Michele Santucci
2002-Oct-31 09:21 UTC
[Samba] PDC Problems (read this the first one is incomplete)
Sorry but I've posted an incomplete message before that:

I've got a big problem with my PDC (Mandrake 8.2 with samba 2.2.5): when I try to join the domain from a W2KPRO (sp3) workstation the procedure goes on well until it requires to create a local account for a Domain user ... the system let me browse all the user account on the domain controller but when I try to add it reports this error:

"The trust relationship between this workstation and the primary domain is failed" (probably the English text is different but this should be the meaning since I'm translating it from Italian).

In the machine specific log file I found this:

[2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest
[2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user guest

I already set the w2k workstations to send non encrypted password to third parties smb server.
I checked /etc/passwd, group and /etc/samba/smbpasswd file and they're correctly updated with machine and user accounts.

Anyway these are smb.conf, group,passwd and smbpasswd interested rows:

--------------------------------------- SMB.CONF -------------------------------------------------
# Samba config file created using SWAT
# from 0.0.0.0 (0.0.0.0)
# Date: 2002/10/31 10:15:15

# Global parameters
[global]
    coding system
    client code page = 850
    code page directory = /var/lib/samba/codepages
    workgroup = CCGM-DOM
    netbios name = SERVER-CCGM
    netbios aliases
    netbios scope
    server string = CCGM Samba Server
    interfaces = eth0
    bind interfaces only = No
    security = USER
    encrypt passwords = Yes
    update encrypted = No
    allow trusted domains = Yes
    hosts equiv
    min passwd length = 5
    map to guest = Never
    null passwords = No
    obey pam restrictions = No
    password server
    smb passwd file = /etc/samba/smbpasswd
    root directory
    pam password change = No
    passwd program = /usr/bin/passwd
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*
    passwd chat debug = No
    username map
    password level = 0
    username level = 0
    unix password sync = Yes
    restrict anonymous = No
    lanman auth = Yes
    use rhosts = No
    admin log = No
    log level = 0
    syslog = 1
    syslog only = No
    log file = /var/log/samba/log.%m
    max log size = 50
    timestamp logs = Yes
    debug hires timestamp = No
    debug pid = No
    debug uid = No
    protocol = NT1
    large readwrite = No
    max protocol = NT1
    min protocol = CORE
    read bmpx = No
    read raw = Yes
    write raw = Yes
    nt smb support = Yes
    nt pipe support = Yes
    nt status support = Yes
    announce version = 4.5
    announce as = NT
    max mux = 50
    max xmit = 65535
    name resolve order = lmhosts host wins bcast
    max packet = 65535
    max ttl = 259200
    max wins ttl = 518400
    min wins ttl = 21600
    time server = No
    unix extensions = No
    change notify timeout = 60
    deadtime = 0
    getwd cache = Yes
    keepalive = 300
    lpq cache time = 10
    max smbd processes = 0
    max disk size = 0
    max open files = 10000
    read size = 16384
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    stat cache size = 50
    use mmap = Yes
    total print jobs = 0
    load printers = Yes
    printcap name = lpstat
    disable spoolss = No
    enumports command
    addprinter command
    deleteprinter command
    show add printer wizard = Yes
    os2 driver map
    strip dot = No
    mangling method = hash
    character set
    mangled stack = 50
    stat cache = Yes
    domain admin group = @ccgm-admin
    domain guest group = @guest
    machine password timeout = 604800
    add user script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %m$
    delete user script
    logon script
    logon path = \\%N\%U\profile
    logon drive
    logon home = \\%N\%U
    domain logons = Yes
    os level = 65
    lm announce = Auto
    lm interval = 60
    preferred master = True
    local master = Yes
    domain master = True
    browse list = Yes
    enhanced browsing = Yes
    dns proxy = Yes
    wins proxy = Yes
    wins server
    wins support = Yes
    wins hook
    kernel oplocks = Yes
    lock spin count = 3
    lock spin time = 10
    oplock break wait time = 0
    add share command
    change share command
    delete share command
    config file
    preload
    lock dir = /var/cache/samba
    pid directory = /var/run/samba
    utmp directory
    wtmp directory
    utmp = No
    default service
    message command
    dfree command
    valid chars
    remote announce
    remote browse sync
    socket address = 0.0.0.0
    homedir map = auto.home
    time offset = 0
    NIS homedir = No
    source environment
    panic action
    hide local users = No
    host msdfs = No
    winbind uid
    winbind gid
    template homedir = /home/%D/%U
    template shell = /bin/false
    winbind separator = \
    winbind cache time = 15
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    comment
    path
    alternate permissions = No
    username
    guest account = guest
    invalid users
    valid users = @ccgm-admin, @ccgm, @satya
    admin users = @ccgm-admin
    read list
    write list
    printer admin
    force user
    force group
    read only = Yes
    create mask = 0744
    force create mode = 00
    security mask = 0777
    force security mode = 00
    directory mask = 0755
    force directory mode = 00
    directory security mask = 0777
    force directory security mode = 00
    force unknown acl user = 00
    inherit permissions = No
    inherit acls = No
    guest only = No
    guest ok = No
    only user = No
    hosts allow
    hosts deny
    status = Yes
    nt acl support = Yes
    block size = 1024
    max connections = 0
    min print space = 0
    strict allocate = No
    strict sync = No
    sync always = No
    write cache size = 0
    max print jobs = 1000
    printable = No
    postscript = No
    printing = cups
    print command = lpr -r -P%p %s
    lpq command = lpq -P%p
    lprm command = lprm -P%p %j
    lppause command
    lpresume command
    queuepause command
    queueresume command
    printer name
    use client driver = No
    default devmode = No
    printer driver
    printer driver file = /etc/samba/printers.def
    printer driver location
    default case = lower
    case sensitive = No
    preserve case = Yes
    short preserve case = Yes
    mangle case = No
    mangling char = ~
    hide dot files = Yes
    hide unreadable = No
    delete veto files = No
    veto files
    hide files
    veto oplock files
    map system = No
    map hidden = No
    map archive = Yes
    mangled names = Yes
    mangled map
    browseable = Yes
    blocking locks = Yes
    csc policy = manual
    fake oplocks = No
    locking = Yes
    oplocks = Yes
    level2 oplocks = Yes
    oplock contention limit = 2
    posix locking = Yes
    strict locking = No
    share modes = Yes
    copy
    include
    exec
    preexec close = No
    postexec
    root preexec
    root preexec close = No
    root postexec
    available = Yes
    volume
    fstype = NTFS
    set directory = No
    wide links = Yes
    follow symlinks = Yes
    dont descend
    magic script
    magic output
    delete readonly = No
    dos filemode = No
    dos filetimes = No
    dos filetime resolution = No
    fake directory create times = No
    vfs object
    vfs options
    msdfs root = No

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    print command = lpr-cups -P %p -o raw %s -r # using client side printer drivers.
    browseable = No

[print$]
    comment = Printers
    path = /var/lib/samba/printers
    write list = @ccgm-admin root

[CCGM Folder]
    comment = CCGM Private Folder
    path = /home/local/samba-private/ccgm
    valid users = @ccgm-admin, @ccgm
    write list = @ccgm
    read only = No

[Satya Folder]
    comment = Satya Gr? Private Folder
    path = /home/local/samba-private/SatyaGra
    guest account
    valid users = @ccgm-admin, @satya
    write list = @satya
    read only = No

[public]
    comment = CCGM Folder
    path = /home/local/samba-public
    guest account
    valid users = @ccgm-admin, @ccgm
    write list = @ccgm
    read only = No

[netlogon]
    comment = NETLogon share
    path = /home/local/samba-netlogon
    guest account
    write list = @ccgm-admin
------------------------------------------------------------------------------------------------

--------------------------------------- /etc/group ---------------------------------------------
users:x:100:michele,maurizio,alessandra,carmen,daniela,elisabetta,francesco,adfm,massimo,barbara,alessandro,cristiana,elenamarengo,elenamele,roberto,maurizioleonardi,pietro,gianfranco,alessandrobronzini,alessandrabellantone,Administrator
machines:x:421:
ccgm:x:1001:AlessandraBellantone,AlessandroBronzini,MaurizioLeonardi,adfm,alessandra,barbara,carmen,daniela,elisabetta,francesco,massimo,maurizio,michele,roberto,Administrator
satya:x:1002:Alessandro,Cristiana,ElenaMarengo,ElenaMele,Pietro,gianfranco,Administrator
ccgm-admin:*:1003:root,Administrator
guest:*:1004:guest
------------------------------------------------------------------------------------------------

--------------------------------------- /etc/passwd --------------------------------------------
Administrator:x:1001:1003:CCGM Administrator:/dev/null:/dev/null
gfx$:x:1023:421:Machine:/dev/null:/bin/false
video$:x:1024:421:Machine:/dev/null:/bin/false
------------------------------------------------------------------------------------------------

--------------------------------------- smbpasswd --------------------------------------------
root:0:9CB2795322349CF325AD3B83FA6627C7:2970FEAECE5435706A17AA53D1E86D61:[UX ]:LCT-3DBE7F6A:
Administrator:1001:9CB2795322349CF325AD3B83FA6627C7:2970FEAECE5435706A17AA53D1E86D61:[UX ]:LCT-3DBE7F75:
gfx$:1023:AB7EB63BE1377FC2A53E3836B071424C:CAF8B678F29AE6C27FC89DBCE5D022A9:[W ]:LCT-3DC0E683:
video$:1024:17175EDD437D111CB9D7C7EF311D7A24:36FCE0043276E6C6ECD022A70F45FDC4:[W ]:LCT-3DC0E8BD:
------------------------------------------------------------------------------------------------
Mike Rambo
2002-Oct-31 12:39 UTC
[Samba] PDC Problems (read this the first one is incomplete)
Michele Santucci wrote:
>
> I've got a big problem with my PDC (Mandrake 8.2 with samba 2.2.5):
> when I try to join the domain from a W2KPRO (sp3) workstation the procedure
> goes on well until it requires to create a local account for a Domain user
> ... the system let me browse all
> the user account on the domain controller but when I try to add it reports
> this error:
> "The trust relationship between this workstation and the primary domain is
> failed" (probably the English text is different but this should be the
> meaning since
> I'm translating it from Italian).
>
> security = USER
> add user script = /usr/sbin/adduser -n -g machines -c Machine -d
> /dev/null -s /bin/false %m$

According to the smb.conf man page security has to be DOMAIN or SERVER to use the add user script option.

man smb.conf

Search for add user script for details.

--
Mike Rambo
mrambo@lsd.k12.mi.us
Buchan Milne
2002-Oct-31 15:45 UTC
[Samba] PDC Problems (read this the first one is incomplete)
> Message: 3
> From: "Michele Santucci" <tux@shiny.it>
> To: <samba@lists.samba.org>
> Date: Thu, 31 Oct 2002 10:25:34 +0100
> Subject: [Samba] PDC Problems (read this the first one is incomplete)
>
> Sorry but I've posted an incomplete message before that:
>
> I've got a big problem with my PDC (Mandrake 8.2 with samba 2.2.5):
> when I try to join the domain from a W2KPRO (sp3) workstation the procedure
> goes on well until it requires to create a local account for a Domain user
> ... the system let me browse all
> the user account on the domain controller but when I try to add it reports
> this error:

Sorry, I just want to clarify, does it fail when adding a computer account in the domain?

> "The trust relationship between this workstation and the primary domain is
> failed" (probably the English text is different but this should be the
> meaning since
> I'm translating it from Italian).
>
> In the machine specific log file I found this:
>
> [2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
> authorise_login: rejected invalid user guest
> [2002/10/31 10:14:32, 0] smbd/password.c:authorise_login(863)
> authorise_login: rejected invalid user guest
>

When you were trying to do what?

> I already set the w2k workstations to send non encrypted password to third
> parties smb server.
> I checked /etc/passwd, group and /etc/samba/smbpasswd file and they're
> correctly updated with machine and user accounts.
>

You cannot join a windows 2000 machine to a domain if you have set it to use clear text passwords, and your smb.conf is set for encrypted passwords.

> Anyway these are smb.conf, group,passwd and smbpasswd interested rows:
>

Which show that you have successfully added machines with the name video and gfx to the domain.

FYI, if you have any pre-sp3 machines, please test with those first ...

And, with the default smb.conf (such as http://ranger.dnsalias.com/mandrake/samba/smb.conf), you only have to uncomment about 10 lines to get a working smb.conf for a domain controller (such as this file http://ranger.dnsalias.com/mandrake/samba/smb-domain-controller.conf) on any recent version of Mandrake linux.

Can you be more clear on exactly which "procedure" you are using?

And to answer Mike Rambo's replies, when samba runs in 'security user', add user script is used when samba creates a new machine account. Mandrake ships with the following example for a domain controller not using LDAP backend:

# Script for domain controller for adding machines:
; add user script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M %u

Regards,
Buchan (PDC runs Mandrake 8.2 / samba-2.2.6).

--
|----------------Registered Linux User #182071-----------------|
Buchan Milne Mechanical Engineer, Network Manager
Cellphone * Work +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
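
The consistency checks this thread walks through by hand, as an added example that is not part of any poster's message and is not Samba project code: it reads the [global] section for the settings a Samba 2.2 PDC relies on and confirms that every machine account (name ending in `$`) in passwd has a workstation-trust `[W]` entry in smbpasswd. The function names, the `REQUIRED` table and the sample inputs are assumptions made for illustration.

```python
import re

# Constructed inputs; hash fields are placeholders, video$ is missing from smbpasswd.
SMB_CONF = """\
[global]
    security = USER
    encrypt passwords = Yes
    domain logons = Yes
    domain master = True
[homes]
    read only = No
"""
PASSWD = """\
gfx$:x:1023:421:Machine:/dev/null:/bin/false
video$:x:1024:421:Machine:/dev/null:/bin/false
"""
SMBPASSWD = """\
Administrator:1001:<LM-HASH>:<NT-HASH>:[UX ]:LCT-00000000:
gfx$:1023:<LM-HASH>:<NT-HASH>:[W ]:LCT-00000000:
"""

# [global] values a Samba 2.2 PDC relies on (boolean spellings normalised).
REQUIRED = {"security": "user", "encrypt passwords": "yes",
            "domain logons": "yes", "domain master": "yes"}

def global_params(conf):
    """Return the [global] section as a dict with lower-cased keys and values."""
    params, section = {}, None
    for line in (raw.strip() for raw in conf.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, val = (part.strip().lower() for part in line.split("=", 1))
            params[key] = "yes" if val in ("true", "1") else val
    return params

def pdc_findings(conf, passwd, smbpasswd):
    """List mismatches between smb.conf, passwd and smbpasswd."""
    params = global_params(conf)
    found = [f"{key} = {params.get(key)!r}, expected {want!r}"
             for key, want in REQUIRED.items() if params.get(key) != want]
    fields = (line.split(":") for line in smbpasswd.splitlines())
    trust = {f[0] for f in fields if len(f) > 4 and "W" in f[4]}
    for name in (line.split(":")[0] for line in passwd.splitlines()):
        if name.endswith("$") and name not in trust:
            found.append(f"{name}: no [W] workstation trust entry in smbpasswd")
    return found

print(pdc_findings(SMB_CONF, PASSWD, SMBPASSWD))
```

To run it against a live server, pass the contents of the real smb.conf, /etc/passwd and smbpasswd files in place of the constructed strings.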