2015-11-05 0:16 GMT+08:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 04/11/15 15:38, Roger Wu wrote:
>
>> 2015-11-04 22:55 GMT+08:00 Rowland Penny <rowlandpenny241155 at gmail.com <mailto:rowlandpenny241155 at gmail.com>>:
>>
>> On 04/11/15 14:34, Roger Wu wrote:
>>
>> Doh! now you have raised more questions :-D
>>
>> First, the more users that you have, the harder it gets to maintain them in a workgroup, about 8 users is the maximum from my experience. Some of them will never use more than one machine, but most will move from one machine to another and so they will have to have login details on *all* machines they will log into. This is where a domain comes in, you create the user in one place and the user can then login everywhere.
>>
>> I don't really get it. Maybe I misinterpret what you said.
>> If our samba server works, users only want to access samba service using their own PC,
>> that's what they need, they are not allowed to use others' PCs but their own.
>>
>> And yes, users can move from one machine to another, that's how a domain works,
>> but we don't need to provide samba service between Workstation,
>> only one way access from PCs to Workstations is needed for users.
>>
>> I am not worried about users limitation, it's just as I said that not so many users need this service.
>> If so, I'll figure it out.
>>
>> Now we come to the new questions, will the Unix machines need to be part of the domain ?
>>
>> What do you mean "to be part of the domain"?
>> We have unix/linux machines in each NIS domain, they are a part of their domain.
>> Could you define your question more precisely?
>>
>> You mention that they are in different domains, do you mean domains or do you mean workgroups?
>>
>> What I mean is NIS domain. We have three different domains, so I plan to start up one samba server for each domain separately
>> As for workgroup, we only have one workgroup for windows, so it won't be an issue.
>>
>> Are any machines in a windows domain already?
>>
>> No.
>>
>> Finally, if you cannot set up a new domain, do your users need to own files on your samba server or do they just need to read & store files on the samba server.
>>
>> Rowland
>>
>> They just need to read & store files on the samba server.
>>
>> Regards,
>> Roger
>>
>> OK, from what you have posted, you have Unix & windows workstations and they are in groups. You will probably be better off creating a new AD domain with a number of sites, you can use the DCs to authenticate all the users & groups and if push comes to shove, use the DCs as fileservers. Your users would log into their workstation (either windows or Unix) and have all their data to hand, the windows users would use the standard AD capabilities and the Unix users would use the RFC2307 attributes that are built into a Samba AD as standard.
>>
>> What this will give you is centralisation of user & group maintenance, your users' info will exist in just one place, you only need to add a user once, you can do it without leaving your chair, unlike a WORKGROUP, where you will have to visit *every* workstation or server that a user will connect to. I have been there, done that and my workgroup was scattered over three counties! It isn't easy.
>>
>> Rowland
>>
>> I am still confused why can't I use NIS as centralization of user authentication? I can do it at samba3x, or samba4x do it in a total different way?
>
>> Geez! It's too deep for me to understand.
>> I did achieve what I want with old samba version only doing some simple settings,
>> I tried to reduplicate the result using new samba version but it failed.
>> I didn't expect it comes to this way you mentioned, it seems more complicated.
>
> No, I doubt if you will be unable to understand it, you just haven't had any experience yet.
>
>> We do have an AD for PC windows workgroup. Why should I need to create a new AD?
>
> No, again I doubt you are using an AD for a workgroup, domain yes, workgroup no.

It's my misunderstanding. You're right, we are using an AD for windows domain.
Even so, I still need to create another new AD for what?

>> Would you please give me an example or show me how to setup samba as you said?
>
> OK, start here:
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

I'm trying to study the above link you suggest, but I can't find samba-tool for my installed packages.
Where can I find samba-tool?

[root@testcad16 ~]# rpm -qa | grep samba
sernet-samba-4.2.5-19.el6.x86_64
sernet-samba-libs-4.2.5-19.el6.x86_64
sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
sernet-samba-client-4.2.5-19.el6.x86_64
sernet-samba-common-4.2.5-19.el6.x86_64

> I have no experience creating an AD domain and DCs.
>
> Everybody has to start somewhere.
>
> OK, if you do not want to go down this path, then try this smb.conf
>
> [global]
> workgroup = WORKGROUP
> server string = ****
> netbios name = *****
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
> dns proxy = no
> map to guest = Bad User
> guest ok = yes
>
> This should work without adding any users to the server, anybody that connects gets mapped to the guest user, but this does mean that your users cannot own anything on the server and anybody will be able to read or delete anything!!!

I've tried the above smb.conf, and ya, it worked, but it's definitely not what I want.
I'll jump to the other option you suggested, but it will take me time to learn it.

Roger

> You just need to add whatever shares you require (and alter it to suit your workgroup etc).
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 05/11/15 03:38, Roger Wu wrote:

> Now we come to the new questions, will the Unix machines need to be part of the domain ?
>
> What do you mean "to be part of the domain"?
> We have unix/linux machines in each NIS domain, they are a part of their domain.
> Could you define your question more precisely?
>
> You mention that they are in different domains, do you mean domains or do you mean workgroups?
>
> What I mean is NIS domain. We have three different domains, so I plan to start up one samba server for each domain separately
> As for workgroup, we only have one workgroup for windows, so it won't be an issue.
>
> Are any machines in a windows domain already?
>
> No.
>
> Finally, if you cannot set up a new domain, do your users need to own files on your samba server or do they just need to read & store files on the samba server.
>
> Rowland
>
> They just need to read & store files on the samba server.
>
> I'm trying to study the above link you suggest, but I can't find samba-tool for my installed packages
> Where can I find samba-tool?
> [root@testcad16 ~]# rpm -qa | grep samba
> sernet-samba-4.2.5-19.el6.x86_64
> sernet-samba-libs-4.2.5-19.el6.x86_64
> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
> sernet-samba-client-4.2.5-19.el6.x86_64
> sernet-samba-common-4.2.5-19.el6.x86_64

If you install the sernet packages, you should just be able to run 'samba-tool --help'

> I have no experience creating an AD domain and DCs.
>
> Everybody has to start somewhere.
>
> OK, if you do not want to go down this path, then try this smb.conf
>
> [global]
> workgroup = WORKGROUP
> server string = ****
> netbios name = *****
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
> dns proxy = no
> map to guest = Bad User
> guest ok = yes
>
> This should work without adding any users to the server, anybody that connects gets mapped to the guest user, but this does mean that your users cannot own anything on the server and anybody will be able to read or delete anything!!!
>
> I've tried the above smb.conf, and ya, it worked, but it's definitely not what I want.
> I'll jump to the other option you suggested, but it will take me time to learn it.

You have a few options here, you could create all your users on the samba machine, then recreate them again as samba users, this of course means knowing all your users' passwords and changing them on the samba machine when they change them on the workstations. This way the files will be owned by whoever creates them.

You could setup a new NT4-style domain, but as these are on the way out, I wouldn't bother.

Probably the best way to go is to setup a new AD domain, you may think this is hard, but once you get into it, it is fairly logical. There is a lot of info out there on the internet, but I would start with the Samba wiki:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Create your first domain in a test environment (this way it won't matter if you make a big error) and once you are sure it works as you want, you can move it to production.

Any problems or questions, just ask.

Rowland

mathias dufresne
2015-Nov-05 10:18 UTC
[Samba] session setup failed: NT_STATUS_LOGON_FAILURE
As you said you have an AD domain already set up, this AD domain contains already your users and certainly some groups to manage them. You can re-use this AD of course, that's the whole point of AD for 15 years: to be re-used.

You seem to want to have a file server, add this server as a member of your already existing domain. Doing that this server will become part of your domain, it will be able to retrieve users from your already existing AD to use them as local users, to grant these users (coming from your AD domain) for authenticating them when they will access the file server.

In other words, AD users will be able to access your file server. After some configuration of course, but without recreating users, they are existing in your already existing domain.

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

This page gives links, read them.

2015-11-05 9:56 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 05/11/15 03:38, Roger Wu wrote:
>
>> Now we come to the new questions, will the Unix machines need to be part of the domain ?
>>
>> What do you mean "to be part of the domain"?
>> We have unix/linux machines in each NIS domain, they are a part of their domain.
>> Could you define your question more precisely?
>>
>> You mention that they are in different domains, do you mean domains or do you mean workgroups?
>>
>> What I mean is NIS domain. We have three different domains, so I plan to start up one samba server for each domain separately
>> As for workgroup, we only have one workgroup for windows, so it won't be an issue.
>>
>> Are any machines in a windows domain already?
>>
>> No.
>>
>> Finally, if you cannot set up a new domain, do your users need to own files on your samba server or do they just need to read & store files on the samba server.
>>
>> Rowland
>>
>> They just need to read & store files on the samba server.
>>
>> I'm trying to study the above link you suggest, but I can't find samba-tool for my installed packages
>> Where can I find samba-tool?
>> [root@testcad16 ~]# rpm -qa | grep samba
>> sernet-samba-4.2.5-19.el6.x86_64
>> sernet-samba-libs-4.2.5-19.el6.x86_64
>> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
>> sernet-samba-client-4.2.5-19.el6.x86_64
>> sernet-samba-common-4.2.5-19.el6.x86_64
>
> If you install the sernet packages, you should just be able to run 'samba-tool --help'
>
>> I have no experience creating an AD domain and DCs.
>>
>> Everybody has to start somewhere.
>>
>> OK, if you do not want to go down this path, then try this smb.conf
>>
>> [global]
>> workgroup = WORKGROUP
>> server string = ****
>> netbios name = *****
>> printcap name = /dev/null
>> load printers = no
>> disable spoolss = yes
>> printing = bsd
>> dns proxy = no
>> map to guest = Bad User
>> guest ok = yes
>>
>> This should work without adding any users to the server, anybody that connects gets mapped to the guest user, but this does mean that your users cannot own anything on the server and anybody will be able to read or delete anything!!!
>>
>> I've tried the above smb.conf, and ya, it worked, but it's definitely not what I want.
>> I'll jump to the other option you suggested, but it will take me time to learn it.
>
> You have a few options here, you could create all your users on the samba machine, then recreate them again as samba users, this of course means knowing all your users' passwords and changing them on the samba machine when they change them on the workstations. This way the files will be owned by whoever creates them.
>
> You could setup a new NT4-style domain, but as these are on the way out, I wouldn't bother.
>
> Probably the best way to go is to setup a new AD domain, you may think this is hard, but once you get into it, it is fairly logical. There is a lot of info out there on the internet, but I would start with the Samba wiki:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Create your first domain in a test environment (this way it won't matter if you make a big error) and once you are sure it works as you want, you can move it to production.
>
> Any problems or questions, just ask.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

2015-11-05 16:56 GMT+08:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 05/11/15 03:38, Roger Wu wrote:
>
>> Now we come to the new questions, will the Unix machines need to be part of the domain ?
>>
>> What do you mean "to be part of the domain"?
>> We have unix/linux machines in each NIS domain, they are a part of their domain.
>> Could you define your question more precisely?
>>
>> You mention that they are in different domains, do you mean domains or do you mean workgroups?
>>
>> What I mean is NIS domain. We have three different domains, so I plan to start up one samba server for each domain separately
>> As for workgroup, we only have one workgroup for windows, so it won't be an issue.
>>
>> Are any machines in a windows domain already?
>>
>> No.
>>
>> Finally, if you cannot set up a new domain, do your users need to own files on your samba server or do they just need to read & store files on the samba server.
>>
>> Rowland
>>
>> They just need to read & store files on the samba server.
>>
>> I'm trying to study the above link you suggest, but I can't find samba-tool for my installed packages
>> Where can I find samba-tool?
>> [root@testcad16 ~]# rpm -qa | grep samba
>> sernet-samba-4.2.5-19.el6.x86_64
>> sernet-samba-libs-4.2.5-19.el6.x86_64
>> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
>> sernet-samba-client-4.2.5-19.el6.x86_64
>> sernet-samba-common-4.2.5-19.el6.x86_64
>
> If you install the sernet packages, you should just be able to run 'samba-tool --help'

No. It's weird that I can't find where it is.
That said samba-tools should be at /usr/local/samba/bin, but I can't find anything

[root@testcad16 samba]# ls /usr/bin/samb*
/usr/bin/samba-regedit
[root@testcad16 samba]# ls /usr/sbin/samb*
ls: cannot access /usr/sbin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/bin/samb*
ls: cannot access /usr/local/bin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/sbin/samb*
ls: cannot access /usr/local/sbin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/samba/bin/samb*
ls: cannot access /usr/local/samba/bin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/samba/sbin/samb*
ls: cannot access /usr/local/samba/sbin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/sam*
ls: cannot access /usr/local/sam*: No such file or directory

>> I have no experience creating an AD domain and DCs.
>>
>> Everybody has to start somewhere.
>>
>> OK, if you do not want to go down this path, then try this smb.conf
>>
>> [global]
>> workgroup = WORKGROUP
>> server string = ****
>> netbios name = *****
>> printcap name = /dev/null
>> load printers = no
>> disable spoolss = yes
>> printing = bsd
>> dns proxy = no
>> map to guest = Bad User
>> guest ok = yes
>>
>> This should work without adding any users to the server, anybody that connects gets mapped to the guest user, but this does mean that your users cannot own anything on the server and anybody will be able to read or delete anything!!!
>>
>> I've tried the above smb.conf, and ya, it worked, but it's definitely not what I want.
>> I'll jump to the other option you suggested, but it will take me time to learn it.
>
> You have a few options here, you could create all your users on the samba machine, then recreate them again as samba users, this of course means knowing all your users' passwords and changing them on the samba machine when they change them on the workstations. This way the files will be owned by whoever creates them.

I've tried this option on old samba version.
I know this can work, but users have to reset their passwords, and I have to maintain one more account system which is not the best option for me apparently.
I considered it as second option.
Anyway, considering not so many users need this service, if setting a new AD can't go well, I may go this way.

> You could setup a new NT4-style domain, but as these are on the way out, I wouldn't bother.
>
> Probably the best way to go is to setup a new AD domain, you may think this is hard, but once you get into it, it is fairly logical. There is a lot of info out there on the internet, but I would start with the Samba wiki:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Create your first domain in a test environment (this way it won't matter if you make a big error) and once you are sure it works as you want, you can move it to production.
>
> Any problems or questions, just ask.

Thanks for your suggestion, I'll try that.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
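
The guest-only smb.conf quoted in this thread sets `map to guest = Bad User` and `guest ok = yes` in `[global]`, so every share added later inherits guest access. The check below is an added example, not part of the original thread or of Samba itself: it parses an smb.conf and reports which sections expose guest access. The `[data]` share, its path, the `@staff` group and the hardened variant are constructed for illustration.

```python
import re

TRUE = {"yes", "true", "1"}

def _norm(name):  # smb.conf ignores case and whitespace in names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):  # -> {section: {parameter: value}}
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = _norm(header.group(1))
            conf.setdefault(section, {})
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            conf[section][_norm(key)] = value.strip()
    return conf

def _flag(share, glob, *names):  # share value wins, then [global], else None
    for scope in (share, glob):
        for name in names:
            if name in scope:
                return scope[name].lower() in TRUE
    return None

def audit_guest_access(text):  # -> list of (section, finding)
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    mapping = glob.get("maptoguest", "Never")  # Samba's default is Never
    if mapping.lower() != "never":
        findings.append(("global", f"map to guest = {mapping}"))
    for name, share in conf.items():
        if name == "global" or not _flag(share, glob, "guestok", "public"):
            continue
        ro = _flag(share, glob, "readonly")
        rw = _flag(share, glob, "writable", "writeable")  # inverted synonyms
        writable = (not ro) if ro is not None else bool(rw)
        findings.append((name, "guest can write" if writable else "guest can read"))
    return findings

# Constructed samples: [global] follows the thread's smb.conf; [data] is hypothetical.
GUEST_CONF = """
[global]
    map to guest = Bad User
    guest ok = yes
[data]
    path = /srv/data
    read only = no
"""
HARDENED_CONF = GUEST_CONF.replace("Bad User", "Never").replace(
    "guest ok = yes", "guest ok = no") + "    valid users = @staff\n"
```

`audit_guest_access(GUEST_CONF)` reports both the global guest mapping and the writable `[data]` share, while the hardened variant returns an empty list.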