[Samba] User Level Security and PDC
So, I have this Samba PDC setup, and it's gotten to the point where a good number of my Win2K and WinXP boxes refuse to acknowledge that the PDC exists. If I logon to the Win boxes on a local account, and go to the run dialog and type \\mymachine, it prompts me for a username and password. I can then see my shares. If I logoff the local account and try and logon to the domain, I get Domain MYDOMAIN is unavailable.

So why would I have user level access available through a local account and not access to my domain through my PDC? Below are the relevant portions of the [global] section of my smb.conf

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

[global]
    workgroup = MYDOMAIN
    preexec = csh -c `echo /usr/local/samba/bin/smbclient \
              -M %m -I %I`
    server string = Samba %v on (%L)
    security = user
    domain logons = yes
    encrypt passwords = Yes
    password level = 3
    log level = 3
    log file = /samba/current/var/log.smbd.%m
    max log size = 2000
    wins support = Yes
    name resolve order = lmhosts wins hosts bcast
    dns proxy = yes
    deadtime = 0
    keepalive = 3600
    client code page = 437
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 255
    guest account = samba
    invalid users = daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
    veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    getwd cache = yes
    logon script = %U.bat
    logon path = \\mymachine\profile\%U
    utmp = True
    username map = /samba/current/lib/usermap.txt

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Monitoring Samba on Solaris with snoop
I'm trying to diagnose why my PDC is consistently unavailable on an intermittent basis. I've started to run snoop (a packet sniffer) on my Samba server in order to see what is going on. Question is, what am I looking for?

I'm running 2.2.8a on a Solaris 8 box. Before you ask, I've tried everything, including swapping network cables. My PDC has been pretty much intermittent for a few months now, rendering it useless. All other network services on the machine which runs Samba work.

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *
[Samba] Is it my networking?
I've used samba for the better part of 4 years now. Never had any real problems that were not easily resolved. Samba has become the single most important piece of software in our lab. It has reduced my administrative headaches considerably. However, now I have a real problem that I have no clue on.

I'm running a Samba 2.2.8a PDC on Sun Solaris. About 2 months ago, we moved our lab from a location at the Med Center to the main University campus. This included completely changing our network. We updated all of our network parameters (IP, netmask, etc) on all of our UNIX and Windows boxes. The names didn't change, only the domains and the IP's. I made the appropriate changes in my smb.conf file for the new IP's and netmask.

Now the problem. I have VERY intermittent connectivity to my PDC. When I show up in the morning, I can't log in more than half the time because it tells me the domain is unavailable. Sometimes stopping and restarting samba does the trick; sometimes it makes it worse. When it's not working, I'll login to the machine running samba and run the following command:

    nmblookup -M MYDOM

and it doesn't show a MYDOM<1d> entry. It just can't find anything. When I log in as a local user on my Win2K box, and run the following command:

    nbtstat -M samba_server

sometimes it connects and gives me the proper info, sometimes not. Browsing is also screwed up. When I go into Windows Explorer, it takes 30 seconds for it to update all my mapped drives.

The most frustrating thing(s) about all of this is that it is intermittent, and that samba worked PERFECTLY before the move. The only changes I made were the networking parameters. I've looked through my logs, but don't see anything weird. I'm at the point where I don't know what to do. I'm thinking that my network segment is all f^%$*(@ up, but since I don't control the routers and switches, I can't make changes there.

Where do I start? I've probably tried a lot of my own ideas already, but I'm open to listen to anybody right now. I'm sure you all have a good idea where to start. I'll post the global section of my smb.conf file below. I've changed the actual IP's, but they reflect how my network is configured. Please email me directly if you would like.

Thanks,

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

# Global parameters
[global]
    workgroup = MYLAB
    preexec = csh -c `echo /usr/local/samba/bin/smbclient \
              -M %m -I %I`
    server string = Samba %v on (%L)
    security = user
    domain logons = yes
    domain admin group = @domadm
    encrypt passwords = Yes
    password level = 3
    log level = 2
    log file = /samba/current/var/log.smbd.%m
    #log file = /samba/current/var/log.smbd.nodomain
    max log size = 2000
    wins support = Yes
    name resolve order = lmhosts wins hosts bcast
    dns proxy = yes
    deadtime = 0
    keepalive = 3600
    client code page = 437
    domain master = yes
    preferred master = yes
    local master = yes
    os level = 255
    guest account = samba
    invalid users = daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
    hosts allow = 10.200.236.32/255.255.255.224 10.87.33. 10.200.126. 127.0.0.1
    hosts deny = ALL EXCEPT 10.200.236.32/255.255.255.224 10.87.33. 10.200.126. 127.0.0.1
    veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    getwd cache = yes
    logon script = %U.bat
    logon path = \\samba_server\profile\%U
    utmp = True
    username map = /samba/current/lib/usermap.txt
RE: [Samba] Is it my networking?
Well, I've checked the results of ifconfig -a, and this is what I get:

    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff00
    hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.200.236.51 netmask ffe0 broadcast 10.200.236.63

Mind you, I'm running Solaris, not Linux. My Solaris box wouldn't operate without a properly configured network. This I know, because we had this problem when we moved. My /etc/netmasks file reads like this:

    10.200.236.32 255.255.255.224

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

On Wed, 15 Oct 2003, David Brodbeck wrote:

> > -----Original Message-----
> > From: James Kreuziger [mailto:[EMAIL PROTECTED]
> >
> > Now the problem. I have VERY intermittent connectivity to my PDC.
> > When I show up in the morning, I can't log in more than half the
> > time because it tells me the domain is unavailable.
> >
> > The most frustrating thing(s) about all of this is that it is
> > intermittent, and that samba worked PERFECTLY before the move. The
> > only changes I made were the networking parameters.
>
> You might want to check that the broadcast address is right. I've
> seen Linux get some pretty odd ideas about what it should be.
Re: [Samba] Domain unavaliable
All the WINS server parameters are set correctly on all the machines. I just finished checking them. I've also got lmhosts enabled, and I need to check that the entries in that file are correct. I'm sure they are, as I made a new one and imported it to all the machines just before we shutdown for the move.

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

On Tue, 9 Sep 2003, Tom Dickson wrote:

> If you can't find the DOMAIN, I would suspect a WINS server issue.
>
> Look both at the log.nmbd file in /var/log/samba, and also check that
> your windows clients have their wins server set correctly: either
> ipconfig under Windows NT and sons, or winipcfg under Windows 95 and
> its, uh, heirs. Both can be run from a command (DOS command.com or
> cmd.exe) window.
>
> If the WINS server is wrong, then network browsing will go all to
> h*ck!
>
> James Kreuziger wrote:
> | First off, I'd like to give all the people involved
> | with the development of Samba a big thanks. I'd have
> | to say that Samba is probably the single most important
> | piece of software that we run in our research lab.
> | I'd also like to say that I have had so few problems that
> | I probably haven't written about one in 3 years.
> |
> | With that being said, I'm having problems with my
> | Samba PDC. I'm running Samba 2.2.8a on a Solaris 8
> | box. We have recently moved our lab from one
> | facility to another, which forced us to change all
> | of our system names and IP's. Luckily, only the
> | domain part of the name changed, as well as the IP's.
> |
> | I updated the smb.conf to reflect the new subnet and IP's. However,
> | I have recently noticed that people are getting a lot of
> | Domain LABDOM is unavailable messages when trying to
> | logon from Win2k. This may last anywhere from 2 minutes to 30
> | minutes. Then, for no apparent reason, they will be able to logon.
> |
> | I'm thinking that it has to do with my hosts allow and
> | hosts deny settings. Before the move, we were on a subnet
> | with a netmask setting of 255.255.255.0. So my hosts allow
> | settings were this (IP's have been changed to protect the innocent):
> |
> | hosts allow = 10.0.33. 127.0.0.1
> | host deny = ALL EXCEPT 10.0.33. 127.0.0.1
> |
> | We are now on a much more restricted subnet, and
> | can't have the full range to ourselves. Consequently,
> | our subnet mask is now 255.255.255.224, and the IP
> | address space is from 10.0.236.38 - 10.0.236.61
> | (this takes into account the network devices).
> |
> | I'm wondering if my problem is related to this.
> | I'm thinking that I should restrict my hosts
> | allow with the network/netmask combo:
> |
> | hosts allow = 10.0.236.32/255.255.255.224
> |
> | Is this what I'm looking for? I've included the
> | global part of my conf below.
> |
> | Thanks,
> |
> | -Jim
> |
> | *
> | Jim Kreuziger
> | [EMAIL PROTECTED]
> | *
> |
> | [global]
> | workgroup = LABDOM
> | preexec = csh -c `echo /usr/local/samba/bin/smbclient \
> | -M %m -I %I`
> | server string = Samba %v on (%L)
> | security = user
> | domain logons = yes
> | domain admin group = @domadm
> | encrypt passwords = Yes
> | password level = 3
> | log level = 2
> | log file = /samba/current/var/log.smbd.%m
> | max log size = 2000
> | wins support = Yes
> | name resolve order = lmhosts wins hosts bcast
> | dns proxy = yes
> | deadtime = 0
> | keepalive = 3600
> | client code page = 437
> | os level = 65
> | preferred master = Yes
> | domain master = Yes
> | guest account = samba
> | invalid users = daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
> | hosts allow = 10.0.236. 10.0.33. 10.0.126. 127.0.0.1
> | hosts deny = ALL EXCEPT 10.0.236. 10.0.33. 10.0.126. 127.0.0.1
> | veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
> | socket options = TCP_NODELAY IPTOS_LOWDELAY
> | getwd cache = yes
> | logon script = %U.bat
> | logon path = \\ralopib\profile\%U
> | remote announce = 10.0.126.208/IMHH
> | utmp = True
> | username map = /samba/current/lib/usermap.txt
[Samba] Domain unavaliable
First off, I'd like to give all the people involved with the development of Samba a big thanks. I'd have to say that Samba is probably the single most important piece of software that we run in our research lab. I'd also like to say that I have had so few problems that I probably haven't written about one in 3 years.

With that being said, I'm having problems with my Samba PDC. I'm running Samba 2.2.8a on a Solaris 8 box. We have recently moved our lab from one facility to another, which forced us to change all of our system names and IP's. Luckily, only the domain part of the name changed, as well as the IP's.

I updated the smb.conf to reflect the new subnet and IP's. However, I have recently noticed that people are getting a lot of Domain LABDOM is unavailable messages when trying to logon from Win2k. This may last anywhere from 2 minutes to 30 minutes. Then, for no apparent reason, they will be able to logon.

I'm thinking that it has to do with my hosts allow and hosts deny settings. Before the move, we were on a subnet with a netmask setting of 255.255.255.0. So my hosts allow settings were this (IP's have been changed to protect the innocent):

    hosts allow = 10.0.33. 127.0.0.1
    host deny = ALL EXCEPT 10.0.33. 127.0.0.1

We are now on a much more restricted subnet, and can't have the full range to ourselves. Consequently, our subnet mask is now 255.255.255.224, and the IP address space is from 10.0.236.38 - 10.0.236.61 (this takes into account the network devices).

I'm wondering if my problem is related to this. I'm thinking that I should restrict my hosts allow with the network/netmask combo:

    hosts allow = 10.0.236.32/255.255.255.224

Is this what I'm looking for? I've included the global part of my conf below.

Thanks,

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

[global]
    workgroup = LABDOM
    preexec = csh -c `echo /usr/local/samba/bin/smbclient \
              -M %m -I %I`
    server string = Samba %v on (%L)
    security = user
    domain logons = yes
    domain admin group = @domadm
    encrypt passwords = Yes
    password level = 3
    log level = 2
    log file = /samba/current/var/log.smbd.%m
    max log size = 2000
    wins support = Yes
    name resolve order = lmhosts wins hosts bcast
    dns proxy = yes
    deadtime = 0
    keepalive = 3600
    client code page = 437
    os level = 65
    preferred master = Yes
    domain master = Yes
    guest account = samba
    invalid users = daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
    hosts allow = 10.0.236. 10.0.33. 10.0.126. 127.0.0.1
    hosts deny = ALL EXCEPT 10.0.236. 10.0.33. 10.0.126. 127.0.0.1
    veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    getwd cache = yes
    logon script = %U.bat
    logon path = \\ralopib\profile\%U
    remote announce = 10.0.126.208/IMHH
    utmp = True
    username map = /samba/current/lib/usermap.txt
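Added example (not part of the original post, and not Samba's own code): a simplified Python model of the two hosts allow forms discussed in the message above, the trailing-dot prefix (10.0.236.) and the network/netmask pair (10.0.236.32/255.255.255.224), counting how many addresses each one admits. The function names and the neighbour address 10.0.236.70 are assumptions made for illustration; hostnames, ALL and EXCEPT are not modelled.

```python
import ipaddress

# Entries taken from the message above; the list names are constructed here.
PREFIX_STYLE = ["10.0.236.", "127.0.0.1"]
MASK_STYLE = ["10.0.236.32/255.255.255.224", "127.0.0.1"]

# Lab address range stated in the message: 10.0.236.38 - 10.0.236.61.
LAB_HOSTS = [f"10.0.236.{n}" for n in range(38, 62)]


def entry_matches(entry: str, client: str) -> bool:
    """Simplified hosts_access-style match of one entry against a client IP."""
    addr = ipaddress.IPv4Address(client)  # rejects malformed client addresses
    if entry.endswith("."):
        # Trailing dot: string prefix match, so "10.0.236." covers the whole /24.
        return client.startswith(entry)
    if "/" in entry:
        # network/netmask pair; strict=True rejects a network with host bits set.
        return addr in ipaddress.IPv4Network(entry, strict=True)
    return addr == ipaddress.IPv4Address(entry)


def allowed(entries, client: str) -> bool:
    """True if any entry in the list admits the client address."""
    return any(entry_matches(e, client) for e in entries)


def admitted_count(entries, scope: str = "10.0.236.0/24") -> int:
    """Number of addresses inside `scope` that the entry list lets through."""
    return sum(allowed(entries, str(a)) for a in ipaddress.IPv4Network(scope))


def report() -> dict:
    neighbour = "10.0.236.70"  # hypothetical host on another /27 of the same /24
    return {
        "prefix_admits": admitted_count(PREFIX_STYLE),
        "mask_admits": admitted_count(MASK_STYLE),
        "lab_ok_with_mask": all(allowed(MASK_STYLE, h) for h in LAB_HOSTS),
        "neighbour_with_prefix": allowed(PREFIX_STYLE, neighbour),
        "neighbour_with_mask": allowed(MASK_STYLE, neighbour),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a shared /24, the trailing-dot entry admits every neighbouring subnet as well as the lab's own /27, while the network/netmask entry still covers the whole stated lab range.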
Re: [Samba] Incredibly slow Roaming Profiles
I'm having a similar problem. I'm running Samba 2.2.8a on Solaris 8, and Win2k and XP. About 2 weeks ago, my Roaming Profile started loading/unloading REALLY slow. It had been taking 30-45 seconds to load, then all of a sudden it started taking 2-5 minutes. Yes, my profile was getting large (100 Meg I think). But it had never been a problem before, even when it was larger than that.

I've gone through my profile, and dumped probably 3/4's of what's in it. I've really tried to get the profile to a small state. It is actually smaller than when I started having these problems, and it still takes 2+ minutes to load and unload my Roaming Profile. I have noticed that the NTUSER.DAT file is around 2 Meg, and hasn't changed size even after dumping stuff.

I know that it probably isn't a samba specific problem, but I am looking for some tips on what I can do to reduce the time loading/unloading profiles as it will be a problem as people's profiles do get larger.

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

On Tue, 8 Jul 2003, Nathan Ehresman wrote:

> On Mon, Jul 07, 2003 at 11:38:13AM -0400, Damian Gerow wrote:
> > The profile itself is something like 800k, and this is all over a
> > 100Mb LAN. I can see via the SAMBA logs that the profile share is
> > opened, the profile is loaded, and the profile share is closed in a
> > matter of seconds, yet the XP machine continues to say, 'Loading
> > your personal preferences...' (or whatever it says at logon).
>
> We had this problem too in a lab setting. The issue for us was large
> My Documents, Application Data, and Desktop directories. You said
> your profile is 800k -- is that the NTUSER.DAT registry hive or does
> that include all the folders that roam as well? My guess is that the
> roaming special folders are quite large. If this is the case, let me
> know and I can give you some pointers on some ways to speed things up.
>
> Nathan
>
> --
> nre
> :wq
[Samba] Windows 2000 permissions
I know this is probably not exclusively a samba problem, but I'll ask anyway. The two Win2k boxes I have don't seem to want to participate properly in my samba domain. I have samba installed as a PDC on a Solaris 8 box. For whatever reason, regular samba domain users have full administrative access to the individual machines. This is not what I want.

I have one Win NT 4.0 box that doesn't have this same problem. It also doesn't have any special configuration, but I need to logon as a local administrator to actually administer the machine (add local users, install software, etc.).

If anybody has any experience in configuring Win2k properly for use in a samba domain, please contact me. I need to be able to limit the administrative access to the Win2k machines.

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *
[Samba] Windows 2000 and domain users
First the details:

Samba 2.2.3a running on Solaris 8 set up as a PDC. Various systems running Windows 95/98/NT 4.0.

I've had absolutely no serious problems running Samba in this configuration for the last couple of years. I've upgraded Samba as the new versions have come out, and now need to integrate some new Win2k boxes. Problem is, when I add the new machines to the domain, the group DOMAIN\unix_group.2147483404 gets added to both the Administrators group and Users group. So domain users start with Administrator rights! If I remove the DOMAIN\unix_group.2147483404 group from the Administrators group, it mucks things up bad enough to require a reinstall of Win2k.

I'd like to think that this is not a required feature of using Samba with Win2k. I would like to restrict users to the same rights as normal users, so I can lock down who can install software on each individual machine. As it stands now, I can't do that. I'm including the global section of my smb.conf, if it helps.

Thanks,

-Jim

* Jim Kreuziger [EMAIL PROTECTED] *

# Global parameters
[global]
    # include = /samba/current/lib/smb.conf.%U
    workgroup = DOMAIN
    preexec = csh -c `echo /usr/local/samba/bin/smbclient \
              -M %m -I %I`
    server string = Samba %v on (%L)
    security = user
    domain logons = yes
    encrypt passwords = Yes
    password level = 3
    log level = 1
    log file = /samba/current/var/log.smbd.%m
    wins support = Yes
    name resolve order = wins hosts lmhosts bcast
    dns proxy = yes
    deadtime = 30
    keepalive = 120
    client code page = 437
    os level = 65
    preferred master = Yes
    domain master = Yes
    guest account = samba
    invalid users = root daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
    # invalid users = daemon bin sys lp smtp uucp nuucp listen dcs consult dumper nobody
    veto oplock files = /*.mdb/*.dbm/*.doc/*.xls
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    getwd cache = yes
    logon script = %U.bat
    logon path = \\server\profile\%U
    remote announce = IP ADDRESS/DOMAIN
    utmp = True
    # utmp consolidate = yes
    username map = /samba/current/lib/usermap.txt
    # config file = /samba/current/lib/smb.conf.%U