On Wednesday 11 February 2015 20:18:57, Rowland Penny wrote:
> On 11/02/15 20:13, duportail wrote:
> > On Wednesday 11 February 2015 19:56:54, Rowland Penny wrote:
> >> On 11/02/15 19:25, duportail wrote:
> >>> On Wednesday 11 February 2015 19:09:48, Rowland Penny wrote:
> >>>> On 11/02/15 18:29, duportail wrote:
> >>>>> ( could not post complete reply, message too large?)
> >>>>>
> >>>>>
> >>>>> I think that's why I have a lot of black screens on the clients.
> >>>>> Here debian pdc smb.conf:
> >>>>> root at fai:~# cat /etc/samba/smb.conf
> >>>>> # This is the main Samba configuration file. You should read the
> >>>>> # smb.conf(5) manual page in order to understand the options listed
> >>>>> # here. Samba has a huge number of configurable options (perhaps too
> >>>>> # many!) most of which are not shown in this example
> >>>>> #
> >>>>> # For a step to step guide on installing, configuring and using samba,
> >>>>> # read the Samba-HOWTO-Collection. This may be obtained from:
> >>>>> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> >>>>> #
> >>>>> # Many working examples of smb.conf files can be found in the
> >>>>> # Samba-Guide which is generated daily and can be downloaded from:
> >>>>> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> >>>>> #
> >>>>> # Any line which starts with a ; (semi-colon) or a # (hash)
> >>>>> # is a comment and is ignored. In this example we will use a #
> >>>>> # for commentry and a ; for parts of the config file that you
> >>>>> # may wish to enable
> >>>>> #
> >>>>> # NOTE: Whenever you modify this file you should run the command "testparm"
> >>>>> # to check that you have not made any basic syntactic errors.
> >>>>> #
> >>>>> #======================= Global Settings ====================================
> >>>>> [global]
> >>>>>
> >>>>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> >>>>> workgroup = fai
> >>>>>
> >>>>> # server string is the equivalent of the NT Description field
> >>>>> server string = Samba Server
> >>>>>
> >>>>> # Security mode. Defines in which mode Samba will operate. Possible
> >>>>> # values are share, user, server, domain and ads. Most people will want
> >>>>> # user level security. See the Samba-HOWTO-Collection for details.
> >>>>> security = user
> >>>>>
> >>>>> # This option is important for security. It allows you to restrict
> >>>>> # connections to machines which are on your local network. The
> >>>>> # following example restricts access to two C class networks and
> >>>>> # the "loopback" interface. For more examples of the syntax see
> >>>>> # the smb.conf man page
> >>>>> ; hosts allow = 192.168.1. 192.168.2. 127.
> >>>>>
> >>>>> # If you want to automatically load your printer list rather
> >>>>> # than setting them up individually then you'll need this
> >>>>> load printers = yes
> >>>>>
> >>>>> # you may wish to override the location of the printcap file
> >>>>> ; printcap name = /etc/printcap
> >>>>>
> >>>>> # on SystemV system setting printcap name to lpstat should allow
> >>>>> # you to automatically obtain a printer list from the SystemV spool
> >>>>> # system
> >>>>> ; printcap name = lpstat
> >>>>>
> >>>>> # It should not be necessary to specify the print system type unless
> >>>>> # it is non-standard. Currently supported print systems include:
> >>>>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
> >>>>> ; printing = cups
> >>>>>
> >>>>> # Uncomment this if you want a guest account, you must add this to /etc/passwd
> >>>>> # otherwise the user "nobody" is used
> >>>>> ; guest account = pcguest
> >>>>>
> >>>>> # this tells Samba to use a separate log file for each machine
> >>>>> # that connects
> >>>>> log file = /var/log/samba/log.%m
> >>>>>
> >>>>> # Put a capping on the size of the log files (in Kb).
> >>>>> max log size = 50
> >>>>>
> >>>>> # Use password server option only with security = server
> >>>>> # The argument list may include:
> >>>>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> >>>>> # or to auto-locate the domain controller/s
> >>>>> # password server = *
> >>>>> ; password server = <NT-Server-Name>
> >>>>>
> >>>>> # Use the realm option only with security = ads
> >>>>> # Specifies the Active Directory realm the host is part of
> >>>>> ; realm = MY_REALM
> >>>>>
> >>>>> # Backend to store user information in. New installations should
> >>>>> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> >>>>> # compatibility. tdbsam requires no further configuration.
> >>>>> passdb backend = tdbsam
> >>>>>
> >>>>> # Using the following line enables you to customise your configuration
> >>>>> # on a per machine basis. The %m gets replaced with the netbios name
> >>>>> # of the machine that is connecting.
> >>>>> # Note: Consider carefully the location in the configuration file of
> >>>>> # this line. The included file is read at that point.
> >>>>> ; include = /usr/local/samba/lib/smb.conf.%m
> >>>>>
> >>>>> # Configure Samba to use multiple interfaces
> >>>>> # If you have multiple network interfaces then you must list them
> >>>>> # here. See the man page for details.
> >>>>> # interfaces = 192.168.12.2/24 192.168.5.2/24
> >>>>>
> >>>>> # Browser Control Options:
> >>>>> # set local master to no if you don't want Samba to become a master
> >>>>> # browser on your network. Otherwise the normal election rules apply
> >>>>> ; local master = no
> >>>>>
> >>>>> # OS Level determines the precedence of this server in master browser
> >>>>> # elections. The default value should be reasonable
> >>>>> ; os level = 33
> >>>>>
> >>>>> # Domain Master specifies Samba to be the Domain Master Browser. This
> >>>>> # allows Samba to collate browse lists between subnets. Don't use this
> >>>>> # if you already have a Windows NT domain controller doing this job
> >>>>> domain master = yes
> >>>>>
> >>>>> # Preferred Master causes Samba to force a local browser election on startup
> >>>>> # and gives it a slightly higher chance of winning the election
> >>>>> preferred master = yes
> >>>>>
> >>>>> # Enable this if you want Samba to be a domain logon server for
> >>>>> # Windows95 workstations.
> >>>>> domain logons = yes
> >>>>>
> >>>>> # if you enable domain logons then you may want a per-machine or
> >>>>> # per user logon script
> >>>>> # run a specific logon batch file per workstation (machine)
> >>>>> logon script = %m.bat
> >>>>> # run a specific logon batch file per username
> >>>>> logon script = %U.bat
> >>>>>
> >>>>> # Where to store roving profiles (only for Win95 and WinNT)
> >>>>> # %L substitutes for this servers netbios name, %U is username
> >>>>> # You must uncomment the [Profiles] share below
> >>>>> logon path = \\%L\Profiles\%U
> >>>>>
> >>>>> # Windows Internet Name Serving Support Section:
> >>>>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
> >>>>> ; wins support = yes
> >>>>>
> >>>>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> >>>>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> >>>>> ; wins server = 192.168.5.1
> >>>>>
> >>>>> # WINS Proxy - Tells Samba to answer name resolution queries on
> >>>>> # behalf of a non WINS capable client, for this to work there must be
> >>>>> # at least one WINS Server on the network. The default is NO.
> >>>>> wins proxy = yes
> >>>>>
> >>>>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> >>>>> # via DNS nslookups. The default is NO.
> >>>>> dns proxy = no
> >>>>>
> >>>>> # These scripts are used on a domain controller or stand-alone
> >>>>> # machine to add or delete corresponding unix accounts
> >>>>> add user script = /usr/sbin/useradd %u
> >>>>> add group script = /usr/sbin/groupadd %g
> >>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
> >>>>> delete user script = /usr/sbin/userdel %u
> >>>>> delete user from group script = /usr/sbin/deluser %u %g
> >>>>> delete group script = /usr/sbin/groupdel %g
> >>>>>
> >>>>>
> >>>>> #============================ Share Definitions =============================
> >>>>> [homes]
> >>>>> comment = Home Directories
> >>>>> browseable = yes
> >>>>> read only = no
> >>>>> guest ok = yes
> >>>>> create mask = 0700
> >>>>> directory mask = 0700
> >>>>> valid users = %S
> >>>>> invalid users = root
> >>>>> # Un-comment the following and create the netlogon directory for Domain Logons
> >>>>> [netlogon]
> >>>>> comment = Network Logon Service
> >>>>> path = /usr/local/samba/lib/netlogon
> >>>>> guest ok = yes
> >>>>> writable = no
> >>>>> #share modes = yes
> >>>>>
> >>>>>
> >>>>> # Un-comment the following to provide a specific roving profile share
> >>>>> # the default is to use the user's home directory
> >>>>> ;[Profiles]
> >>>>> ; path = /usr/local/samba/profiles
> >>>>> ; browseable = no
> >>>>> ; guest ok = yes
> >>>>>
> >>>>>
> >>>>> # NOTE: If you have a BSD-style print system there is no need to
> >>>>> # specifically define each individual printer
> >>>>> [printers]
> >>>>> comment = All Printers
> >>>>> path = /usr/spool/samba
> >>>>> browseable = no
> >>>>> # Set public = yes to allow user 'guest account' to print
> >>>>> guest ok = no
> >>>>> writable = no
> >>>>> printable = yes
> >>>>>
> >>>>> # This one is useful for people to share files
> >>>>> ;[tmp]
> >>>>> ; comment = Temporary file space
> >>>>> ; path = /tmp
> >>>>> ; read only = no
> >>>>> ; public = yes
> >>>>>
> >>>>> # A publicly accessible directory, but read only, except for people in
> >>>>> # the "staff" group
> >>>>> ;[public]
> >>>>> ; comment = Public Stuff
> >>>>> ; path = /home/samba
> >>>>> ; public = yes
> >>>>> ; writable = no
> >>>>> ; printable = no
> >>>>> ; write list = @staff
> >>>>>
> >>>>> # Other examples.
> >>>>> #
> >>>>> # A private printer, usable only by fred. Spool data will be placed in fred's
> >>>>> # home directory. Note that fred must have write access to the spool directory,
> >>>>> # wherever it is.
> >>>>> ;[fredsprn]
> >>>>> ; comment = Fred's Printer
> >>>>> ; valid users = fred
> >>>>> ; path = /homes/fred
> >>>>> ; printer = freds_printer
> >>>>> ; public = no
> >>>>> ; writable = no
> >>>>> ; printable = yes
> >>>>>
> >>>>> # A private directory, usable only by fred. Note that fred requires write
> >>>>> # access to the directory.
> >>>>> ;[fredsdir]
> >>>>> ; comment = Fred's Service
> >>>>> ; path = /usr/somewhere/private
> >>>>> ; valid users = fred
> >>>>> ; public = no
> >>>>> ; writable = yes
> >>>>> ; printable = no
> >>>>>
> >>>>> # a service which has a different directory for each machine that connects
> >>>>> # this allows you to tailor configurations to incoming machines. You could
> >>>>> # also use the %U option to tailor it by user name.
> >>>>> # The %m gets replaced with the machine name that is connecting.
> >>>>> ;[pchome]
> >>>>> ; comment = PC Directories
> >>>>> ; path = /usr/pc/%m
> >>>>> ; public = no
> >>>>> ; writable = yes
> >>>>>
> >>>>> # A publicly accessible directory, read/write to all users. Note that all files
> >>>>> # created in the directory by users will be owned by the default user, so
> >>>>> # any user with access can delete any other user's files. Obviously this
> >>>>> # directory must be writable by the default user. Another user could of course
> >>>>> # be specified, in which case all files would be owned by that user instead.
> >>>>> ;[public]
> >>>>> ; path = /usr/somewhere/else/public
> >>>>> ; public = yes
> >>>>> ; only guest = yes
> >>>>> ; writable = yes
> >>>>> ; printable = no
> >>>>>
> >>>>> # The following two entries demonstrate how to share a directory so that two
> >>>>> # users can place files there that will be owned by the specific users. In this
> >>>>> # setup, the directory should be writable by both users and should have the
> >>>>> # sticky bit set on it to prevent abuse. Obviously this could be extended to
> >>>>> # as many users as required.
> >>>>> ;[myshare]
> >>>>> ; comment = Mary's and Fred's stuff
> >>>>> ; path = /usr/somewhere/shared
> >>>>> ; valid users = mary fred
> >>>>> ; public = no
> >>>>> ; writable = yes
> >>>>> ; printable = no
> >>>>> ; create mask = 0765
> >>>>>
> >>>>>
> >>>> OK, after wading through the commented lines, I end up with:
> >>>>
> >>>> PDC smb.conf:
> >>>>
> >>>> [global]
> >>>> workgroup = fai
> >>>> server string = Samba Server
> >>>> security = user
> >>>> load printers = yes
> >>>> log file = /var/log/samba/log.%m
> >>>> max log size = 50
> >>>> passdb backend = tdbsam
> >>>> domain master = yes
> >>>> preferred master = yes
> >>>> domain logons = yes
> >>>> logon script = %m.bat
> >>>> logon script = %U.bat
> >>>> logon path = \\%L\Profiles\%U
> >>>> wins proxy = yes
> >>>> dns proxy = no
> >>>> add user script = /usr/sbin/useradd %u
> >>>> add group script = /usr/sbin/groupadd %g
> >>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d
> >>>> /var/lib/samba -s /bin/false %u
> >>>> delete user script = /usr/sbin/userdel %u
> >>>> delete user from group script = /usr/sbin/deluser %u %g
> >>>> delete group script = /usr/sbin/groupdel %g
> >>>>
> >>>> [homes]
> >>>> comment = Home Directories
> >>>> browseable = yes
> >>>> read only = no
> >>>> guest ok = yes
> >>>> create mask = 0700
> >>>> directory mask = 0700
> >>>> valid users = %S
> >>>> invalid users = root
> >>>>
> >>>> [netlogon]
> >>>> comment = Network Logon Service
> >>>> path = /usr/local/samba/lib/netlogon
> >>>> guest ok = yes
> >>>> writable = no
> >>>>
> >>>> [printers]
> >>>> comment = All Printers
> >>>> path = /usr/spool/samba
> >>>> browseable = no
> >>>> guest ok = no
> >>>> writable = no
> >>>> printable = yes
> >>>>
> >>>>
> >>>> Client smb.conf
> >>>>
> >>>> [global]
> >>>> workgroup = fai
> >>>> server string = %h server (Samba, Ubuntu)
> >>>> wins server = 172.20.68.14
> >>>> winbind separator = /
> >>>> winbind use default domain = Yes
> >>>> dns proxy = no
> >>>> winbind uid = 10000-20000
> >>>> winbind gid = 10000-20000
> >>>> template shell = /bin/bash
> >>>> allow trusted domains = yes
> >>>> name resolve order = lmhosts host wins bcast
> >>>> name resolve order = wins lmhosts host bcast
> >>>> log file = /var/log/samba/log.%m
> >>>> max log size = 1000
> >>>> syslog = 0
> >>>> panic action = /usr/share/samba/panic-action %d
> >>>> security = domain
> >>>> password server = 172.20.68.14
> >>>> encrypt passwords = true
> >>>> passdb backend = tdbsam
> >>>> obey pam restrictions = yes
> >>>> unix password sync = yes
> >>>> passwd program = /usr/bin/passwd %u
> >>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
> >>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>>> pam password change = yes
> >>>> map to guest = bad user
> >>>> add user script = /usr/sbin/adduser --quiet --disabled-password
> >>>> --gecos "" %u
> >>>> add machine script = /usr/sbin/useradd -g machines -c "%u machine
> >>>> account" -d /var/lib/samba -s /bin/false %u
> >>>> add group script = /usr/sbin/addgroup --force-badname %g
> >>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>>> template shell = /bin/bash
> >>>> template homedir = /home/%U
> >>>> usershare allow guests = yes
> >>>>
> >>>> #======================= Share Definitions ======================
> >>>>
> >>>> valid users = %S
> >>>>
> >>>> [printers]
> >>>> comment = All Printers
> >>>> browseable = no
> >>>> path = /var/spool/samba
> >>>> printable = yes
> >>>> guest ok = no
> >>>> read only = yes
> >>>> create mask = 0700
> >>>>
> >>>> [print$]
> >>>> comment = Printer Drivers
> >>>> path = /var/lib/samba/printers
> >>>> browseable = yes
> >>>> read only = yes
> >>>> guest ok = no
> >>>>
> >>>> There are a few lines that are duplicated in each smb.conf.
> >>>>
> >>>> I take it that you only use the PDC for authentication and don't let the
> >>>> users login.
> >>>>
> >>>> It has been sometime since I setup and used a linux client with a PDC,
> >>>> but I don't actually remember having all those passwd & script lines in
> >>>> the client smb.conf.
> >>>>
> >>>> Do the users exist as unix users on both machines ?
> >>>>
> >>>> Rowland
> >>>>
> >>> No, the users are created on the debian pdc. That is the long number (as their username).
> >>> Then the users can login on a joined ubuntu computer in the classroom. It does not matter which one.
> >>> The long number (as their username) comes from a smartcard.
> >>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, I have problems.
> >>> As I was debugging, I tried to su the user on a client machine, and got another user instead:
> >>> root at blank005:~# su 59031614949
> >>> 98121524292 at blank005:/root$
> >>>
> >>> I have never seen this.
> >>> Is it a problem with long usernames and winbind?
> >>>
> >> Well, the portion of the logfile you posted is full of lines like this:
> >>
> >> Failed to find a Unix account for 92101633919
> >>
> >> OK, just what part of that line do you not understand ?? :-)
> >>
> >> You need a unix user for '92101633919'
> >>
> >> Rowland
> >>
> > Correct, but there was this user:
> >
> > on debian pdc:
> > root at fai:~# cat /var/log/auth.log | grep 92101633919
> > Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209
> > Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse'
> > Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access'
> >
>
> OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd
> 92101633919' return anything ?
>
> If they both are true, then you may have run into this bug:
> https://bugzilla.samba.org/show_bug.cgi?id=11044
>
> Rowland
>

Ok, getent on another works ok, but not on a user with numbers:

root at fai:~# getent passwd ubu
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
root at fai:~# getent passwd 71101411853
root at fai:~#

part of /etc/passwd

ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
bind:x:111:120::/var/cache/bind:/bin/false
fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false
test:x:1002:1004::/home/test:/bin/sh
sshuser:x:1003:1005::/home/sshuser:/bin/sh
ubuntu8053$:x:1008:1003:Machine:/var/lib/samba:/bin/false
blank1$:x:1009:1003:Machine:/var/lib/samba:/bin/false
blank3$:x:1011:1003:Machine:/var/lib/samba:/bin/false
blank4$:x:1012:1003:Machine:/var/lib/samba:/bin/false
blank5$:x:1013:1003:Machine:/var/lib/samba:/bin/false
blank6$:x:1014:1003:Machine:/var/lib/samba:/bin/false
linux:x:1026:1026::/home/linux:/bin/sh
blank2$:x:1072:1003:blank2:/var/lib/nobody:/bin/false
blank004$:x:1092:1003:Machine:/var/lib/samba:/bin/false
blank001$:x:1093:1003:Machine:/var/lib/samba:/bin/false
blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false
blank002$:x:1095:1003:Machine:/var/lib/samba:/bin/false
blank003$:x:1096:1003:Machine:/var/lib/samba:/bin/false
blank006$:x:1097:1003:Machine:/var/lib/samba:/bin/false
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
blank0001$:x:1146:1003:Machine:/var/lib/samba:/bin/false

Could it be the 60 in the line:

71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh

I use this 60 to know on the client machines how long they can be logged in (so that will be 60 minutes).
I add this with:

chfn -f 60 $username
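
Added example, not part of the original thread: glibc's `getent passwd KEY` treats a key made up only of digits as a UID (it calls getpwuid() rather than getpwnam()), so an empty result for an all-digit login name does not by itself show that the account is missing. The Python sketch below emulates both lookups over a constructed passwd excerpt modelled on the rows in the message above; the function names are hypothetical.

```python
"""Name lookup versus getent-style lookup for all-digit login names.

Added illustration. It works on an embedded, constructed passwd excerpt
instead of the live NSS database, so it runs offline on any host.
"""
from typing import List, NamedTuple, Optional

# Constructed sample in passwd(5) format, modelled on rows quoted in the thread.
SAMPLE_PASSWD = """\
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
"""


class Entry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd(5) text; reject rows that do not have seven fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(Entry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def is_all_digits(key: str) -> bool:
    return key.isascii() and key.isdigit()


def lookup_by_name(entries: List[Entry], key: str) -> Optional[Entry]:
    """What getpwnam() does: match the login-name field only."""
    return next((e for e in entries if e.name == key), None)


def lookup_by_uid(entries: List[Entry], uid: int) -> Optional[Entry]:
    """What getpwuid() does: match the numeric UID field only."""
    return next((e for e in entries if e.uid == uid), None)


def lookup_getent_style(entries: List[Entry], key: str) -> Optional[Entry]:
    """Emulate `getent passwd KEY`: an all-digit key is taken as a UID."""
    if is_all_digits(key):
        return lookup_by_uid(entries, int(key))
    return lookup_by_name(entries, key)


def audit_numeric_names(entries: List[Entry]) -> List[dict]:
    """Report every all-digit login name and what a UID-first tool returns for it."""
    findings = []
    for e in entries:
        if not is_all_digits(e.name):
            continue
        hit = lookup_getent_style(entries, e.name)
        findings.append({
            "name": e.name,
            "uid": e.uid,
            # None: the tool prints nothing although the account exists.
            "getent_style_hit": hit.name if hit else None,
            # True: the digits match another account's UID, so the tool
            # would silently return a different user.
            "shadows_other_account": hit is not None and hit.name != e.name,
        })
    return findings


if __name__ == "__main__":
    db = parse_passwd(SAMPLE_PASSWD)
    for finding in audit_numeric_names(db):
        print(finding)
    print("by name:", lookup_by_name(db, "71101411853"))
    print("getent-style:", lookup_getent_style(db, "71101411853"))
```

To test a name lookup on a live system independently of this key parsing, `id 71101411853` or Python's `pwd.getpwnam("71101411853")` go through getpwnam().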
On 11/02/15 20:43, duportail wrote:
>>>>> As I was debugging, i tried to su the user on a client machine, and got another user instead: >>>>> root at blank005:~# su 59031614949 >>>>> 98121524292 at blank005:/root$ >>>>> >>>>> I never seen this . >>>>> Is it a problem with long usernames and winbind? >>>>> >>>>> >>>>> >>>>> >>>>> >>>> Well, the portion of the logfile you posted is full of lines like this: >>>> >>>> Failed to find a Unix account for 92101633919 >>>> >>>> OK, just what part of that line do you not understand ?? :-) >>>> >>>> You need a unix user for '92101633919' >>>> >>>> Rowland >>>> >>> Correct, but there was this user: >>> >>> on debian pdc: >>> root at fai:~# cat /var/log/auth.log | grep 92101633919 >>> Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209 >>> Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse' >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access' >>> >> 
OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd >> 92101633919' return anything ? >> >> If they both are true, then you may have run into this bug: >> https://bugzilla.samba.org/show_bug.cgi?id=11044 >> >> Rowland >> >> >> > Ok, > getent on another works ok, > but not on a user with numbers: > root at fai:~# getent passwd ubu > ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash > root at fai:~# getent passwd 71101411853 > root at fai:~# > > > part of /etc/passwd > > ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash > bind:x:111:120::/var/cache/bind:/bin/false > fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false > test:x:1002:1004::/home/test:/bin/sh > sshuser:x:1003:1005::/home/sshuser:/bin/sh > ubuntu8053$:x:1008:1003:Machine:/var/lib/samba:/bin/false > blank1$:x:1009:1003:Machine:/var/lib/samba:/bin/false > blank3$:x:1011:1003:Machine:/var/lib/samba:/bin/false > blank4$:x:1012:1003:Machine:/var/lib/samba:/bin/false > blank5$:x:1013:1003:Machine:/var/lib/samba:/bin/false > blank6$:x:1014:1003:Machine:/var/lib/samba:/bin/false > linux:x:1026:1026::/home/linux:/bin/sh > blank2$:x:1072:1003:blank2:/var/lib/nobody:/bin/false > blank004$:x:1092:1003:Machine:/var/lib/samba:/bin/false > blank001$:x:1093:1003:Machine:/var/lib/samba:/bin/false > blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false > blank002$:x:1095:1003:Machine:/var/lib/samba:/bin/false > blank003$:x:1096:1003:Machine:/var/lib/samba:/bin/false > blank006$:x:1097:1003:Machine:/var/lib/samba:/bin/false > 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh > ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh > blank0001$:x:1146:1003:Machine:/var/lib/samba:/bin/false > > could it be the 60 in the line: > 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh > > I use this 60 to know on the client machines how long the can be logged in ( so that will be 60 minutes) > I add this with : > chfn -f 60 $username > >OK, it looks like your users have id's in the 1xxx range, yet you have this in smb.conf: 
winbind uid = 10000-20000, could this be your problem ? Rowland

On Wednesday 11 February 2015 22:11:03, Rowland Penny wrote:
> OK, it looks like your users have IDs in the 1xxx range, yet you have
> this in smb.conf: winbind uid = 10000-20000, could this be your problem ?
>
> Rowland
>
No, this does not help.
What I also see: if a numeric username such as 71101411853 logs in on a client pc and starts, for example, firefox, then top shows that firefox is run by another (non-numeric) local user.
net cache flush also did not help.
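
An added example, not part of any message in this thread: a Python check over constructed excerpts of the client smb.conf and the PDC /etc/passwd quoted above. It lists parameters set more than once in a section (the duplicates Rowland mentions), marks account names made only of digits (glibc's getent treats an all-digit key as a UID, not a name), and compares each UID with the `winbind uid` range. The function names and sample strings are assumptions of this example.

```python
import re

# Constructed samples, cut down from the client smb.conf and the PDC
# /etc/passwd quoted in the thread.
SMB_CONF = """\
[global]
workgroup = fai
winbind uid = 10000-20000
winbind gid = 10000-20000
template shell = /bin/bash
name resolve order = lmhosts host wins bcast
name resolve order = wins lmhosts host bcast
security = domain
template shell = /bin/bash
[printers]
path = /var/spool/samba
"""

PASSWD = """\
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
"""


def parse_smb_conf(text):
    """Return {section: [(param, value), ...]}, keeping every occurrence.

    Backslash line continuations are not handled.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise spacing too.
            sections[current].append((" ".join(name.lower().split()), value.strip()))
    return sections


def duplicate_params(sections):
    """List (section, param, [values]) for parameters set more than once."""
    found = []
    for section, pairs in sections.items():
        seen = {}
        for name, value in pairs:
            seen.setdefault(name, []).append(value)
        found += [(section, n, v) for n, v in seen.items() if len(v) > 1]
    return found


def idmap_range(sections, param="winbind uid"):
    """Return (low, high) for `param` in [global], or None if absent or malformed.

    Assumption: when the parameter appears twice, the last line is the one used.
    """
    values = [v for n, v in sections.get("global", []) if n == param]
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", values[-1]) if values else None
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_passwd(passwd_text, uid_range):
    """Return one record per well-formed passwd line."""
    records = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip malformed or NIS-style (+/-) entries
        name, uid = fields[0], int(fields[2])
        records.append({
            "name": name,
            "uid": uid,
            # An all-digit name can be taken for a UID by tools that accept both.
            "numeric_name": name.isascii() and name.isdigit(),
            "in_winbind_range": uid_range is not None
            and uid_range[0] <= uid <= uid_range[1],
        })
    return records


if __name__ == "__main__":
    conf = parse_smb_conf(SMB_CONF)
    for section, name, values in duplicate_params(conf):
        print(f"[{section}] {name!r} set {len(values)} times: {values}")
    rng = idmap_range(conf)
    print("winbind uid range:", rng)
    for rec in audit_passwd(PASSWD, rng):
        print(rec)
```
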