>>>> # You must uncomment the [Profiles] share below
>>>>> logon path = \\%L\Profiles\%U
>>>>>
>>>>> # Windows Internet Name Serving Support Section:
>>>>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
>>>>> ; wins support = yes
>>>>>
>>>>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
>>>>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
>>>>> ; wins server = 192.168.5.1
>>>>>
>>>>> # WINS Proxy - Tells Samba to answer name resolution queries on
>>>>> # behalf of a non WINS capable client, for this to work there must be
>>>>> # at least one WINS Server on the network. The default is NO.
>>>>> wins proxy = yes
>>>>>
>>>>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
>>>>> # via DNS nslookups. The default is NO.
>>>>> dns proxy = no
>>>>>
>>>>> # These scripts are used on a domain controller or stand-alone
>>>>> # machine to add or delete corresponding unix accounts
>>>>> add user script = /usr/sbin/useradd %u
>>>>> add group script = /usr/sbin/groupadd %g
>>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
>>>>> delete user script = /usr/sbin/userdel %u
>>>>> delete user from group script = /usr/sbin/deluser %u %g
>>>>> delete group script = /usr/sbin/groupdel %g
>>>>>
>>>>>
>>>>> #============================ Share Definitions =============================
>>>>> [homes]
>>>>> comment = Home Directories
>>>>> browseable = yes
>>>>> read only = no
>>>>> guest ok = yes
>>>>> create mask = 0700
>>>>> directory mask = 0700
>>>>> valid users = %S
>>>>> invalid users = root
>>>>> # Un-comment the following and create the netlogon directory for Domain Logons
>>>>> [netlogon]
>>>>> comment = Network Logon Service
>>>>> path = /usr/local/samba/lib/netlogon
>>>>> guest ok = yes
>>>>> writable = no
>>>>> #share modes = yes
>>>>>
>>>>>
>>>>> # Un-comment the following to provide a specific roving profile share
>>>>> # the default is to use the user's home directory
>>>>> ;[Profiles]
>>>>> ; path = /usr/local/samba/profiles
>>>>> ; browseable = no
>>>>> ; guest ok = yes
>>>>>
>>>>>
>>>>> # NOTE: If you have a BSD-style print system there is no need to
>>>>> # specifically define each individual printer
>>>>> [printers]
>>>>> comment = All Printers
>>>>> path = /usr/spool/samba
>>>>> browseable = no
>>>>> # Set public = yes to allow user 'guest account' to print
>>>>> guest ok = no
>>>>> writable = no
>>>>> printable = yes
>>>>>
>>>>> # This one is useful for people to share files
>>>>> ;[tmp]
>>>>> ; comment = Temporary file space
>>>>> ; path = /tmp
>>>>> ; read only = no
>>>>> ; public = yes
>>>>>
>>>>> # A publicly accessible directory, but read only, except for people in
>>>>> # the "staff" group
>>>>> ;[public]
>>>>> ; comment = Public Stuff
>>>>> ; path = /home/samba
>>>>> ; public = yes
>>>>> ; writable = no
>>>>> ; printable = no
>>>>> ; write list = @staff
>>>>>
>>>>> # Other examples.
>>>>> #
>>>>> # A private printer, usable only by fred. Spool data will be placed in fred's
>>>>> # home directory. Note that fred must have write access to the spool directory,
>>>>> # wherever it is.
>>>>> ;[fredsprn]
>>>>> ; comment = Fred's Printer
>>>>> ; valid users = fred
>>>>> ; path = /homes/fred
>>>>> ; printer = freds_printer
>>>>> ; public = no
>>>>> ; writable = no
>>>>> ; printable = yes
>>>>>
>>>>> # A private directory, usable only by fred. Note that fred requires write
>>>>> # access to the directory.
>>>>> ;[fredsdir]
>>>>> ; comment = Fred's Service
>>>>> ; path = /usr/somewhere/private
>>>>> ; valid users = fred
>>>>> ; public = no
>>>>> ; writable = yes
>>>>> ; printable = no
>>>>>
>>>>> # a service which has a different directory for each machine that connects
>>>>> # this allows you to tailor configurations to incoming machines. You could
>>>>> # also use the %U option to tailor it by user name.
>>>>> # The %m gets replaced with the machine name that is connecting.
>>>>> ;[pchome]
>>>>> ; comment = PC Directories
>>>>> ; path = /usr/pc/%m
>>>>> ; public = no
>>>>> ; writable = yes
>>>>>
>>>>> # A publicly accessible directory, read/write to all users. Note that all files
>>>>> # created in the directory by users will be owned by the default user, so
>>>>> # any user with access can delete any other user's files. Obviously this
>>>>> # directory must be writable by the default user. Another user could of course
>>>>> # be specified, in which case all files would be owned by that user instead.
>>>>> ;[public]
>>>>> ; path = /usr/somewhere/else/public
>>>>> ; public = yes
>>>>> ; only guest = yes
>>>>> ; writable = yes
>>>>> ; printable = no
>>>>>
>>>>> # The following two entries demonstrate how to share a directory so that two
>>>>> # users can place files there that will be owned by the specific users. In this
>>>>> # setup, the directory should be writable by both users and should have the
>>>>> # sticky bit set on it to prevent abuse. Obviously this could be extended to
>>>>> # as many users as required.
>>>>> ;[myshare]
>>>>> ; comment = Mary's and Fred's stuff
>>>>> ; path = /usr/somewhere/shared
>>>>> ; valid users = mary fred
>>>>> ; public = no
>>>>> ; writable = yes
>>>>> ; printable = no
>>>>> ; create mask = 0765
>>>>>
>>>>>
>>>> OK, after wading through the commented lines, I end up with:
>>>>
>>>> PDC smb.conf:
>>>>
>>>> [global]
>>>> workgroup = fai
>>>> server string = Samba Server
>>>> security = user
>>>> load printers = yes
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 50
>>>> passdb backend = tdbsam
>>>> domain master = yes
>>>> preferred master = yes
>>>> domain logons = yes
>>>> logon script = %m.bat
>>>> logon script = %U.bat
>>>> logon path = \\%L\Profiles\%U
>>>> wins proxy = yes
>>>> dns proxy = no
>>>> add user script = /usr/sbin/useradd %u
>>>> add group script = /usr/sbin/groupadd %g
>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d
>>>> /var/lib/samba -s /bin/false %u
>>>> delete user script = /usr/sbin/userdel %u
>>>> delete user from group script = /usr/sbin/deluser %u %g
>>>> delete group script = /usr/sbin/groupdel %g
>>>>
>>>> [homes]
>>>> comment = Home Directories
>>>> browseable = yes
>>>> read only = no
>>>> guest ok = yes
>>>> create mask = 0700
>>>> directory mask = 0700
>>>> valid users = %S
>>>> invalid users = root
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /usr/local/samba/lib/netlogon
>>>> guest ok = yes
>>>> writable = no
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /usr/spool/samba
>>>> browseable = no
>>>> guest ok = no
>>>> writable = no
>>>> printable = yes
>>>>
>>>>
>>>> Client smb.conf
>>>>
>>>> [global]
>>>> workgroup = fai
>>>> server string = %h server (Samba, Ubuntu)
>>>> wins server = 172.20.68.14
>>>> winbind separator = /
>>>> winbind use default domain = Yes
>>>> dns proxy = no
>>>> winbind uid = 10000-20000
>>>> winbind gid = 10000-20000
>>>> template shell = /bin/bash
>>>> allow trusted domains = yes
>>>> name resolve order = lmhosts host wins bcast
>>>> name resolve order = wins lmhosts host bcast
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> syslog = 0
>>>> panic action = /usr/share/samba/panic-action %d
>>>> security = domain
>>>> password server = 172.20.68.14
>>>> encrypt passwords = true
>>>> passdb backend = tdbsam
>>>> obey pam restrictions = yes
>>>> unix password sync = yes
>>>> passwd program = /usr/bin/passwd %u
>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>> pam password change = yes
>>>> map to guest = bad user
>>>> add user script = /usr/sbin/adduser --quiet --disabled-password
>>>> --gecos "" %u
>>>> add machine script = /usr/sbin/useradd -g machines -c "%u machine
>>>> account" -d /var/lib/samba -s /bin/false %u
>>>> add group script = /usr/sbin/addgroup --force-badname %g
>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>> template shell = /bin/bash
>>>> template homedir = /home/%U
>>>> usershare allow guests = yes
>>>>
>>>> #======================= Share Definitions ======================
>>>>
>>>> valid users = %S
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> browseable = no
>>>> path = /var/spool/samba
>>>> printable = yes
>>>> guest ok = no
>>>> read only = yes
>>>> create mask = 0700
>>>>
>>>> [print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/printers
>>>> browseable = yes
>>>> read only = yes
>>>> guest ok = no
>>>>
>>>> There are a few lines that are duplicated in each smb.conf.
>>>>
>>>> I take it that you only use the PDC for authentication and don't let the
>>>> users login.
>>>>
>>>> It has been some time since I set up and used a linux client with a PDC,
>>>> but I don't actually remember having all those passwd & script lines in
>>>> the client smb.conf.
>>>>
>>>> Do the users exist as unix users on both machines ?
>>>>
>>>> Rowland
>>>>
>>> No, the users are created on the debian pdc. That is the long number (as their username).
>>> Then the users can log in on a joined ubuntu computer in the classroom. It does not matter which one.
>>> The long number (as their username) comes from a smartcard.
>>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, I have problems.
>>> As I was debugging, I tried to su the user on a client machine, and got another user instead:
>>> root at blank005:~# su 59031614949
>>> 98121524292 at blank005:/root$
>>>
>>> I have never seen this.
>>> Is it a problem with long usernames and winbind?
>>>
>>>
>>>
>>>
>>>
>> Well, the portion of the logfile you posted is full of lines like this:
>>
>> Failed to find a Unix account for 92101633919
>>
>> OK, just what part of that line do you not understand ?? :-)
>>
>> You need a unix user for '92101633919'
>>
>> Rowland
>>
> Correct, but there was this user:
>
> on debian pdc:
> root at fai:~# cat /var/log/auth.log | grep 92101633919
> Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209
> Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse'
> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access'
>
OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd 92101633919' return anything ?

If they both are true, then you may have run into this bug:

https://bugzilla.samba.org/show_bug.cgi?id=11044

Rowland

On Wednesday 11 February 2015 20:18:57, Rowland Penny wrote:
> On 11/02/15 20:13, duportail wrote:
> > On Wednesday 11 February 2015 19:56:54, Rowland Penny wrote:
> >> On 11/02/15 19:25, duportail wrote:
> >>> On Wednesday 11 February 2015 19:09:48, Rowland Penny wrote:
> >>>> On 11/02/15 18:29, duportail wrote:
> >>>>> ( could not post complete reply, message too large?)
> >>>>>
> >>>>>
> >>>>> I think that's why I have a lot of black screens on the clients.
> >>>>> Here debian pdc smb.conf:
> >>>>> root at fai:~# cat /etc/samba/smb.conf
> >>>>> # This is the main Samba configuration file. You should read the
> >>>>> # smb.conf(5) manual page in order to understand the options listed
> >>>>> # here. Samba has a huge number of configurable options (perhaps too
> >>>>> # many!) most of which are not shown in this example
> >>>>> #
> >>>>> # For a step to step guide on installing, configuring and using samba,
> >>>>> # read the Samba-HOWTO-Collection. This may be obtained from:
> >>>>> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> >>>>> #
> >>>>> # Many working examples of smb.conf files can be found in the
> >>>>> # Samba-Guide which is generated daily and can be downloaded from:
> >>>>> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> >>>>> #
> >>>>> # Any line which starts with a ; (semi-colon) or a # (hash)
> >>>>> # is a comment and is ignored. In this example we will use a #
> >>>>> # for commentry and a ; for parts of the config file that you
> >>>>> # may wish to enable
> >>>>> #
> >>>>> # NOTE: Whenever you modify this file you should run the command "testparm"
> >>>>> # to check that you have not made any basic syntactic errors.
> >>>>> # > >>>>> #======================= Global Settings ====================================> >>>>> [global] > >>>>> > >>>>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH > >>>>> workgroup = fai > >>>>> > >>>>> # server string is the equivalent of the NT Description field > >>>>> server string = Samba Server > >>>>> > >>>>> # Security mode. Defines in which mode Samba will operate. Possible > >>>>> # values are share, user, server, domain and ads. Most people will want > >>>>> # user level security. See the Samba-HOWTO-Collection for details. > >>>>> security = user > >>>>> > >>>>> # This option is important for security. It allows you to restrict > >>>>> # connections to machines which are on your local network. The > >>>>> # following example restricts access to two C class networks and > >>>>> # the "loopback" interface. For more examples of the syntax see > >>>>> # the smb.conf man page > >>>>> ; hosts allow = 192.168.1. 192.168.2. 127. > >>>>> > >>>>> # If you want to automatically load your printer list rather > >>>>> # than setting them up individually then you'll need this > >>>>> load printers = yes > >>>>> > >>>>> # you may wish to override the location of the printcap file > >>>>> ; printcap name = /etc/printcap > >>>>> > >>>>> # on SystemV system setting printcap name to lpstat should allow > >>>>> # you to automatically obtain a printer list from the SystemV spool > >>>>> # system > >>>>> ; printcap name = lpstat > >>>>> > >>>>> # It should not be necessary to specify the print system type unless > >>>>> # it is non-standard. 
Currently supported print systems include: > >>>>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx > >>>>> ; printing = cups > >>>>> > >>>>> # Uncomment this if you want a guest account, you must add this to /etc/passwd > >>>>> # otherwise the user "nobody" is used > >>>>> ; guest account = pcguest > >>>>> > >>>>> # this tells Samba to use a separate log file for each machine > >>>>> # that connects > >>>>> log file = /var/log/samba/log.%m > >>>>> > >>>>> # Put a capping on the size of the log files (in Kb). > >>>>> max log size = 50 > >>>>> > >>>>> # Use password server option only with security = server > >>>>> # The argument list may include: > >>>>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] > >>>>> # or to auto-locate the domain controller/s > >>>>> # password server = * > >>>>> ; password server = <NT-Server-Name> > >>>>> > >>>>> # Use the realm option only with security = ads > >>>>> # Specifies the Active Directory realm the host is part of > >>>>> ; realm = MY_REALM > >>>>> > >>>>> # Backend to store user information in. New installations should > >>>>> # use either tdbsam or ldapsam. smbpasswd is available for backwards > >>>>> # compatibility. tdbsam requires no further configuration. > >>>>> passdb backend = tdbsam > >>>>> > >>>>> # Using the following line enables you to customise your configuration > >>>>> # on a per machine basis. The %m gets replaced with the netbios name > >>>>> # of the machine that is connecting. > >>>>> # Note: Consider carefully the location in the configuration file of > >>>>> # this line. The included file is read at that point. > >>>>> ; include = /usr/local/samba/lib/smb.conf.%m > >>>>> > >>>>> # Configure Samba to use multiple interfaces > >>>>> # If you have multiple network interfaces then you must list them > >>>>> # here. See the man page for details. 
> >>>>> # interfaces = 192.168.12.2/24 192.168.5.2/24 > >>>>> > >>>>> # Browser Control Options: > >>>>> # set local master to no if you don't want Samba to become a master > >>>>> # browser on your network. Otherwise the normal election rules apply > >>>>> ; local master = no > >>>>> > >>>>> # OS Level determines the precedence of this server in master browser > >>>>> # elections. The default value should be reasonable > >>>>> ; os level = 33 > >>>>> > >>>>> # Domain Master specifies Samba to be the Domain Master Browser. This > >>>>> # allows Samba to collate browse lists between subnets. Don't use this > >>>>> # if you already have a Windows NT domain controller doing this job > >>>>> domain master = yes > >>>>> > >>>>> # Preferred Master causes Samba to force a local browser election on startup > >>>>> # and gives it a slightly higher chance of winning the election > >>>>> preferred master = yes > >>>>> > >>>>> # Enable this if you want Samba to be a domain logon server for > >>>>> # Windows95 workstations. 
> >>>>> domain logons = yes > >>>>> > >>>>> # if you enable domain logons then you may want a per-machine or > >>>>> # per user logon script > >>>>> # run a specific logon batch file per workstation (machine) > >>>>> logon script = %m.bat > >>>>> # run a specific logon batch file per username > >>>>> logon script = %U.bat > >>>>> > >>>>> # Where to store roving profiles (only for Win95 and WinNT) > >>>>> # %L substitutes for this servers netbios name, %U is username > >>>>> # You must uncomment the [Profiles] share below > >>>>> logon path = \\%L\Profiles\%U > >>>>> > >>>>> # Windows Internet Name Serving Support Section: > >>>>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server > >>>>> ; wins support = yes > >>>>> > >>>>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client > >>>>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both > >>>>> ; wins server = 192.168.5.1 > >>>>> > >>>>> # WINS Proxy - Tells Samba to answer name resolution queries on > >>>>> # behalf of a non WINS capable client, for this to work there must be > >>>>> # at least one WINS Server on the network. The default is NO. > >>>>> wins proxy = yes > >>>>> > >>>>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names > >>>>> # via DNS nslookups. The default is NO. 
> >>>>> dns proxy = no > >>>>> > >>>>> # These scripts are used on a domain controller or stand-alone > >>>>> # machine to add or delete corresponding unix accounts > >>>>> add user script = /usr/sbin/useradd %u > >>>>> add group script = /usr/sbin/groupadd %g > >>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u > >>>>> delete user script = /usr/sbin/userdel %u > >>>>> delete user from group script = /usr/sbin/deluser %u %g > >>>>> delete group script = /usr/sbin/groupdel %g > >>>>> > >>>>> > >>>>> #============================ Share Definitions =============================> >>>>> [homes] > >>>>> comment = Home Directories > >>>>> browseable = yes > >>>>> read only = no > >>>>> guest ok = yes > >>>>> create mask = 0700 > >>>>> directory mask = 0700 > >>>>> valid users = %S > >>>>> invalid users = root > >>>>> # Un-comment the following and create the netlogon directory for Domain Logons > >>>>> [netlogon] > >>>>> comment = Network Logon Service > >>>>> path = /usr/local/samba/lib/netlogon > >>>>> guest ok = yes > >>>>> writable = no > >>>>> #share modes = yes > >>>>> > >>>>> > >>>>> # Un-comment the following to provide a specific roving profile share > >>>>> # the default is to use the user's home directory > >>>>> ;[Profiles] > >>>>> ; path = /usr/local/samba/profiles > >>>>> ; browseable = no > >>>>> ; guest ok = yes > >>>>> > >>>>> > >>>>> # NOTE: If you have a BSD-style print system there is no need to > >>>>> # specifically define each individual printer > >>>>> [printers] > >>>>> comment = All Printers > >>>>> path = /usr/spool/samba > >>>>> browseable = no > >>>>> # Set public = yes to allow user 'guest account' to print > >>>>> guest ok = no > >>>>> writable = no > >>>>> printable = yes > >>>>> > >>>>> # This one is useful for people to share files > >>>>> ;[tmp] > >>>>> ; comment = Temporary file space > >>>>> ; path = /tmp > >>>>> ; read only = no > >>>>> ; public = yes > >>>>> > >>>>> # A publicly 
accessible directory, but read only, except for people in > >>>>> # the "staff" group > >>>>> ;[public] > >>>>> ; comment = Public Stuff > >>>>> ; path = /home/samba > >>>>> ; public = yes > >>>>> ; writable = no > >>>>> ; printable = no > >>>>> ; write list = @staff > >>>>> > >>>>> # Other examples. > >>>>> # > >>>>> # A private printer, usable only by fred. Spool data will be placed in fred's > >>>>> # home directory. Note that fred must have write access to the spool directory, > >>>>> # wherever it is. > >>>>> ;[fredsprn] > >>>>> ; comment = Fred's Printer > >>>>> ; valid users = fred > >>>>> ; path = /homes/fred > >>>>> ; printer = freds_printer > >>>>> ; public = no > >>>>> ; writable = no > >>>>> ; printable = yes > >>>>> > >>>>> # A private directory, usable only by fred. Note that fred requires write > >>>>> # access to the directory. > >>>>> ;[fredsdir] > >>>>> ; comment = Fred's Service > >>>>> ; path = /usr/somewhere/private > >>>>> ; valid users = fred > >>>>> ; public = no > >>>>> ; writable = yes > >>>>> ; printable = no > >>>>> > >>>>> # a service which has a different directory for each machine that connects > >>>>> # this allows you to tailor configurations to incoming machines. You could > >>>>> # also use the %U option to tailor it by user name. > >>>>> # The %m gets replaced with the machine name that is connecting. > >>>>> ;[pchome] > >>>>> ; comment = PC Directories > >>>>> ; path = /usr/pc/%m > >>>>> ; public = no > >>>>> ; writable = yes > >>>>> > >>>>> # A publicly accessible directory, read/write to all users. Note that all files > >>>>> # created in the directory by users will be owned by the default user, so > >>>>> # any user with access can delete any other user's files. Obviously this > >>>>> # directory must be writable by the default user. Another user could of course > >>>>> # be specified, in which case all files would be owned by that user instead. 
> >>>>> ;[public] > >>>>> ; path = /usr/somewhere/else/public > >>>>> ; public = yes > >>>>> ; only guest = yes > >>>>> ; writable = yes > >>>>> ; printable = no > >>>>> > >>>>> # The following two entries demonstrate how to share a directory so that two > >>>>> # users can place files there that will be owned by the specific users. In this > >>>>> # setup, the directory should be writable by both users and should have the > >>>>> # sticky bit set on it to prevent abuse. Obviously this could be extended to > >>>>> # as many users as required. > >>>>> ;[myshare] > >>>>> ; comment = Mary's and Fred's stuff > >>>>> ; path = /usr/somewhere/shared > >>>>> ; valid users = mary fred > >>>>> ; public = no > >>>>> ; writable = yes > >>>>> ; printable = no > >>>>> ; create mask = 0765 > >>>>> > >>>>> > >>>> OK, after wading through the commented lines, I end up with: > >>>> > >>>> PDC smb.conf: > >>>> > >>>> [global] > >>>> workgroup = fai > >>>> server string = Samba Server > >>>> security = user > >>>> load printers = yes > >>>> log file = /var/log/samba/log.%m > >>>> max log size = 50 > >>>> passdb backend = tdbsam > >>>> domain master = yes > >>>> preferred master = yes > >>>> domain logons = yes > >>>> logon script = %m.bat > >>>> logon script = %U.bat > >>>> logon path = \\%L\Profiles\%U > >>>> wins proxy = yes > >>>> dns proxy = no > >>>> add user script = /usr/sbin/useradd %u > >>>> add group script = /usr/sbin/groupadd %g > >>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d > >>>> /var/lib/samba -s /bin/false %u > >>>> delete user script = /usr/sbin/userdel %u > >>>> delete user from group script = /usr/sbin/deluser %u %g > >>>> delete group script = /usr/sbin/groupdel %g > >>>> > >>>> [homes] > >>>> comment = Home Directories > >>>> browseable = yes > >>>> read only = no > >>>> guest ok = yes > >>>> create mask = 0700 > >>>> directory mask = 0700 > >>>> valid users = %S > >>>> invalid users = root > >>>> > >>>> [netlogon] > >>>> comment = 
Network Logon Service > >>>> path = /usr/local/samba/lib/netlogon > >>>> guest ok = yes > >>>> writable = no > >>>> > >>>> [printers] > >>>> comment = All Printers > >>>> path = /usr/spool/samba > >>>> browseable = no > >>>> guest ok = no > >>>> writable = no > >>>> printable = yes > >>>> > >>>> > >>>> Client smb.conf > >>>> > >>>> [global] > >>>> workgroup = fai > >>>> server string = %h server (Samba, Ubuntu) > >>>> wins server = 172.20.68.14 > >>>> winbind separator = / > >>>> winbind use default domain = Yes > >>>> dns proxy = no > >>>> winbind uid = 10000-20000 > >>>> winbind gid = 10000-20000 > >>>> template shell = /bin/bash > >>>> allow trusted domains = yes > >>>> name resolve order = lmhosts host wins bcast > >>>> name resolve order = wins lmhosts host bcast > >>>> log file = /var/log/samba/log.%m > >>>> max log size = 1000 > >>>> syslog = 0 > >>>> panic action = /usr/share/samba/panic-action %d > >>>> security = domain > >>>> password server = 172.20.68.14 > >>>> encrypt passwords = true > >>>> passdb backend = tdbsam > >>>> obey pam restrictions = yes > >>>> unix password sync = yes > >>>> passwd program = /usr/bin/passwd %u > >>>> passwd chat = *Enter\snew\s*\spassword:* %n\n > >>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
> >>>> pam password change = yes > >>>> map to guest = bad user > >>>> add user script = /usr/sbin/adduser --quiet --disabled-password > >>>> --gecos "" %u > >>>> add machine script = /usr/sbin/useradd -g machines -c "%u machine > >>>> account" -d /var/lib/samba -s /bin/false %u > >>>> add group script = /usr/sbin/addgroup --force-badname %g > >>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > >>>> template shell = /bin/bash > >>>> template homedir = /home/%U > >>>> usershare allow guests = yes > >>>> > >>>> #======================= Share Definitions ======================> >>>> > >>>> valid users = %S > >>>> > >>>> [printers] > >>>> comment = All Printers > >>>> browseable = no > >>>> path = /var/spool/samba > >>>> printable = yes > >>>> guest ok = no > >>>> read only = yes > >>>> create mask = 0700 > >>>> > >>>> [print$] > >>>> comment = Printer Drivers > >>>> path = /var/lib/samba/printers > >>>> browseable = yes > >>>> read only = yes > >>>> guest ok = no > >>>> > >>>> There are a few lines that are duplicated in each smb.conf. > >>>> > >>>> I take it that you only use the PDC for authentication and don't let the > >>>> users login. > >>>> > >>>> It has been sometime since I setup and used a linux client with a PDC, > >>>> but I don't actually remember having all those passwd & script lines in > >>>> the client smb.conf. > >>>> > >>>> Do the users exist as unix users on both machines ? > >>>> > >>>> Rowland > >>>> > >>> No, the users are created on the debian pdc. that is the long number (as their username). > >>> Than the users can login on a joined ubuntu computer in the classroom. It does not matter which one. > >>> The long number (as their username) comes from a smartcard). > >>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, i have problems. 
> >>> As I was debugging, i tried to su the user on a client machine, and got another user instead: > >>> root at blank005:~# su 59031614949 > >>> 98121524292 at blank005:/root$ > >>> > >>> I never seen this . > >>> Is it a problem with long usernames and winbind? > >>> > >>> > >>> > >>> > >>> > >> Well, the portion of the logfile you posted is full of lines like this: > >> > >> Failed to find a Unix account for 92101633919 > >> > >> OK, just what part of that line do you not understand ?? :-) > >> > >> You need a unix user for '92101633919' > >> > >> Rowland > >> > > Correct, but there was this user: > > > > on debian pdc: > > root at fai:~# cat /var/log/auth.log | grep 92101633919 > > Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209 > > Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse' > > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access' > > > > 
> OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd
> 92101633919' return anything ?
>
> If they both are true, then you may have run into this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=11044
>
> Rowland
>
>
>

no, getent passwd 92101633919 gave nothing.
It's debian wheezy with:
root at fai:~# smbd --version
Version 3.6.6

part of the script that creates the user:
script to extract username from eid smartcard:
beid-tool -a -w wait
username=`eidenv --exec /usr/local/sbin/eid.sh |tr '[A-Z]' '[a-z]' | sed 's/ //g'| sed 's/[???]/a/g; s/[???]/A/g; s/[????]/e/g; s/[????]/E/g; s/[??]/i/g; s/[??]/$
pass=`cat /dev/urandom| tr -dc a-z | head -c4`
password=`cat /dev/urandom| tr -dc a-z | head -c4`
surftijd=60

goes to another script:
/usr/local/sbin/addunixsambaeid.sh $username $password $surftijd

part of that script to create user:
if [ $(id -u) -eq 0 ]; then
    username=$1
    password=$2
    surftijd=$3
    if getent passwd | grep -w "$username"
    then
        zenity --warning --text="gebruiker bestaat al"
        exit 0
    else
        pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
        /usr/sbin/useradd -m -p $pass $username
        (echo $password; echo $password ) | smbpasswd -s -a $username
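
Added example, not part of the original messages: the existence test in the posted script (`getent passwd | grep -w "$username"`) matches the name as a word anywhere on a passwd line, and getent(1) passes an all-numeric key to getpwuid(3) rather than getpwnam(3), so neither lookup is a reliable login-name test for all-digit usernames like the ones in this thread. The sketch compares the word match with an exact match on field 1; the function names and the sample passwd lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: login-name existence checks when usernames are all digits.
# SAMPLE_PASSWD is constructed data in passwd(5) format, not taken from the
# systems discussed in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
92101633919:x:1209:1209::/home/92101633919:/bin/sh
kiosk:x:1300:1300:spare card 59031614949:/home/kiosk:/bin/sh'

# Check as written in the posted script: a word match anywhere on the line,
# so a UID, GID, GECOS text or home-directory component also counts as a hit.
# Reads passwd-format lines from stdin.
exists_grep_w() {
    grep -qw -- "$1"
}

# Exact string match on field 1 (the login name) only.
# Reads passwd-format lines from stdin.
exists_exact() {
    while IFS=: read -r name _rest; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# True when the name is non-empty and consists only of digits. getent(1)
# hands such a key to getpwuid(3), so "getent passwd NAME" is a UID lookup
# for these names, not a login-name lookup.
is_all_digits() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo helper: run one of the checks against the constructed sample.
check() {
    printf '%s\n' "$SAMPLE_PASSWD" | "$@"
}

# Side-by-side result for an existing login, a number that is only a UID/GID,
# and a number that only appears in a GECOS field.
for n in 92101633919 1209 59031614949; do
    check exists_grep_w "$n" && g=hit || g=miss
    check exists_exact "$n" && e=hit || e=miss
    printf '%-12s grep -w: %-4s exact: %s\n' "$n" "$g" "$e"
done
```

On a live system the exact check would be fed the enumeration, as in `getent passwd | exists_exact "$username"`.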
On Wednesday 11 February 2015 20:18:57, Rowland Penny wrote:
> On 11/02/15 20:13, duportail wrote:
> > On Wednesday 11 February 2015 19:56:54, Rowland Penny wrote:
> >> On 11/02/15 19:25, duportail wrote:
> >>> On Wednesday 11 February 2015 19:09:48, Rowland Penny wrote:
> >>>> On 11/02/15 18:29, duportail wrote:
> >>>>> ( could not post complete reply, message too large?)
> >>>>>
> >>>>>
> >>>>> I think that's why I have a lot of black screens on the clients.
> >>>>> Here debian pdc smb.conf:
> >>>>> root at fai:~# cat /etc/samba/smb.conf
> >>>>> # This is the main Samba configuration file. You should read the
> >>>>> # smb.conf(5) manual page in order to understand the options listed
> >>>>> # here. Samba has a huge number of configurable options (perhaps too
> >>>>> # many!) most of which are not shown in this example
> >>>>> #
> >>>>> # For a step to step guide on installing, configuring and using samba,
> >>>>> # read the Samba-HOWTO-Collection. This may be obtained from:
> >>>>> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> >>>>> #
> >>>>> # Many working examples of smb.conf files can be found in the
> >>>>> # Samba-Guide which is generated daily and can be downloaded from:
> >>>>> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> >>>>> #
> >>>>> # Any line which starts with a ; (semi-colon) or a # (hash)
> >>>>> # is a comment and is ignored. In this example we will use a #
> >>>>> # for commentry and a ; for parts of the config file that you
> >>>>> # may wish to enable
> >>>>> #
> >>>>> # NOTE: Whenever you modify this file you should run the command "testparm"
> >>>>> # to check that you have not made any basic syntactic errors.
> >>>>> # > >>>>> #======================= Global Settings ====================================> >>>>> [global] > >>>>> > >>>>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH > >>>>> workgroup = fai > >>>>> > >>>>> # server string is the equivalent of the NT Description field > >>>>> server string = Samba Server > >>>>> > >>>>> # Security mode. Defines in which mode Samba will operate. Possible > >>>>> # values are share, user, server, domain and ads. Most people will want > >>>>> # user level security. See the Samba-HOWTO-Collection for details. > >>>>> security = user > >>>>> > >>>>> # This option is important for security. It allows you to restrict > >>>>> # connections to machines which are on your local network. The > >>>>> # following example restricts access to two C class networks and > >>>>> # the "loopback" interface. For more examples of the syntax see > >>>>> # the smb.conf man page > >>>>> ; hosts allow = 192.168.1. 192.168.2. 127. > >>>>> > >>>>> # If you want to automatically load your printer list rather > >>>>> # than setting them up individually then you'll need this > >>>>> load printers = yes > >>>>> > >>>>> # you may wish to override the location of the printcap file > >>>>> ; printcap name = /etc/printcap > >>>>> > >>>>> # on SystemV system setting printcap name to lpstat should allow > >>>>> # you to automatically obtain a printer list from the SystemV spool > >>>>> # system > >>>>> ; printcap name = lpstat > >>>>> > >>>>> # It should not be necessary to specify the print system type unless > >>>>> # it is non-standard. 
Currently supported print systems include: > >>>>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx > >>>>> ; printing = cups > >>>>> > >>>>> # Uncomment this if you want a guest account, you must add this to /etc/passwd > >>>>> # otherwise the user "nobody" is used > >>>>> ; guest account = pcguest > >>>>> > >>>>> # this tells Samba to use a separate log file for each machine > >>>>> # that connects > >>>>> log file = /var/log/samba/log.%m > >>>>> > >>>>> # Put a capping on the size of the log files (in Kb). > >>>>> max log size = 50 > >>>>> > >>>>> # Use password server option only with security = server > >>>>> # The argument list may include: > >>>>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name] > >>>>> # or to auto-locate the domain controller/s > >>>>> # password server = * > >>>>> ; password server = <NT-Server-Name> > >>>>> > >>>>> # Use the realm option only with security = ads > >>>>> # Specifies the Active Directory realm the host is part of > >>>>> ; realm = MY_REALM > >>>>> > >>>>> # Backend to store user information in. New installations should > >>>>> # use either tdbsam or ldapsam. smbpasswd is available for backwards > >>>>> # compatibility. tdbsam requires no further configuration. > >>>>> passdb backend = tdbsam > >>>>> > >>>>> # Using the following line enables you to customise your configuration > >>>>> # on a per machine basis. The %m gets replaced with the netbios name > >>>>> # of the machine that is connecting. > >>>>> # Note: Consider carefully the location in the configuration file of > >>>>> # this line. The included file is read at that point. > >>>>> ; include = /usr/local/samba/lib/smb.conf.%m > >>>>> > >>>>> # Configure Samba to use multiple interfaces > >>>>> # If you have multiple network interfaces then you must list them > >>>>> # here. See the man page for details. 
> >>>>> # interfaces = 192.168.12.2/24 192.168.5.2/24 > >>>>> > >>>>> # Browser Control Options: > >>>>> # set local master to no if you don't want Samba to become a master > >>>>> # browser on your network. Otherwise the normal election rules apply > >>>>> ; local master = no > >>>>> > >>>>> # OS Level determines the precedence of this server in master browser > >>>>> # elections. The default value should be reasonable > >>>>> ; os level = 33 > >>>>> > >>>>> # Domain Master specifies Samba to be the Domain Master Browser. This > >>>>> # allows Samba to collate browse lists between subnets. Don't use this > >>>>> # if you already have a Windows NT domain controller doing this job > >>>>> domain master = yes > >>>>> > >>>>> # Preferred Master causes Samba to force a local browser election on startup > >>>>> # and gives it a slightly higher chance of winning the election > >>>>> preferred master = yes > >>>>> > >>>>> # Enable this if you want Samba to be a domain logon server for > >>>>> # Windows95 workstations. 
> >>>>> domain logons = yes > >>>>> > >>>>> # if you enable domain logons then you may want a per-machine or > >>>>> # per user logon script > >>>>> # run a specific logon batch file per workstation (machine) > >>>>> logon script = %m.bat > >>>>> # run a specific logon batch file per username > >>>>> logon script = %U.bat > >>>>> > >>>>> # Where to store roving profiles (only for Win95 and WinNT) > >>>>> # %L substitutes for this servers netbios name, %U is username > >>>>> # You must uncomment the [Profiles] share below > >>>>> logon path = \\%L\Profiles\%U > >>>>> > >>>>> # Windows Internet Name Serving Support Section: > >>>>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server > >>>>> ; wins support = yes > >>>>> > >>>>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client > >>>>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both > >>>>> ; wins server = 192.168.5.1 > >>>>> > >>>>> # WINS Proxy - Tells Samba to answer name resolution queries on > >>>>> # behalf of a non WINS capable client, for this to work there must be > >>>>> # at least one WINS Server on the network. The default is NO. > >>>>> wins proxy = yes > >>>>> > >>>>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names > >>>>> # via DNS nslookups. The default is NO. 
> >>>>> dns proxy = no
> >>>>>
> >>>>> # These scripts are used on a domain controller or stand-alone
> >>>>> # machine to add or delete corresponding unix accounts
> >>>>> add user script = /usr/sbin/useradd %u
> >>>>> add group script = /usr/sbin/groupadd %g
> >>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
> >>>>> delete user script = /usr/sbin/userdel %u
> >>>>> delete user from group script = /usr/sbin/deluser %u %g
> >>>>> delete group script = /usr/sbin/groupdel %g
> >>>>>
> >>>>>
> >>>>> #============================ Share Definitions =============================
> >>>>> [homes]
> >>>>> comment = Home Directories
> >>>>> browseable = yes
> >>>>> read only = no
> >>>>> guest ok = yes
> >>>>> create mask = 0700
> >>>>> directory mask = 0700
> >>>>> valid users = %S
> >>>>> invalid users = root
> >>>>> # Un-comment the following and create the netlogon directory for Domain Logons
> >>>>> [netlogon]
> >>>>> comment = Network Logon Service
> >>>>> path = /usr/local/samba/lib/netlogon
> >>>>> guest ok = yes
> >>>>> writable = no
> >>>>> #share modes = yes
> >>>>>
> >>>>>
> >>>>> # Un-comment the following to provide a specific roving profile share
> >>>>> # the default is to use the user's home directory
> >>>>> ;[Profiles]
> >>>>> ; path = /usr/local/samba/profiles
> >>>>> ; browseable = no
> >>>>> ; guest ok = yes
> >>>>>
> >>>>>
> >>>>> # NOTE: If you have a BSD-style print system there is no need to
> >>>>> # specifically define each individual printer
> >>>>> [printers]
> >>>>> comment = All Printers
> >>>>> path = /usr/spool/samba
> >>>>> browseable = no
> >>>>> # Set public = yes to allow user 'guest account' to print
> >>>>> guest ok = no
> >>>>> writable = no
> >>>>> printable = yes
> >>>>>
> >>>>> # This one is useful for people to share files
> >>>>> ;[tmp]
> >>>>> ; comment = Temporary file space
> >>>>> ; path = /tmp
> >>>>> ; read only = no
> >>>>> ; public = yes
> >>>>>
> >>>>> # A publicly accessible directory, but read only, except for people in
> >>>>> # the "staff" group
> >>>>> ;[public]
> >>>>> ; comment = Public Stuff
> >>>>> ; path = /home/samba
> >>>>> ; public = yes
> >>>>> ; writable = no
> >>>>> ; printable = no
> >>>>> ; write list = @staff
> >>>>>
> >>>>> # Other examples.
> >>>>> #
> >>>>> # A private printer, usable only by fred. Spool data will be placed in fred's
> >>>>> # home directory. Note that fred must have write access to the spool directory,
> >>>>> # wherever it is.
> >>>>> ;[fredsprn]
> >>>>> ; comment = Fred's Printer
> >>>>> ; valid users = fred
> >>>>> ; path = /homes/fred
> >>>>> ; printer = freds_printer
> >>>>> ; public = no
> >>>>> ; writable = no
> >>>>> ; printable = yes
> >>>>>
> >>>>> # A private directory, usable only by fred. Note that fred requires write
> >>>>> # access to the directory.
> >>>>> ;[fredsdir]
> >>>>> ; comment = Fred's Service
> >>>>> ; path = /usr/somewhere/private
> >>>>> ; valid users = fred
> >>>>> ; public = no
> >>>>> ; writable = yes
> >>>>> ; printable = no
> >>>>>
> >>>>> # a service which has a different directory for each machine that connects
> >>>>> # this allows you to tailor configurations to incoming machines. You could
> >>>>> # also use the %U option to tailor it by user name.
> >>>>> # The %m gets replaced with the machine name that is connecting.
> >>>>> ;[pchome]
> >>>>> ; comment = PC Directories
> >>>>> ; path = /usr/pc/%m
> >>>>> ; public = no
> >>>>> ; writable = yes
> >>>>>
> >>>>> # A publicly accessible directory, read/write to all users. Note that all files
> >>>>> # created in the directory by users will be owned by the default user, so
> >>>>> # any user with access can delete any other user's files. Obviously this
> >>>>> # directory must be writable by the default user. Another user could of course
> >>>>> # be specified, in which case all files would be owned by that user instead.
> >>>>> ;[public]
> >>>>> ; path = /usr/somewhere/else/public
> >>>>> ; public = yes
> >>>>> ; only guest = yes
> >>>>> ; writable = yes
> >>>>> ; printable = no
> >>>>>
> >>>>> # The following two entries demonstrate how to share a directory so that two
> >>>>> # users can place files there that will be owned by the specific users. In this
> >>>>> # setup, the directory should be writable by both users and should have the
> >>>>> # sticky bit set on it to prevent abuse. Obviously this could be extended to
> >>>>> # as many users as required.
> >>>>> ;[myshare]
> >>>>> ; comment = Mary's and Fred's stuff
> >>>>> ; path = /usr/somewhere/shared
> >>>>> ; valid users = mary fred
> >>>>> ; public = no
> >>>>> ; writable = yes
> >>>>> ; printable = no
> >>>>> ; create mask = 0765
> >>>>>
> >>>>>
> >>>> OK, after wading through the commented lines, I end up with:
> >>>>
> >>>> PDC smb.conf:
> >>>>
> >>>> [global]
> >>>> workgroup = fai
> >>>> server string = Samba Server
> >>>> security = user
> >>>> load printers = yes
> >>>> log file = /var/log/samba/log.%m
> >>>> max log size = 50
> >>>> passdb backend = tdbsam
> >>>> domain master = yes
> >>>> preferred master = yes
> >>>> domain logons = yes
> >>>> logon script = %m.bat
> >>>> logon script = %U.bat
> >>>> logon path = \\%L\Profiles\%U
> >>>> wins proxy = yes
> >>>> dns proxy = no
> >>>> add user script = /usr/sbin/useradd %u
> >>>> add group script = /usr/sbin/groupadd %g
> >>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d
> >>>> /var/lib/samba -s /bin/false %u
> >>>> delete user script = /usr/sbin/userdel %u
> >>>> delete user from group script = /usr/sbin/deluser %u %g
> >>>> delete group script = /usr/sbin/groupdel %g
> >>>>
> >>>> [homes]
> >>>> comment = Home Directories
> >>>> browseable = yes
> >>>> read only = no
> >>>> guest ok = yes
> >>>> create mask = 0700
> >>>> directory mask = 0700
> >>>> valid users = %S
> >>>> invalid users = root
> >>>>
> >>>> [netlogon]
> >>>> comment = Network Logon Service
> >>>> path = /usr/local/samba/lib/netlogon
> >>>> guest ok = yes
> >>>> writable = no
> >>>>
> >>>> [printers]
> >>>> comment = All Printers
> >>>> path = /usr/spool/samba
> >>>> browseable = no
> >>>> guest ok = no
> >>>> writable = no
> >>>> printable = yes
> >>>>
> >>>>
> >>>> Client smb.conf
> >>>>
> >>>> [global]
> >>>> workgroup = fai
> >>>> server string = %h server (Samba, Ubuntu)
> >>>> wins server = 172.20.68.14
> >>>> winbind separator = /
> >>>> winbind use default domain = Yes
> >>>> dns proxy = no
> >>>> winbind uid = 10000-20000
> >>>> winbind gid = 10000-20000
> >>>> template shell = /bin/bash
> >>>> allow trusted domains = yes
> >>>> name resolve order = lmhosts host wins bcast
> >>>> name resolve order = wins lmhosts host bcast
> >>>> log file = /var/log/samba/log.%m
> >>>> max log size = 1000
> >>>> syslog = 0
> >>>> panic action = /usr/share/samba/panic-action %d
> >>>> security = domain
> >>>> password server = 172.20.68.14
> >>>> encrypt passwords = true
> >>>> passdb backend = tdbsam
> >>>> obey pam restrictions = yes
> >>>> unix password sync = yes
> >>>> passwd program = /usr/bin/passwd %u
> >>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
> >>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>>> pam password change = yes
> >>>> map to guest = bad user
> >>>> add user script = /usr/sbin/adduser --quiet --disabled-password
> >>>> --gecos "" %u
> >>>> add machine script = /usr/sbin/useradd -g machines -c "%u machine
> >>>> account" -d /var/lib/samba -s /bin/false %u
> >>>> add group script = /usr/sbin/addgroup --force-badname %g
> >>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>>> template shell = /bin/bash
> >>>> template homedir = /home/%U
> >>>> usershare allow guests = yes
> >>>>
> >>>> #======================= Share Definitions ======================
> >>>>
> >>>> valid users = %S
> >>>>
> >>>> [printers]
> >>>> comment = All Printers
> >>>> browseable = no
> >>>> path = /var/spool/samba
> >>>> printable = yes
> >>>> guest ok = no
> >>>> read only = yes
> >>>> create mask = 0700
> >>>>
> >>>> [print$]
> >>>> comment = Printer Drivers
> >>>> path = /var/lib/samba/printers
> >>>> browseable = yes
> >>>> read only = yes
> >>>> guest ok = no
> >>>>
> >>>> There are a few lines that are duplicated in each smb.conf.
> >>>>
> >>>> I take it that you only use the PDC for authentication and don't let the
> >>>> users log in.
> >>>>
> >>>> It has been some time since I set up and used a linux client with a PDC,
> >>>> but I don't actually remember having all those passwd & script lines in
> >>>> the client smb.conf.
> >>>>
> >>>> Do the users exist as unix users on both machines?
> >>>>
> >>>> Rowland
> >>>>
> >>> No, the users are created on the debian pdc. That is the long number (as their username).
> >>> Then the users can log in on a joined ubuntu computer in the classroom. It does not matter which one.
> >>> The long number (as their username) comes from a smartcard.
> >>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, I have problems.
> >>> As I was debugging, I tried to su the user on a client machine, and got another user instead:
> >>> root@blank005:~# su 59031614949
> >>> 98121524292@blank005:/root$
> >>>
> >>> I have never seen this.
> >>> Is it a problem with long usernames and winbind?
> >>>
> >>>
> >>>
> >>>
> >>>
> >> Well, the portion of the logfile you posted is full of lines like this:
> >>
> >> Failed to find a Unix account for 92101633919
> >>
> >> OK, just what part of that line do you not understand ?? :-)
> >>
> >> You need a unix user for '92101633919'
> >>
> >> Rowland
> >>
> > Correct, but there was this user:
> >
> > on debian pdc:
> > root@fai:~# cat /var/log/auth.log | grep 92101633919
> > Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209
> > Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access'
> >
>
> OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd
> 92101633919' return anything ?
>
> If they both are true, then you may have run into this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=11044
>
> Rowland
>
>
>
Ok, getent on another works ok, but not on a user with numbers:

root@fai:~# getent passwd ubu
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
root@fai:~# getent passwd 71101411853
root@fai:~#

part of /etc/passwd

ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
bind:x:111:120::/var/cache/bind:/bin/false
fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false
test:x:1002:1004::/home/test:/bin/sh
sshuser:x:1003:1005::/home/sshuser:/bin/sh
ubuntu8053$:x:1008:1003:Machine:/var/lib/samba:/bin/false
blank1$:x:1009:1003:Machine:/var/lib/samba:/bin/false
blank3$:x:1011:1003:Machine:/var/lib/samba:/bin/false
blank4$:x:1012:1003:Machine:/var/lib/samba:/bin/false
blank5$:x:1013:1003:Machine:/var/lib/samba:/bin/false
blank6$:x:1014:1003:Machine:/var/lib/samba:/bin/false
linux:x:1026:1026::/home/linux:/bin/sh
blank2$:x:1072:1003:blank2:/var/lib/nobody:/bin/false
blank004$:x:1092:1003:Machine:/var/lib/samba:/bin/false
blank001$:x:1093:1003:Machine:/var/lib/samba:/bin/false
blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false
blank002$:x:1095:1003:Machine:/var/lib/samba:/bin/false
blank003$:x:1096:1003:Machine:/var/lib/samba:/bin/false
blank006$:x:1097:1003:Machine:/var/lib/samba:/bin/false
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
blank0001$:x:1146:1003:Machine:/var/lib/samba:/bin/false

Could it be the 60 in the line:
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
I use this 60 to know on the client machines how long they can be logged in (so that will be 60 minutes).
I add this with:
chfn -f 60 $username
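
Background on the empty "getent passwd 71101411853" result in the message above, as an added example that is not part of the original thread: glibc's getent treats an all-digit key as a UID (getpwuid) rather than a login name (getpwnam), so a purely numeric login name is never looked up by name. The sketch below models that rule and audits a passwd file for such names; the function names are hypothetical, the 32-bit uid_t wrap is an assumption, and SAMPLE_PASSWD reuses two lines from the thread plus one constructed account.

```python
import re

DIGITS = re.compile(r"[0-9]+")
UID_MASK = 0xFFFFFFFF  # assumption: 32-bit uid_t, so larger numbers wrap

# First two lines are from the thread's /etc/passwd; the third is a
# constructed account whose login name equals ubu's UID.
SAMPLE_PASSWD = """\
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
1000:x:1200:1200::/home/1000:/bin/sh
"""

def parse_passwd(text):
    """Return (name, uid) pairs from passwd-format text, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and DIGITS.fullmatch(fields[2]):
            entries.append((fields[0], int(fields[2])))
    return entries

def lookup_like_getent(entries, key):
    """Model of `getent passwd KEY`: an all-digit KEY is looked up as a UID."""
    if DIGITS.fullmatch(key):
        uid = int(key) & UID_MASK
        return next((name for name, u in entries if u == uid), None)
    return next((name for name, _ in entries if name == key), None)

def audit_numeric_names(entries):
    """List all-digit login names with the account a UID-style lookup returns."""
    findings = []
    for name, uid in entries:
        if DIGITS.fullmatch(name):
            findings.append((name, uid, lookup_like_getent(entries, name)))
    return findings

if __name__ == "__main__":
    for name, uid, hit in audit_numeric_names(parse_passwd(SAMPLE_PASSWD)):
        outcome = "no entry" if hit is None else f"the entry for {hit!r}"
        print(f"login {name} (uid {uid}): lookup by that key returns {outcome}")
```

A finding whose lookup returns a different account is the case to fix first, because any tool that accepts either a name or a UID can then act on the wrong identity.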