Re: [Samba] Windows XP greyed-out Guest user password prompt
Tony Earnshaw wrote: Jules Agee: (replying to self again) Update: The Windows XP (SP2, BTW) client tries three times to log in to the Samba server with the Windows username, which is different from the Samba username. As one would expect, Samba replies to each of the three requests with a STATUS_WRONG_PASSWORD message, and in the same packets the Action segment reads 0x0001 Guest: Logged in as GUEST. If a new XP user is created with the same username and password as the Samba account, the problem goes away. But if either the XP username or the XP password differs from Samba's info, the user is never prompted for the real username or password. I don't understand. One either logs onto the domain (which has a name) or onto the local machine (which has a different name). One can't logon to both at the same time, the choice is given at logon time. The advantage of the domain logon is, that users can move from machine to machine (for example in a teachers' common room, as I have) and just carry on with their work in a familiar environment. Why would you want to synchronize local and domain accounts? There is no domain, and no domain server. Due to circumstances out of my control, we are only using workgroup shares. The samba servers are set security = share in smb.conf. They share authentication data via an LDAP server, but that information is not accessible to or synchronized with the local desktop logins at this time. I don't want to synchronize them. What I want is for Windows XP to *prompt* the user for which username they would like to use to access the share on the Samba server, since the local Windows username will always fail for the Samba server login. Instead, they are only presented with a prompt for the Guest password. I should have been clearer in my earlier message. Here is the blow-by-blow for the authentication dialog: XP: Negotiate Protocol Request, what are your capabilities? Samba: Negotiate Protocol Response, I can do this and this and this XP: I'd like to make an anonymous connection to the $IPC share, please. Samba: OK, no problem. You're successfully connected as Guest. XP: How about you let me log in as (local XP uid, local XP pw) instead of Guest? Samba: Nope, sorry, STATUS_WRONG_PASSWORD but Action = 0x0001 (you're still logged in as Guest) XP: Aww, c'mon, lemme log in as (local XP userid, local XP pw) Samba: Nope, sorry, STATUS_WRONG_PASSWORD but you're still logged in as Guest XP: PLEZE let me log in as (local XP userid, local XP pw) Samba: Uh-uh. STATUS_WRONG_PASSWORD. You're still logged in as Guest The local XP userid doesn't exist in Samba's authentication data source, and it's not supposed to. When XP is unsuccessful doing the above negotiation with a Windows 2000 or 2003 server, then it prompts the user for a different username and password. But when the user does the exact same thing with a Samba server, it doesn't allow the user to choose a different username. It just presents a dialog asking for the Guest login password. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Windows XP greyed-out Guest user password prompt
Tom Schaefer wrote: It is because you are using security = share which is emulating the old Win9x way of sharing where the username is irrelevant, which is why XP just sets it to guest and greys it out, and all that matters is knowing the password to the particular share. Share a folder from Win9x using the type of sharing where you set a password to access a folder and then access it from XP. You'll see the same thing - greyed out guest. Tom Schaefer I'm sure you're right. But I'm stuck using security=share, and Windows 2000 clients behave just fine with the exact same server and the same shares, prompting the user for a username *and* password if using the local system authentication data fails. Right now, the only idea I have is to force people to use the same username and password on their local config as in our ldap database, and train them to keep the info in sync themselves. Setting up a domain server isn't an option. Thanks for your time! -Jules -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Windows XP greyed-out Guest user password prompt
(replying to self again) Update: The Windows XP (SP2, BTW) client tries three times to log in to the Samba server with the Windows username, which is different from the Samba username. As one would expect, Samba replies to each of the three requests with a STATUS_WRONG_PASSWORD message, and in the same packets the Action segment reads 0x0001 Guest: Logged in as GUEST. If a new XP user is created with the same username and password as the Samba account, the problem goes away. But if either the XP username or the XP password differs from Samba's info, the user is never prompted for the real username or password. Unfortunately, we have situations where the desired behavior is for Windows to allow the Samba username to be different from the Windows XP client username, and prompt for a different username if the currently-logged-in username/pw fails. Instead, XP forces a guest login. I'd think that this is purely a client issue, except that when I try this with a Windows 2000 server or a 2003 server, I'm prompted for a username AND password if the Windows XP uid/pw fails. For what it's worth, Samba returns STATUS_WRONG_PASSWORD errors (even if the Samba user doesn't exist), while the Windows 2000 server returns STATUS_LOGON_FAILURE errors. -Jules Jules Agee wrote: (replying to self) I'd appreciate any response at all (including RTFM, but a pointer to which FM I should R again would be very appreciated). Again, we're running Samba 3.0.7 on Debian Sarge, and this problem doesn't appear when we connect to Windows file servers, so I thought someone here might have some information that might help me track down the solution. Thanks for your time! Jules Agee wrote: Hi, we've been using Samba for a while, and are just now starting to switch our desktop computers to Windows XP. We are having a problem where connections to our Samba server fail, and the user is presented with a password prompt asking for a password for user Guest. They can't select a different user. I've searched the Microsoft knowledgebase, and the Samba list archives, and there are others who have seen this problem, but none of the suggestions presented seem to help. We are currently using security = share because there are some legacy scripts that depend on not getting prompted for a username to access some read-only shares we have set up. But just for troubleshooting, I have tried setting security = user and map to guest = Bad User but XP still presents the guest password prompt and the user still isn't allowed to specify their username. We are not using a domain controller. Everything works great when using a Windows 2000 client. In XP, mapping a drive to the Samba share works fine. From XP's command prompt, if the user's Windows login and password match what's in our LDAP directory (and they usually do), it lets them right in -- the user doesn't even get a password dialog when they do this: net use \\fileserver.example.com\share /user:joebob But if you just set up a shortcut to \\fileserver.example.com\share or if you try to connect from the run line, it fails tries to force them to login with the guest account. If anyone has any suggestions, or can even make a guess at an explanation for this behavior, I'd really appreciate it. Thanks! -Jules [EMAIL PROTECTED] smb.conf, slightly sanitized: [global] admin users = jane,joe,bob security = share encrypt passwords = true ldap suffix = o=internet ldap admin dn=cn=Administrator,o=internet passdb backend = ldapsam:ldaps://ldap1.example.com ldaps://ldap2.example.com guest account = nobody invalid users = root workgroup = IS netbios name = fileserver.example.com server string = File Server name resolve order = host bcast socket options = SO_KEEPALIVE,TCP_NODELAY oplocks = yes kernel oplocks = yes level2 oplocks = no encrypt passwords = yes create mask = 770 directory mask = 0770 log level = 2 log file = /var/log/samba/%m.log max log size = 1 map to guest = Bad Password load printers = no delete veto files = yes hide files = /Icon?/ veto files = /.AppleDouble/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/TheFindByContentFolder/ dns proxy = no log file = /var/log/samba/log.%m. max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d preserve case = yes [private] comment = Your Private Home Directory path = /home/%u group = default writable = yes create mask = 0700 directory mask = 0700 [IS] comment = Information Systems path = /var/local/fileshare/IS nt acl support = no create mask = 777 directory mask = 0777 read only = No group = IS valid users = @IS,@ISAnalyst,@SupportAnalyst,@SystemAdmin [updates
Re: [Samba] Windows XP greyed-out Guest user password prompt
(replying to self) I'd appreciate any response at all (including RTFM, but a pointer to which FM I should R again would be very appreciated). Again, we're running Samba 3.0.7 on Debian Sarge, and this problem doesn't appear when we connect to Windows file servers, so I thought someone here might have some information that might help me track down the solution. Thanks for your time! Jules Agee wrote: Hi, we've been using Samba for a while, and are just now starting to switch our desktop computers to Windows XP. We are having a problem where connections to our Samba server fail, and the user is presented with a password prompt asking for a password for user Guest. They can't select a different user. I've searched the Microsoft knowledgebase, and the Samba list archives, and there are others who have seen this problem, but none of the suggestions presented seem to help. We are currently using security = share because there are some legacy scripts that depend on not getting prompted for a username to access some read-only shares we have set up. But just for troubleshooting, I have tried setting security = user and map to guest = Bad User but XP still presents the guest password prompt and the user still isn't allowed to specify their username. We are not using a domain controller. Everything works great when using a Windows 2000 client. In XP, mapping a drive to the Samba share works fine. From XP's command prompt, if the user's Windows login and password match what's in our LDAP directory (and they usually do), it lets them right in -- the user doesn't even get a password dialog when they do this: net use \\fileserver.example.com\share /user:joebob But if you just set up a shortcut to \\fileserver.example.com\share or if you try to connect from the run line, it fails tries to force them to login with the guest account. If anyone has any suggestions, or can even make a guess at an explanation for this behavior, I'd really appreciate it. Thanks! -Jules [EMAIL PROTECTED] smb.conf, slightly sanitized: [global] admin users = jane,joe,bob security = share encrypt passwords = true ldap suffix = o=internet ldap admin dn=cn=Administrator,o=internet passdb backend = ldapsam:ldaps://ldap1.example.com ldaps://ldap2.example.com guest account = nobody invalid users = root workgroup = IS netbios name = fileserver.example.com server string = File Server name resolve order = host bcast socket options = SO_KEEPALIVE,TCP_NODELAY oplocks = yes kernel oplocks = yes level2 oplocks = no encrypt passwords = yes create mask = 770 directory mask = 0770 log level = 2 log file = /var/log/samba/%m.log max log size = 1 map to guest = Bad Password load printers = no delete veto files = yes hide files = /Icon?/ veto files = /.AppleDouble/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/TheFindByContentFolder/ dns proxy = no log file = /var/log/samba/log.%m. max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d preserve case = yes [private] comment = Your Private Home Directory path = /home/%u group = default writable = yes create mask = 0700 directory mask = 0700 [IS] comment = Information Systems path = /var/local/fileshare/IS nt acl support = no create mask = 777 directory mask = 0777 read only = No group = IS valid users = @IS,@ISAnalyst,@SupportAnalyst,@SystemAdmin [updates] comment = Software Updates path = /var/local/fileshare/admin/updates browsable = no create mask = 774 group = SystemAdmin directory mask = 0775 nt acl support = no read only = yes guest ok = yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Windows XP greyed-out Guest user password prompt
Hi, we've been using Samba for a while, and are just now starting to switch our desktop computers to Windows XP. We are having a problem where connections to our Samba server fail, and the user is presented with a password prompt asking for a password for user Guest. They can't select a different user. I've searched the Microsoft knowledgebase, and the Samba list archives, and there are others who have seen this problem, but none of the suggestions presented seem to help. We are currently using security = share because there are some legacy scripts that depend on not getting prompted for a username to access some read-only shares we have set up. But just for troubleshooting, I have tried setting security = user and map to guest = Bad User but XP still presents the guest password prompt and the user still isn't allowed to specify their username. We are not using a domain controller. Everything works great when using a Windows 2000 client. In XP, mapping a drive to the Samba share works fine. From XP's command prompt, if the user's Windows login and password match what's in our LDAP directory (and they usually do), it lets them right in -- the user doesn't even get a password dialog when they do this: net use \\fileserver.example.com\share /user:joebob But if you just set up a shortcut to \\fileserver.example.com\share or if you try to connect from the run line, it fails tries to force them to login with the guest account. If anyone has any suggestions, or can even make a guess at an explanation for this behavior, I'd really appreciate it. Thanks! -Jules [EMAIL PROTECTED] smb.conf, slightly sanitized: [global] admin users = jane,joe,bob security = share encrypt passwords = true ldap suffix = o=internet ldap admin dn=cn=Administrator,o=internet passdb backend = ldapsam:ldaps://ldap1.example.com ldaps://ldap2.example.com guest account = nobody invalid users = root workgroup = IS netbios name = fileserver.example.com server string = File Server name resolve order = host bcast socket options = SO_KEEPALIVE,TCP_NODELAY oplocks = yes kernel oplocks = yes level2 oplocks = no encrypt passwords = yes create mask = 770 directory mask = 0770 log level = 2 log file = /var/log/samba/%m.log max log size = 1 map to guest = Bad Password load printers = no delete veto files = yes hide files = /Icon?/ veto files = /.AppleDouble/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/TheFindByContentFolder/ dns proxy = no log file = /var/log/samba/log.%m. max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d preserve case = yes [private] comment = Your Private Home Directory path = /home/%u group = default writable = yes create mask = 0700 directory mask = 0700 [IS] comment = Information Systems path = /var/local/fileshare/IS nt acl support = no create mask = 777 directory mask = 0777 read only = No group = IS valid users = @IS,@ISAnalyst,@SupportAnalyst,@SystemAdmin [updates] comment = Software Updates path = /var/local/fileshare/admin/updates browsable = no create mask = 774 group = SystemAdmin directory mask = 0775 nt acl support = no read only = yes guest ok = yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Windows XP greyed-out Guest user password prompt
(replying to self) Jules Agee wrote: Hi, we've been using Samba for a while, and are just now starting to switch our desktop computers to Windows XP. We are having a problem where connections to our Samba server fail, and the user is presented with a password prompt asking for a password for user Guest. They can't select a different user. Sorry, forgot to mention that we're running Samba 3.0.7 on Debian GNU/Linux -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] UI performance awful - please help!
I've set up a Samba 2.2.5 server authenticating against an OpenLDAP server. Everything seems to be working, except that changing directories takes 15-30 seconds. I've set up nss_ldap, optimized the nscd cache and my LDAP server's cache and indexes, and both seem to respond instantly on the command line (for cache hits, anyway). If I connect with NET USE on a client machine, it works fine, no delays. Same with smbclient. The problem only seems to rear its head when using Windows Explorer. Every time I open a new folder in Windows Explorer, at log level 2 I can see anywhere from ten to thirty entries like this: [2002/11/12 12:17:15, 2] lib/access.c:check_access(327) Allowed connection from (199.249.215.249) [2002/11/12 12:17:16, 2] lib/access.c:check_access(327) Allowed connection from (199.249.215.249) [2002/11/12 12:17:16, 2] lib/access.c:check_access(327) Allowed connection from (199.249.215.249) Here's my smb.conf file. Any suggestions would be greatly appreciated. # Global parameters [global] ldap server = localhost ldap port = 389 ldap suffix = o=internet ldap admin dn = cn=Manager,o=internet ldap ssl = no workgroup = IS netbios name = THOR server string = Thor File Server max log size = 1 hosts allow = 199.249.215.0/255.255.255.0 10.0.0.0/255.0.0.0 name resolve order = host bcast encrypt passwords = Yes group = default create mask = 770 directory mask = 0770 log level = 2 log file = /var/log/samba/%m.log delete veto files = yes veto files = /.AppleDouble/.AppleDesktop/Network Trash Folder/TheVolumeSettingsFolder/Icon?/TheFindByContentFolder/ [private] comment = Private File Storage/Backup directory mask = 0700 path = /usr/local/fileshare/home read only = No [public] comment = Public File Sharing path = /usr/local/fileshare/public create mask = 777 directory mask = 0777 read only = No guest ok = Yes [artdept-web] comment = artdept Intranet path = /usr/local/fileshare/artdept-web create mask = 774 directory mask = 0775 read only = No group = ArtDept valid users = ArtDept [hr-web] comment = humanresources Intranet path = /usr/local/fileshare/hr-web create mask = 774 directory mask = 0775 read only = No group = HumanResources valid users = HumanResources [IS] comment = Information Systems path = /usr/local/fileshare/IS read only = No group = IS valid users = IS,SysAdmin,ISAnalysts,SupportAnalysts -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] UI performance awful - please help! (umm, nevermind)
Looks like the problem I had was caused by being behind on service packs. The client I was testing with was Windows 2000 with no service packs applied (oops). Our up-to-date client machines seem to be working great with our Samba server. Sorry! Jules Agee wrote: I've set up a Samba 2.2.5 server authenticating against an OpenLDAP server. Everything seems to be working, except that changing directories takes 15-30 seconds. SNIP -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] NT Security tab changes [solved]
Jules Agee wrote: If I try to modify perms on a file that I don't own from the Security Tab, I get a permission denied dialog as expected. But when I actually own the file and try to change perms, for example to give Everyone write access to it, the second I click the Apply button, all my changes simply revert to whatever they were before I changed anything. SNIP The LDAP gidNumber in the user entries weren't matching up with existing groups. I didn't think this would be an issue, since I didn't really need a group for each user. So some of the files on the server just had a gid number in the group permissions field instead of a group name, and an ls -l in a user's home directory would look like this: total 48 -rw-r--r--1 julesa 1599 8661 Jan 31 2001 CHANGES.TXT -rw-r--r--1 julesa 159917032 Jan 31 2001 faq.html -rwxr-xr-x1 julesa 1599 485 Jan 31 2001 lbe.bat -rw-r--r--1 julesa 1599 1143 Feb 11 2002 userlist.txt Unfortunately, Samba sort of gagged when it couldn't map the group id number on the file to an existing group, and wouldn't let the user change any permissions, even if they owned the file. -- Jules Agee System Administrator Pacific Coast Feather Co. [EMAIL PROTECTED] x284 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] NT Security tab changes
[EMAIL PROTECTED] wrote: On Thu, Oct 03, 2002 at 05:30:07PM -0700, Jules Agee wrote: Do I need to patch ACL support into the Linux kernel just to allow users to change permissions on files hosted on the Samba 2.2.5 server? All I really need is to allow users to set read/write/execute on files. Right now, I don't have an ACL-patched kernel installed on the server. No you don't. So long as the users are only changing the u/g/w permissions Samba should reflect these onto the standard UNIX permissions. Jeremy. So... forgive me, I'm still new at using Samba. Any idea why it isn't working with the configuration described below? If I try to modify perms on a file that I don't own from the Security Tab, I get a permission denied dialog as expected. But when I actually own the file and try to change perms, for example to give Everyone write access to it, the second I click the Apply button, all my changes simply revert to whatever they were before I changed anything. If I add nt acl support = no to the config, then the Security tab disappears on the Windows client. RedHat 7.2 with RedHat kernel 2.4.9-34 Samba 2.2.5 installed from samba-latest.tar.gz running on ext3 filesystem All users have Windows 2000 Pro (not sure what SP). Samba is authenticating to OpenLDAP, and I'm using nss_ldap. Here's the relevant section of smb.conf: [global] ldap server = localhost ldap port = 389 ldap suffix = o=internet ldap admin dn = cn=Manager,o=internet ldap ssl = no workgroup = IS netbios name = THOR server string = Thor File Server security = server dos filemode = yes encrypt passwords = Yes log file = /var/log/samba/%m.log max log size = 0 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No [private] comment = Private File Storage path = /usr/local/fileshare/home read only = No -- Jules Agee System Administrator Pacific Coast Feather Co. [EMAIL PROTECTED] x284 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] NT Security tab changes
Do I need to patch ACL support into the Linux kernel just to allow users to change permissions on files hosted on the Samba 2.2.5 server? All I really need is to allow users to set read/write/execute on files. Right now, I don't have an ACL-patched kernel installed on the server. My users can see the security tab when they check the preferences on Samba-hosted files, but they can't change anything, even if they own the file. If the check or un-check a box, it just reverts back as soon as they click the Apply button. If I change the file perms using chmod at the server console, logged in as the user in question, it works fine... All users have Windows 2000 Pro (not sure what SP). Samba is authenticating to OpenLDAP, and I'm using nss_ldap. Here's the relevant section of smb.conf: [global] ldap server = localhost ldap port = 389 ldap suffix = o=internet ldap admin dn = cn=Manager,o=internet ldap ssl = no workgroup = IS netbios name = THOR server string = Thor File Server security = server dos filemode = yes encrypt passwords = Yes log file = /var/log/samba/%m.log max log size = 0 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 dns proxy = No [private] comment = Private File Storage path = /usr/local/fileshare/home read only = No -- Jules Agee System Administrator Pacific Coast Feather Co. [EMAIL PROTECTED] x284 -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba