[Samba] ARGH!!! Samba and Re-installing Windows 2000
Van Sickler, Jim
vansickj-eodc at Kaman.com
Tue Apr 16 08:07:01 GMT 2002
> -----Original Message-----
> From: James Kreuziger [mailto:jkreuzig at massun.peds.mc.uci.edu]
> Sent: Monday, April 15, 2002 7:46 PM
> To: samba at lists.samba.org
> Subject: [Samba] ARGH!!! Samba and Re-installing Windows 2000
>
>
> Ok, I'll try the questions again and hopefully get
> some help.
>
> Current setup:
>
> Samba 2.2.3a running on Solaris 8 set up as a PDC.
> Various systems running Windows 95/98/NT 4.0.
> TRYING to add new Windows 2000 machines.
>
> Problem is, when I add the new machines to the domain,
> the group "DOMAIN\unix_group.2147483404" gets added to
> both the Administrators group and Users group. So domain
> users start with Administrator rights! If I remove
> the "DOMAIN\unix_group.2147483404" group from the Administrators
> group, it mucks thinks up bad enough to require a reinstall
> of Win2k. I'd like to think that this is not a required
> feature of using Samba with Win2k. I would like to restrict
> users to the same rights as normal users, so I can lock down
> who can install software on each individual machine. As it
> stands now, I can't do that.
>
> Now for the new part. I've managed to get Win2k re-installed,
> and I'm still having problems. When I try to join the domain
> is when I have problems. I'm successful in joing the domain,
> but after reboot is when weird things happen. The
> "DOMAIN\unix_group.2147483404" is back in the Administrators
> group. Whoever logs into the domain through THIS SPECIFIC
> MACHINE gets logged on, and all of the mapped shares show up
> with the "red x" through them. This indicates that the shares
> are not logged into. However, the shares can be accessed. If
> I set log level = 3 (or greater) it shows a number of the following:
>
> [2002/04/15 19:21:53, 4] smbd/password.c:password_ok(602)
> Null passwords not allowed.
>
> Followed by:
>
> [2002/04/15 19:21:53, 2] smbd/service.c:make_connection(328)
> Invalid username/password for share_name [samba]
>
> These messages occur for each share I have, with the samba
> user being my guest user. Funny thing, the samba (guest) user
> can log in and the same messages appear. If I bump up the log level
> high enough, I start getting the following:
>
> [2002/04/12 17:07:40, 2] smbd/service.c:make_connection(328)
> Invalid username/password for share_name [samba]
> [2002/04/12 17:07:40, 3] smbd/error.c:error_packet(103)
> error packet at smbd/reply.c(167) cmd=117 (SMBtconX)
> NT_STATUS_WRONG_PASSWORD
>
> I have my logs set up by machine (log file =
> /samba/current/var/log.smbd.%m) and I don't see this in any other
> log file. I've tried a number of things, including
> dropping out of the domain and re-joining, and this still
> occurs ONLY ON THIS ONE MACHINE!
>
> I'm really pulling my hair out, because nothing seems to
> work right. I might add that this is the only problem
> that I have had with samba that I haven't been able to
> get solved by reading the newsgroup or emailing someone.
> So far, I've had nothing but good luck using samba.
>
> I'm including the global section of my smb.conf, if it
> helps.
>
> Thanks,
>
Jim,
Did you run the Microsoft Personal Security Advisor (MPSA)
on this machine? I seem to remember having problems with
shares after setting RestrictAnonymous=2. Setting it to
1 fixed the issues.
RestrictAnonymous Values and their basic effect:
0 None. Rely on default permissions
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions
The red X's are okay, I think; Win2k restores mapped
drive links, but doesn't connect to them until you
explicitly do so. This saves a lot of bandwidth by
not handhaking idle mappings, and speeds up shutdown
and sleeping by not having to handshake disconnections.
It's actually a good thing, I think. Remember Win9x's
hang on shutdown? That was due to mapped drive issues.
HTH
Jim
More information about the samba
mailing list