On Wednesday 11 February 2015 22:11:03, Rowland Penny wrote:
> On 11/02/15 20:43, duportail wrote:
> > On Wednesday 11 February 2015 20:18:57, Rowland Penny wrote:
> >> On 11/02/15 20:13, duportail wrote:
> >>> On Wednesday 11 February 2015 19:56:54, Rowland Penny wrote:
> >>>> On 11/02/15 19:25, duportail wrote:
> >>>>> On Wednesday 11 February 2015 19:09:48, Rowland Penny wrote:
> >>>>>> On 11/02/15 18:29, duportail wrote:
> >>>>>>> ( could not post complete reply, message too large?)
> >>>>>>>
> >>>>>>>
> >>>>>>> I think that's why I have a lot of black screens on the clients.
> >>>>>>> Here debian pdc smb.conf:
> >>>>>>> root@fai:~# cat /etc/samba/smb.conf
> >>>>>>> # This is the main Samba configuration file. You should read the
> >>>>>>> # smb.conf(5) manual page in order to understand the options listed
> >>>>>>> # here. Samba has a huge number of configurable options (perhaps too
> >>>>>>> # many!) most of which are not shown in this example
> >>>>>>> #
> >>>>>>> # For a step to step guide on installing, configuring and using samba,
> >>>>>>> # read the Samba-HOWTO-Collection. This may be obtained from:
> >>>>>>> # http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
> >>>>>>> #
> >>>>>>> # Many working examples of smb.conf files can be found in the
> >>>>>>> # Samba-Guide which is generated daily and can be downloaded from:
> >>>>>>> # http://www.samba.org/samba/docs/Samba-Guide.pdf
> >>>>>>> #
> >>>>>>> # Any line which starts with a ; (semi-colon) or a # (hash)
> >>>>>>> # is a comment and is ignored. In this example we will use a #
> >>>>>>> # for commentry and a ; for parts of the config file that you
> >>>>>>> # may wish to enable
> >>>>>>> #
> >>>>>>> # NOTE: Whenever you modify this file you should run the command "testparm"
> >>>>>>> # to check that you have not made any basic syntactic errors.
> >>>>>>> #
> >>>>>>> #======================= Global Settings ====================================
> >>>>>>> [global]
> >>>>>>>
> >>>>>>> # workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
> >>>>>>> workgroup = fai
> >>>>>>>
> >>>>>>> # server string is the equivalent of the NT Description field
> >>>>>>> server string = Samba Server
> >>>>>>>
> >>>>>>> # Security mode. Defines in which mode Samba will operate. Possible
> >>>>>>> # values are share, user, server, domain and ads. Most people will want
> >>>>>>> # user level security. See the Samba-HOWTO-Collection for details.
> >>>>>>> security = user
> >>>>>>>
> >>>>>>> # This option is important for security. It allows you to restrict
> >>>>>>> # connections to machines which are on your local network. The
> >>>>>>> # following example restricts access to two C class networks and
> >>>>>>> # the "loopback" interface. For more examples of the syntax see
> >>>>>>> # the smb.conf man page
> >>>>>>> ; hosts allow = 192.168.1. 192.168.2. 127.
> >>>>>>>
> >>>>>>> # If you want to automatically load your printer list rather
> >>>>>>> # than setting them up individually then you'll need this
> >>>>>>> load printers = yes
> >>>>>>>
> >>>>>>> # you may wish to override the location of the printcap file
> >>>>>>> ; printcap name = /etc/printcap
> >>>>>>>
> >>>>>>> # on SystemV system setting printcap name to lpstat should allow
> >>>>>>> # you to automatically obtain a printer list from the SystemV spool
> >>>>>>> # system
> >>>>>>> ; printcap name = lpstat
> >>>>>>>
> >>>>>>> # It should not be necessary to specify the print system type unless
> >>>>>>> # it is non-standard. Currently supported print systems include:
> >>>>>>> # bsd, cups, sysv, plp, lprng, aix, hpux, qnx
> >>>>>>> ; printing = cups
> >>>>>>>
> >>>>>>> # Uncomment this if you want a guest account, you must add this to /etc/passwd
> >>>>>>> # otherwise the user "nobody" is used
> >>>>>>> ; guest account = pcguest
> >>>>>>>
> >>>>>>> # this tells Samba to use a separate log file for each machine
> >>>>>>> # that connects
> >>>>>>> log file = /var/log/samba/log.%m
> >>>>>>>
> >>>>>>> # Put a capping on the size of the log files (in Kb).
> >>>>>>> max log size = 50
> >>>>>>>
> >>>>>>> # Use password server option only with security = server
> >>>>>>> # The argument list may include:
> >>>>>>> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> >>>>>>> # or to auto-locate the domain controller/s
> >>>>>>> # password server = *
> >>>>>>> ; password server = <NT-Server-Name>
> >>>>>>>
> >>>>>>> # Use the realm option only with security = ads
> >>>>>>> # Specifies the Active Directory realm the host is part of
> >>>>>>> ; realm = MY_REALM
> >>>>>>>
> >>>>>>> # Backend to store user information in. New installations should
> >>>>>>> # use either tdbsam or ldapsam. smbpasswd is available for backwards
> >>>>>>> # compatibility. tdbsam requires no further configuration.
> >>>>>>> passdb backend = tdbsam
> >>>>>>>
> >>>>>>> # Using the following line enables you to customise your configuration
> >>>>>>> # on a per machine basis. The %m gets replaced with the netbios name
> >>>>>>> # of the machine that is connecting.
> >>>>>>> # Note: Consider carefully the location in the configuration file of
> >>>>>>> # this line. The included file is read at that point.
> >>>>>>> ; include = /usr/local/samba/lib/smb.conf.%m
> >>>>>>>
> >>>>>>> # Configure Samba to use multiple interfaces
> >>>>>>> # If you have multiple network interfaces then you must list them
> >>>>>>> # here. See the man page for details.
> >>>>>>> # interfaces = 192.168.12.2/24 192.168.5.2/24
> >>>>>>>
> >>>>>>> # Browser Control Options:
> >>>>>>> # set local master to no if you don't want Samba to become a master
> >>>>>>> # browser on your network. Otherwise the normal election rules apply
> >>>>>>> ; local master = no
> >>>>>>>
> >>>>>>> # OS Level determines the precedence of this server in master browser
> >>>>>>> # elections. The default value should be reasonable
> >>>>>>> ; os level = 33
> >>>>>>>
> >>>>>>> # Domain Master specifies Samba to be the Domain Master Browser. This
> >>>>>>> # allows Samba to collate browse lists between subnets. Don't use this
> >>>>>>> # if you already have a Windows NT domain controller doing this job
> >>>>>>> domain master = yes
> >>>>>>>
> >>>>>>> # Preferred Master causes Samba to force a local browser election on startup
> >>>>>>> # and gives it a slightly higher chance of winning the election
> >>>>>>> preferred master = yes
> >>>>>>>
> >>>>>>> # Enable this if you want Samba to be a domain logon server for
> >>>>>>> # Windows95 workstations.
> >>>>>>> domain logons = yes
> >>>>>>>
> >>>>>>> # if you enable domain logons then you may want a per-machine or
> >>>>>>> # per user logon script
> >>>>>>> # run a specific logon batch file per workstation (machine)
> >>>>>>> logon script = %m.bat
> >>>>>>> # run a specific logon batch file per username
> >>>>>>> logon script = %U.bat
> >>>>>>>
> >>>>>>> # Where to store roving profiles (only for Win95 and WinNT)
> >>>>>>> # %L substitutes for this servers netbios name, %U is username
> >>>>>>> # You must uncomment the [Profiles] share below
> >>>>>>> logon path = \\%L\Profiles\%U
> >>>>>>>
> >>>>>>> # Windows Internet Name Serving Support Section:
> >>>>>>> # WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
> >>>>>>> ; wins support = yes
> >>>>>>>
> >>>>>>> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> >>>>>>> # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
> >>>>>>> ; wins server = 192.168.5.1
> >>>>>>>
> >>>>>>> # WINS Proxy - Tells Samba to answer name resolution queries on
> >>>>>>> # behalf of a non WINS capable client, for this to work there must be
> >>>>>>> # at least one WINS Server on the network. The default is NO.
> >>>>>>> wins proxy = yes
> >>>>>>>
> >>>>>>> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> >>>>>>> # via DNS nslookups. The default is NO.
> >>>>>>> dns proxy = no
> >>>>>>>
> >>>>>>> # These scripts are used on a domain controller or stand-alone
> >>>>>>> # machine to add or delete corresponding unix accounts
> >>>>>>> add user script = /usr/sbin/useradd %u
> >>>>>>> add group script = /usr/sbin/groupadd %g
> >>>>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u
> >>>>>>> delete user script = /usr/sbin/userdel %u
> >>>>>>> delete user from group script = /usr/sbin/deluser %u %g
> >>>>>>> delete group script = /usr/sbin/groupdel %g
> >>>>>>>
> >>>>>>>
> >>>>>>> #============================ Share Definitions =============================
> >>>>>>> [homes]
> >>>>>>> comment = Home Directories
> >>>>>>> browseable = yes
> >>>>>>> read only = no
> >>>>>>> guest ok = yes
> >>>>>>> create mask = 0700
> >>>>>>> directory mask = 0700
> >>>>>>> valid users = %S
> >>>>>>> invalid users = root
> >>>>>>> # Un-comment the following and create the netlogon directory for Domain Logons
> >>>>>>> [netlogon]
> >>>>>>> comment = Network Logon Service
> >>>>>>> path = /usr/local/samba/lib/netlogon
> >>>>>>> guest ok = yes
> >>>>>>> writable = no
> >>>>>>> #share modes = yes
> >>>>>>>
> >>>>>>>
> >>>>>>> # Un-comment the following to provide a specific roving profile share
> >>>>>>> # the default is to use the user's home directory
> >>>>>>> ;[Profiles]
> >>>>>>> ; path = /usr/local/samba/profiles
> >>>>>>> ; browseable = no
> >>>>>>> ; guest ok = yes
> >>>>>>>
> >>>>>>>
> >>>>>>> # NOTE: If you have a BSD-style print system there is no need to
> >>>>>>> # specifically define each individual printer
> >>>>>>> [printers]
> >>>>>>> comment = All Printers
> >>>>>>> path = /usr/spool/samba
> >>>>>>> browseable = no
> >>>>>>> # Set public = yes to allow user 'guest account' to print
> >>>>>>> guest ok = no
> >>>>>>> writable = no
> >>>>>>> printable = yes
> >>>>>>>
> >>>>>>> # This one is useful for people to share files
> >>>>>>> ;[tmp]
> >>>>>>> ; comment = Temporary file space
> >>>>>>> ; path = /tmp
> >>>>>>> ; read only = no
> >>>>>>> ; public = yes
> >>>>>>>
> >>>>>>> # A publicly accessible directory, but read only, except for people in
> >>>>>>> # the "staff" group
> >>>>>>> ;[public]
> >>>>>>> ; comment = Public Stuff
> >>>>>>> ; path = /home/samba
> >>>>>>> ; public = yes
> >>>>>>> ; writable = no
> >>>>>>> ; printable = no
> >>>>>>> ; write list = @staff
> >>>>>>>
> >>>>>>> # Other examples.
> >>>>>>> #
> >>>>>>> # A private printer, usable only by fred. Spool data will be placed in fred's
> >>>>>>> # home directory. Note that fred must have write access to the spool directory,
> >>>>>>> # wherever it is.
> >>>>>>> ;[fredsprn]
> >>>>>>> ; comment = Fred's Printer
> >>>>>>> ; valid users = fred
> >>>>>>> ; path = /homes/fred
> >>>>>>> ; printer = freds_printer
> >>>>>>> ; public = no
> >>>>>>> ; writable = no
> >>>>>>> ; printable = yes
> >>>>>>>
> >>>>>>> # A private directory, usable only by fred. Note that fred requires write
> >>>>>>> # access to the directory.
> >>>>>>> ;[fredsdir]
> >>>>>>> ; comment = Fred's Service
> >>>>>>> ; path = /usr/somewhere/private
> >>>>>>> ; valid users = fred
> >>>>>>> ; public = no
> >>>>>>> ; writable = yes
> >>>>>>> ; printable = no
> >>>>>>>
> >>>>>>> # a service which has a different directory for each machine that connects
> >>>>>>> # this allows you to tailor configurations to incoming machines. You could
> >>>>>>> # also use the %U option to tailor it by user name.
> >>>>>>> # The %m gets replaced with the machine name that is connecting.
> >>>>>>> ;[pchome]
> >>>>>>> ; comment = PC Directories
> >>>>>>> ; path = /usr/pc/%m
> >>>>>>> ; public = no
> >>>>>>> ; writable = yes
> >>>>>>>
> >>>>>>> # A publicly accessible directory, read/write to all users. Note that all files
> >>>>>>> # created in the directory by users will be owned by the default user, so
> >>>>>>> # any user with access can delete any other user's files. Obviously this
> >>>>>>> # directory must be writable by the default user. Another user could of course
> >>>>>>> # be specified, in which case all files would be owned by that user instead.
> >>>>>>> ;[public]
> >>>>>>> ; path = /usr/somewhere/else/public
> >>>>>>> ; public = yes
> >>>>>>> ; only guest = yes
> >>>>>>> ; writable = yes
> >>>>>>> ; printable = no
> >>>>>>>
> >>>>>>> # The following two entries demonstrate how to share a directory so that two
> >>>>>>> # users can place files there that will be owned by the specific users. In this
> >>>>>>> # setup, the directory should be writable by both users and should have the
> >>>>>>> # sticky bit set on it to prevent abuse. Obviously this could be extended to
> >>>>>>> # as many users as required.
> >>>>>>> ;[myshare]
> >>>>>>> ; comment = Mary's and Fred's stuff
> >>>>>>> ; path = /usr/somewhere/shared
> >>>>>>> ; valid users = mary fred
> >>>>>>> ; public = no
> >>>>>>> ; writable = yes
> >>>>>>> ; printable = no
> >>>>>>> ; create mask = 0765
> >>>>>>>
> >>>>>>>
> >>>>>> OK, after wading through the commented lines, I end up with:
> >>>>>>
> >>>>>> PDC smb.conf:
> >>>>>>
> >>>>>> [global]
> >>>>>> workgroup = fai
> >>>>>> server string = Samba Server
> >>>>>> security = user
> >>>>>> load printers = yes
> >>>>>> log file = /var/log/samba/log.%m
> >>>>>> max log size = 50
> >>>>>> passdb backend = tdbsam
> >>>>>> domain master = yes
> >>>>>> preferred master = yes
> >>>>>> domain logons = yes
> >>>>>> logon script = %m.bat
> >>>>>> logon script = %U.bat
> >>>>>> logon path = \\%L\Profiles\%U
> >>>>>> wins proxy = yes
> >>>>>> dns proxy = no
> >>>>>> add user script = /usr/sbin/useradd %u
> >>>>>> add group script = /usr/sbin/groupadd %g
> >>>>>> add machine script = /usr/sbin/useradd -N -g machines -c Machine -d
> >>>>>> /var/lib/samba -s /bin/false %u
> >>>>>> delete user script = /usr/sbin/userdel %u
> >>>>>> delete user from group script = /usr/sbin/deluser %u %g
> >>>>>> delete group script = /usr/sbin/groupdel %g
> >>>>>>
> >>>>>> [homes]
> >>>>>> comment = Home Directories
> >>>>>> browseable = yes
> >>>>>> read only = no
> >>>>>> guest ok = yes
> >>>>>> create mask = 0700
> >>>>>> directory mask = 0700
> >>>>>> valid users = %S
> >>>>>> invalid users = root
> >>>>>>
> >>>>>> [netlogon]
> >>>>>> comment = Network Logon Service
> >>>>>> path = /usr/local/samba/lib/netlogon
> >>>>>> guest ok = yes
> >>>>>> writable = no
> >>>>>>
> >>>>>> [printers]
> >>>>>> comment = All Printers
> >>>>>> path = /usr/spool/samba
> >>>>>> browseable = no
> >>>>>> guest ok = no
> >>>>>> writable = no
> >>>>>> printable = yes
> >>>>>>
> >>>>>>
> >>>>>> Client smb.conf
> >>>>>>
> >>>>>> [global]
> >>>>>> workgroup = fai
> >>>>>> server string = %h server (Samba, Ubuntu)
> >>>>>> wins server = 172.20.68.14
> >>>>>> winbind separator = /
> >>>>>> winbind use default domain = Yes
> >>>>>> dns proxy = no
> >>>>>> winbind uid = 10000-20000
> >>>>>> winbind gid = 10000-20000
> >>>>>> template shell = /bin/bash
> >>>>>> allow trusted domains = yes
> >>>>>> name resolve order = lmhosts host wins bcast
> >>>>>> name resolve order = wins lmhosts host bcast
> >>>>>> log file = /var/log/samba/log.%m
> >>>>>> max log size = 1000
> >>>>>> syslog = 0
> >>>>>> panic action = /usr/share/samba/panic-action %d
> >>>>>> security = domain
> >>>>>> password server = 172.20.68.14
> >>>>>> encrypt passwords = true
> >>>>>> passdb backend = tdbsam
> >>>>>> obey pam restrictions = yes
> >>>>>> unix password sync = yes
> >>>>>> passwd program = /usr/bin/passwd %u
> >>>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n
> >>>>>> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> >>>>>> pam password change = yes
> >>>>>> map to guest = bad user
> >>>>>> add user script = /usr/sbin/adduser --quiet --disabled-password
> >>>>>> --gecos "" %u
> >>>>>> add machine script = /usr/sbin/useradd -g machines -c "%u machine
> >>>>>> account" -d /var/lib/samba -s /bin/false %u
> >>>>>> add group script = /usr/sbin/addgroup --force-badname %g
> >>>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >>>>>> template shell = /bin/bash
> >>>>>> template homedir = /home/%U
> >>>>>> usershare allow guests = yes
> >>>>>>
> >>>>>> #======================= Share Definitions ======================
> >>>>>>
> >>>>>> valid users = %S
> >>>>>>
> >>>>>> [printers]
> >>>>>> comment = All Printers
> >>>>>> browseable = no
> >>>>>> path = /var/spool/samba
> >>>>>> printable = yes
> >>>>>> guest ok = no
> >>>>>> read only = yes
> >>>>>> create mask = 0700
> >>>>>>
> >>>>>> [print$]
> >>>>>> comment = Printer Drivers
> >>>>>> path = /var/lib/samba/printers
> >>>>>> browseable = yes
> >>>>>> read only = yes
> >>>>>> guest ok = no
> >>>>>>
> >>>>>> There are a few lines that are duplicated in each smb.conf.
> >>>>>>
> >>>>>> I take it that you only use the PDC for authentication and don't let the
> >>>>>> users login.
> >>>>>>
> >>>>>> It has been some time since I set up and used a linux client with a PDC,
> >>>>>> but I don't actually remember having all those passwd & script lines in
> >>>>>> the client smb.conf.
> >>>>>>
> >>>>>> Do the users exist as unix users on both machines ?
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>> No, the users are created on the debian pdc. That is the long number (as their username).
> >>>>> Then the users can log in on a joined ubuntu computer in the classroom. It does not matter which one.
> >>>>> The long number (as their username) comes from a smartcard.
> >>>>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, I have problems.
> >>>>> As I was debugging, I tried to su the user on a client machine, and got another user instead:
> >>>>> root@blank005:~# su 59031614949
> >>>>> 98121524292@blank005:/root$
> >>>>>
> >>>>> I have never seen this.
> >>>>> Is it a problem with long usernames and winbind?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>> Well, the portion of the logfile you posted is full of lines like this:
> >>>>
> >>>> Failed to find a Unix account for 92101633919
> >>>>
> >>>> OK, just what part of that line do you not understand ?? :-)
> >>>>
> >>>> You need a unix user for '92101633919'
> >>>>
> >>>> Rowland
> >>>>
> >>> Correct, but there was this user:
> >>>
> >>> on debian pdc:
> >>> root@fai:~# cat /var/log/auth.log | grep 92101633919
> >>> Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209
> >>> Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse'
> >>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access'
> >>>
> >> OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd
> >> 92101633919' return anything ?
> >>
> >> If they both are true, then you may have run into this bug:
> >> https://bugzilla.samba.org/show_bug.cgi?id=11044
> >>
> >> Rowland
> >>
> >>
> >>
> > Ok,
> > getent on another works ok,
> > but not on a user with numbers:
> > root@fai:~# getent passwd ubu
> > ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
> > root@fai:~# getent passwd 71101411853
> > root@fai:~#
> >
> >
> > part of /etc/passwd
> >
> > ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
> > bind:x:111:120::/var/cache/bind:/bin/false
> > fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false
> > test:x:1002:1004::/home/test:/bin/sh
> > sshuser:x:1003:1005::/home/sshuser:/bin/sh
> > ubuntu8053$:x:1008:1003:Machine:/var/lib/samba:/bin/false
> > blank1$:x:1009:1003:Machine:/var/lib/samba:/bin/false
> > blank3$:x:1011:1003:Machine:/var/lib/samba:/bin/false
> > blank4$:x:1012:1003:Machine:/var/lib/samba:/bin/false
> > blank5$:x:1013:1003:Machine:/var/lib/samba:/bin/false
> > blank6$:x:1014:1003:Machine:/var/lib/samba:/bin/false
> > linux:x:1026:1026::/home/linux:/bin/sh
> > blank2$:x:1072:1003:blank2:/var/lib/nobody:/bin/false
> > blank004$:x:1092:1003:Machine:/var/lib/samba:/bin/false
> > blank001$:x:1093:1003:Machine:/var/lib/samba:/bin/false
> > blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false
> > blank002$:x:1095:1003:Machine:/var/lib/samba:/bin/false
> > blank003$:x:1096:1003:Machine:/var/lib/samba:/bin/false
> > blank006$:x:1097:1003:Machine:/var/lib/samba:/bin/false
> > 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
> > ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
> > blank0001$:x:1146:1003:Machine:/var/lib/samba:/bin/false
> >
> > could it be the 60 in the line:
> > 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
> >
> > I use this 60 to know on the client machines how long they can be logged in (so that will be 60 minutes)
> > I add this with:
> > chfn -f 60 $username71101411853
> >
> >
>
> OK, it looks like your users have id's in the 1xxx range, yet you have
> this in smb.conf: winbind uid = 10000-20000, could this be your problem ?
>
> Rowland
>
>
No, this does not help. What I also see: if a numeric username such as 71101411853 logs in on a client PC and starts, for example, firefox, then top shows that firefox is run by another (non-numeric) local user.
net cache flush also did not help.
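An added example, not part of the original thread: the empty `getent passwd 71101411853` result quoted in the message above is what a lookup tool produces when it treats an all-digit key as a UID instead of a login name. The script audits passwd-format data for such names; the 32-bit `uid_t`, the function names and the last sample entry are assumptions of this example, and it does not model winbind or idmap.

```python
"""Audit passwd(5)-format data for all-numeric login names."""
from typing import List, NamedTuple, Optional

UID_MODULUS = 2 ** 32  # assumption: uid_t is an unsigned 32-bit integer

# Constructed sample. The first five lines are entries quoted in the thread;
# the last line is invented here to show a name that equals another UID.
SAMPLE_PASSWD = """\
ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
test:x:1002:1004::/home/test:/bin/sh
blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh
1000:x:1200:1200::/home/1000:/bin/sh
"""


class Entry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def is_numeric(name: str) -> bool:
    """True for names made only of ASCII digits."""
    return name.isascii() and name.isdigit()


def parse_passwd(text: str) -> List[Entry]:
    """Parse passwd(5) lines, skipping blank, comment and malformed ones."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # do not guess at broken records
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(Entry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def lookup_by_name(entries: List[Entry], name: str) -> Optional[Entry]:
    return next((e for e in entries if e.name == name), None)


def lookup_by_uid(entries: List[Entry], uid: int) -> Optional[Entry]:
    return next((e for e in entries if e.uid == uid), None)


def lookup_numeric_aware(entries: List[Entry], key: str) -> Optional[Entry]:
    """Resolve a key the way a tool does that reads all-digit keys as UIDs.

    The numeric value is reduced modulo 2**32 to mimic conversion to uid_t.
    """
    if is_numeric(key):
        return lookup_by_uid(entries, int(key) % UID_MODULUS)
    return lookup_by_name(entries, key)


def audit_numeric_names(entries: List[Entry]) -> List[dict]:
    """Report every all-digit login name and what a UID-style lookup hits.

    status is one of:
      unresolvable - no account owns the UID the name is read as
      collides     - a different account owns that UID
      consistent   - the account's own UID equals the name
    """
    findings = []
    for entry in entries:
        if not is_numeric(entry.name):
            continue
        uid_key = int(entry.name) % UID_MODULUS
        hit = lookup_by_uid(entries, uid_key)
        if hit is None:
            status = "unresolvable"
        elif hit.name == entry.name:
            status = "consistent"
        else:
            status = "collides"
        findings.append({
            "name": entry.name,
            "real_uid": entry.uid,
            "uid_key": uid_key,
            "resolves_to": hit.name if hit else None,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_numeric_names(parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against a copy of the real `/etc/passwd`, any `collides` finding means a numeric key can resolve to a different account than the one named.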
On 12/02/15 15:19, duportail wrote:
>>>>>>>> pam password change = yes >>>>>>>> map to guest = bad user >>>>>>>> add user script = /usr/sbin/adduser --quiet --disabled-password >>>>>>>> --gecos "" %u >>>>>>>> add machine script = /usr/sbin/useradd -g machines -c "%u machine >>>>>>>> account" -d /var/lib/samba -s /bin/false %u >>>>>>>> add group script = /usr/sbin/addgroup --force-badname %g >>>>>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 >>>>>>>> template shell = /bin/bash >>>>>>>> template homedir = /home/%U >>>>>>>> usershare allow guests = yes >>>>>>>> >>>>>>>> #======================= Share Definitions ======================>>>>>>>> >>>>>>>> valid users = %S >>>>>>>> >>>>>>>> [printers] >>>>>>>> comment = All Printers >>>>>>>> browseable = no >>>>>>>> path = /var/spool/samba >>>>>>>> printable = yes >>>>>>>> guest ok = no >>>>>>>> read only = yes >>>>>>>> create mask = 0700 >>>>>>>> >>>>>>>> [print$] >>>>>>>> comment = Printer Drivers >>>>>>>> path = /var/lib/samba/printers >>>>>>>> browseable = yes >>>>>>>> read only = yes >>>>>>>> guest ok = no >>>>>>>> >>>>>>>> There are a few lines that are duplicated in each smb.conf. >>>>>>>> >>>>>>>> I take it that you only use the PDC for authentication and don't let the >>>>>>>> users login. >>>>>>>> >>>>>>>> It has been sometime since I setup and used a linux client with a PDC, >>>>>>>> but I don't actually remember having all those passwd & script lines in >>>>>>>> the client smb.conf. >>>>>>>> >>>>>>>> Do the users exist as unix users on both machines ? >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>> No, the users are created on the debian pdc. that is the long number (as their username). >>>>>>> Than the users can login on a joined ubuntu computer in the classroom. It does not matter which one. >>>>>>> The long number (as their username) comes from a smartcard). >>>>>>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, i have problems. 
>>>>>>> As I was debugging, i tried to su the user on a client machine, and got another user instead: >>>>>>> root at blank005:~# su 59031614949 >>>>>>> 98121524292 at blank005:/root$ >>>>>>> >>>>>>> I never seen this . >>>>>>> Is it a problem with long usernames and winbind? >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> Well, the portion of the logfile you posted is full of lines like this: >>>>>> >>>>>> Failed to find a Unix account for 92101633919 >>>>>> >>>>>> OK, just what part of that line do you not understand ?? :-) >>>>>> >>>>>> You need a unix user for '92101633919' >>>>>> >>>>>> Rowland >>>>>> >>>>> Correct, but there was this user: >>>>> >>>>> on debian pdc: >>>>> root at fai:~# cat /var/log/auth.log | grep 92101633919 >>>>> Feb 10 14:54:51 fai useradd[9507]: new group: name=92101633919, GID=1209 >>>>> Feb 10 14:54:51 fai useradd[9507]: new user: name=92101633919, UID=1209, GID=1209, home=/home/92101633919, shell=/bin/sh >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'audio' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'dip' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'video' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'plugdev' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'fuse' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to group 'pulse-access' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'audio' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'dip' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'video' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'plugdev' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'fuse' >>>>> Feb 10 14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse' >>>>> Feb 10 
14:54:51 fai useradd[9507]: add '92101633919' to shadow group 'pulse-access' >>>>> >>>> OK, is '92101633919' in /etc/passwd on the pdc and does 'getent passwd >>>> 92101633919' return anything ? >>>> >>>> If they both are true, then you may have run into this bug: >>>> https://bugzilla.samba.org/show_bug.cgi?id=11044 >>>> >>>> Rowland >>>> >>>> >>>> >>> Ok, >>> getent on another works ok, >>> but not on a user with numbers: >>> root at fai:~# getent passwd ubu >>> ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash >>> root at fai:~# getent passwd 71101411853 >>> root at fai:~# >>> >>> >>> part of /etc/passwd >>> >>> ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash >>> bind:x:111:120::/var/cache/bind:/bin/false >>> fai$:x:1001:1003:Machine:/var/lib/samba:/bin/false >>> test:x:1002:1004::/home/test:/bin/sh >>> sshuser:x:1003:1005::/home/sshuser:/bin/sh >>> ubuntu8053$:x:1008:1003:Machine:/var/lib/samba:/bin/false >>> blank1$:x:1009:1003:Machine:/var/lib/samba:/bin/false >>> blank3$:x:1011:1003:Machine:/var/lib/samba:/bin/false >>> blank4$:x:1012:1003:Machine:/var/lib/samba:/bin/false >>> blank5$:x:1013:1003:Machine:/var/lib/samba:/bin/false >>> blank6$:x:1014:1003:Machine:/var/lib/samba:/bin/false >>> linux:x:1026:1026::/home/linux:/bin/sh >>> blank2$:x:1072:1003:blank2:/var/lib/nobody:/bin/false >>> blank004$:x:1092:1003:Machine:/var/lib/samba:/bin/false >>> blank001$:x:1093:1003:Machine:/var/lib/samba:/bin/false >>> blank005$:x:1094:1003:Machine:/var/lib/samba:/bin/false >>> blank002$:x:1095:1003:Machine:/var/lib/samba:/bin/false >>> blank003$:x:1096:1003:Machine:/var/lib/samba:/bin/false >>> blank006$:x:1097:1003:Machine:/var/lib/samba:/bin/false >>> 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh >>> ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh >>> blank0001$:x:1146:1003:Machine:/var/lib/samba:/bin/false >>> >>> could it be the 60 in the line: >>> 71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh >>> >>> I use this 60 to know on the client machines how long the can 
be logged in ( so that will be 60 minutes) >>> I add this with : >>> chfn -f 60 $username71101411853 >>> >>> >> OK, it looks like your users have id's in the 1xxx range, yet you have >> this in smb.conf: winbind uid = 10000-20000, could this be your problem ? >> >> Rowland >> >> > No, this does not help. > What I also see if a numeric username such as 71101411853 log in on a client pc, and starts for example firefox, than top shows that firefox is run by another (non numeric) local user. > net cache flush did also not helpI have nearly run out of ideas here, the only one left is, have you considered upgrading to samba4 AD ? Rowland
> I have nearly run out of ideas here, the only one left is, have you
> considered upgrading to samba4 AD ?
>
> Rowland

Not yet, will do that in the future when debian 8 comes out.
About the errors:
I do not have any problems when the username is not numeric or partial numeric.
So if username is abcdefghijk, no problems at all.
So I think it is the numeric usernames problem.

Guy

> >>>>>>>> There are a few lines that are duplicated in each smb.conf.
> >>>>>>>>
> >>>>>>>> I take it that you only use the PDC for authentication and don't let the
> >>>>>>>> users login.
> >>>>>>>>
> >>>>>>>> It has been sometime since I setup and used a linux client with a PDC,
> >>>>>>>> but I don't actually remember having all those passwd & script lines in
> >>>>>>>> the client smb.conf.
> >>>>>>>>
> >>>>>>>> Do the users exist as unix users on both machines ?
> >>>>>>>>
> >>>>>>>> Rowland
> >>>>>>>>
> >>>>>>> No, the users are created on the debian pdc. That is the long number (as their username).
> >>>>>>> Then the users can login on a joined ubuntu computer in the classroom. It does not matter which one.
> >>>>>>> The long number (as their username) comes from a smartcard.
> >>>>>>> I have this setup in many schools, and working ok. But on this setup, with the long numbers as usernames, I have problems.
[...]
> I have nearly run out of ideas here, the only one left is, have you
> considered upgrading to samba4 AD ?
>
> Rowland
>
Not yet, will do that in the future when debian 8 comes out.
About the errors: I do not have any problems when the username is not numeric or partially numeric.
So if the username is abcdefghijk, no problems at all.
So I think it is the numeric usernames problem.

I found this:
http://www.linuxquestions.org/questions/linux-security-4/linux-userid-syntax-requirements-don%27t-allow-id-to-begin-with-a-number-368518/

Guy
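
An added example, not part of the thread: glibc's `getent passwd KEY` looks up a key made only of digits as a UID rather than as a login name, which is consistent with the empty `getent passwd 71101411853` result quoted above even though the entry is in /etc/passwd. The sketch below models that rule over four entries copied from the quoted passwd excerpt; the function names are hypothetical and the model is simplified (it does not reproduce Samba, winbind or `su` behaviour).

```shell
#!/bin/sh
# Constructed sample: four entries taken from the /etc/passwd excerpt in the thread.
SAMPLE_PASSWD='ubu:x:1000:1000:ubu,,,:/home/ubu:/bin/bash
test:x:1002:1004::/home/test:/bin/sh
71101411853:x:1103:1103:60,,,:/home/71101411853:/bin/sh
ayke:x:1104:1104:60,,,:/home/ayke:/bin/sh'

# lookup_by_name KEY: strict match on field 1 (login name) only.
# The appended "" forces a string comparison in awk, never a numeric one.
lookup_by_name() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v k="$1" '($1 "") == (k "")'
}

# lookup_like_getent KEY: simplified model of "getent passwd KEY".
# An all-digit key is treated as a UID (field 3); anything else as a name.
lookup_like_getent() {
    case "$1" in
        ''|*[!0-9]*) lookup_by_name "$1" ;;
        *) printf '%s\n' "$SAMPLE_PASSWD" |
               awk -F: -v k="$1" '($3 "") == (k "")' ;;
    esac
}

# numeric_logins: list login names that consist only of digits and are
# therefore ambiguous for any tool that accepts "name or UID".
numeric_logins() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$1 ~ /^[0-9]+$/ { print $1 }'
}

# Show the difference for every ambiguous account in the sample.
for u in $(numeric_logins); do
    printf '%s\n  getent-style: [%s]\n  by name:      [%s]\n' \
        "$u" "$(lookup_like_getent "$u")" "$(lookup_by_name "$u")"
done
```

On a live host, a lookup that goes strictly by name (for example Python's `pwd.getpwnam("71101411853")`) shows whether NSS knows the account independently of the numeric-key rule.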