i try to configure samba 3 as NT4 BDC or domain member with a whitebox linux
i follow
http://www.comp.hkbu.edu.hk/docs/s/samba30/htmldocs/howto/NT4Migration.html
but get following error
[root@whitebox root]# net rpc join -S serveur -w LSCOT -U Administrateur%xxx
Joined domain LSCOT.
[root@whitebox root]# net rpc vampire -S serveur -U Administrateur%xxx
Fetching DOMAIN database
Failed to fetch domain database: NT_STATUS_ACCESS_DENIED
NT4 log returns refused access and just before, complains about missing
trust relationship in the security database of the computer.
as for now, i mainly want this server to serve file (BDC is bonus), i
try to get it as domain member only but if joining domain works, user
auth doesn't (passwd server is defined)
local unix user and win domain user can't authentificate w or w/o group
mapping defined.
ideas ?
thanks
regards
julien
-------------- next part --------------
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
"testparm"
# to check that you have not many any basic syntactic errors.
#
##
## links
## http://www.osnews.com/story.php?news_id=6684
## tuning
## http://www.oreilly.com/catalog/samba/chapter/book/appb_02.html
##
#======================= Global Settings
====================================[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
; workgroup = Win_test
workgroup = LSCOT
# server string is the equivalent of the NT Description field
server string = Samba Server
netbios name = whitebox
netbios aliases = fichiers
# netbios aliases = ntinstall
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
hosts deny = ALL
hosts allow = 192.168.1. 127.
; hosts allow = 192.168. EXCEPT 192.168.3.99
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = bsd
##
## printing
##
print command = /usr/bin/lpr -r -P%p %s
lpq command = /usr/bin/lpq -P%p %s
lprm command = /usr/bin/lprm -P%p %j
queuepause command = /usr/sbin/lpc -P%p stop
queueresume command = /usr/sbin/lpc -P%p start
## max print jobs allowed (0 no limit)
;total print jobs = 10
#lpq cache = 30
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
; %m NetBIOS name of the client machine
; log file = /var/log/smbd.%m
; %I IP
log file = /var/log/smbd.%I
# Default is 0
log level = 0
# Put a capping on the size of the log files (in Kb).
max log size = 500
# Security mode. Most people will want user level security. See
# security_level.txt for details.
;security = user
;security = member ???
security = domain
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>
; password server = serveur_nt1
# Note: Do NOT use the now deprecated option of "domain controller"
# This option is no longer implemented.
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
encrypt passwords = yes
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /usr/local/samba/lib/smb.conf.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
; socket options = TCP_NODELAY
socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
; socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=4096 SO_SNDBUF=4096
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
interfaces = 192.168.1.231/24
; interfaces = lo* rl0 eth*
bind interfaces only = yes
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
; local master = yes
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
os level = 64
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
domain master = no
## to act as a PDC
## need an account for each machine (needed for Win2k/NT
## not Win9x)
## treat it auto
add user script = /usr/sbin/useradd -g nogroup -s /sbin/nologin -d /dev/null -r
100..200 %u
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
logon script = netstart.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
logon path = \\%L\Profiles\
logon home = "\\%L\%U"
logon drive = H:
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS
Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no
###
### Winbind
###
#
# # separate domain and username with '+', like DOMAIN+username
# ## testparm: 'winbind separator = +' might cause problems with group
membership
## winbind separator = +
# # use uids from 10000 to 20000 for domain users
# winbind uid = 100-200
# # use gids from 10000 to 20000 for domain groups
# winbind gid = 100-200
# # allow enumeration of winbind users and groups
# # might need to disable these next two for performance
# # reasons on the winbindd host
# winbind enum users = yes
# winbind enum groups = yes
# # give winbind users a real shell (only needed if they have
telnet/sshd/etc... access)
# template homedir = /home/winnt/%D/%U
# template shell = /bin/bash
## Some extras
#username map = /etc/samba/user.map
time server = yes
change notify timeout = 300
;character set = ISO8859-1
dont descend = /proc,/dev
## minutes before conn is considered dead
;deadtime = 300
follow symlinks = yes
hide dot files = yes
hide files = /.*/DesktopFolderDB/TrashFor%m/resource.frk/
;hide local users = yes
create mask = 0600
;create directory = 0700
directory mask = 0700
## nobody is used for anonymous connexion (like ipc$)
invalid users = root bin daemon named sys tty disk mem kmem users
## tuning
## cache size in bytes (here 256kB)
write cache size = 262144
level2 oplocks = yes
share modes = no
# Default
#read raw = no
read raw = yes
write raw = yes
oplocks = yes
kernel oplocks = no
max xmit = 65535
getwd cache = yes
## what command to run when the server receives a WinPopup style message.
message command = /bin/mail -s 'message from %f on %m' root < %s; rm
%s
;message command = csh -c 'xedit %s;rm %s' &
## samba 3 + unattended
;unix extensions = off
#=============================== Security ===================================
max smbd processes = 40
## type of auth
## If disabled, only clients which support NT password hashes
## (e.g. Windows NT/2000 clients, smbclient, etc... but not
## Windows 95/98 or the MS DOS network client) will be able to
## connect to the Samba host.
## need yes if using unattended.sourceforge.net ...
lanman auth = yes
;lanman auth = no
## Protocol
## CORE: Earliest version. No concept of user names.
## COREPLUS: Slight improvements on CORE for efficiency.
## LANMAN1: First modern version of the protocol. Long filename support.
## LANMAN2: Updates to Lanman1 protocol.
## NT1: Current up to date version of the protocol. Used by Windows NT. Known as
CIFS.
min protocol = LANMAN2
max protocol = NT1
lm announce = yes
;lm announce = no
;announce version = 4.2
;announce as = NT
## NLMv2 compat: yes, no, auto (=both) (samba 3 only)
#client NTLMv2 = yes
#server NTLMv2 = yes
## make samba chroot
root directory = /
#root directory = /homes/smb
## type of permission than win clients can change
security mask = 0770
## ssl support (need compile --with-ssl)
#ssl = yes
#ssl version = "ssl2or3"
## hosts which are NOT force in ssl
#ssl host resign = 192.168.2.
## hosts which are force in ssl
#ssl hosts
## Veto any files containing the word Security,
## any ending in .tmp, and any directory containing the
## word root.
## Note: slow performance ...
#veto files = /*Security*/*.tmp/*root*/
## Veto the Apple specific files that a NetAtalk server
## creates.
#veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
## Ldap (experimental + compile ...)
;ldap server = ldap.touche.www
;ldap ssl = on
;ldap ssl = start tls
;ldap admin = "cn=Samba Manager,ou=Samba,ou=NetFS,ou=Servvices,
dc=touche,dc=www"
;ldap suffix = "ou=Samba,ou=NetFS,ou=Services,dc=touche,dc=www"
# generally the default ldap search filter is ok
;ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
#============================ Share Definitions =============================
## else always availavle, even to anonymous
## but block browsing
[ipc$]
hosts allow = 192.168.2.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
guest ok = yes
## need for testparm
path = /nonexistent
[homes]
comment = Home Directories
browseable = yes
writable = yes
hide dot files = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/netlogon
# guest ok = yes
public = no
browseable = no
writable = no
share modes = no
case sensitive = no
default case =yes
locking = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
path = /usr/local/samba/profiles
browseable = no
writable = yes
guest ok = yes
create mask = 0700
;create directory = 0700
directory mask = 0700
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
# This one is useful for people to share files
;[tmp]
; comment = Temporary file space
; path = /tmp
; read only = no
; public = yes
# A publicly accessible directory, but read only, except for people in
# the "staff" group
;[public]
; comment = Public Stuff
; path = /home/samba
; public = yes
; writable = yes
; printable = no
; write list = @staff
# Other examples.
#
# A private printer, usable only by fred. Spool data will be placed in
fred's
# home directory. Note that fred must have write access to the spool directory,
# wherever it is.
;[fredsprn]
; comment = Fred's Printer
; valid users = fred
; path = /homes/fred
; printer = freds_printer
; public = no
; writable = no
; printable = yes
# A private directory, usable only by fred. Note that fred requires write
# access to the directory.
;[fredsdir]
; comment = Fred's Service
; path = /usr/somewhere/private
; valid users = fred
; public = no
; writable = yes
; printable = no
# a service which has a different directory for each machine that connects
# this allows you to tailor configurations to incoming machines. You could
# also use the %U option to tailor it by user name.
# The %m gets replaced with the machine name that is connecting.
;[pchome]
; comment = PC Directories
; path = /usr/pc/%m
; public = no
; writable = yes
# A publicly accessible directory, read/write to all users. Note that all files
# created in the directory by users will be owned by the default user, so
# any user with access can delete any other user's files. Obviously this
# directory must be writable by the default user. Another user could of course
# be specified, in which case all files would be owned by that user instead.
;[public]
; path = /usr/somewhere/else/public
; public = yes
; only guest = yes
; writable = yes
; printable = no
# The following two entries demonstrate how to share a directory so that two
# users can place files there that will be owned by the specific users. In this
# setup, the directory should be writable by both users and should have the
# sticky bit set on it to prevent abuse. Obviously this could be extended to
# as many users as required.
;[myshare]
; comment = Mary's and Fred's stuff
; path = /usr/somewhere/shared
; valid users = mary fred
; public = no
; writable = yes
; printable = no
; create mask = 0765
[export]
comment = Share
path = /export
public = yes
writable = yes
printable = no
browseable = yes
create mask = 0600
;create directory = 0700
directory mask = 0700
hide dot files = yes
oplocks = False
level2oplocks = False
## Alternately, you could disable oplocks on a per-file basis within the
share:
veto oplock files = /*.avi/*.mpg/*.divx/*.mov/
[install]
comment = Windows Install dir
path = /export/unattended/install
; valid users = touche, nobody
writable = no
