Torsten.Wally@mewa.de
2002-Aug-12 23:06 UTC
Re: [Samba] add user script going Horribly Wrong (tm)
(Oops! I forgot to send it to the list so everyone could laugh about it. Sorry, Vicky, for disturbing you directly.)

Good Morning, Vicky!

Seems your smb.conf is messed up a little.

As I can see you're using security = domain. With this configuration the smbpasswd file/feature isn't needed at all. Authentication is done encrypted with the domain user database, not with the smbpasswd file. The explanation of this parameter should make this more clear:

---
encrypt passwords (G)

This boolean controls whether encrypted passwords will be negotiated with the client. Note that Windows NT 4.0 SP3 and above and also Windows 98 will by default expect encrypted passwords unless a registry entry is changed. To use encrypted passwords in Samba see the file ENCRYPTION.txt in the Samba documentation directory docs/ shipped with the source code.

In order for encrypted passwords to work correctly smbd(8) must either have access to a local smbpasswd(5) [this is the one you're thinking you need] file (see the smbpasswd(8) program for information on how to set up and maintain this file), or set the security = [server|domain] [this is the way it's configured at your site] parameter which causes smbd to authenticate against another server.

Default: encrypt passwords = no
---

As long as the domain users you're automatically creating with your script don't need to log on to the Unix/Linux machine, you don't need "unix password sync", "passwd program" and "passwd chat". Maybe you don't even need to create those users automatically? Maybe a guest account or a simple user mapping to an existing Unix user would fulfill your needs? But if you want to create them (I expect you want to, because you're giving every user a home directory that is mapped), don't forget to deny access to Unix directly, if they do not need it.

But at this point, login should work anyway, apart from the misconfiguration. What exactly is the error message in the log files when a user tries to connect?
You should be aware that some Unix versions do not allow usernames longer than eight characters. Our AIX doesn't like it at all. But as the addition of users to the passwd file already works, this does not seem to affect you (or you simply have user names of at most eight characters).

I hope this helps you a little bit?!

Greetings from Germany!

-Torsten

=====================================
And the music's gonna make me fly   =
--- without fear and without pain   =
Meat Loaf - Heaven can wait
====================================>

> -----Original Message-----
> From: Vicky Clarke [mailto:vclarke@frontier.co.uk]
> Sent: Monday, 12 August 2002 18:04
> To: samba@lists.samba.org
> Subject: [Samba] add user script going Horribly Wrong (tm)
>
> Hi,
>
> I've tried to set up automated user addition and deletion on our Samba
> server, but something's going wrong. Users appear in /etc/passwd, but not
> in smbpasswd, so people are getting login errors and so on when they try to
> access the share. Have I missed a bit of config that's supposed to tell
> samba to set up smbpasswd's too? (smb.conf included below).
>
> Thanks!
> Vicky Clarke
>
> [global]
> workgroup = DOMAIN1
>
> # The following is excessively paranoid, but until a solid solution to the
> # network browsing and reliable mapping of network drives issue is arrived
> # at we'll leave it be.
>
> domain master = no
> local master = no
> preferred master = no
>
> browseable = yes
> os level = 2
> wins server = 172.17.1.2
> hosts allow = 172.17.1.2 172.17.3. 127.
> interfaces = 172.17.1.3/255.255.0.0
> encrypt passwords = yes
> guest account = Nobody
> map to guest = never
> add user script = /usr/sbin/useradd -d /share/pchomes/%u -m %u
> delete user script = /usr/sbin/userdel %u
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = "New password:*" %n\n "Re-enter new password:*" %n\n "Pas\
> sword changed*"
> passwd chat debug = yes
>
> # This tells samba to write log files per machine.
> log file = /var/log/samba/%m
> # This sets an alternate log level. Default is 2.
> log level = 8
>
> # Uncomment the following, if you want to use an existing NT-Server to
> # authenticate users, but don't forget that you also have to create them
> # locally!
> security = domain
> password server = 172.17.1.2
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>
> local master = No
>
> interfaces = lo eth0
>
> wins support = no
> # 'yes' doesn't work; 'no' does work
>
> wins server = 172.17.1.2
>
> character set = ISO8859-15
> client code page = 850
>
> veto files = /*.eml/*.nws/riched20.dll/*.{*}/
>
> [vicky]
> comment = Linux home directory for Vicky
> browseable = no
> valid users = vclarke root Administrator
> path = /home/vclarke
> read only = no
> create mask = 0600
> directory mask = 0700
>
> [homes]
> comment = User home directory
> path = /share/pchomes/%S
> read only = No
> create mask = 0640
> directory mask = 0750
> browseable = No
> writeable = yes
> # nt acl support = yes
>
> # Create a general-purpose shared directory everyone can use
>
> [art]
> comment = Art directories
> path = /share/art
> writeable = yes
> create mask = 0666
> directory mask = 0775
> nt acl support = yes
> admin users = arcserve
> mangled names = yes
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
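A small smb.conf linter for the two points raised in the reply above. This is an added example, not code from the thread or from Samba, and the config text is a constructed excerpt modelled on the posted [global] section: it reports parameters assigned more than once in [global], and the local-password settings ("unix password sync", "passwd program", "passwd chat") that are not needed once security = domain delegates authentication to the PDC.

```python
import re
from collections import defaultdict

# Constructed fixture modelled on the [global] section posted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   security = domain
   password server = 172.17.1.2
   local master = no
   interfaces = 172.17.1.3/255.255.0.0
   local master = No
   interfaces = lo eth0
"""

# smbd's own password handling; not needed once authentication is delegated.
LOCAL_PASSWD_PARAMS = ("unix password sync", "passwd program", "passwd chat")


def parse_smb_conf(text):
    """Return {section: {key: [values]}}, keeping every repeated assignment."""
    sections = defaultdict(lambda: defaultdict(list))
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:  # smb.conf parameter names are case-insensitive
            sections[current][key.strip().lower()].append(value.strip())
    return sections


def lint_smb_conf(text):
    """Flag duplicate [global] parameters and password settings unused with security = domain/server."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for key, values in sorted(g.items()):
        if len(values) > 1:  # a reader cannot tell which value is in effect
            findings.append(f"duplicate '{key}' in [global]: {values}")
    security = (g.get("security") or ["user"])[-1].lower()
    if security in ("domain", "server"):
        for key in LOCAL_PASSWD_PARAMS:
            if key in g:
                findings.append(f"'{key}' is unused with security = {security}")
    return findings
```

Run `lint_smb_conf(SAMPLE_SMB_CONF)` to get the four findings for the fixture; feeding it the full posted smb.conf additionally surfaces the repeated "wins server".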
At 10:02 13/08/2002 +0200, you wrote:

>Good Morning, Vicky!

Good morning :)

>Seems your smb.conf is messed up a little.
>
>As I can see you're using security = domain. With this configuration the
>smbpasswd file/feature isn't needed at all. Authentication is done encrypted
>with the domain user database, not with the smbpasswd file.

This was the theory, yes, but it doesn't appear to be working; I _think_ I may have fixed it (see below) but I'm not quite certain yet.

>[...]
>
>But at this point, login should work anyway, apart from the misconfiguration.
>What exactly is the error message in the log files when a user tries to
>connect? You should be aware that some Unix versions do not allow usernames
>longer than eight characters. Our AIX doesn't like it at all. But as the
>addition of users to the passwd file already works, this does not seem to
>affect you (or you simply have user names of at most eight characters).

We don't have 8-char user names, but the Unix passwd program we use is exceptionally bad-tempered and won't accept passwords which are too simple, longer than 8 characters or shorter than 6.

As far as error messages go, I'm seeing a lot of this sort of thing:

[2002/08/15 09:17:17, 5] rpc_parse/parse_prs.c:prs_ntstatus(588)
0024 status: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2002/08/15 09:17:17, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2002/08/15 09:17:17, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
cli_nt_setup_creds: auth2 challenge failed
[2002/08/15 09:17:17, 0] rpc_client/cli_trust.c:modify_trust_password(142)
modify_trust_password: unable to setup the PDC credentials to machine SERVER1. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
[2002/08/15 09:17:17, 6] lib/util_sock.c:write_socket(518)
write_socket(22,45)

Checking against the PDC, it seems to think there's an account for SAMBA, which was until quite recently the name advertised by the Samba server - I've reinstated the netbios name and the netlogon errors seem to have stopped, although now I'm seeing in the event log on the PDC an event ID 2006 with message 'The server received an incorrectly formatted request from \\SAMBA'.

If I don't absolutely need them, should I remove the passwd-related entries from my smb.conf so as not to confuse Samba, or will it use NT passwords by default anyway?

Thanks for the advice,
Vicky