[Samba] Re: Samba offering dynamic homes share trouble..
Nolan Garrett
confed16 at myexcel.com
Fri Feb 28 19:39:54 GMT 2003
I had a similiar problem: try /home/%S
Nolan
Bob Ambroso wrote:
> I have samba running on RH 8, samba 2.2.7-2, and using winbind..
>
> Want "homes" share to automatically display as users access it.
> Thought I could use the %u but am having no luck.. Currently, have it
> set up but
> when user clicks on home share a username/password dialog displays and
> will not accept valid credentials for that user? Have
> my config and log snips from nmbd and machine account log as displayed
> below:
> smb.conf:
> My smb.conf file:
> # This is the main Samba configuration file. You should read the
> # smb.conf(5) manual page in order to understand the options listed
> # here. Samba has a huge number of configurable options (perhaps too
> # many!) most of which are not shown in this example
> #
> # Any line which starts with a ; (semi-colon) or a # (hash)
> # is a comment and is ignored. In this example we will use a #
> # for commentry and a ; for parts of the config file that you
> # may wish to enable
> #
> # NOTE: Whenever you modify this file you should run the command
> "testparm"
> # to check that you have not made any basic syntactic errors.
> #
> #======================= Global Settings
> =====================================
> [global]
>
> # workgroup = NT-Domain-Name or Workgroup-Name
> workgroup = LIBRARY
>
> # server string is the equivalent of the NT Description field
> server string = Samba Server
>
> #netbios name of machine
> ;netbios name = placer
> # This option is important for security. It allows you to restrict
> # connections to machines which are on your local network. The
> # following example restricts access to two C class networks and
> # the "loopback" interface. For more examples of the syntax see
> # the smb.conf man page
> ; hosts allow = 192.168.15. 192.168.11. 127.0.0.
>
> # if you want to automatically load your printer list rather
> # than setting them up individually then you'll need this
> printcap name = /etc/printcap
> load printers = yes
>
> # It should not be necessary to spell out the print system type unless
> # yours is non-standard. Currently supported print systems include:
> # bsd, sysv, plp, lprng, aix, hpux, qnx
> printing = lprng
>
> # Uncomment this if you want a guest account, you must add this to
> /etc/passwd
> # otherwise the user "nobody" is used
> ; guest account = pcguest
>
> # this tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/%m.log
>
> # Put a capping on the size of the log files (in Kb).
> max log size = 0
>
> # Security mode. Most people will want user level security. See
> # security_level.txt for details.
> security = domain
>
> # Use password server option only with security = server
> # The argument list may include:
> # password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> # or to auto-locate the domain controller/s
> ; password server = *
> password server = NTPDC LASSEN
>
> # Password Level allows matching of _n_ characters of the password for
> # all combinations of upper and lower case.
> ; password level = 8
> ; username level = 8
>
> # You may wish to use password encryption. Please read
> # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
> # Do not enable this option unless you have read those documents
> encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
>
> # The following is needed to keep smbclient from spouting spurious
> errors
> # when Samba is built with support for SSL.
> ; ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt
>
> # The following are needed to allow password changing from Windows to
> # update the Linux system password also.
> # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
> # NOTE2: You do NOT need these to allow workstations to change only
> # the encrypted SMB passwords. They allow the Unix password
> # to be kept in sync with the SMB password.
> unix password sync = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> # You can use PAM's password change control flag for Samba. If
> # enabled, then PAM will be used for password changes when requested
> # by an SMB client instead of the program listed in passwd program.
> # It should be possible to enable this without changing your passwd
> # chat parameter for most setups.
>
> pam password change = yes
>
> # Unix users can map to different SMB User names
> ; username map = /etc/samba/smbusers
>
> # Using the following line enables you to customise your configuration
> # on a per machine basis. The %m gets replaced with the netbios name
> # of the machine that is connecting
> ; include = /etc/samba/smb.conf.%m
>
> # This parameter will control whether or not Samba should obey PAM's
> # account and session management directives. The default behavior is
> # to use PAM for clear text authentication only and to ignore any
> # account or session management. Note that Samba always ignores PAM
> # for authentication in the case of encrypt passwords = yes
>
> obey pam restrictions = yes
>
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> # Configure Samba to use multiple interfaces
> # If you have multiple network interfaces then you must list them
> # here. See the man page for details.
> ; interfaces = 192.168.12.2/24 192.168.13.2/24
>
> # Configure remote browse list synchronisation here
> # request announcement to, or browse list sync from:
> #a specific host or from / to a whole subnet (see below)
> ; remote browse sync = 192.168.3.25 192.168.5.255
> # Cause this host to announce itself to local subnets here
> ; remote announce = 192.168.1.255 192.168.2.44
>
> # Browser Control Options:
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> ; local master = no
>
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
> ; os level = 33
>
> # Domain Master specifies Samba to be the Domain Master Browser. This
> # allows Samba to collate browse lists between subnets. Don't use this
> # if you already have a Windows NT domain controller doing this job
> ; domain master = yes
>
> # Preferred Master causes Samba to force a local browser election on
> startup
> # and gives it a slightly higher chance of winning the election
> ; preferred master = yes
>
> # Enable this if you want Samba to be a domain logon server for
> # Windows95 workstations.
> ; domain logons = yes
>
> # if you enable domain logons then you may want a per-machine or
> # per user logon script
> # run a specific logon batch file per workstation (machine)
> ; logon script = %m.bat
> # run a specific logon batch file per username
> ; logon script = %U.bat
>
> # Where to store roving profiles (only for Win95 and WinNT)
> # %L substitutes for this servers netbios name, %U is username
> # You must uncomment the [Profiles] share below
> ; logon path = \\%L\Profiles\%U
>
> # Windows Internet Name Serving Support Section:
> # WINS Support - Tells the NMBD component of Samba to enable it's WINS
> Server
> ; wins support = yes
>
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> #Note: Samba can be either a WINS Server, or a WINS Client, but
> NOT both
> wins server = 192.168.1.70
>
> # WINS Proxy - Tells Samba to answer name resolution queries on
> # behalf of a non WINS capable client, for this to work there must be
> # at least one WINS Server on the network. The default is NO.
> ; wins proxy = yes
>
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
> # this has been changed in version 1.9.18 to no.
> dns proxy = no
>
> # Case Preservation can be handy - system default is _no_
> # NOTE: These can be set on a per share basis
> ; preserve case = no
> ; short preserve case = no
> # Default case is normally upper case for all DOS files
> ; default case = lower
> # Be very careful with case sensitivity - it can break things!
> ; case sensitive = no
> # separate domain and username with '+' , like domain+USERNAME
> winbind separator = +
> # use uids from 10000 to 20000 for domain users
> winbind uid = 10000-20000
> #use guids from 10000 to 20000 for domain groups
> winbind gid = 10000-20000
> # allow enumeration of winbind users and groups
> # might need to disable the next two for performance
> # reasons on the winbind host
> winbind enum users = yes
> winbind enum groups = yes
> # give winbind usrs a real shell (only needed if they have telnet
> access)
> template homedir = /home/winnt/%D/%U
> template shell = /bin/bash
>
> #============================ Share Definitions
> ==============================
> [homes]
> comment = Home Directory for %S
> path = /home/%u
> force user = %u
> browseable = no
> writable = yes
> valid users = %u cityhall+administrator library+administrator
> # This test share works perfectly.. Only allows those users listed. All
> others
> #are prompted by a login dialog box.
> [CH_Test]
> comment = Test Samba Share
> path = /usr/local/CH_Test
> valid users = domain+user1 domain+user2 domain+user2
> domain+user3
> public = no
> writable = yes
> printable = no
> create mask = 0765
> browseable = yes
>
>>From machine_name.log:
> [2003/02/27 15:10:14, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:14, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
> cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:14, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
> connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:18, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:18, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
> cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:18, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
> connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:25, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:25, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
> cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:25, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
> connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
>
>>From nmbd.log
> [2003/02/27 07:51:43, 0] nmbd/nmbd.c:main(794)
> Netbios nameserver version 2.2.7 started.
> Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2003/02/27 07:51:47, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
> find_response_record: response packet id 12554 received with no
> matching record.
> [2003/02/27 07:51:47, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
> find_response_record: response packet id 12555 received with no
> matching record.
> [2003/02/27 14:24:15, 0] nmbd/nmbd.c:terminate(59)
> Got SIGTERM: going down...
> [2003/02/27 14:24:16, 0] nmbd/nmbd.c:main(794)
> Netbios nameserver version 2.2.7 started.
> Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2003/02/27 14:27:17, 0] nmbd/nmbd.c:terminate(59)
> Got SIGTERM: going down...
> [2003/02/27 14:27:17, 0] nmbd/nmbd.c:main(794)
> Netbios nameserver version 2.2.7 started.
> Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2003/02/27 14:27:21, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
> find_response_record: response packet id 3502 received with no
> matching record.
> [2003/02/27 14:27:21, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
> find_response_record: response packet id 3503 received with no
> matching record.
>
> [2003/02/27 15:10:14, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:14, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
> cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:14, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
> connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:18, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:18, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
> cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:18, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
> connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:25, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:25, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
> cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:25, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
> connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
>
> Sharing lots of home directories
> So, we've covered how to share a single home directory. But what do you
> do if you happen to administrate a server that contains hundreds of
> users, all of whom want to be able to access their home directories from
> Windows? Fortunately, Samba has a special share just for this purpose
> called "homes". Here's how it works:
>
> [homes]
> comment=Home directory for %S
> path=/home/%u
> valid users = %u administrator
> force user=%u
> writeable = yes
> browseable = no
> As I mentioned, this is a "special" share. It doesn't work like ordinary
> shares. Samba recognizes the special identifier "[homes]" and treats
> this share differently.
> One of the most unusual things about this share is the use of the
> "browseable=no " parameter. This particular option causes a share to be
> invisible under the Network Neighborhood, and it's normally used to
> deter those malicious users who may be tempted to "explore" any share
> they can see. But why use it here?
> The answer is a bit tricky. You see, the "homes" share does create a
> share called "homes". But that particular share is of no use to us. It
> doesn't do anything, so we hide it. What the "homes" share does do for
> us is quite tremendous. It tells Samba to automatically create home
> directories on the fly for each individual user. For example, let's say
> our "drobbins" share wasn't defined in smb.conf and we explored the
> Network Neighborhood as NT user "drobbins ". We would find a share
> called "drobbins" that would behave identically to our original
> "drobbins" share. If we accessed Samba using the NT user "jimmy", we'd
> find a perfectly configured "jimmy" share. This is the beauty of homes.
> Adding one special share causes all home shares to be properly created.
> Now, how does it work? When the "homes" share is set up, Samba will
> detect which NT user is accessing Samba. Then it will create a home
> share that's been customized for this particular user. This share will
> show up in the Network Neighborhood as if it's a normal, non-dynamic
> share. The NT user will have no idea that this particular share was
> created on the fly. Let's look at what each particular option does:
> The comment parameter uses the %S wildcard, which expands to the actual
> name of the share. This will cause the "drobbins" share to have the
> comment "Home directory for drobbins", the "jimmy" share to have the
> comment "Home directory for jimmy", etc. The path parameter also
> contains the wildcard %u. %u expands to the name of the user accessing
> the share. In this particular case, %u is equivalent %S, so we could
> have used path=/home/%S instead. This allows Samba to dynamically map
> the share to the proper location on disk.
> Again, we use macros in the "valid users=" line so that only the owner
> of the share and administrator are allowed to access it. "force user"
> uses a macro too, so that all file access will be performed by a single
> account. And of course we make the share writeable for any authenticated
> users. While we use the "browseable=no " parameter, the
> dynamically-created shares will be browseable when they are created.
> Again, this just hides the non-functional "homes" share.
>
>
> Bob Ambroso
> Information Services Technician
> Whittier Public Library
> 7344 S. Washington Ave
> Whittier, CA 90602
> (562) 464-3452
> mailto:BAmbroso at whittierpl.org
More information about the samba
mailing list