[Samba] ARGH!!! Samba and Re-installing Windows 2000

[Van Sickler, Jim]

> -----Original Message-----
> From: James Kreuziger [mailto:jkreuzig at massun.peds.mc.uci.edu]
> Sent: Monday, April 15, 2002 7:46 PM
> To: samba at lists.samba.org
> Subject: [Samba] ARGH!!! Samba and Re-installing Windows 2000
> 
> 
> Ok, I'll try the questions again and hopefully get
> some help.
> 
> Current setup:
> 
> Samba 2.2.3a running on Solaris 8 set up as a PDC.
> Various systems running Windows 95/98/NT 4.0.
> TRYING to add new Windows 2000 machines.
> 
> Problem is, when I add the new machines to the domain,
> the group "DOMAIN\unix_group.2147483404" gets added to
> both the Administrators group and Users group.  So domain
> users start with Administrator rights!  If I remove
> the "DOMAIN\unix_group.2147483404" group from the Administrators
> group, it mucks thinks up bad enough to require a reinstall
> of Win2k.  I'd like to think that this is not a required
> feature of using Samba with Win2k.  I would like to restrict
> users to the same rights as normal users, so I can lock down
> who can install software on each individual machine.  As it
> stands now, I can't do that.
> 
> Now for the new part.  I've managed to get Win2k re-installed,
> and I'm still having problems.  When I try to join the domain
> is when I have problems.  I'm successful in joing the domain,
> but after reboot is when weird things happen.  The
> "DOMAIN\unix_group.2147483404" is back in the Administrators
> group.  Whoever logs into the domain through THIS SPECIFIC
> MACHINE gets logged on, and all of the mapped shares show up
> with the "red x" through them.  This indicates that the shares
> are not logged into.  However, the shares can be accessed.  If
> I set log level = 3 (or greater) it shows a number of the following:
> 
>   [2002/04/15 19:21:53, 4] smbd/password.c:password_ok(602)
>     Null passwords not allowed.
> 
> Followed by:
> 
>   [2002/04/15 19:21:53, 2] smbd/service.c:make_connection(328)
>     Invalid username/password for share_name [samba]
> 
> These messages occur for each share I have, with the samba
> user being my guest user.  Funny thing, the samba (guest) user
> can log in and the same messages appear.  If I bump up the log level
> high enough, I start getting the following:
> 
>   [2002/04/12 17:07:40, 2] smbd/service.c:make_connection(328)
>     Invalid username/password for share_name [samba]
>   [2002/04/12 17:07:40, 3] smbd/error.c:error_packet(103)
>     error packet at smbd/reply.c(167) cmd=117 (SMBtconX) 
> NT_STATUS_WRONG_PASSWORD
> 
> I have my logs set up by machine (log file =
> /samba/current/var/log.smbd.%m) and I don't see this in any other
> log file.  I've tried a number of things, including
> dropping out of the domain and re-joining, and this still
> occurs ONLY ON THIS ONE MACHINE!
> 
> I'm really pulling my hair out, because nothing seems to
> work right.  I might add that this is the only problem
> that I have had with samba that I haven't been able to
> get solved by reading the newsgroup or emailing someone.
> So far, I've had nothing but good luck using samba.
> 
> I'm including the global section of my smb.conf, if it
> helps.
> 
> Thanks,
> 
Jim,

  Did you run the Microsoft Personal Security Advisor (MPSA)
on this machine?  I seem to remember having problems with
shares after setting RestrictAnonymous=2. Setting it to
1 fixed the issues.

RestrictAnonymous Values and their basic effect:
0 None. Rely on default permissions
1 Do not allow enumeration of SAM accounts and names
2 No access without explicit anonymous permissions

The red X's are okay, I think;  Win2k restores mapped
drive links, but doesn't connect to them until you
explicitly do so.  This saves a lot of bandwidth by
not handhaking idle mappings, and speeds up shutdown
and sleeping by not having to handshake disconnections.
It's actually a good thing, I think.  Remember Win9x's
hang on shutdown?  That was due to mapped drive issues.

HTH
Jim