James Kreuziger
2002-Apr-15 19:47 UTC
[Samba] ARGH!!! Samba and Re-installing Windows 2000
Ok, I'll try the questions again and hopefully get
some help.

Current setup:

Samba 2.2.3a running on Solaris 8 set up as a PDC.
Various systems running Windows 95/98/NT 4.0.
TRYING to add new Windows 2000 machines.

Problem is, when I add the new machines to the domain,
the group "DOMAIN\unix_group.2147483404" gets added to
both the Administrators group and Users group. So domain
users start with Administrator rights! If I remove
the "DOMAIN\unix_group.2147483404" group from the Administrators
group, it mucks things up bad enough to require a reinstall
of Win2k. I'd like to think that this is not a required
feature of using Samba with Win2k. I would like to restrict
users to the same rights as normal users, so I can lock down
who can install software on each individual machine. As it
stands now, I can't do that.

Now for the new part. I've managed to get Win2k re-installed,
and I'm still having problems. When I try to join the domain
is when I have problems. I'm successful in joining the domain,
but after reboot is when weird things happen. The
"DOMAIN\unix_group.2147483404" is back in the Administrators
group. Whoever logs into the domain through THIS SPECIFIC
MACHINE gets logged on, and all of the mapped shares show up
with the "red x" through them. This indicates that the shares
are not logged into. However, the shares can be accessed. If
I set log level = 3 (or greater) it shows a number of the following:

[2002/04/15 19:21:53, 4] smbd/password.c:password_ok(602)
  Null passwords not allowed.

Followed by:

[2002/04/15 19:21:53, 2] smbd/service.c:make_connection(328)
  Invalid username/password for share_name [samba]

These messages occur for each share I have, with the samba
user being my guest user. Funny thing, the samba (guest) user
can log in and the same messages appear. If I bump up the log level
high enough, I start getting the following:

[2002/04/12 17:07:40, 2] smbd/service.c:make_connection(328)
  Invalid username/password for share_name [samba]
[2002/04/12 17:07:40, 3] smbd/error.c:error_packet(103)
  error packet at smbd/reply.c(167) cmd=117 (SMBtconX)
  NT_STATUS_WRONG_PASSWORD

I have my logs set up by machine (log file
/samba/current/var/log.smbd.%m) and I don't see this in any other
log file. I've tried a number of things, including
dropping out of the domain and re-joining, and this still
occurs ONLY ON THIS ONE MACHINE!

I'm really pulling my hair out, because nothing seems to
work right. I might add that this is the only problem
that I have had with samba that I haven't been able to
get solved by reading the newsgroup or emailing someone.
So far, I've had nothing but good luck using samba.

I'm including the global section of my smb.conf, if it
helps.

Thanks,

-Jim

*************************************************
Jim Kreuziger
jkreuzig@uci.edu
*************************************************

# Global parameters
[global]
#       include = /samba/current/lib/smb.conf.%U
        workgroup = <DOMAIN>
        preexec = csh -c `echo /usr/local/samba/bin/smbclient \
                  -M %m -I %I` &
        server string = Samba %v on (%L)
        security = user
        domain logons = yes
        encrypt passwords = Yes
        password level = 3
        log level = 1
        log file = /samba/current/var/log.smbd.%m
        wins support = Yes
        name resolve order = wins hosts lmhosts bcast
        dns proxy = yes
        deadtime = 30
        keepalive = 120
        client code page = 437
        os level = 65
        preferred master = Yes
        domain master = Yes
        guest account = samba
        invalid users = root daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
#       invalid users = daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
        veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        getwd cache = yes
        logon script = %U.bat
        logon path = \\server\profile\%U
        remote announce = <IP ADDRESS>/<DOMAIN>
        utmp = True
#       utmp consolidate = yes
        username map = /samba/current/lib/usermap.txt
#       config file = /samba/current/lib/smb.conf.%U

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
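
The two-line smbd records quoted in the message above can be tallied per share and user to see which rejected tree connects coincide with a refused empty password. This is an added example, not part of the original thread or of Samba itself; the share names "docs" and "home", the user "jim" and the same-second pairing rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the two-line record layout quoted in the post;
# "docs", "home" and "jim" are made up, "samba" is the poster's guest account.
SAMPLE_LOG = """\
[2002/04/15 19:21:53, 4] smbd/password.c:password_ok(602)
  Null passwords not allowed.
[2002/04/15 19:21:53, 2] smbd/service.c:make_connection(328)
  Invalid username/password for docs [samba]
[2002/04/15 19:21:54, 4] smbd/password.c:password_ok(602)
  Null passwords not allowed.
[2002/04/15 19:21:54, 2] smbd/service.c:make_connection(328)
  Invalid username/password for home [samba]
[2002/04/15 19:22:10, 2] smbd/service.c:make_connection(328)
  Invalid username/password for home [jim]
"""

HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
REJECT = re.compile(r"Invalid username/password for (.+) \[([^\]]*)\]")

def parse_records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), m.group(4), ""]
        elif current is not None:
            # Continuation lines belong to the record opened by the last header.
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def summarize_rejections(text):
    """Count rejected tree connects per (share, user, cause)."""
    counts, null_pw_at = Counter(), None
    for ts, _level, func, msg in parse_records(text):
        if func == "password_ok" and "Null passwords not allowed" in msg:
            null_pw_at = ts  # an empty password was refused at this second
        elif func == "make_connection":
            hit = REJECT.search(msg)
            if hit:  # assumption: same timestamp means same connection attempt
                cause = "null-password" if null_pw_at == ts else "bad-credentials"
                counts[(hit.group(1), hit.group(2), cause)] += 1
    return counts
```

The password_ok records only appear at log level 4 or higher, so a log written at a lower level puts every rejection in the "bad-credentials" bucket.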
Don't know if this can solve your problem. The description I have found was for NT4; maybe it is the same problem with Windows 2000.

I hope this could solve your problem.

Greetings
Rafael

Support knowledgebase (samba_crypt)
Symptom:
> group. Whoever logs into the domain through THIS SPECIFIC
> MACHINE gets logged on, and all of the mapped shares show up
> with the "red x" through them. This indicates that the shares
> are not logged into. However, the shares can be accessed. If

Just an FYI: I've seen this "red X" occur on many different Windows machines connecting in a native Windows environment. I think it points to a problem in Windows' icon cache rather than any networking facility. In other words, if you can legitimately access the share, the icon is meaningless (in my experience).

Daemian Mack
Van Sickler, Jim
2002-Apr-16 08:07 UTC
[Samba] ARGH!!! Samba and Re-installing Windows 2000
> -----Original Message-----
> From: James Kreuziger [mailto:jkreuzig@massun.peds.mc.uci.edu]
> Sent: Monday, April 15, 2002 7:46 PM
> To: samba@lists.samba.org
> Subject: [Samba] ARGH!!! Samba and Re-installing Windows 2000
>
>
> Ok, I'll try the questions again and hopefully get
> some help.
>
> Current setup:
>
> Samba 2.2.3a running on Solaris 8 set up as a PDC.
> Various systems running Windows 95/98/NT 4.0.
> TRYING to add new Windows 2000 machines.
>
> Problem is, when I add the new machines to the domain,
> the group "DOMAIN\unix_group.2147483404" gets added to
> both the Administrators group and Users group. So domain
> users start with Administrator rights! If I remove
> the "DOMAIN\unix_group.2147483404" group from the Administrators
> group, it mucks things up bad enough to require a reinstall
> of Win2k. I'd like to think that this is not a required
> feature of using Samba with Win2k. I would like to restrict
> users to the same rights as normal users, so I can lock down
> who can install software on each individual machine. As it
> stands now, I can't do that.
>
> Now for the new part. I've managed to get Win2k re-installed,
> and I'm still having problems. When I try to join the domain
> is when I have problems. I'm successful in joining the domain,
> but after reboot is when weird things happen. The
> "DOMAIN\unix_group.2147483404" is back in the Administrators
> group. Whoever logs into the domain through THIS SPECIFIC
> MACHINE gets logged on, and all of the mapped shares show up
> with the "red x" through them. This indicates that the shares
> are not logged into. However, the shares can be accessed. If
> I set log level = 3 (or greater) it shows a number of the following:
>
> [2002/04/15 19:21:53, 4] smbd/password.c:password_ok(602)
>   Null passwords not allowed.
>
> Followed by:
>
> [2002/04/15 19:21:53, 2] smbd/service.c:make_connection(328)
>   Invalid username/password for share_name [samba]
>
> These messages occur for each share I have, with the samba
> user being my guest user. Funny thing, the samba (guest) user
> can log in and the same messages appear. If I bump up the log level
> high enough, I start getting the following:
>
> [2002/04/12 17:07:40, 2] smbd/service.c:make_connection(328)
>   Invalid username/password for share_name [samba]
> [2002/04/12 17:07:40, 3] smbd/error.c:error_packet(103)
>   error packet at smbd/reply.c(167) cmd=117 (SMBtconX)
>   NT_STATUS_WRONG_PASSWORD
>
> I have my logs set up by machine (log file
> /samba/current/var/log.smbd.%m) and I don't see this in any other
> log file. I've tried a number of things, including
> dropping out of the domain and re-joining, and this still
> occurs ONLY ON THIS ONE MACHINE!
>
> I'm really pulling my hair out, because nothing seems to
> work right. I might add that this is the only problem
> that I have had with samba that I haven't been able to
> get solved by reading the newsgroup or emailing someone.
> So far, I've had nothing but good luck using samba.
>
> I'm including the global section of my smb.conf, if it
> helps.
>
> Thanks,
>

Jim,

Did you run the Microsoft Personal Security Advisor (MPSA) on this machine? I seem to remember having problems with shares after setting RestrictAnonymous=2. Setting it to 1 fixed the issues.

RestrictAnonymous values and their basic effect:

0  None. Rely on default permissions
1  Do not allow enumeration of SAM accounts and names
2  No access without explicit anonymous permissions

The red X's are okay, I think; Win2k restores mapped drive links, but doesn't connect to them until you explicitly do so. This saves a lot of bandwidth by not handshaking idle mappings, and speeds up shutdown and sleeping by not having to handshake disconnections. It's actually a good thing, I think. Remember Win9x's hang on shutdown? That was due to mapped drive issues.

HTH

Jim