Savage, Elijah
2002-Jun-25 13:43 UTC
[Samba] Samba PDC, Win9x, 2k, XP domain logon problem
I hope this doc below helps out. But from what I have seen it looks like you created the machines accounts but did not create the smbpasswd for the machine accounts. See docs below.

Machine accounts: the manual approach

As noted, Samba will not allow you to add an entry to the smbpasswd file (user or machine) unless there is an existing UNIX account for that user. So the first step is to create an entry for the client in /etc/passwd:

    [root@phoenix root]# /usr/sbin/useradd -g machines -d /dev/null -c "machine id" -s /bin/false machine_name$
    [root@phoenix root]# passwd -l machine_name$
    Changing password for user machine_name$
    Locking password for user machine_name$

The first command creates the user machine_name (don't forget the dollar-sign; it's required and identifies the entry as a trust account), as a member of the group machines (-g), with no home directory (-d /dev/null), a descriptive entry (-c; for example, "Tom's Notebook"), and no shell access (-s /bin/false). The second command creates a "secret" for the machine to authenticate against.

With the UNIX account created, we can now add the machine to /etc/samba/smbpasswd as shown below:

    [root@phoenix root]# smbpasswd -a -m machine_name
    Added user machine_name$

Two things to note in the above command: One, if you installed Samba under /usr/local/samba, you'll probably have to provide the complete path (i.e., /usr/local/samba/bin/smbpasswd). Two, when entering the machine_name, do not append a dollar-sign; it's not required with smbpasswd.

WARNING: Once a trust account has been created on the PDC, it's good policy to connect the client ASAP (which, in effect, changes the machine "password" and syncs the secret between the server and the client). Until the client formally connects to the PDC, the domain is vulnerable to another machine connecting with the same netbios name.

Machine accounts: an automated approach

The second approach to creating machine/trust account on the PDC is to allow Samba to create them as needed when the client first joins the domain. This little bit of magic is accomplished by adding an add user script option to smb.conf. This creates the UNIX trust account, and tells Samba to automatically create a corresponding entry in smbpasswd. The following is an example of an entry based on a Redhat distribution:

    [global]
    ...
    add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
    ...

The important thing to note in the above command is that the command to add users may vary across operating systems and/or distributions, so tweak accordingly.

-----Original Message-----
From: Daniel Fenwick [mailto:dfenwick@unr.edu]
Sent: Tuesday, June 25, 2002 4:01 PM
To: samba@lists.samba.org
Subject: [Samba] Samba PDC, Win9x, 2k, XP domain logon problem

I am running Redhat 6.2 on a Dell PowerEdge 4400 with the Perk 3di Raid controller. (That's why still 6.2). I currently have Samba 2.2.4 installed. The campus environment is such that my users are spread over 5 subnets, the server has NIC's on 3 of them. There are other departments also running work groups on the same subnets.

I have Windows 95, 98, ME, 2k and XP workstations on the network. Currently the W9x machines work fine. The 2k and XP machines can not log in. I can get them to connect to join the domain, intermittently, but can not log in once they are joined.

I just rejoined the domain and get the following log entries when I try joining (which win2k says was successful) and when I try to log in:

Joining:

    [2002/06/25 09:53:54, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(670)
      api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.
    [2002/06/25 09:54:08, 0] rpc_server/srv_netlog_nt.c:get_md4pw(188)
      get_md4pw: Workstation ed-test$: no account in domain

Trying to log in:

    [2002/06/25 09:56:49, 0] rpc_server/srv_netlog_nt.c:get_md4pw(188)
      get_md4pw: Workstation ed-test$: no account in domain

The smbpasswd entry for the machine is:

    ed-test$:9902:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[

This problem is becoming a major one. Any suggestions or ideas?

Thanks.

Dan
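
An added example, not part of the original thread or of the documentation quoted in it: a shell function that cross-checks machine trust accounts (names ending in `$`) between a passwd-format file and an smbpasswd-format file, the two places the message above says must both hold an entry. The sample file contents, the `ws-*` names and the finding labels are constructed for illustration; the UID-match and `W` flag checks follow the smbpasswd(5) file format.

```shell
#!/bin/sh
# Added example: report machine trust accounts that exist in only one of the
# two account files, whose UIDs disagree, or that lack the W (workstation
# trust) flag in smbpasswd.

audit_machine_accounts() {   # $1 = passwd-format file, $2 = smbpasswd-format file
    awk -F: '
        function is_machine(n) { return substr(n, length(n)) == "$" }
        # First file (passwd): remember the UNIX uid of every machine account.
        FNR == NR { if (is_machine($1)) unix_uid[$1] = $3; next }
        # Second file (smbpasswd): skip comments, short lines, user accounts.
        /^#/ || NF < 5 || !is_machine($1) { next }
        {
            seen[$1] = 1
            if (!($1 in unix_uid))               print "NO_UNIX_ACCOUNT " $1
            else if (unix_uid[$1] + 0 != $2 + 0) print "UID_MISMATCH " $1
            if (index($5, "W") == 0)             print "MISSING_W_FLAG " $1
        }
        END {
            for (n in unix_uid) if (!(n in seen)) print "NO_SMBPASSWD_ENTRY " n
        }
    ' "$1" "$2" | LC_ALL=C sort
}

demo() {   # constructed sample data; the hashes are placeholders
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ws-alpha$:x:9901:500:machine id:/dev/null:/bin/false
ws-bravo$:x:9902:500:machine id:/dev/null:/bin/false
ws-delta$:x:9904:500:machine id:/dev/null:/bin/false
ws-echo$:x:9905:500:machine id:/dev/null:/bin/false
EOF
    cat > "$d/smbpasswd" <<'EOF'
ws-alpha$:9901:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
ws-bravo$:9999:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
ws-charlie$:9903:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[W          ]:LCT-00000000:
ws-echo$:9905:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
EOF
    audit_machine_accounts "$d/passwd" "$d/smbpasswd"
    rm -rf "$d"
}

demo
```

On a PDC set up as in the quoted documentation, the inputs would be /etc/passwd and /etc/samba/smbpasswd, read as root.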
Daniel Fenwick
2002-Jun-25 16:38 UTC
[Samba] Samba PDC, Win9x, 2k, XP domain logon problem
> I hope this doc below helps out. But from what I have seen it looks like you
> created the machines accounts but did not create the smbpasswd for the
> machine accounts. See docs below

That worked great. Thank you.

Dan