Van Sickler, Jim
2005-Apr-15 21:37 UTC
[Samba] Unable to join samba server to a NT4 style domain/Sam ba-Guide feedback
John,

The restrictanonymous setting was the primary culprit
in Ash's issue. I think he's using basically the same
setup as I am; no winbind/LDAP involved. I'm thinking
there's some initial handshaking that requires an
anonymous connection to PDC, and it's being blocked
if the restrictanonymous setting is too high.

I sent a note to Ash (& the list) asking for the
restrictanonymous settings on his server. They
were 2 (no join) and 0 (successful join). His
admin has changed it back to 2 now that the
Samba server is a member server. The setting
is dynamic; no NT4 server reboot is required.
Can this be added to Chap 7 as a note for section 7.3.2.3?

In the case of using "net rpc join -U administrator%xxxxxx"
his result was "Unable to find a suitable server"
which indicates Samba wasn't finding the PDC.

In the case of using
net rpc join -S NT4SERVER -U administrator
net rpc join -S NT4SERVER -U administrator%'xxxxxxxx'
net rpc join -W MYWORKGROUP -U administrator
net rpc join -W MYWORKGROUP -U administrator%'xxxxxxxx'
his results were "Unable to join domain <domain>"
which indicates a connection to the PDC.

He had the PDC entry in smb.conf and /etc/lmhosts,
so I think the syntax for the example in the
Guide should be revised to "net join rpc -S PDC -U root%not24get"
(which are %not24et on pgs 241/242 in the current Guide)
to aid in first-try success.

Section 7.3.2 might be broken into 2 sections:

7.3.2.1 NT4/Samba Domain with Samba Domain Member Server - Using smbusers
Detailing use of the /etc/samba/smbusers file for *nix/Domain users
Incorporate the current Item 3 for joining the domain
Using net rpc info/net rpc testjoin to validate membership
This is for OS that support Samba but don't support Winbind

7.3.2.2 NT4/Samba Domain with Samba Domain Member Server - Using Winbind
Containing the current 7.3.2 contents

That's all for now...
Jim Van Sickler
Network Administrator
Kaman Aerospace Corp
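The diagnosis in the message above, written out as a small triage helper. This is an added example, not part of the original post or of Samba; the function names and class tokens are hypothetical, and the sample lines are constructed from the two error strings quoted in the thread.

```shell
#!/bin/sh
# Added example: triage a `net rpc join` attempt from its exit status and
# output, following the two failure cases described in this thread.

# classify_join STATUS OUTPUT -> prints one token naming the outcome.
classify_join() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ]; then
        echo joined
        return 0
    fi
    case $output in
        *"Unable to find a suitable server"*) echo pdc-not-located ;;
        *"Unable to join domain"*)            echo pdc-reached-join-refused ;;
        *)                                    echo unknown ;;
    esac
}

# next_step CLASS -> prints the follow-up check the thread points to.
# The -U form without %password prompts for the password, which keeps it
# out of the process list and the shell history.
next_step() {
    case $1 in
        joined)
            echo "validate membership with: net rpc testjoin" ;;
        pdc-not-located)
            echo "name the PDC: net rpc join -S PDC -U administrator; check smb.conf and /etc/lmhosts" ;;
        pdc-reached-join-refused)
            echo "ask the PDC admin for the restrictanonymous value (2 blocked the join here, 0 allowed it)" ;;
        *)
            echo "output not recognised; rerun with a higher debug level" ;;
    esac
}

# Constructed samples: "exit status|output" as a failed or successful join
# might be captured. Only the two error strings come from the thread.
while IFS='|' read -r rc text; do
    class=$(classify_join "$rc" "$text")
    printf '%s -> %s\n' "$class" "$(next_step "$class")"
done <<'EOF'
1|Unable to find a suitable server
1|Unable to join domain <domain>
0|
EOF
```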
John H Terpstra
2005-Apr-15 23:28 UTC
[Samba] Unable to join samba server to a NT4 style domain/Sam ba-Guide feedback
Jim / Others,

I have tried to deal with the issues raised in this email. I agree entirely
with the suggestion. I hope it has been sufficiently dealt with in my latest
update that should become visible on the Samba web servers within 24 hours.

Please check over the changes to Section 7.3.2 and let me know if it missed
the mark. Thanks for the feedback.

- John T.

On Friday 15 April 2005 15:36, Van Sickler, Jim wrote:
> John,
>
> The restrictanonymous setting was the primary culprit
> in Ash's issue. I think he's using basically the same
> setup as I am; no winbind/LDAP involved. I'm thinking
> there's some initial handshaking that requires an
> anonymous connection to PDC, and it's being blocked
> if the restrictanonymous setting is too high.
>
> I sent a note to Ash (& the list) asking for the
> restrictanonymous settings on his server. They
> were 2 (no join) and 0 (successful join). His
> admin has changed it back to 2 now that the
> Samba server is a member server. The setting
> is dynamic; no NT4 server reboot is required.
> Can this be added to Chap 7 as a note for section 7.3.2.3?
>
> In the case of using "net rpc join -U administrator%xxxxxx"
> his result was "Unable to find a suitable server"
> which indicates Samba wasn't finding the PDC.
>
> In the case of using
> net rpc join -S NT4SERVER -U administrator
> net rpc join -S NT4SERVER -U administrator%'xxxxxxxx'
> net rpc join -W MYWORKGROUP -U administrator
> net rpc join -W MYWORKGROUP -U administrator%'xxxxxxxx'
> his results were "Unable to join domain <domain>"
> which indicates a connection to the PDC.
>
> He had the PDC entry in smb.conf and /etc/lmhosts,
> so I think the syntax for the example in the
> Guide should be revised to "net join rpc -S PDC -U root%not24get"
> (which are %not24et on pgs 241/242 in the current Guide)
> to aid in first-try success.
>
> Section 7.3.2 might be broken into 2 sections:
>
> 7.3.2.1 NT4/Samba Domain with Samba Domain Member Server - Using smbusers
> Detailing use of the /etc/samba/smbusers file for *nix/Domain users
> Incorporate the current Item 3 for joining the domain
> Using net rpc info/net rpc testjoin to validate membership
> This is for OS that support Samba but don't support Winbind
>
> 7.3.2.2 NT4/Samba Domain with Samba Domain Member Server - Using Winbind
> Containing the current 7.3.2 contents
>
>
> That's all for now...
> Jim Van Sickler
> Network Administrator
> Kaman Aerospace Corp

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Ashutosh Kamdar
2005-Apr-16 07:12 UTC
[Samba] Unable to join samba server to a NT4 style domain/Sam ba-Guide feedback
John / Jim,

Thanks for the feedback.

It appears that the restrictanonymous setting issue is a known one. Is there a workaround or patch for Samba that does not require the registry changes on the PDC? I would imagine network/system admins would have heartburn making registry changes in the production environment. In my case itself, making this change in the production environment to allow a Samba server to join the domain will invite a load of CRFs and questions.

Any guidance would be appreciated.

Regards,
Ash

------Original Message-----
-From: John H Terpstra [mailto:jht@Samba.Org]
-Sent: Friday, April 15, 2005 11:27 PM
-To: 'Van Sickler, Jim'
-Cc: samba@lists.samba.org, 'jht@samba.org'
-Subject: Re: [Samba] Unable to join samba server to a NT4 style domain/Sam ba-Guide feedback
-
-Jim / Others,
-
-I have tried to deal with the issues raised in this email. I agree entirely
-with the suggestion. I hope it has been sufficiently dealt with in my latest
-update that should become visible on the Samba web servers within 24 hours.
-
-Please check over the changes to Section 7.3.2 and let me know if it missed
-the mark. Thanks for the feedback.
-
-- John T.
-
-On Friday 15 April 2005 15:36, Van Sickler, Jim wrote:
-> John,
->
-> The restrictanonymous setting was the primary culprit
-> in Ash's issue. I think he's using basically the same
-> setup as I am; no winbind/LDAP involved. I'm thinking
-> there's some initial handshaking that requires an
-> anonymous connection to PDC, and it's being blocked
-> if the restrictanonymous setting is too high.
->
-> I sent a note to Ash (& the list) asking for the
-> restrictanonymous settings on his server. They
-> were 2 (no join) and 0 (successful join). His
-> admin has changed it back to 2 now that the
-> Samba server is a member server. The setting
-> is dynamic; no NT4 server reboot is required.
-> Can this be added to Chap 7 as a note for section 7.3.2.3?
->
-> In the case of using "net rpc join -U administrator%xxxxxx"
-> his result was "Unable to find a suitable server"
-> which indicates Samba wasn't finding the PDC.
->
-> In the case of using
-> net rpc join -S NT4SERVER -U administrator
-> net rpc join -S NT4SERVER -U administrator%'xxxxxxxx'
-> net rpc join -W MYWORKGROUP -U administrator
-> net rpc join -W MYWORKGROUP -U administrator%'xxxxxxxx'
-> his results were "Unable to join domain <domain>"
-> which indicates a connection to the PDC.
->
-> He had the PDC entry in smb.conf and /etc/lmhosts,
-> so I think the syntax for the example in the
-> Guide should be revised to "net join rpc -S PDC -U root%not24get"
-> (which are %not24et on pgs 241/242 in the current Guide)
-> to aid in first-try success.
->
-> Section 7.3.2 might be broken into 2 sections:
->
-> 7.3.2.1 NT4/Samba Domain with Samba Domain Member Server - Using smbusers
-> Detailing use of the /etc/samba/smbusers file for *nix/Domain users
-> Incorporate the current Item 3 for joining the domain
-> Using net rpc info/net rpc testjoin to validate membership
-> This is for OS that support Samba but don't support Winbind
->
-> 7.3.2.2 NT4/Samba Domain with Samba Domain Member Server - Using Winbind
-> Containing the current 7.3.2 contents
->
->
-> That's all for now...
-> Jim Van Sickler
-> Network Administrator
-> Kaman Aerospace Corp
-
---
-John H Terpstra
-Samba-Team Member
-Phone: +1 (650) 580-8668
-
-Author:
-The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
-Samba-3 by Example, ISBN: 0131472216
-Hardening Linux, ISBN: 0072254971
-Other books in production.