Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-07 Thread Rafal Szczesniak
On Thu, Feb 06, 2003 at 04:15:52PM -0800, Richard Sharpe wrote:
> On Thu, 6 Feb 2003, Richard Sharpe wrote:
> 
> > On Thu, 6 Feb 2003, Bryan J. Smith wrote:
> > 
> > No, not really. The $ in the name of the trust account is an MS thing. 
> > Samba requires a machine account be backed up on the server with an 
> > account of that name. However, as far as I can see, we could remove that 
> > restriction, as we could keep all the needed info in the secrets file or 
> > another tdb.
> 
> OK, I withdraw the last sentence, since when we are operating as a PDC, we 
> should use the same account mechanisms for trust accounts and ordinary 
> user accounts.

Actually, it depends on the direction of the trust, i.e. whether we're dealing with 
a _trusted_ domain or a _trusting_ domain.
Just my 2 cents...


-- 
cheers,
Rafal 'Mimir' Szczesniak <[EMAIL PROTECTED]>
*BSD, GNU/Linux and Samba



Re: machine names same as usernames -> problems...

2003-02-06 Thread Richard Sharpe
On Thu, 6 Feb 2003, Andrew Bartlett wrote:

> On Thu, Feb 06, 2003 at 02:47:47PM -0800, Richard Sharpe wrote:
> > On Thu, 6 Feb 2003, Bradley W. Langhorst wrote:
> > 
> > > On Thu, 2003-02-06 at 15:39, Andrew Bartlett wrote: 
> > > > > adil (users) and
> > > > > adil$ (machine)
> > > > > cannot work.
> > > > 
> > > > Why can't it work?  I've seen this discussed a number of times, but
> > > > never really been told why it doesn't work.  That $ is there for exactly
> > > > that reason you know - to make them different.  
> > 
> > [...]
> > 
> > > > Can you describe the failure please? 
> > > I thought this was well known...
> > > The machine simply fails to join the domain, with a message about bad
> > > password or invalid machine account.
> > 
> > Under what circumstances can't/doesn't this work?
> > 
> > Does it not work only in the case that adil and adil$ both exist in the 
> > passwd database of the Samba server? 
> > 
> > If that is the case, then the code that allows the machine to log onto the 
> > trust account is probably checking for the 'adil' account and refusing to 
> > let it happen.
> 
> No such code exists.  

Hmmm, that is interesting. Maybe I need to try this myself to see what the 
issues are.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Richard Sharpe
On Thu, 6 Feb 2003, Richard Sharpe wrote:

> On Thu, 6 Feb 2003, Bryan J. Smith wrote:
> 
> > 
> > Quoting Andrew Bartlett <[EMAIL PROTECTED]>:
> > > Why can't it work?  I've seen this discussed a number of times, but
> > > never really been told why it doesn't work.  That $ is there for
> > > exactly that reason you know - to make them different.  
> > 
> > Er, not exactly.  If I remember correctly, the "$" in the passwd file is just a
> > Samba-specific nomenclature, correct?  Plus CIFS has all sorts of "trailing
> > characters" after NetBIOS names that are _not_ part of the unique NetBIOS name
> > itself.
> 
> No, not really. The $ in the name of the trust account is an MS thing. 
> Samba requires a machine account be backed up on the server with an 
> account of that name. However, as far as I can see, we could remove that 
> restriction, as we could keep all the needed info in the secrets file or 
> another tdb.

OK, I withdraw the last sentence, since when we are operating as a PDC, we 
should use the same account mechanisms for trust accounts and ordinary 
user accounts.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: machine names same as usernames -> problems...

2003-02-06 Thread Bradley W. Langhorst
On Thu, 2003-02-06 at 17:47, Richard Sharpe wrote:
> On Thu, 6 Feb 2003, Bradley W. Langhorst wrote:
> 
> > On Thu, 2003-02-06 at 15:39, Andrew Bartlett wrote: 
> > > > adil (users) and
> > > > adil$ (machine)
> > > > cannot work.
> > > 
> > > Why can't it work?  I've seen this discussed a number of times, but
> > > never really been told why it doesn't work.  That $ is there for exactly
> > > that reason you know - to make them different.  
> 
> [...]
> 
> > > Can you describe the failure please? 
> > I thought this was well known...
> > The machine simply fails to join the domain, with a message about bad
> > password or invalid machine account.
> 
> Under what circumstances can't/doesn't this work?
> 
> Does it not work only in the case that adil and adil$ both exist in the 
> passwd database of the Samba server? 
It certainly fails in that situation.
I've had less specific troubles with machines 

I thought you were just saying that there is no solution to this
problem...


When a user tries to log on, the workstation also tries to
register that user's name as a NetBIOS name, with types of <00>
and <03>. However, they clash with the already registered
machine names. SOL.

I've just tested an XP machine joining a samba3a21 domain (ldap
backend); it fails with this in the log:

[2003/02/06 17:42:02, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[(&(uid=bwlang$)(objectclass=sambaAccount))]
[2003/02/06 17:42:03, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[(&(uid=bwlang$)(objectclass=sambaAccount))]
[2003/02/06 17:42:03, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1857)
  User already in the base, with samba properties
[2003/02/06 17:42:03, 0] rpc_server/srv_samr_nt.c:_api_samr_create_user(2302)
  could not add user/computer bwlang$ to passdb.  Check permissions?
[2003/02/06 17:42:04, 2] smbd/server.c:exit_server(534)
  Closing connections

The very nice descriptive error message on the client is
"Access is denied".

There was no account bwlang$ when I started; there was an account bwlang.
Interestingly, the join created the bwlang$ account but failed
nonetheless.

brad

-- 
Bradley W. Langhorst <[EMAIL PROTECTED]>
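An added triage helper, not code from the thread or from Samba: it parses Samba's multi-line log records (a "[date, level] file:function(line)" header followed by indented message lines) and flags the "could not add user/computer X$ to passdb" failure when an ordinary user with the same base name already exists. The sample log is constructed from the lines quoted above, and the set of existing users is supplied by hand rather than read from a passdb backend.

```python
import re
from dataclasses import dataclass, field

# A Samba log record starts with "[date time, level] file:function(line)"
# and continues on indented lines until the next header.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)\s*$")
CREATE_FAIL_RE = re.compile(r"could not add user/computer (\S+) to passdb")
SEARCH_RE = re.compile(r"searching for:\[\(&\(uid=([^)]+)\)")

# Constructed sample, modelled on the log lines quoted in the post above.
SAMPLE_LOG = """\
[2003/02/06 17:42:02, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[(&(uid=bwlang$)(objectclass=sambaAccount))]
[2003/02/06 17:42:03, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[(&(uid=bwlang$)(objectclass=sambaAccount))]
[2003/02/06 17:42:03, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1857)
  User already in the base, with samba properties
[2003/02/06 17:42:03, 0] rpc_server/srv_samr_nt.c:_api_samr_create_user(2302)
  could not add user/computer bwlang$ to passdb.  Check permissions?
[2003/02/06 17:42:04, 2] smbd/server.c:exit_server(534)
  Closing connections
"""


@dataclass
class LogEntry:
    timestamp: str
    level: int
    location: str
    lines: list = field(default_factory=list)

    @property
    def message(self) -> str:
        # Continuation lines joined into one message string.
        return " ".join(line.strip() for line in self.lines)


def parse_samba_log(text: str) -> list:
    """Group each header and its continuation lines into a LogEntry."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(LogEntry(m.group(1), int(m.group(2)), m.group(3)))
        elif entries and raw.strip():
            entries[-1].lines.append(raw)
    return entries


def diagnose_join_failure(text: str, existing_users: set) -> list:
    """Return (account, base_name, lookups) for every failed machine-account
    creation whose base name (account minus the trailing '$') is already an
    ordinary user in existing_users; lookups counts the passdb searches seen."""
    entries = parse_samba_log(text)
    lookups = {}
    for e in entries:
        m = SEARCH_RE.search(e.message)
        if m:
            lookups[m.group(1)] = lookups.get(m.group(1), 0) + 1
    findings = []
    for e in entries:
        m = CREATE_FAIL_RE.search(e.message)
        if not m or not m.group(1).endswith("$"):
            continue
        acct = m.group(1)
        base = acct[:-1]                      # 'bwlang$' -> 'bwlang'
        if base in existing_users:
            findings.append((acct, base, lookups.get(acct, 0)))
    return findings
```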




Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Bryan J. Smith

Quoting Richard Sharpe <[EMAIL PROTECTED]>:
> No, not really. The $ in the name of the trust account is an MS thing.
> Samba requires a machine account be backed up on the server with an 
> account of that name. However, as far as I can see, we could remove that
> restriction, as we could keep all the needed info in the secrets file or
> another tdb.
> However, the issue likely boils down to NetBIOS names being registered
> when the user tries to log on.
> When a workstation boots, it registers its workstation name as a NetBIOS
> name. Indeed, it registers several types of NetBIOS names, including a
> <00> name, a <03> name and, if you have enabled sharing, a <20> name.
> When a user tries to log on, the workstation also tries to register that
> user's name as a NetBIOS name, with types of <00> and <03>. However,
> they clash with the already registered machine names. SOL.

You can tell how "rusty" I am on CIFS/NetBIOS.  I've been supporting almost 100%
UNIX networks (with NFS) for close to 4 years now and it shows.


-- 
Bryan J. Smith |  Peace is a fruitless endeavor
http://thebs.org   |  When a defeated aggressor
Engineer, IT Professional  |  Has not, will not nor will ever
Proud American Forever |  Adhere to terms of its surrender




Re: machine names same as usernames -> problems...

2003-02-06 Thread Andrew Bartlett
On Thu, Feb 06, 2003 at 02:47:47PM -0800, Richard Sharpe wrote:
> On Thu, 6 Feb 2003, Bradley W. Langhorst wrote:
> 
> > On Thu, 2003-02-06 at 15:39, Andrew Bartlett wrote: 
> > > > adil (users) and
> > > > adil$ (machine)
> > > > cannot work.
> > > 
> > > Why can't it work?  I've seen this discussed a number of times, but
> > > never really been told why it doesn't work.  That $ is there for exactly
> > > that reason you know - to make them different.  
> 
> [...]
> 
> > > Can you describe the failure please? 
> > I thought this was well known...
> > The machine simply fails to join the domain, with a message about bad
> > password or invalid machine account.
> 
> Under what circumstances can't/doesn't this work?
> 
> Does it not work only in the case that adil and adil$ both exist in the 
> passwd database of the Samba server? 
> 
> If that is the case, then the code that allows the machine to log onto the 
> trust account is probably checking for the 'adil' account and refusing to 
> let it happen.

No such code exists.  

Andrew Bartlett



Re: machine names same as usernames -> problems...

2003-02-06 Thread Richard Sharpe
On Thu, 6 Feb 2003, Bradley W. Langhorst wrote:

> On Thu, 2003-02-06 at 15:39, Andrew Bartlett wrote: 
> > > adil (users) and
> > > adil$ (machine)
> > > cannot work.
> > 
> > Why can't it work?  I've seen this discussed a number of times, but
> > never really been told why it doesn't work.  That $ is there for exactly
> > that reason you know - to make them different.  

[...]

> > Can you describe the failure please? 
> I thought this was well known...
> The machine simply fails to join the domain, with a message about bad
> password or invalid machine account.

Under what circumstances can't/doesn't this work?

Does it not work only in the case that adil and adil$ both exist in the 
passwd database of the Samba server? 

If that is the case, then the code that allows the machine to log onto the 
trust account is probably checking for the 'adil' account and refusing to 
let it happen.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com




Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Bradley W. Langhorst
On Thu, 2003-02-06 at 17:28, Richard Sharpe wrote:

> When a workstation boots, it registers its workstation name as a NetBIOS 
> name. Indeed, it registers several types of NetBIOS names, including a 
> <00> name, a <03> name and, if you have enabled sharing, a <20> name.
> 
> When a user tries to log on, the workstation also tries to register that 
> user's name as a NetBIOS name, with types of <00> and <03>. However, they 
> clash with the already registered machine names. SOL.
>  
So I guess a doc patch is the way to go here...
See my original post for a proposal.

brad
-- 
Bradley W. Langhorst <[EMAIL PROTECTED]>




Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Richard Sharpe
On Thu, 6 Feb 2003, Bryan J. Smith wrote:

> 
> Quoting Andrew Bartlett <[EMAIL PROTECTED]>:
> > Why can't it work?  I've seen this discussed a number of times, but
> > never really been told why it doesn't work.  That $ is there for
> > exactly that reason you know - to make them different.  
> 
> Er, not exactly.  If I remember correctly, the "$" in the passwd file is just a
> Samba-specific nomenclature, correct?  Plus CIFS has all sorts of "trailing
> characters" after NetBIOS names that are _not_ part of the unique NetBIOS name
> itself.

No, not really. The $ in the name of the trust account is an MS thing. 
Samba requires a machine account be backed up on the server with an 
account of that name. However, as far as I can see, we could remove that 
restriction, as we could keep all the needed info in the secrets file or 
another tdb.

However, the issue likely boils down to NetBIOS names being registered 
when the user tries to log on.

When a workstation boots, it registers its workstation name as a NetBIOS 
name. Indeed, it registers several types of NetBIOS names, including a 
<00> name, a <03> name and, if you have enabled sharing, a <20> name.

When a user tries to log on, the workstation also tries to register that 
user's name as a NetBIOS name, with types of <00> and <03>. However, they 
clash with the already registered machine names. SOL.
 
I imagine that this is not a problem with XP based on some comments from 
Chris Hertel.

Of course, this might not be the ultimate problem, either.

> Understand CIFS itself _requires_ NetBIOS names _must_ be _unique_, otherwise a
> service or resource may be attempting to connect to the address of a NetBIOS
> "user" (impossible) instead of the address of a NetBIOS "system".

You know what, I suspect Andrew knows this.

Regards
-
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
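A small model of the registrations described above, added here and not code from the thread or from Samba: it builds NetBIOS names the way NBT does (name upper-cased and space-padded to 15 bytes plus one suffix byte, then RFC 1001 first-level encoding) and keeps a table of unique names, so the clash between a workstation's <00>/<03> registrations and a same-named user's <00>/<03> registrations is visible while the SAM names (adil vs adil$) stay distinct. The owner labels and the "sharing" switch are constructed for the illustration.

```python
WORKSTATION_SUFFIXES = (0x00, 0x03, 0x20)   # <20> only when sharing is enabled
USER_SUFFIXES = (0x00, 0x03)                # registered when the user logs on


def nbt_name(name: str, suffix: int) -> bytes:
    """16-byte NetBIOS name: upper-cased, space-padded to 15, then suffix byte."""
    raw = name.upper().encode("ascii")
    if not 0 < len(raw) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix & 0xFF])


def first_level_encode(nbt: bytes) -> str:
    """RFC 1001 first-level encoding: each nibble becomes one letter 'A'..'P'."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in nbt)


def trust_account_name(workstation: str) -> str:
    """The SAM name NT uses for a machine: the workstation name plus '$'.
    The '$' is a SAM convention only; it never appears in the NetBIOS name."""
    return workstation.lower() + "$"


class UniqueNameTable:
    """Unique NetBIOS names on one segment: a single owner per encoded name."""

    def __init__(self):
        self.owners = {}

    def register(self, name: str, suffix: int, owner: str) -> bool:
        key = first_level_encode(nbt_name(name, suffix))
        if key in self.owners and self.owners[key] != owner:
            return False                # already held by a different owner
        self.owners[key] = owner
        return True


def simulate_logon(workstation: str, username: str, sharing: bool = True) -> list:
    """Register the workstation's names, then the user's; return the suffixes
    whose user registration clashes with an existing machine registration."""
    table = UniqueNameTable()
    suffixes = WORKSTATION_SUFFIXES if sharing else WORKSTATION_SUFFIXES[:2]
    for s in suffixes:
        table.register(workstation, s, "machine:" + workstation.lower())
    return [f"<{s:02x}>" for s in USER_SUFFIXES
            if not table.register(username, s, "user:" + username.lower())]


if __name__ == "__main__":
    # SAM accounts differ (adil vs adil$), but the NetBIOS registrations collide.
    print(trust_account_name("adil"), "vs user adil")
    print("clashes:", simulate_logon("adil", "adil"))   # ['<00>', '<03>']
    print("clashes:", simulate_logon("adil", "bob"))    # []
```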




Re: machine names same as usernames -> problems...

2003-02-06 Thread Bradley W. Langhorst
On Thu, 2003-02-06 at 15:39, Andrew Bartlett wrote: 
> > adil (users) and
> > adil$ (machine)
> > cannot work.
> 
> Why can't it work?  I've seen this discussed a number of times, but
> never really been told why it doesn't work.  That $ is there for exactly
> that reason you know - to make them different.  
I don't know - I probably should have said "does not work" instead of
"cannot work".
I thought maybe the $ was there to identify machine accounts.

> > I think it's not good practice to have machine names and usernames be
> > the same but i also don't think samba should fail cryptically in that
> > situation...
> 
> Can you describe the failure please? 
I thought this was well known...
The machine simply fails to join the domain, with a message about bad
password or invalid machine account.

brad


-- 
Bradley W. Langhorst <[EMAIL PROTECTED]>




Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Bryan J. Smith

Quoting Andrew Bartlett <[EMAIL PROTECTED]>:
> These are different.  The $ termination is a NT suffix, that NT adds
> to its machine accounts.  The netbios issues are separate.  (And as any
> user may add a netbios name to the network, Samba really isn't in a
> position to prevent this from occurring).

Okay, nix what I said in the first part of that paragraph.


-- 
Bryan J. Smith |  Peace is a fruitless endeavor
http://thebs.org   |  When a defeated aggressor
Engineer, IT Professional  |  Has not, will not nor will ever
Proud American Forever |  Adhere to terms of its surrender




Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Andrew Bartlett
On Fri, 2003-02-07 at 07:54, Bryan J. Smith wrote:
> 
> Quoting Andrew Bartlett <[EMAIL PROTECTED]>:
> > Why can't it work?  I've seen this discussed a number of times, but
> > never really been told why it doesn't work.  That $ is there for
> > exactly that reason you know - to make them different.  
> 
> Er, not exactly.  If I remember correctly, the "$" in the passwd file is just a
> Samba-specific nomenclature, correct?  Plus CIFS has all sorts of "trailing
> characters" after NetBIOS names that are _not_ part of the unique NetBIOS name
> itself.

These are different.  The $ termination is a NT suffix, that NT adds to
its machine accounts.  The netbios issues are separate.  (And as any
user may add a netbios name to the network, Samba really isn't in a
position to prevent this from occurring).

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: machine names same as usernames -> problems... -- here's a "real world" NetBIOS clusterfsck ...

2003-02-06 Thread Bryan J. Smith

Quoting Andrew Bartlett <[EMAIL PROTECTED]>:
> Why can't it work?  I've seen this discussed a number of times, but
> never really been told why it doesn't work.  That $ is there for
> exactly that reason you know - to make them different.  

Er, not exactly.  If I remember correctly, the "$" in the passwd file is just a
Samba-specific nomenclature, correct?  Plus CIFS has all sorts of "trailing
characters" after NetBIOS names that are _not_ part of the unique NetBIOS name
itself.

Understand CIFS itself _requires_ NetBIOS names _must_ be _unique_, otherwise a
service or resource may be attempting to connect to the address of a NetBIOS
"user" (impossible) instead of the address of a NetBIOS "system".

FIRST HAND EXPERIENCE (as I documented in "Samba Unleashed") ...

I've seen this _first_hand_ with a Cassiopeia PDA, and a user go nuts for over a
day with Casio's tech support.  This was right after the first CE devices had
come out.  He was trying to get it to sync with Outlook running on NT 4.0
Workstation.  I came over, saw that it used RAS, and instantly "took a shot" at
the problem being related to using the same NetBIOS name for both the username
and systemname.

Sure enough, it was.  I called Cassiopeia and let them know.  A few weeks later,
I was called back and _thanked_ for identifying that, because they had a _lot_
of calls that they were able to solve from that point on.  One technician even
told me that problem had been escalated to Microsoft themselves, who said "doh,
we should have thought of checking that" after hearing of my resolution.  Again,
this is right after the first CE devices, like the Cassiopeias, had come out and
just started to become widespread.

[ I also actually hadn't been at that job very long either, and it helped me
"drive my point home" that users should _not_ be renaming their systems to their
username. ;-> ]

> I think it's not good practice to have machine names and usernames
> be the same but i also don't think samba should fail cryptically in
> that situation...

As with most things CIFS/SMB, it's _not_ Samba but the Windows _clients_
themselves.  Windows _clients_ often make assumptions, don't differentiate
between resources, etc... and are _never_ coded to resolve such things.

-- 
Bryan J. Smith |  Peace is a fruitless endeavor
http://thebs.org   |  When a defeated aggressor
Engineer, IT Professional  |  Has not, will not nor will ever
Proud American Forever |  Adhere to terms of its surrender




Re: machine names same as usernames -> problems...

2003-02-06 Thread Andrew Bartlett
On Fri, 2003-02-07 at 01:04, Bradley W. Langhorst wrote:
> Since samba 2.2.8 seems to be on the way I thought I might raise this
> issue before release.
> 
> I've seen a few users get confused by the fact that their machine name
> and their user name cannot be very similar
> 
> adil (users) and
> adil$ (machine)
> cannot work.

Why can't it work?  I've seen this discussed a number of times, but
never really been told why it doesn't work.  That $ is there for exactly
that reason you know - to make them different.  

> I think it's not good practice to have machine names and usernames be
> the same but i also don't think samba should fail cryptically in that
> situation...

Can you describe the failure please?  

> The usernames are different - why does this fail?
> I'm guessing that the $ gets stripped off somewhere but why?
> 
> At minimum we should provide an explicit prohibition in the docs 
> (doc patch for SAMBA2_2 follows)
> 
> 
> diff -u -r1.1.2.15 Samba-PDC-HOWTO.sgml
> --- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml   28 Nov 2001 22:03:22
> -  1.1.2.15
> +++ docs/docbook/projdoc/Samba-PDC-HOWTO.sgml   6 Feb 2003 14:02:08
> -
> @@ -288,6 +288,11 @@
>  account, and thus has no shared secret with the domain controller.
>  
> 
> +Note: Machine accounts must not have the same base names as user
> +accounts.  eg.  The machine account "sambauser1$" is not allowed when
> +there is a regular user "sambauser1".
> +
> +
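Review bot: as quoted here, the `---` and `+++` file-header lines are wrapped onto a second line ("-  1.1.2.15" and "-" on their own), so patch(1) will not parse the file headers; resend the diff unwrapped or as an attachment. The two trailing "+" lines only add blank lines to the SGML, and "eg." should read "e.g.".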

Certainly at the SAM level, there is no reason for this restriction. 
There may be other good reasons, but an NT SAM (and therefore smbpasswd
etc) should have no problem with this.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





Re: machine names same as usernames -> problems...

2003-02-06 Thread David Bear
On Thu, Feb 06, 2003 at 09:04:14AM -0500, Bradley W. Langhorst wrote:
> Since samba 2.2.8 seems to be on the way I thought I might raise this
> issue before release.
> 
> I've seen a few users get confused by the fact that their machine name
> and their user name cannot be very similar
> 
> adil (users) and
> adil$ (machine)
> cannot work.
> 
> I think it's not good practice to have machine names and usernames be
> the same but i also don't think samba should fail cryptically in that
> situation...
> 
Is this not a holdover from NETBIOS and the way the NETBIOS 'protocol'
worked -- flat namespace, distributed database, unique and group
level identifiers, etc.?  If you've been doing samba or any other
netbios based network you already know this.  However, what happens
with netbiosless smb? aka port 443 smb...  I just ran into a name
resolution issue that caught me for two hours before I figured it out
-- all due to the flat namespace that netbios has...

samba can't go too far from whatever CIFS may define in this regard,
but maybe using the FQDN for the machine name and some other unqualified
name for user names may be the answer.

And yes, there needs to be updated documentation.  I'd volunteer if I
didn't have to read C code...

-- 
David Bear
College of Public Programs/ASU
Mail Code 0803



machine names same as usernames -> problems...

2003-02-06 Thread Bradley W. Langhorst
Since samba 2.2.8 seems to be on the way I thought I might raise this
issue before release.

I've seen a few users get confused by the fact that their machine name
and their user name cannot be very similar

adil (users) and
adil$ (machine)
cannot work.

I think it's not good practice to have machine names and usernames be
the same but i also don't think samba should fail cryptically in that
situation...

The usernames are different - why does this fail?
I'm guessing that the $ gets stripped off somewhere but why?

At minimum we should provide an explicit prohibition in the docs 
(doc patch for SAMBA2_2 follows)


diff -u -r1.1.2.15 Samba-PDC-HOWTO.sgml
--- docs/docbook/projdoc/Samba-PDC-HOWTO.sgml   28 Nov 2001 22:03:22
-  1.1.2.15
+++ docs/docbook/projdoc/Samba-PDC-HOWTO.sgml   6 Feb 2003 14:02:08
-
@@ -288,6 +288,11 @@
 account, and thus has no shared secret with the domain controller.
 

+Note: Machine accounts must not have the same base names as user
+accounts.  eg.  The machine account "sambauser1$" is not allowed when
+there is a regular user "sambauser1".
+
+
 A Windows PDC stores each machine trust account in the Windows
 Registry.  A Samba PDC, however, stores each machine trust account
 in two parts, as follows:
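Review bot: the added note states a blanket prohibition ("must not") without saying what the reader will actually observe or where the restriction comes from, which leaves the failure just as cryptic as the post complains it is; since the symptom is a failed domain join, the note should name that symptom and explain that the machine trust account's base name collides with the existing user, e.g. "A machine account whose base name matches an existing user (sambauser1$ alongside sambauser1) will fail to join the domain." Also "eg." should be "e.g.", and the two trailing "+" lines add only blank lines.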

-- 
Bradley W. Langhorst <[EMAIL PROTECTED]>