Rowland Penny
2023-Oct-06 18:02 UTC
[Samba] Simple question about netbios name and workgroup, in smb.conf
On Fri, 6 Oct 2023 14:03:55 -0300
Ricardo Campos via samba <samba at lists.samba.org> wrote:

> Hi, all. I need some help.
>
> I've installed samba 4.4 in a SuSE 42.2, years ago and it was still
> running smoothly till weeks ago. It is still running but new windows
> machines and old ones that were updated with some Microsoft software
> could not enter the domain because of a sort of loss of confidence
> error.
>
> Well, I was called to solve the problem. It seemed to me that the
> better way to do it was to install the new version of samba (4.19.0)
> which was said to correct the issue. I'm exactly at this point.
>
> I installed it, and openldap, in a Ubuntu 22.04 LTS box, from source
> and started some tests, but I couldn't go far enough because smbd
> finds errors:
>
> [2023/09/25 13:56:40.683717, 0]
> ../../source3/passdb/pdb_ldap_util.c:313(smbldap_search_domain_info)
> smbldap_search_domain_info: Adding domain info for *NEWATENA*
> failed with NT_STATUS_UNSUCCESSFUL
> [2023/09/25 13:56:40.683755, 0]
> ../../source3/passdb/pdb_ldap.c:6716(pdb_ldapsam_init_common)
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one
> to the domain. We cannot work reliably without it.
> [2023/09/25 13:56:40.683769, 0]
> ../../source3/passdb/pdb_interface.c:182(make_pdb_method_name)
> pdb backend ldapsam:ldap://127.0.0.1 did not correctly init (error
> was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
>
> A piece of the smb.conf file follows:

Please do not post part of a smb.conf, it doesn't really help, it would be better to post the output of 'testparm -s'

>
> server max protocol = NT1
> #
> preserve case = no
> time server = yes
> inherit acls = yes
> nt acl support = yes
> netbios name = *newatena*
> netbios aliases = newatena
> inherit permissions = yes
> printing = cups
> logon script = logon.bat
> dos charset = iso-8859-1
> local master = yes
> workgroup = *FUTURO*
> os level = 33
>
> Both newatena and FUTURO are temporary names, since I still have the
> samba 4.4 running.

Samba 4.4 is extremely old

>
> With slapcat we can see this (partial) entry:
>
> dn: sambaDomainName=*FUTURO*,dc=xxxx,dc=xxx,dc=xx
> sambaDomainName: *FUTURO*
> sambaAlgorithmicRidBase: 1000
> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> structuralObjectClass: sambaDomain
>
> My simple question is this: why would samba ask for a domain using
> the *netbios
> name* instead of the *workgroup*?

Because, there are two workgroups on a Samba server, one, the 'local' one, uses the NetBIOS name and the 'domain' that uses the NetBIOS domain name.

>
> If you need more information, please ask.

Yes, why are you trying to keep an old obsolete system working? The old 'PDC' type domains rely on SMBv1 and that protocol is very, very insecure. You would be better off either upgrading your existing domain to AD, or setting up a new domain, the latter is probably better because it gets rid of all the really old ways of doing things.

Rowland
Ricardo Campos
2023-Oct-06 18:43 UTC
[Samba] Simple question about netbios name and workgroup, in smb.conf
Thanks, Rowland for your quick answer.

1. testparm -s

Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)

Server role: ROLE_STANDALONE

# Global parameters
[global]
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	add machine script = /usr/sbin/smbldap-useradd -W "%u"
	add user script = /usr/sbin/smbldap-useradd -a -m "%u"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	delete group script = /usr/sbin/smbldap-groupdel "%g"
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	domain master = Yes
	dos charset = iso-8859-1
	ldap admin dn = uid=XXXX,ou=xxx,dc=xxx,dc=xxx,dc=xx
	ldap group suffix = ou=grupos
	ldap idmap suffix = ou=usuarios
	ldap machine suffix = ou=computadores
	ldap page size = 1024
	ldap ssl = no
	ldap suffix = dc=xxxx,dc=xxx,dc=xx
	ldap user suffix = ou=usuarios
	log file = /var/log/samba/%U_%m.log
	logon drive = U:
	logon home
	logon path
	logon script = logon.bat
	max log size = 8000
	netbios aliases = newatena
	netbios name = NEWATENA
	ntlm auth = ntlmv1-permitted
	os level = 33
	passdb backend = ldapsam:ldap://127.0.0.1
	preferred master = Yes
	printcap name = cups
	security = USER
	server max protocol = NT1
	server string = Servidor de arquivos - em testes
	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
	time server = Yes
	unix charset = iso-8859-1
	username map = /usr/local/samba/etc/samba/smbusers
	workgroup = FUTURO
	recycle:subdir_mode = 0700
	recycle:exclude_dir = /tmp /temp /cache /recycle /xxxx/transfer
	recycle:exclude = *.tmp *.temp *.o *.obj ~$* *.~?? thumbs.db
	recycle:maxsixe = 0
	recycle:versions = Yes
	recycle:touch = Yes
	recycle:keeptree = Yes
	recycle:repository = /dados/recycle/%U
	idmap config * : backend = tdb
	comment = qq
	hide unreadable = Yes
	inherit acls = Yes
	inherit permissions = Yes
	map acl inherit = Yes
	path = /dados
	preserve case = No
	printer name = impsuporte
	short preserve case = No
	vfs objects = recycle

[netlogon]
	browseable = No
	path = /home/%u
	write list = simone mdourado

[profiles]
	browseable = No
	create mask = 0600
	directory mask = 0700
	path = /var/lib/samba/profiles
	read only = No

[homes]
	browseable = No
	comment = Home Directories
	read only = No

[print$]
	guest ok = Yes
	path = /var/lib/samba/drivers
	write list = root

[saf]
	browseable = No
	comment = Area SAF
	create mask = 0600
	directory mask = 0700
	force group = saf
	path = /dados/saf
	read list = @saf @suporte
	write list = @saf @suporte

[des]
	browseable = No
	comment = Area DES
	create mask = 0600
	directory mask = 0700
	force group = des
	path = /dados/des
	read list = @des @suporte
	write list = @des @suporte

[ensur]
	browseable = No
	comment = Area ENSUR
	create mask = 0600
	directory mask = 0700
	force group = ensur
	path = /dados/ensur
	read list = @ensur @suporte
	write list = @ensur @suporte

[oeg]
	browseable = No
	comment = Area O&G
	create mask = 0600
	directory mask = 0700
	force group = oeg
	path = /dados/oeg
	write list = @oeg @suporte sandra

[sistemas]
	force group = sistemas
	path = /dados/sistemas
	write list = @suporte @sistemas

[malas]
	force group = malas
	path = /dados/malas
	write list = @suporte @malas

root at massa:/usr/local/samba/etc#

2. you said: Samba 4.4 is extremely old

Yes, I know. The problem is that some people resist upgrading things.

3. you said: Because, there are two workgroups on a Samba server, one, the 'local' one, uses the NetBIOS name and the 'domain' that uses the NetBIOS domain name

Well, why then is there only one sambaDomainName in ldap, till now?

4. you said: why are you trying to keep an old obsolete system working ? The old 'PDC' type domains rely on SMBv1 and that protocol is very, very insecure. You would be better off either upgrading your existing domain to AD, or setting up a new domain, the latter is probably better because it gets rid of all the really old ways of doing things.

I couldn't agree more but there are very old windows machines that people do not want to get rid of.

Going a little bit further. With this configuration, smbd cancels before starting. The problem seems to be related to permissions in ldap. smbd can not create this domain based on netbios name. I'll try to solve this problem before going on.

Thank you again.

Ricardo

> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
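An added example, not part of either post and not Samba project code: a small audit that reads captured 'testparm -s' output and reports the legacy-protocol settings raised in this thread (the SMB1 protocol cap, NTLMv1, and the GnuTLS weak-crypto banner). The sample input is a constructed excerpt in the shape of the output above; the function names and finding labels are this example's own.

```python
import re

# Constructed sample in the shape of `testparm -s` output (not a real capture).
SAMPLE = """\
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
# Global parameters
[global]
    ntlm auth = ntlmv1-permitted
    server max protocol = NT1
"""

# Dialect names that keep the server at SMB1 or older.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def parse_testparm(text):
    """Return (banner_lines, {section: {param: value}})."""
    banner, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is None:
            banner.append(line)          # text printed before [global]
        elif "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return banner, sections


def audit(text):
    """List legacy-protocol findings from the banner and [global]."""
    banner, sections = parse_testparm(text)
    g = sections.get("global", {})
    findings = []
    if any(b.startswith("Weak crypto is allowed") for b in banner):
        findings.append("weak-crypto: GnuTLS permits weak algorithms")
    for key in ("server min protocol", "server max protocol"):
        if g.get(key, "").upper() in SMB1_DIALECTS:
            findings.append(f"smb1: {key} = {g[key]}")
    if g.get("ntlm auth", "").lower() in ("ntlmv1-permitted", "yes"):
        findings.append(f"ntlmv1: ntlm auth = {g['ntlm auth']}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To run it against a live server, pass it the captured output of 'testparm -s 2>&1' so the banner lines are included.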