Kenneth Illingsworth illingsk at cityofrochester.gov
Mon Dec 23 19:07:01 GMT 2002

Thank you for replying. You are correct in that the version of SAMBA is 2.2.1 . 

I was not aware of the WinXP_SignOrSeal.reg registry update. However, I am aware of WinXP SP1 which has been applied. I suspect that the WinXP_SignOrSeal.reg registry update is separate from SP1. I will attempt to obtain the registry update and apply it to the XP workstation.

Any direction you can give on this issue would be greatly appreciated.

Here is an additional observation:  From the SAMBA Troubleshooting Guide, I have encountered the precise anomaly that I am experiencing:

Symptom:	It is possible to "ping" the HOST from the client (on port 7; the echo port) but the client is unable to obtain the list of shares on HOST. [I can ping either the IP addr or the NetBIOS name of the server from the workstation].

Cause:	Traffic on one or more of the NetBIOS-over-TCP ports (137, 138, 139) are blocked. To verify this, type one of the following commands:

 	nbtstat -A

If this command shows a list of NetBIOS names, then port 137 is open. Otherwise, it is blocked. [The COFR3 server is listed along with the COFRNY domain as shown in the separate section below].

Resolution:	Find the router, firewall, switch or other device that is blocking ports 137-139 and reconfigure it. UDP traffic must be permitted on ports 137 and 138, and TCP traffic must be permitted on port 139. [Since this Linux server is a Virtual Machine, could this be interpreted as an issue with its TCP/IP configuration?].

I could not run a traceroute on the workstations NetBIOS name from the Linux server as it was an unknown host. However, I was able to obtain the following using the workstations leased IP address: 

traceroute to (, 30 hops max, 38 byte packets
 1 (  7.462 ms  0.812 ms  0.678 ms
 2 (  3.379 ms  23.449 ms  5.059 ms

Here are the results of the nbstat command above:

C:\>nbtstat -A

Local Area Connection:
Node IpAddress: [] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    COFR3          <00>  UNIQUE      Registered
    COFR3          <03>  UNIQUE      Registered
    COFR3          <20>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
    COFRNY         <00>  GROUP       Registered
    COFRNY         <1B>  UNIQUE      Registered
    COFRNY         <1C>  GROUP       Registered
    COFRNY         <1D>  UNIQUE      Registered
    COFRNY         <1E>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00

COFR3 is the NetBIOS name of the server, and COFRNY is the workgroup name that I am trying to use to set up the domain.

>>> John H Terpstra <jht at samba.org> 12/23/02 12:48PM >>>

You did not mention the samba version. Suspect you are using 2.2.x.
Did you apply the WinXP_SignOrSeal.reg registry update?
You will need to as XP defaults to this and samba-2.2.x does not support
it yet.

- John T.

On Mon, 23 Dec 2002, Kenneth Illingsworth wrote:

> I followed the procedure to configure SAMBA as a PDC as outlined in samba/swat.cgi/swat/using_samba/ch06_05.html on my Linux server. My domain name is COFRNY, and I expected a COFRNY.SID to be generated. However,   MACHINE.SID was generated instead. Furthermore, I cannot see the COFRNY domain listed within MS Networks on my XP workstation. Any ideas on what I did wrong?
> Here is the procedure in detail:
> [global]
> workgroup = COFRNY
> domain logons = yes
> security = user
> os level = 34
> local master = yes
> preferred master = yes
> domain master = yes
> ------------------------------------------------
> For Windows NT clients you must also ensure that Samba is using encrypted passwords:
> encrypted passwords = yes
> Furthermore, also exclusively for Windows NT clients, create Trust accounts which allow a machine to log in to the PDC itself. Create a "dummy" account in the /etc/passwd file with the following entry:
> city-f5pfa29xta$:*:1000:900:Trust Account:/dev/null:/dev/null
> Note that we have also disabled the password field by placing a * in it. This is because Samba will use the smbpasswd file to contain the password instead, and we don't want anyone to telnet into the machine using that account. Additionally, '1000' is the UID of the account for the encrypted password database.
> Next, add the encrypted password using the smbpasswd command, as follows:
> # smbpasswd -a -m city-f5pfa29xta
> Added user city-f5pfa29xta$
> Password changed for user city-f5pfa29xta$
> The -m option specifies that a machine trust account is being generated. The smbpasswd program will automatically set the initial encrypted password as the NetBIOS name of the machine in lowercase letters. When specifying this option on the command line, do not put a dollar sign after the machine name - it will be appended automatically. Once the encrypted password has been added, Samba is ready to handle domain logins from a NT client.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba 

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list