Re: [Samba] Lost Access to Logon Profiles after upgrade to samba 3Beta 2
On Monday 02 September 2002 05:24 pm, Doug MacFarlane wrote:
[DM]> Team:
[DM]>
[DM]> My Debian Sarge "testing" box got upgraded from Samba 2.2.6, I believe, to Samba 3 Beta 2 in the latest dist-upgrade supplied spate of updates (90+, and I missed Samba being in there . . . ).
[DM]>
[DM]> Not a big deal except that now I have lost access to the logon profiles directories at logon time.
[DM]>
[DM]> It's a basic Samba setup. Uses Unix passwords and Unix accounts, etc. Nothing fancy - no virtual accounts or anything like that. Samba server is running as the PDC. Been bullet-proof.
[DM]>
[DM]> I've trolled looking for Samba 2 to Samba 3 upgrade issues and logon profiles issues to no avail.

Take a look at the configuration I posted yesterday.

HTH

--
Tempt me with a spoon!
-----------
Damiano G. Preatoni, PhD
Unità di Analisi e Gestione delle Biocenosi
Dipartimento di Biologia Strutturale e Funzionale
Università degli Studi dell'Insubria
Via J.H. Dunant, 3 - 21100 Varese (ITALY)
http://biocenosi.dipbsf.uninsubria.it/
ICQ: 78690321 Odigo: 2645129

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] DID IT! Samba 2.2.8a PCD +W2K +SP4
Hi, listers

I managed to fix the issue caused by upgrading W2k clients to SP4 (no domain logins, no profiles, no netlogon). It's been a nice week-end as you can figure... :)

I resume here the steps I've done so far.

SERVER SIDE:

/etc/samba/smb.conf:

[global]
   ; basic server settings
   workgroup = uagb
   netbios name = malaussene
   server string = %L (Samba %v PDC for UAGB domain)
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   ; PDC and master browser settings
   os level = 64
   preferred master = yes
   local master = yes
   domain master = yes
   wins support = yes
   name resolve order = wins bcast
   ; security and logging settings
   security = user
   encrypt passwords = yes
   domain logons = yes
   log file = /var/log/samba/%m.log
   log level = 3
   max log size = 50
   hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
   ; roaming profiles support
   logon home = \\%L\%U\.profile
   logon drive = G:
   logon path = \\%L\profiles\%U
   logon script = logon.bat
   ; automated machine accounts creation
   add user script = /usr/sbin/useradd -d /dev/null -g workstations -s /bin/false -M %u
   ; UNIX password synchronization
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# ==
[homes]
   comment = %u home directory
   browseable = no
   writeable = yes

[profiles]
   comment = UAGB Profile directory (Samba %v PDC)
   path = /home/profiles
   writeable = yes
   browseable = no
   create mask = 0600
   directory mask = 0700

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   guest ok = yes
   writable = no
   share modes = no

[printers]
   browseable = no
   comment = Printers on %L
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no

# "normal" shares follow...
[SCAMBIO]
   browseable = yes
   comment = UAGB shared directory
   only user = no
   path = /home/share
   public = no
   writable = yes

I set permissions (chmod) 1517 on /home/profiles, and set ownership to root.root.
Each directory in /home/profiles should be chmod 0700, and owned by each user.
I set permissions 0775 to /home/netlogon, and ownership to root.smbadmin
I created a group "smbadmin", and a group "workstations". GIDs are 1000 and 500, but I think it doesn't matter.
The samba server also acts as a caching DNS (see the DNS-HOWTO!)

CLIENT SIDE

Login as Administrator.

Go to System/Network Identification and place the machine into a WORKGROUP (any name will do, just leave the old domain), leaving the domain. Don't waste your time rebooting.

Go to Control Panel/Network and Dial-up Connections, pick your LAN connection (should be called "Local Area Connection") and go to the Properties of the TCP/IP protocol.

Set Preferred DNS: 192.168.1.250 (i.e. the samba server IP, that acts also as a caching DNS)

Click on "Advanced", go to DNS tab and set "Append primary and connection specific DNS suffixes" and "Append parent suffixes of the primary DNS suffix". Other checkboxes/radiobuttons in this panel should be unchecked.

Go to WINS tab. Set the WINS server IP to the IP of the samba server (102.168.1.250 in my case).
DISABLE "Enable LMHOSTS lookup"
ENABLE "Enable NetBIOS over TCP/IP"

I didn't touch the "Options" tab. No IPSEC, No filtering.

Close everything, go back to System/Network Identification. Make sure that, clicking on "More", the domain where your boxes are is specified. I put in "dipbsf.uninsubria.it", which is my "primary and connection specific DNS suffixes" in MicroSpeak. UNCHECK the "Change primary DNS suffix when domain membership changes" checkbox.

Now click the "Domain" radio button, and rejoin the domain, logging in as any samba user.

Close everything, and this time reboot.

I advise, after the reboot, to log in as Administrator again, and to launch (Window/R, or Start/Run) LUSRMGR.MSC and to remove "Domain Users" from the "Users" group, and adding it instead to the "Power Users" group.

Feel free to ask any question!

Still, I'm really trying to figure a way to convince my boss and my colleagues to switch to diskless X terminals...

--
Many alligators will be slain, but the swamp will remain.
---
Damiano G. Preatoni, PhD
Unità di Analisi e Gestione delle Biocenosi
Dipartimento di Biologia Strutturale e Funzionale
Università degli Studi dell'Insubria
Via J.H. Dunant, 3 - 21100 Varese (ITALY)
http://biocenosi.dipbsf.uninsubria.it/
ICQ: 78690321 O
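An audit of the profile directory layout described in the message above, as an added example that is not part of the original post. It assumes each directory under /home/profiles is named after its UNIX user (as logon path = \\%L\profiles\%U implies); audit_profiles and its uid_of parameter are hypothetical names.

```python
import os
import stat

def audit_profiles(root="/home/profiles", uid_of=None):
    """Check the layout from the post: every directory under root is
    mode 0700 and owned by the user it is named after.
    Returns a list of (directory name, finding) tuples."""
    if uid_of is None:
        import pwd
        def uid_of(name):
            # Resolve the expected owner from the UNIX account database.
            try:
                return pwd.getpwnam(name).pw_uid
            except KeyError:
                return None
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)  # lstat: report symlinks instead of following them
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink, not a real directory"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue  # stray files are outside the scope of this check
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o700:
            findings.append((name, "mode %04o, expected 0700" % mode))
        expected = uid_of(name)
        if expected is None:
            findings.append((name, "no such UNIX account"))
        elif st.st_uid != expected:
            findings.append((name, "owner uid %d, expected %d"
                             % (st.st_uid, expected)))
    return findings

if __name__ == "__main__":
    for name, finding in audit_profiles():
        print("%s: %s" % (name, finding))
```

Run it as root on the server so every profile directory can be inspected; an empty result means the per-user directories match the post.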
[Samba] connection to netlogon denied due to security descriptor
After having upgraded my W2K clients with SP4, I'm unable to access the [netlogon] share.

A look at the .log file says:

[2003/09/01 16:44:59, 0] smbd/service.c:make_connection(528)
  make_connection: connection to netlogon denied due to security descriptor.

The netlogon share (if set browseable) is visible from clients, in Network Neighborhood, but unaccessible: W2k asks for a username/password couple.

Here is the minimal smb.conf I am using for testing. Note that with this setup you can have profiles working smoothly.

[global]
   ; basic server settings
   workgroup = uagb
   netbios name = malaussene
   server string = %L (Samba %v PDC for UAGB domain)
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   ; PDC and master browser settings
   os level = 64
   preferred master = yes
   local master = yes
   domain master = yes
   wins support = yes
   name resolve order = wins bcast
   ; security and logging settings
   security = user
   encrypt passwords = yes
   domain logons = yes
   log file = /var/log/samba/%m.log
   log level = 2
   max log size = 50
   hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0
   ; roaming profiles support
   logon home = \\%L\%U\.profile
   logon drive = G:
   logon path = \\%L\profiles\%U
   logon script = logon.bat
   ; automated machine accounts creation
   add user script = /usr/sbin/useradd -d /dev/null -g workstations -s /bin/false -M %u
   ; UNIX password synchronization
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# ==
[homes]
   comment = %u home directory
   browseable = no
   writeable = yes

[profiles]
   comment = UAGB Profile directory (Samba %v PDC)
   path = /home/profiles
   writeable = yes
   browseable = no
   create mask = 0600
   directory mask = 0700

[netlogon]
   comment = UAGB Domain Logon Service (Samba %v PDC)
   path = /home/netlogon
   read only = yes
   browseable = no
   write list = root

[printers]
   browseable = no
   comment = Printers on %L
   path = /var/spool/samba
   printable = yes
   public = no
   writable = no

[SCAMBIO]
   browseable = yes
   comment = UAGB shared directory
   only user = no
   path = /home/share
   public = no
   valid users = @users, @uagb, @udc
   writable = yes
   write list = @users, @uagb, @udc

Any hints? The wall in front of my desk is starting to break, due to heavy head banging! :(

--
"Our attitude with TCP/IP is, `Hey, we'll do it, but don't make a big system, because we can't fix it if it breaks -- nobody can.'"
"TCP/IP is OK if you've got a little informal club, and it doesn't make any difference if it takes a while to fix it."
-- Ken Olson, in Digital News, 1988
-----------
Damiano G. Preatoni, PhD
Unità di Analisi e Gestione delle Biocenosi
Dipartimento di Biologia Strutturale e Funzionale
Università degli Studi dell'Insubria
Via J.H. Dunant, 3 - 21100 Varese (ITALY)
http://biocenosi.dipbsf.uninsubria.it/
ICQ: 78690321 Odigo: 2645129
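The two [netlogon] definitions posted in this thread are spelled differently, so a line-by-line comparison is misleading. The following added example (not part of the original posts; parse and diff_share are hypothetical names) normalizes the smb.conf(5) synonyms before comparing. It only lists the parameters that differ and does not establish which of them causes the denied connection.

```python
# The two [netlogon] definitions posted in this thread, comment lines left out.
POSTED_A = """
[netlogon]
path = /home/netlogon
guest ok = yes
writable = no
share modes = no
"""
POSTED_B = """
[netlogon]
path = /home/netlogon
read only = yes
browseable = no
write list = root
"""

# smb.conf(5) synonyms: alias -> (canonical name, boolean is inverted)
SYNONYMS = {
    "writable": ("read only", True), "writeable": ("read only", True),
    "write ok": ("read only", True), "public": ("guest ok", False),
    "browsable": ("browseable", False),
}
INVERT = {"yes": "no", "true": "no", "1": "no",
          "no": "yes", "false": "yes", "0": "yes"}

def parse(text):
    """Return {share: {canonical parameter: value}} for an smb.conf text."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            canonical, inverted = SYNONYMS.get(key, (key, False))
            if inverted:                   # writable = no  ->  read only = yes
                value = INVERT.get(value.lower(), value)
            current[canonical] = value
    return shares

def diff_share(a, b, share):
    """Parameters whose effective value differs: {name: (in a, in b)}."""
    left, right = parse(a).get(share, {}), parse(b).get(share, {})
    return {k: (left.get(k), right.get(k))
            for k in sorted(set(left) | set(right))
            if left.get(k) != right.get(k)}
```

Calling diff_share(POSTED_A, POSTED_B, "netlogon") shows that "writable = no" and "read only = yes" are the same setting, leaving guest ok, share modes, browseable and write list as the real differences between the two posts.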
[Samba] W2k, SP4 and Domain logon
Hi all.

Yesterday I had the funny idea of upgrading all my Windows 2000 Professional workstations (20 W2k boxes more or less) to SP4. I run Samba 2.2.8a on a glorious RedHat 6.2, and after the endless download-and-reboot I found myself with no W2K client able to log in.

I skimmed the mail archives, tried a bunch of suggestions from really a lot of postings (a big thanks to all who contributed, I should have penciled down a list...) and here I am with half a solution.

SERVER SIDE:

Check your smb.conf, in particular the [profiles] section. Mine says:

[profiles]
   path = /home/profile
   read only = no
   create mask = 0600
   directory mask = 0700
   force directory mode = 0700
   inherit permissions = yes
   nt acl support = yes
   map system = yes
   map hidden = yes
   browseable = no
   comment = User profile directory on %L (Samba %v PDC)
   profile acls = yes

Note that my server is acting as a PDC:

[global]
   add user script = /usr/sbin/useradd -d /dev/null -g workstations -s /bin/false -M %u
   create mask = 0664
   dead time = 0
   debug level = 3
   default case = lower
   dfree command = /sbin/diskfree
   directory mask = 0770
   dns proxy = no
   domain logons = yes
   domain master = yes
   dos filetimes = yes
   encrypt passwords = yes
   hide dot files = yes
   hosts allow = 192.168.1. 127.
   interfaces = 192.168.1.250/255.255.255.0
   load printers = no
   local master = yes
   log file = /var/log/samba/%m.log
   log level = 2
   logon drive = G:
   logon home = \\%L\%u
   logon path = \\%L\profiles\%u
   logon script = logon.bat
   max log size = 50
   name resolve order = host wins bcast
   netbios name = MALAUSSENE
   os level = 64
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   passwd program = /usr/bin/passwd %u
   password level = 8
   preferred master = yes
   printcap name = /etc/printcap
   security = user
   server string = UAGB Primary Domain Controller (Samba %v PDC)
   socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   smb passwd file = /etc/samba/smbpasswd
   time server = yes
   unix password sync = yes
   username level = 8
   username map = /etc/samba/smbusers
   wins support = yes
   workgroup = UAGB
   null passwords = no

CLIENT SIDE:

Here comes the workload... one day or the other I will switch to LTSP terminals...

It seems that with SP4 and the so-called "fix" for the blaster worm the way in which a W2K client works changed abruptly.

Anyway, roll up your sleeves and login as Administrator.

Go to System/Network Identification and place the machine into a WORKGROUP, leaving the domain. Don't waste your time rebooting.

Go to Control Panel/Network and Dial-up Connections, pick your LAN connection (should be called "Local Area Connection") and go to Properties of the TCP/IP protocol.

Set Preferred DNS: 192.168.1.250 (i.e. the samba server IP, it acts also as a caching DNS)

Click on "Advanced", go to DNS tab and set
   Append primary and connection specific DNS suffixes
   Append parent suffixes of the primary DNS suffix
other checkboxes/radiobuttons should be unchecked.

Go to WINS tab. Set the WINS server IP to the IP of the samba server.
DISABLE "Enable LMHOSTS lookup"
ENABLE "Enable NetBIOS over TCP/IP"

I didn't touch the "Options" tab. No IPSEC, No filtering.

Close everything, go back to System/Network Identification. Make sure that, clicking on "More", the domain where your boxes are is specified. I put in "dipbsf.uninsubria.it", which is mine. UNCHECK the "Change primary DNS suffix when domain membership changes" checkbox.

Now click the "Domain" radio button, and rejoin the domain.

Close everything, and this time reboot.

I advise, after the reboot, to log in as Administrator again, and to launch (Window/R, or Start/Run) LUSRMGR.MSC and to remove "Domain Users" from the "Users" group, and adding it instead to the "Power Users" group.

This way my poor W2k boxes are still able to join the domain and next Monday users will be able to login.

Still, the [netlogon] share is unaccessible, and logon script processing still doesn't work. My logon script does only a net time \\malaussene /set /yes, and mounts six or seven shares. At present I copied it in the most used share, and I will say to my users to manually mount this and launch MOUNT.BAT.

Any further suggestion will be welcome!

BTW: I read about an almost-up-to-date HOWTO that Scott Phelps promised to write about PDC, LDAP and so on... any news?

Thanks to all!

--
"I changed my headlights the other day. I put in strobe lights instead! Now when I drive at night, it looks like everyone else is standing still ..."