[Samba] Samba processes domain authenticated user as nobody during logon.bat execution

2004-06-23 Thread gpalmer
Beating head on desk again!

I have a samba server running winbind which can access the domain.  It is
working fine and is using domain credentials.  I access the samba shares
after the user has authenticated against a novell server during the novell
logon script. The shares are authenticated with user domain credentials and
verified with smbstatus. This works great!

If I alternatively use windows networking domain authentication, I have
problems.   
The Win95 station correctly authenticates against NT4 PDC and runs logon.bat
from that server. 
As LOGON.BAT accesses samba shares, samba appears to get user credentials
without the Domain Name.  Since there are no users on the samba server, this
gets morphed into nobody.  
All services which can be accessed as nobody are attached as nobody,  all
other services are denied.  As a result important tools such as "net use X:
/home" do not work when file and directory permissions prohibit access to
nobody.

During the LOGON.BAT, I issued a net config
Computer name  \\LGA00D0B724628B
User name      GPALMER
Workgroup  LGANET
Workstation root directory C:\WINDOWS

Software version   4.00.950
Redirector version 4.00
Client for NetWare version 3.26

Registry setting require authentication..  It appears that "net" thinks it
is part of the domain; but as stated above, samba attaches as nobody.  Samba
logs indicate that it is receiving user gpalmer and not lganet\gpalmer. 

From a DOS window, after logon.bat finishes, I can successfully execute
"net use X: /home".  Samba gets and processes the full domain credentials.  
Samba interprets user as nobody without regard to setting in "Log on to
windows nt domain" in the "client for microsoft networks" dialog.
If the home directory is moved to nt server it will successfully attach
during logon.bat.
I have exhausted all options I know about.

Thanks in advance for any insight you might give.


Excerpts from Failure log:
At log level 5
[2004/06/22 16:19:12, 3] smbd/reply.c:reply_sesssetup_and_X(1070)
  No such user gpalmer [] - using guest account
.
.
.
[2004/06/22 16:19:13, 3] smbd/service.c:find_service(140)
  checking for home directory gpalmer gave (NULL)
[2004/06/22 16:19:13, 3] smbd/service.c:find_service(209)
  find_service() failed to find service gpalmer
[2004/06/22 16:19:13, 0] smbd/service.c:make_connection(251)
  lga009027a6e884 (192.168.12.178) couldn't find service gpalmer
 
at loglevel 0
[2004/06/23 08:59:49, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user nobody
[2004/06/23 09:04:10, 0] smbd/service.c:make_connection(251)
  lga009027a6e884 (192.168.12.178) couldn't find service gpalmer


Samba version 2.2.8a
SMB.CONF
#*
#server naming
server string = LGACHI01 - Chicago Main Server
workgroup = LGANET
netbios name = LGACHI01
netbios aliases = LGAGLE04

#*
#authentication
#PDC
password server = LGAGLE02 LGAGLE03
logon script = logon.bat
encrypt passwords = yes
password level = 8
username level = 8
#username map = /usr/local/samba/lbin/map.user
smb passwd file = /usr/local/samba/lbin/smbpasswd
security = domain
domain master = no
domain admin group = @root
domain logons = no

#*
#WINS Browsing and naming
#wins server
wins support = no
lm announce = yes
lm interval = 120
preferred master = no
remote browse sync = 192.168.201.0 192.168.201.255 192.168.201.1
remote announce = 192.168.201.255/LGANET 192.168.12.255/LGANET 192.168.31.255/LGANET 192.168.51.255/LGANET
local master = no
os level = 0

#wins client
name resolve order = wins bcast lmhosts host
wins server = 192.168.12.28 192.168.201.1
wins proxy = yes
dns proxy = no
browse list = yes

#*
#IP Networking
time server = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
allow hosts = 192.168. 127.
interfaces = 192.168.10.2/24 192.168.11.2/24 192.168.12.2/24 192.168.12.101/24 192.168.12.104/24
oplock break wait time = 100

#*
#printing
print command = lpr -l -P'%p' %s
printing = lprng
printcap name = /etc/printcap
load printers = yes

#*
#log files
log file = /var/log/samba/log.%m
max log size = 50
log level = 0
#*
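
A way to surface the silent guest fallback shown in the failure log above, as an added example that is not part of the original post: it pairs each "using guest account" entry with later "couldn't find service" denials for the same name. The function names are illustrative, and the bracketed field after the user name is assumed to be the domain the client sent.

```python
import re

# Log excerpt from the message above (trimmed); smbd writes a header line
# followed by an indented message line.
SAMPLE_LOG = """\
[2004/06/22 16:19:12, 3] smbd/reply.c:reply_sesssetup_and_X(1070)
  No such user gpalmer [] - using guest account
[2004/06/22 16:19:13, 3] smbd/service.c:find_service(209)
  find_service() failed to find service gpalmer
[2004/06/22 16:19:13, 0] smbd/service.c:make_connection(251)
  lga009027a6e884 (192.168.12.178) couldn't find service gpalmer
[2004/06/23 08:59:49, 0] smbd/password.c:authorise_login(863)
  authorise_login: rejected invalid user nobody
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
GUEST = re.compile(r"No such user (?P<user>\S+) \[(?P<domain>[^\]]*)\] - using guest account")
NO_SERVICE = re.compile(r"\((?P<ip>[\d.]+)\) couldn't find service (?P<svc>\S+)")

def parse_entries(text):
    """Group each header line with the message line(s) that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]), "src": m["src"], "msg": ""}
            entries.append(current)
        elif current is not None and line.strip() not in ("", "."):
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    return entries

def guest_fallbacks(text):
    """Return guest-fallback events, each with the share denials that followed."""
    findings, by_user = [], {}
    for e in parse_entries(text):
        g = GUEST.search(e["msg"])
        if g:
            f = {"ts": e["ts"], "user": g["user"], "domain": g["domain"], "denied": []}
            findings.append(f)
            by_user[g["user"]] = f
            continue
        s = NO_SERVICE.search(e["msg"])
        if s and s["svc"] in by_user:  # [homes] request named after the user
            by_user[s["svc"]]["denied"].append((e["ts"], s["ip"]))
    return findings

if __name__ == "__main__":
    for f in guest_fallbacks(SAMPLE_LOG):
        print(f)
```

An empty "domain" value in a finding corresponds to the symptom reported here: the session setup arrived with a bare user name and was mapped to the guest account.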

RE: [Samba] XP Client cannot join Samba3 PDC

2004-04-23 Thread gpalmer
[global]
#server naming
netbios name = CHARON
workgroup = GPNET
server string = GPNET PDC Server

#authentication as PDC
domain logons = yes
domain master = yes
security = user
password level = 8
username level = 8
smb passwd file=/usr/local/samba/private/smbpasswd
logon script = logon.bat
encrypt passwords = yes
domain admin group = @root
username map = /usr/local/samba/lbin/map.user

#user group scripts
add user script=/usr/sbin/useradd -d /dev/null -c "Samba account %u" -s /bin/false -M %u
add machine script =/usr/sbin/useradd -d /dev/null -g machines -c "Machine account %u" -s /bin/false -M %u

#wins server
wins support = yes
time server = yes
local master = yes
lm announce = yes
lm interval = 120
browse list = yes
remote announce = 192.168.201.127/GPNET 192.168.12.255/GPNET 192.168.201.135/GPNET 192.168.201.139/GPNET 192.168.201.143/GPNET
os level = 64
preferred master = yes
#wins client
name resolve order = wins bcast lmhosts
wins proxy = yes
dns proxy = yes

#IP Networking
interfaces = 192.168.201.1/25 192.168.201.129/29 192.168.201.137/30 192.168.201.141/30
hosts allow = 192.168.201. 192.168.202. 127. 192.168.12.
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#printing
printer = pshplj5
load printers = yes
printcap name = /etc/printcap

#log files
log level = 0
max log size = 50
log file = /var/log/samba/log.%m

#default share
map archive = yes
map system = yes
map hidden = yes
browseable = yes
writable = yes
public = yes


--
# items that prevent domain join-must be removed for successful operations
  force group=nobody
  force user = nobody

--

[homes]
   comment = Home Directory for %U
   browseable = no
   write list = %U
   valid users= %U
   path = /home/%U
   force user=%U
   force group=%U

[profiles]
   browseable = no
   path=/home/%U/profile
   write list = %U
   valid users= %U
   force user=%U
   force group=%U

[netlogon]
   comment = Network Logon Service
   path = /home/netlogon
   writable = no
   public = no
   write list=administrator root

[exe]
   comment = Network Public Executables
   path = /home/exe

[movie]
   comment = Movie files
   path = /home/movie

[audio]
   comment = Audio files
   path = /home/audio



-Original Message-
From:   Jose Martinez [SMTP:[EMAIL PROTECTED]
Sent:   Friday, April 23, 2004 12:47 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject:RE: [Samba] XP Client cannot join Samba3 PDC

When u used these FORCE user and group settings, you didn't have to tell it
which user and group to force?

Can you send a copy of your smb.conf file.

The problem I am having is that sometimes a machine that is connected to the
domain will not allow a user to authenticate.. but it allows other users to
authenticate.. I'm wondering if this could be related...

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of
[EMAIL PROTECTED]
Sent: Friday, April 23, 2004 1:26 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [Samba] XP Client cannot join Samba3 PDC

Resolved problem:
Had decided to use global force user/force group options for the shares.  
It worked like a charm.  All my shares now had default groups and users.
I did not realize how truly global these settings were.  After a careful
review of the logs,  I noticed that root indeed logged in.  However, the
effective user always morphed into nobody.  At that time, I thought this was
nominal behavior.  NOT!

The global settings for:
FORCE USER = unix user
FORCE GROUP= unix group
Sets the Effective User ID to those forced ID's for EVERYTHING, including
non share oriented communications.
Check your configs and eliminate these GLOBAL settings.  

30 hours!  DOH!


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
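
An added example, not part of the original posts: a small check for the misconfiguration described in the "Resolved problem" message, flagging "force user" / "force group" set in [global] while leaving per-share uses alone. The sample config is constructed from the thread's smb.conf, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the smb.conf in this thread (not a full config).
SAMPLE_CONF = """\
[global]
workgroup = GPNET
security = user
domain logons = yes
  force group=nobody
  Force User = nobody
; forceuser = disabled

[homes]
   path = /home/%U
   force user=%U
"""

IDENTITY_OVERRIDES = {"forceuser", "forcegroup"}

def norm(name):
    # Samba compares parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_conf(text):
    # Returns [(section, param, value, lineno)]; backslash continuations are joined.
    out, section, pending, start = [], None, "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line[0] in "#;":
                continue  # blank line or comment
            start = n
        if line.endswith("\\"):
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            out.append((section, norm(key), value.strip(), start))
    return out

def global_identity_overrides(text):
    # Only [global] is reported: there the setting becomes the default everywhere.
    return [(p, v, n) for s, p, v, n in parse_conf(text)
            if s == "global" and p in IDENTITY_OVERRIDES]

if __name__ == "__main__":
    for param, value, lineno in global_identity_overrides(SAMPLE_CONF):
        print(f"line {lineno}: [global] {param} = {value}")
```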


RE: [Samba] XP Client cannot join Samba3 PDC

2004-04-23 Thread gpalmer
Resolved problem:
Had decided to use global force user/force group options for the shares.  
It worked like a charm.  All my shares now had default groups and users.
I did not realize how truly global these settings were.  After a careful
review of the logs,  I noticed that root indeed logged in.  However, the
effective user always morphed into nobody.  At that time, I thought this was
nominal behavior.  NOT!

The global settings for:
FORCE USER = unix user
FORCE GROUP= unix group
Sets the Effective User ID to those forced ID's for EVERYTHING, including
non share oriented communications.
Check your configs and eliminate these GLOBAL settings.  

30 hours!  DOH!


-Original Message-
From:   Chris Tepaske [SMTP:[EMAIL PROTECTED]
Sent:   Thursday, April 15, 2004 5:43 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject:RE: [Samba] XP Client cannot join Samba3 PDC

I have found the same problem now and again especially if you remove a
machine and then want to rejoin I'm assuming that you use root for the
account and that it exists in your samba setup.

I found that when it happens to me that quickest and easiest way to resolve
the issue is to rebuild the machine I found the problem with XP and 2003
don't know what causes the issue and I think lots of people have the same
problem as it is not the first time this has come up on the posts. 

Cheers

Chris Tepaske
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 April 2004 4:47 AM
To: [EMAIL PROTECTED]
Subject: [Samba] XP Client cannot join Samba3 PDC

Migrating a working Samba 2.2.8a Domain Controller to 3.0.2a
Using smbpasswd file
compiled using gcc 3.2.2




Used working 2.2.8 configuration



#authentication as PDC
workgroup = XNET
domain logons = yes
domain master = yes
preferred master = yes
security = user
password level = 8
username level = 8
smb passwd file = /usr/local/samba/lbin/smbpasswd
logon script = logon.bat
encrypt passwords = yes




Added automation scripts 



#user group scripts
add user script=/usr/sbin/useradd -d /dev/null -g machines -c "Machine account %u" -s /bin/false -M %u
delete user script=/usr/sbin/userdel -r %u
add group script=/usr/sbin/groupadd %g
delete group script=/usr/sbin/groupdel %g
add user to group script=/usr/sbin/usermod -G %g %u
add machine script=/usr/sbin/useradd -s /bin/false -d /dev/null %u




Disabled the following items in the Local Security Policy



Domain member: Digitally encrypt or sign secure channel data (Always) 
domain member: Digitally encrypt secure channel data (when possible) 
Domain member: Digitally sign secure channel data (when possible) 
Domain member: Require strong (Windows 2000 or later) session key 




Added the following Registry Hacks




[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword: If you still have changes, you may want
to change the following

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"sealsecurechannel"=dword:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"signsecurechannel"=dword: 




Deleted existing machine entries in smbpasswd



vi smbpasswd 
delete machine user line
restart smb




Added machine ent

RE: [Samba] XP Client cannot join Samba3 PDC

2004-04-14 Thread gpalmer
Should have included this information
Smbpassword already includes a root user with uid  of 0.
Tried to join domain as XNET\root with root/samba root password ( unix and
smb passwords are the same).
Successfully joined domain using credentials from a different samba3 box.

Thanks for your quick reply

-Original Message-
From:   Matthias Spork [SMTP:[EMAIL PROTECTED]
Sent:   Wednesday, April 14, 2004 2:17 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject:Re: [Samba] XP Client cannot join Samba3 PDC

Hello,

> CANNOT join domain from XP
> XP client reports: Access is denied
> (logged in on XP as Administrator)
> Samba reports (level 10 logging): _samr_open_domain: ACCESS DENIED

> Both root and nobody appear to authenticate
> Logs indicate insufficient privilege to continue 

Only root (User-ID 0) can add machines to a domain. Root must also 
exist in your Samba-userlist.

matze


[Samba] XP Client cannot join Samba3 PDC

2004-04-14 Thread gpalmer
Migrating a working Samba 2.2.8a Domain Controller to 3.0.2a
Using smbpasswd file
compiled using gcc 3.2.2



Used working 2.2.8 configuration


#authentication as PDC
workgroup = XNET
domain logons = yes
domain master = yes
preferred master = yes
security = user
password level = 8
username level = 8
smb passwd file = /usr/local/samba/lbin/smbpasswd
logon script = logon.bat
encrypt passwords = yes



Added automation scripts 


#user group scripts
add user script=/usr/sbin/useradd -d /dev/null -g machines -c "Machine account %u" -s /bin/false -M %u
delete user script=/usr/sbin/userdel -r %u
add group script=/usr/sbin/groupadd %g
delete group script=/usr/sbin/groupdel %g
add user to group script=/usr/sbin/usermod -G %g %u
add machine script=/usr/sbin/useradd -s /bin/false -d /dev/null %u



Disabled the following items in the Local Security Policy


Domain member: Digitally encrypt or sign secure channel data (Always) 
domain member: Digitally encrypt secure channel data (when possible) 
Domain member: Digitally sign secure channel data (when possible) 
Domain member: Require strong (Windows 2000 or later) session key 



Added the following Registry Hacks


 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireSignOrSeal"=dword: If you still have changes, you may want
to change the following
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"sealsecurechannel"=dword:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"signsecurechannel"=dword: 



Deleted existing machine entries in smbpasswd


vi smbpasswd 
delete machine user line
restart smb



Added machine entries 


smbpasswd -a -m WORKSTATION_NAME




SYMPTOMS


CAN authenticate from domain members added prior to migration
CAN use shares from 95/XP/Samba using share based authentication username/password
CAN join domain from another Samba3 box

CANNOT join domain from XP
XP client reports: Access is denied
(logged in on XP as Administrator)
Samba reports (level 10 logging): _samr_open_domain: ACCESS DENIED 
Both root and nobody appear to authenticate
Logs indicate insufficient privilege to continue 

Looks like it might be something on the client?? There are no warnings or
errors in any of the XP logs.

Symptoms are the same from multiple installs of XP to multiple installs of
samba

I have racked my brain for the last week and have even resorted to reading
the manual.
Thank you for any guidance in advance!
