I've upgraded from Samba 2 to version 3, and am having some problems. I think they're related to SIDs, which I've not really been aware of before! Currently I only have the Samba server which is acting as PDC for Win XP Pro machines.

My smb.conf looks like:

-------------------------------------------
[global]
   netbios name = scofp1
   workgroup = SCODOMAIN
   server string = Samba Server PDC
   hosts allow = 192.0.0. 127.
   load printers = yes
   printing = lp
   log file = /usr/lib/samba/var/log.%m
   max log size = 50
   security = user
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = yes
   os level = 64
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon drive = G:
   logon script = %U.bat
   time server = yes
   wins support = yes
   dns proxy = no
   disable spoolss = yes
   keepalive = 0
;;;client schannel = No
;;;winbind enum users = No
;;;winbind enum groups = No

#============================ Share Definitions =============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[netlogon]
   comment = On-the-fly creation of login script
   root preexec = /home/netlogon/loginscript.pl %U %M %m
   root postexec = /home/netlogon/logoutscript.pl %U %M %m
   path = /home/netlogon
   guest ok = no
   read only = no
   locking = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = yes
   valid users = @office root supremo
   printable = yes
   create mask = 0700
   print command = lp -c -T raw -o nobanner -d%p %s; rm %s
   printer admin = @office

[logs]
   comment = Daily Log Reader share for members of Unix 'adm-logs' group
   path = /logs
   valid users = @adm-logs root supremo
   writeable = no
   public = no
--------------------------
and so on ..

Apart from removing 'domain admin group' and adding the 'keep alive = 0' line, the smb.conf is the same that I was running in Samba 2. Also, I'm still using the smbpasswd program (not using LDAP etc).

I've run the net groupmap command with various parameters, and I've finally got the output of 'net groupmap list' to be:

System Operators (S-1-5-32-549) -> -1
Account Operators (S-1-5-21-3090875634-363489748-967283420-548) -> d-ops
Administrators (S-1-5-21-3090875634-363489748-967283420-544) -> d-admin
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Replicators (S-1-5-21-3090875634-363489748-967283420-552) -> d-ops
Domain Controllers (S-1-5-21-3090875634-363489748-967283420-515) -> xp-name
System Operators (S-1-5-21-3090875634-363489748-967283420-549) -> d-ops
Users (S-1-5-21-3090875634-363489748-967283420-545) -> d-user
Domain Policy Admins (S-1-5-21-3090875634-363489748-967283420-520) -> nobody
Domain Computers (S-1-5-21-3090875634-363489748-967283420-516) -> xp-name
Domain Admins (S-1-5-21-3090875634-363489748-967283420-512) -> d-admin
Power Users (S-1-5-32-547) -> -1
Domain Certificate Admins (S-1-5-21-3090875634-363489748-967283420-517) -> nobody
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Guests (S-1-5-21-3090875634-363489748-967283420-546) -> nobody
Print Operators (S-1-5-21-3090875634-363489748-967283420-550) -> d-ops
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-3090875634-363489748-967283420-513) -> d-user
Domain Schema Admins (S-1-5-21-3090875634-363489748-967283420-518) -> nobody
Power Users (S-1-5-21-3090875634-363489748-967283420-547) -> d-user
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Backup Operators (S-1-5-21-3090875634-363489748-967283420-551) -> d-ops
Domain Guests (S-1-5-21-3090875634-363489748-967283420-514) -> nobody
Domain Enterprise Admins (S-1-5-21-3090875634-363489748-967283420-519) -> nobody
-------------------------------------------

You'll see that some groups have SIDs related to the domain, and also to what I presume is a default 'internal' config.
I'm not sure how to get rid of the latter (e.g. Users (S-1-5-32-545) -> -1).

I've added users corra, mae, and margaret to the Unix groups d-ops, d-admin, and d-user, and have also changed their Unix logon group to be d-user. This has stopped an error message about their primary group not being a Windows NT group. I'm not getting any error messages in their Samba log files now (and log.smbd is clean at the minute too).

----------------------------------

I've tried running 'net usersidlist' and that returns 'Could not get the user/sid list'. I see a list of users when I type 'net user'. I can see users logged in by typing 'net status sessions'.

The main problem I'm experiencing is that, although users can access shares on the server (all that seems to be working fine), they are unable to access shares on another Windows XP PC. The only way they can do this is to use the Windows 'net use' command and give it the username and password of the user who owns the share.

For example, Margaret cannot print to or view the printer properties of the printer that is shared by Mae (on PC XPPC038) unless she types:

net use \\xppc038\hplj4plus /user:scodomain\mae <Mae's password> /persistent:yes

Obviously, sending plain text passwords isn't a solution! I've added some access rights to Mae's printer (including granting SCODOMAIN/Margaret full rights, and also adding groups like Domain Admins etc).

I'm a bit out of my depth now, and would really appreciate some help with this!