Samba: Difference between revisions
Notes for Samba 2
<pre>
#flat files that map Unix groups to NT type groups.
#these files take the form unix_group = `Windows NT group''
Using swat makes life easier!
</pre>
SYMPTOMS
If Office (Word or Excel) is writing files with strange permissions, but is correctly writing the swap file, the offending line is probably
<pre>
# profile acls = Yes NB THIS IS THE ROOT OF EVIL!!!
</pre>
in the Globals section. Just remark it out.
SYMPTOMS
If you find that you can create a file on a samba share on an NFS mount but get locking error messages after editing and then saving (and stupidly being able to save as over the old file):
<pre>
# strict locking solves the process cannot access the file because "another process has locked a portion of the file" with files over nfs mounts
strict locking = no
</pre>
ON MIGRATION
When moving a PDC to another machine, the setup creates different SIDs (see 'net groupmap list') than on the first PDC. The Windows machines want to connect to the same SIDs, so they will refuse to connect to the new PDC, giving all sorts of problems.
What can you do? Theoretically you should be able to net groupmap modify the SIDs of the new server so that they will be the same as the old server's. I didn't do it that way - I created and left the new SIDs. There seems to be some residue of the old SIDs in the password files.
Remove the machine accounts from /etc/passwd and /etc/samba/smbpasswd.
Start up the machine, log in as local administrator (not on the domain, silly!)
Remove the machine from the domain (it doesn't matter which PDC as long as you remember the correct root account password for samba) - right-click My Computer, tab Identification, change ID and put it in a workgroup.
Check the registry settings (see the TROUBLESHOOTING section).
Rename My Documents - username.DOMAIN to username.DOMAIN.old
Remove the samba users (the usernames your clients log into) from /etc/passwd and /etc/smbpasswd
Reboot the client
Log in as local administrator
Join the domain
Reboot the machine
Create the new client users in /etc/passwd and /etc/smbpasswd (use adduser and smbpasswd -a - don't copy and paste from any old ones!)
Log in with the user on the client on the domain
When the default profile has finished building, reboot
Log in as local administrator
Copy the contents of /documents and settings/username.DOMAIN.old/* to /documents and settings/username.DOMAIN/
Make sure that ntuser.dat has been copied
Log out, log in as the user on the domain.
Migration complete!
Latest revision as of 19:21, 1 February 2018
INSTALLING
Samba 3.0.0 on Debian as a Primary Domain Controller (PDC) for WinXP and Win2k / Windows 2000 clients: a howto in 10-step checklist format.
After downloading the packages samba-common and samba_3.0.0 and installing them with dpkg:
1) edit /etc/samba/smb.conf and make sure it has stuff like this in it
<pre>
workgroup = DOMAINNAME
server string = SERVERNAME
netbios name = SERVERNAME
security = user
obey pam restrictions = yes
password server =
passdb backend = smbpasswd
hosts allow = 192.168.
local master = yes
os level = 65
domain master = yes
preferred master = yes
domain logons = yes
server signing = auto
logon script = logon.bat
logon drive = X:
logon home =
time server = yes
add machine script = /usr/sbin/adduser --ingroup machine --system --home /dev/null --no-create-home --force-badname %u
logon path =
wins support = yes
log level = 2
</pre>
2) Explanation
workgroup is the domain name. Keep it under 8 characters and uppercase. You will need to use this often, so make sure you like it.
server string is the name the server has for itself. Also under 8 chars and uppercase, and the same as netbios name (this is for Windows name resolution - WINS).
security = user: there are several options, but I'm assuming you have one samba machine (the one being configured) and no other servers handling authentication. All the options apart from 'user' assume there is another machine taking care of authentication!
password server is left empty, because I found it gave some weird results if I uncommented it. This is related to security: any other value tells samba to do the authentication elsewhere.
passdb backend tells samba how to handle authentication. Best to leave it on whatever you have now (if you're migrating) or smbpasswd - at least until you have everything up and running. The smbpasswd file can be found at /etc/samba/smbpasswd and is a text file that maps unix accounts to samba accounts (see later).
hosts allow is there for security. Add as many netmasks as you like (i.e. this one will let in IP addresses from 192.168.0.0 - 192.168.255.255). You can put more subnets in if you need them.
local master, preferred master, domain master and domain logons are what make samba the domain master. If you have more samba machines running in the network, set them to 'no' on the ones that aren't PDCs.
os level - the lower this is, the more chance it will have to beat other machines trying to act as PDCs on the network. 65 will allow you to beat any NT machines you have floating around on the network, but obviously, you shouldn't have more than 1 PDC on any network.
logon script is the name of the logon script that will run. There are better howtos than this one on how to build one - just remember they have to be in MS-DOS format, so convert any unix file to MS-DOS format should you make one in unix. I do like putting net time /domain:DOMAINNAME /set /y into the logon script as it keeps all the machines on the network at the same time. Make sure there is a [netlogon] share, as that is where the script is looked for. You can use stuff like %Gnetlogon.bat, which will start a file called groupnamenetlogon.bat. I set browseable = No, read only = Yes, etc. - none of anyone's business what all my groups connect to!
logon drive tells Windows which drive will be mapped to the home directory.
logon home is where Win9x/Me will store roaming profiles. My profiles are local (because they can get really big!) so I've explicitly left it empty - otherwise samba will default it to some other value. The same goes for logon path, but this is for 200x/XP profiles.
time server is not necessary (unless you go for roaming profiles) but is nice as it allows you to synchronise all the clients on the network to the same time (see logon script).
add machine script - this one adds machines for DEBIAN - Red Hat users find another one! (hint: it doesn't use adduser, the Red Hat script uses useradd). Later on this gets explained.
log level - set to 2 for debugging - most errors will be logged fairly verbosely like this. Reset it to 1 once you're no longer getting any errors.
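As an added example (not code from the original page or from the Samba project), the following Python script parses an smb.conf constructed from the step 1 values and audits the [global] section for the points step 2 makes: security must be 'user' with no password server, hosts allow must be set, the four master/logon parameters must be 'yes', a [netlogon] share must exist to serve the logon script, and log level should drop back to 1 once things work. The file contents, the [netlogon] path and the finding texts are assumptions made for the example.

```python
"""Audit a Samba smb.conf against the PDC checklist in steps 1 and 2.

Added example, not code from the original page. The smb.conf text below is
constructed from the settings the howto lists; the findings are the checks
an administrator would run before putting the PDC on the network.
"""
import re

# Constructed smb.conf using the values from step 1 plus the [netlogon] share
# that step 2 says must exist (the path is an assumption).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOMAINNAME
   server string = SERVERNAME
   netbios name = SERVERNAME
   security = user
   password server =
   passdb backend = smbpasswd
   hosts allow = 192.168.
   local master = yes
   os level = 65
   domain master = yes
   preferred master = yes
   domain logons = yes
   server signing = auto
   logon script = logon.bat
   add machine script = /usr/sbin/adduser --ingroup machine --system --home /dev/null --no-create-home --force-badname %u
   wins support = yes
   log level = 2

[netlogon]
   path = /var/lib/samba/netlogon
   browseable = No
   read only = Yes
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}.

    Section and parameter names are lowercased and internal whitespace in
    parameter names is collapsed, so 'Log  Level' normalises to 'log level'.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = re.sub(r"\s+", " ", name.strip().lower())
        sections[current][name] = value.strip()
    return sections


def audit_pdc(conf):
    """Return findings for a PDC; an empty list means the checklist passes."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "user").lower() != "user":
        findings.append("security is not 'user': authentication would be delegated to another server")
    if g.get("password server"):
        findings.append("password server is set: samba will not authenticate locally")
    if not g.get("hosts allow"):
        findings.append("hosts allow is empty: every host can reach the server")
    for name in ("domain logons", "domain master", "local master", "preferred master"):
        if g.get(name, "no").lower() not in ("yes", "true", "1"):
            findings.append(f"{name} is not yes: this server will not act as PDC")
    if g.get("logon script") and "netlogon" not in conf:
        findings.append("logon script set but no [netlogon] share to serve it from")
    level = (g.get("log level", "0").split() or ["0"])[0]
    if level.isdigit() and int(level) >= 2:
        findings.append(f"log level = {level}: debugging verbosity, reset to 1 once stable")
    return findings


if __name__ == "__main__":
    for finding in audit_pdc(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run against the real file with `audit_pdc(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; on the constructed sample the only finding is the debugging log level, which is what step 2 tells you to turn down once the PDC is stable.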
3) make sure there is a user nobody and a user guest (both can be made with 'null' passwords) in both smbpasswd and passwd, and a user root (with a different password than that in passwd - i.e. the unix root) in smbpasswd
<pre>
# smbpasswd -a root
# smbpasswd -a guest
</pre>
4) Groups: you need NT groups mapped to Unix groups for the users to be recognised.
<pre>
# net groupmap list
System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Guests (S-1-5-21-3687569591-2717907897-2748310743-514) -> -1
</pre>
The last numbers are the RIDs and they need to be a specific value for the groups to work.
This output shows the group mappings samba expects, so these groups need to be made in /etc/group:
<pre>
sysops:x:500:
repl:x:501:
guests:x:502:
domusr:x:503:
pwrusr:x:504:
printops:x:505:
ntadmin:x:506:administrator
acctops:x:507:
domadm:x:508:
backops:x:509:
usrs:x:510:
domgsts:x:511:
machine:x:512:
</pre>
then the unix groups get mapped to the NT groups:
<pre>
net groupmap modify ntgroup="System Operators" unixgroup=sysops
net groupmap modify ntgroup="Replicators" unixgroup=repl
net groupmap modify ntgroup="Guests" unixgroup=guests
net groupmap modify ntgroup="Domain Users" unixgroup=domusr
net groupmap modify ntgroup="Power Users" unixgroup=pwrusr
net groupmap modify ntgroup="Print Operators" unixgroup=printops
net groupmap modify ntgroup="Administrators" unixgroup=ntadmin
net groupmap modify ntgroup="Account Operators" unixgroup=acctops
net groupmap modify ntgroup="Backup Operators" unixgroup=backops
net groupmap modify ntgroup="Users" unixgroup=usrs
net groupmap modify ntgroup="Domain Guests" unixgroup=domgsts
net groupmap modify ntgroup="Domain Admins" unixgroup=domadm
</pre>
Note: case + quotes for ntgroups.
in windows doing a "net group /domain" from cmd will show the groups.
So to add a domain user to an ntgroup they have to be listed in the /etc/group file at the right place. http://www.it.lut.fi/~doc/samba-3.0.0beta3/htmldocs/groupmapping.html
Now we modified the above group list, because these groups seem to come as default with samba and adding them again creates duplicate SIDs (which XP doesn't accept), so if we want to add new groups we use
<pre>
#net groupmap add ntgroup="new nt group name" unixgroup=newunixgrpname
</pre>
THESE need to be as follows:
<pre>
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=domusr rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=domusr rid=514 type=d
</pre>
(http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html#id344099)
<pre>
net groupmap add ntgroup="Domain Admins" unixgroup=domadm rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=domusr rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=domgsts rid=514 type=d
net groupmap add ntgroup="Print Operators" unixgroup=printops rid=550 type=d
net groupmap add ntgroup="Administrators" unixgroup=ntadmin rid=544 type=d
net groupmap add ntgroup="Users" unixgroup=usrs rid=545 type=d
net groupmap add ntgroup="Guests" unixgroup=guests rid=546 type=d
net groupmap add ntgroup="Power Users" unixgroup=pwrusr rid=547 type=d
net groupmap add ntgroup="Account Operators" unixgroup=acctops rid=548 type=d
net groupmap add ntgroup="System Operators" unixgroup=sysops rid=549 type=d
net groupmap add ntgroup="Backup Operators" unixgroup=backops rid=551 type=d
net groupmap add ntgroup="Replicators" unixgroup=repl rid=552 type=d
</pre>
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#set-group-map (table 12.1)
More on groupmapping here:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html
So now users must be added to the groups - I like my users to be able to administer the local machine, but not the domain, so each user has to be added to the (unix) groups ntadmin and domusr.
5) Make sure that all the machine and domain names are in CAPITAL LETTERS!
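As an added example (not from the original page or the Samba project), this Python check parses 'net groupmap list' output in the format shown in step 4, compares each group against the well-known RIDs and unix group names of the 'net groupmap add' list, flags unmapped groups (-> -1), duplicate SIDs (the XP problem mentioned above) and unix groups missing from /etc/group, and emits the 'net groupmap modify' / 'net groupmap add ... rid=N type=d' commands the howto uses to fix them. The groupmap output and the /etc/group excerpt are constructed for the example (one group unmapped, one SID duplicated, one unix group missing) so that every check fires.

```python
"""Check 'net groupmap list' output against the well-known RIDs in step 4.

Added example, not code from the original page. The groupmap output and the
/etc/group excerpt are constructed (one group left unmapped, one SID
duplicated, one unix group missing) to show each check firing; the fix
commands it emits are the 'net groupmap modify' and 'net groupmap add ...
rid=N type=d' forms the howto uses.
"""
import re
from collections import Counter

# NT group -> (unix group, well-known RID), from the 'net groupmap add' list in step 4.
EXPECTED = {
    "Domain Admins": ("domadm", 512), "Domain Users": ("domusr", 513),
    "Domain Guests": ("domgsts", 514), "Administrators": ("ntadmin", 544),
    "Users": ("usrs", 545), "Guests": ("guests", 546), "Power Users": ("pwrusr", 547),
    "Account Operators": ("acctops", 548), "System Operators": ("sysops", 549),
    "Print Operators": ("printops", 550), "Backup Operators": ("backops", 551),
    "Replicators": ("repl", 552),
}

# Constructed 'net groupmap list' output in the format shown in step 4.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> domadm
Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> domusr
Domain Guests (S-1-5-21-3687569591-2717907897-2748310743-514) -> -1
Administrators (S-1-5-32-544) -> ntadmin
Users (S-1-5-32-545) -> usrs
Local Staff (S-1-5-32-545) -> staff
"""

# Constructed /etc/group excerpt; 'staff' is deliberately absent.
SAMPLE_ETC_GROUP = """\
domusr:x:503:
ntadmin:x:506:administrator
domadm:x:508:
usrs:x:510:
domgsts:x:511:
machine:x:512:
"""

LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return [(ntgroup, sid, rid, unixgroup or None)]; '-1' means unmapped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rid = int(m.group("sid").rsplit("-", 1)[1])  # RID is the last SID component
            unix = None if m.group("unix") == "-1" else m.group("unix")
            rows.append((m.group("nt"), m.group("sid"), rid, unix))
    return rows


def check_groupmap(groupmap_text, etc_group_text):
    """Return (findings, fix_commands) for the mapping and /etc/group given."""
    rows = parse_groupmap(groupmap_text)
    unix_groups = {line.split(":", 1)[0] for line in etc_group_text.splitlines() if ":" in line}
    sid_counts = Counter(sid for _, sid, _, _ in rows)
    findings, fixes, seen = [], [], set()
    for nt, sid, rid, unix in rows:
        seen.add(nt)
        if sid_counts[sid] > 1:
            findings.append(f"duplicate SID {sid} on {nt}: XP clients reject duplicate SIDs")
        expected = EXPECTED.get(nt)
        if expected and rid != expected[1]:
            findings.append(f"{nt} has RID {rid}, expected well-known RID {expected[1]}")
        if unix is None:
            findings.append(f"{nt} is not mapped to a unix group")
            if expected:
                fixes.append(f'net groupmap modify ntgroup="{nt}" unixgroup={expected[0]}')
        elif unix not in unix_groups:
            findings.append(f"{nt} maps to {unix!r}, which is missing from /etc/group")
    # Well-known groups that do not appear at all must be created with their RID.
    for nt, (unix, rid) in EXPECTED.items():
        if nt not in seen:
            fixes.append(f'net groupmap add ntgroup="{nt}" unixgroup={unix} rid={rid} type=d')
    return findings, fixes


if __name__ == "__main__":
    found, cmds = check_groupmap(SAMPLE_GROUPMAP, SAMPLE_ETC_GROUP)
    print("\n".join(found + cmds))
```

On a real server feed it the output of `net groupmap list` and the contents of /etc/group; the emitted commands keep the case and quoting of the NT group names, which the note above says matter.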
6) in /etc/services make sure you have the following lines:
<pre>
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
microsoft-ds 445/tcp # Microsoft Naked CIFS
microsoft-ds 445/udp # Microsoft Naked CIFS
</pre>
although this might no longer be strictly necessary with samba 3.0.0
7) Migrating the existing local profiles in XP to domain profiles without roaming. As I'm not roaming my profiles, first log in to the machine as local administrator, right-click on My Computer -> Properties -> Computer Name tab. Here click 'Change' and fill in the domain name. Enter the samba 'root' account we made earlier and you should be welcomed. Reboot the machine and log in as the new user. This will create the domain profile. Reboot and log in as the domain administrator user and go to computer properties again, tab Advanced and the User Profiles settings. Here you can choose the local profile and select 'Copy to' - choose the directory that's just been made (usually c:\documents and settings\username.DOMAINNAME) and in 'Permitted to use' select 'Everyone'. Once the copy is done, reboot the machine and log in as the new user. The local profile should now be copied over to the domain profile on that machine, and when you log in 99% of settings should work and look the same.
Under Win2k it's slightly different - open Control Panel -> Users, click on the Advanced tab, Advanced button and go to Groups. Select the Administrators group and double-click it. Click 'Add' and choose the domain as location, then (because I don't just want domain admins, but domain users, to be administrators for the machine) choose DOMAIN\Domain Users.
8) try
<pre>
rpcclient -U username -W DOMAIN SERVERNAME
</pre>
or
<pre>
smbclient -L ftp -I SERVERNAME
</pre>
for some more info on why you're not logging in
9) Check your settings for typos :)
10) Upgrading the samba password mechanism from smbpasswd to tdbsam using
<pre>
# pdbedit -i smbpasswd -e tdbsam
</pre>
then changing
<pre>
passdb backend = smbpasswd
</pre>
to
<pre>
passdb backend = tdbsam
</pre>
in /etc/samba/smb.conf
From here on in we're using the pdbedit tool to manage samba users instead of smbpasswd. Or we're upgrading to LDAP, but we'll see about that.
Connecting from another machine
https://help.ubuntu.com/community/Samba/SambaClientGuide
TROUBLESHOOTING
Problems with XP / Vista clients that can't find the domain controller
If the domain controller has moved to another IP, it'll still be found via stale broadcasts over the network. Try deleting /var/lib/samba/wins.dat and /var/cache/samba/*
Problems with an XP Client:
If your XP client either logs onto the domain when changing network ID and then gives an error like 'cannot find the domain controller' after reboot and trying to log in to the domain from the very beginning, you can try these...
1) Registry:
<pre>
----- cut ------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000000
"maximumpasswordage"=dword:0000001e
"requiresignorseal"=dword:00000000
"requirestrongkey"=dword:00000000
"sealsecurechannel"=dword:00000001
"signsecurechannel"=dword:00000001
"Update"="no"
---------- paste into sambalogin.reg -----------------
</pre>
With requiresignorseal and requirestrongkey at 0 the client will fall back to a Netlogon secure channel that is neither signed nor sealed, and will accept a weaker session key, whenever the PDC does not support the stronger mode; that is what lets an old Samba 3.0.0 PDC talk to the client. The 'Domain Member: Digitally encrypt or sign secure channel data (always)' policy in the auto-enrollment section below is the Group Policy form of the same setting.
Event ID: 3036
Source MRxSmb
Type Warning
Description The redirector detected a security signature mismatch. The connection has been disconnected.
Comments Adrian Grigorof
From a newsgroup posting: "Use Regedit and set: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
To: FALSE
This will prevent the computer from attempting to become a Domain Master Browser and compete with Domain Controllers."
In certain conditions, this can also occur when a Windows 2000 computer is trying to connect to a Windows NT machine with SMB signing enabled. See Q259698.
Jason S. Rundle (Last update 5/15/2003):
See Microsoft Knowledge Base Article - Q325487.
Greg Donovan
When trying to browse a master domain resource from an untrusted domain or workstation, you are not allowed to view the master (untrusting domain) and the event log shows the 3036 error. The solution is to set HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature to 1 instead of to 0 on the client workstation and reboot (or stop workstation and restart workstation, messenger and netlogon). Acknowledgements to Alexander Lobodzinski for solving and posting this on samba @ lists.samba.org.
cannot find domain controller after reboot
2) If you find application errors in Event Viewer going on about auto-enrollment:
Solution: This is straight from Microsoft's Knowledgebase article (Q318266):
a) Click Start, and then click Control Panel.
b) If you are using Classic view in Control Panel, double-click Administrative Tools, and then double-click Local Security Policy. If you are using Category view, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
c) Under the Local Policies\Security Options node, double-click the "Domain Member: Digitally encrypt or sign secure channel data (always)" policy to open it.
d) Click Disabled, and then click OK.
This policy is the Group Policy front-end for the requiresignorseal registry value set above, so it has the same effect and the same caveat.
SYMPTOMS
The following Event ID 15 error entries are logged at 8-hour intervals in the Application event log:
<pre>
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: date
Time: time
User: N/A
Computer: computer name
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
</pre>
CAUSE
This behavior can occur if the Autoenrollment feature cannot reach an Active Directory domain controller. In a Microsoft Windows NT 4.0 domain (which is what a Samba PDC looks like to the client), Active Directory is not available, so Autoenrollment cannot work. In an Active Directory domain with Microsoft Windows 2000 or later domain controllers, the problem can be caused by a DNS name resolution or network connectivity issue.
RESOLUTION
For a Windows XP-based or a Windows Server 2003-based computer that is joined to a Windows NT 4.0 domain, to disable Autoenrollment in the Local Group Policy, follow these steps on the local workstation:
a) Click Start, click Run, type gpedit.msc, and then press ENTER.
b) In the left pane, expand Computer Configuration > Windows Settings > Security Settings > Public Key Policies (the same node exists under User Configuration).
c) Double-click Autoenrollment Settings.
d) Click Do not enroll certificates automatically.
e) Click OK.
f) Close the Group Policy window.
For a computer that is a member of a Windows 2000 or later Active Directory domain, make sure that the domain member has network connectivity with at least one domain controller. After you have determined that you have good Internet Protocol (IP) connectivity between the member and a domain controller, correct the DNS address in the IP properties of the workstation:
a) Start the Network Connections tool in Control Panel.
b) Right-click Local Area Connection, and then click Properties.
c) Click Internet Protocol (TCP/IP), and then click Properties.
d) Type the correct DNS address in the Preferred DNS server box.
e) Click OK.
Notes for Samba 2
In Samba 2 the NT group mapping was done with flat files rather than 'net groupmap':
<pre>
# flat files that map Unix groups to NT type groups.
# these files take the form unix_group = "Windows NT group"
domain group map = /usr/local/samba/private/domaingroup.map
domain alias map = /usr/local/samba/private/domainalias.map
</pre>
but maybe the above is just for samba-tng. Putting
<pre>
domain admin group = @ntadmin
</pre>
in [global] seems to be the way to go for now... Also, what is 'add machine script =' in Samba 3 is 'add user script =' in Samba 2 (confusing, huh?!). Using SWAT makes life easier!
SYMPTOMS
If Office (Word or Excel) writes files with strange permissions but writes its swap file correctly, the offending line is probably
<pre>
profile acls = Yes    # NB THIS IS THE ROOT OF EVIL!!!
</pre>
in the [global] section. Just comment it out.
SYMPTOMS
If you can create a file on a Samba share that lives on an NFS mount, but get locking errors after editing and then saving it (while, stupidly, still being able to "save as" over the old file):
<pre>
# strict locking = no solves "the process cannot access the file because
# another process has locked a portion of the file" with files on NFS mounts
strict locking = no
</pre>
ON MIGRATION
When moving a PDC to another machine, the fresh setup generates a new domain SID (the S-1-5-21-... prefix you see in 'net groupmap list'), so every group and user SID differs from the first PDC's. The Windows machines expect the old SIDs, so they will refuse to connect to the new PDC, giving all sorts of problems.
What can you do? The clean way is to carry the old domain SID over before any client touches the new server: on a Samba 3 PDC 'net getlocalsid' prints it on the old machine and 'net setlocalsid S-1-5-21-...' sets it on the new one. 'net groupmap modify' only changes which Unix group a mapping points at; it cannot rewrite the domain part of the SIDs. I didn't do it that way - I created and left the new SIDs. There seems to be some residue of the old SIDs in the password files, so the clients have to be taken out of the domain and re-joined:
1) Remove the machine accounts from /etc/passwd and /etc/samba/smbpasswd.
2) Start up the client and log in as the local administrator (not on the domain, silly!).
3) Remove the machine from the domain (it doesn't matter which PDC, as long as you remember the correct root account password for Samba): right-click My Computer, tab Identification, change ID and put it in a workgroup.
4) Check the registry settings (see above).
5) Rename the profile folder \Documents and Settings\username.DOMAIN to username.DOMAIN.old.
6) Remove the Samba users (the usernames your clients log in with) from /etc/passwd and /etc/samba/smbpasswd.
7) Reboot the client.
8) Log in as the local administrator.
9) Join the domain.
10) Reboot the machine.
11) Create the new client users in /etc/passwd and /etc/samba/smbpasswd (use adduser and 'smbpasswd -a'; don't copy and paste from any old ones!).
12) Log in as the user on the client, on the domain.
13) When the default profile has finished building, reboot.
14) Log in as the local administrator.
15) Copy the contents of \Documents and Settings\username.DOMAIN.old\* to \Documents and Settings\username.DOMAIN\.
16) Make sure that ntuser.dat has been copied.
17) Log out, log in as the user on the domain.
Migration complete!
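The Samba-side bookkeeping in steps 1, 6 and 11 (and the SID mismatch that motivates them) is easy to get wrong by hand-editing passwd and smbpasswd. The following is an added example, not code from the original page: a POSIX shell script that detects a changed domain SID from two saved 'net groupmap list' listings and removes machine or user accounts by exact name. It runs on constructed copies of the files so it is safe to try offline; the sample entries, file names and the new PDC's SID are constructed (the old SID is the one shown in the groupmap listing earlier on the page), and on a live PDC you would use 'smbpasswd -x' and 'userdel' rather than rewriting the files.

```shell
#!/bin/sh
# Added example, not code from the original page: Samba-side bookkeeping for
# the migration steps above, run on constructed copies of passwd, smbpasswd and
# 'net groupmap list' output. Sample entries, paths and the new PDC's SID are
# constructed; on a live PDC prefer 'smbpasswd -x' and 'userdel'.

# Constructed 'net groupmap list' output of the old PDC (domain SID taken from
# the listing earlier on the page) and of a freshly installed new PDC.
sample_groupmap_old() {
  cat <<'EOF'
Domain Admins (S-1-5-21-3687569591-2717907897-2748310743-512) -> ntadmin
Domain Users (S-1-5-21-3687569591-2717907897-2748310743-513) -> users
Users (S-1-5-32-545) -> -1
EOF
}
sample_groupmap_new() {
  cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmin
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
EOF
}
# Constructed /etc/passwd and smbpasswd fragments: two users and two machine
# accounts (trailing '$'); 32 X's is how smbpasswd stores a null hash.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
pc1$:x:1002:1002:machine:/dev/null:/bin/false
pc10$:x:1003:1003:machine:/dev/null:/bin/false
EOF
}
sample_smbpasswd() {
  x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  printf '%s\n' \
    "root:0:$x:$x:[U          ]:LCT-00000000:" \
    "alice:1001:$x:$x:[U          ]:LCT-00000000:" \
    "pc1\$:1002:$x:$x:[W          ]:LCT-00000000:" \
    "pc10\$:1003:$x:$x:[W          ]:LCT-00000000:"
}

# Domain SID prefix (S-1-5-21-a-b-c) shared by every domain group in a
# 'net groupmap list' listing on stdin; builtin groups (S-1-5-32-*) are ignored.
domain_sid() {
  sed -n 's/.*(\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)-[0-9]*).*/\1/p' | sort -u
}

# Return 0 if OLDFILE and NEWFILE (saved listings) carry the same domain SID,
# 1 if a re-pointed client would in fact be talking to a different domain.
check_domain_sid() {
  old=$(domain_sid < "$1"); new=$(domain_sid < "$2")
  [ -n "$old" ] && [ "$old" = "$new" ]
}

# First field (account name) of every entry in a passwd/smbpasswd-style file.
account_names() { cut -d: -f1 "$1"; }

# Machine (trust) accounts: names ending in '$'.
machine_accounts() { account_names "$1" | grep '\$$' || true; }

# Remove the named accounts from FILE, keeping FILE.bak. The name is anchored
# as a whole first field, so removing 'pc1$' leaves 'pc10$' alone.
strip_accounts() {
  file=$1; shift
  cp "$file" "$file.bak"
  for name in "$@"; do
    esc=$(printf '%s' "$name" | sed 's/[][\\.*^$]/\\&/g')   # literal '$' etc. in the pattern
    grep -v "^$esc:" "$file" > "$file.tmp" || true          # grep -v is 1 when nothing is left
    mv "$file.tmp" "$file"
  done
}

# Run it on a scratch copy: flag the SID change, then do step 1 (drop the
# machine accounts) on both files.
d=$(mktemp -d)
sample_passwd > "$d/passwd"; sample_smbpasswd > "$d/smbpasswd"
sample_groupmap_old > "$d/old.map"; sample_groupmap_new > "$d/new.map"
check_domain_sid "$d/old.map" "$d/new.map" \
  || echo "domain SID changed: $(domain_sid < "$d/old.map") -> $(domain_sid < "$d/new.map")"
strip_accounts "$d/smbpasswd" $(machine_accounts "$d/smbpasswd")
strip_accounts "$d/passwd" $(machine_accounts "$d/passwd")
account_names "$d/smbpasswd"
rm -rf "$d"
```

Keep the saved listing from the old PDC: check_domain_sid is the quick test of whether a SID carry-over with 'net setlocalsid' actually took, and machine_accounts gives you the exact list to remove in step 1 without touching the human users until step 6.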