[Samba] Re: Samba offering dynamic homes share trouble..

Nolan Garrett confed16 at myexcel.com
Fri Feb 28 19:39:54 GMT 2003 

I had a similiar problem: try /home/%S

Nolan

Bob Ambroso wrote:

> I have samba running on RH 8,  samba 2.2.7-2, and using winbind..
> 
> Want "homes" share to automatically display as users access it.
> Thought I could use the %u but am having no luck.. Currently, have it
> set up but
> when user clicks on home share a username/password dialog displays and
> will not accept valid credentials for that user? Have
> my config and log snips from nmbd and machine account log as displayed
> below:
>  smb.conf:
> My smb.conf file:
> # This is the main Samba configuration file. You should read the
> # smb.conf(5) manual page in order to understand the options listed
> # here. Samba has a huge number of configurable options (perhaps too
> # many!) most of which are not shown in this example
> #
> # Any line which starts with a ; (semi-colon) or a # (hash)
> # is a comment and is ignored. In this example we will use a #
> # for commentry and a ; for parts of the config file that you
> # may wish to enable
> #
> # NOTE: Whenever you modify this file you should run the command
> "testparm"
> # to check that you have not made any basic syntactic errors.
> #
> #======================= Global Settings
> =====================================
> [global]
> 
> # workgroup = NT-Domain-Name or Workgroup-Name
>    workgroup = LIBRARY
> 
> # server string is the equivalent of the NT Description field
>    server string = Samba Server
> 
> #netbios name of machine
> ;netbios name = placer
> # This option is important for security. It allows you to restrict
> # connections to machines which are on your local network. The
> # following example restricts access to two C class networks and
> # the "loopback" interface. For more examples of the syntax see
> # the smb.conf man page
> ;   hosts allow = 192.168.15. 192.168.11. 127.0.0.
> 
> # if you want to automatically load your printer list rather
> # than setting them up individually then you'll need this
>    printcap name = /etc/printcap
>    load printers = yes
> 
> # It should not be necessary to spell out the print system type unless
> # yours is non-standard. Currently supported print systems include:
> # bsd, sysv, plp, lprng, aix, hpux, qnx
>    printing = lprng
> 
> # Uncomment this if you want a guest account, you must add this to
> /etc/passwd
> # otherwise the user "nobody" is used
> ;  guest account = pcguest
> 
> # this tells Samba to use a separate log file for each machine
> # that connects
>    log file = /var/log/samba/%m.log
> 
> # Put a capping on the size of the log files (in Kb).
>    max log size = 0
> 
> # Security mode. Most people will want user level security. See
> # security_level.txt for details.
>    security = domain
> 
> # Use password server option only with security = server
> # The argument list may include:
> #   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
> # or to auto-locate the domain controller/s
> ;    password server = *
>      password server = NTPDC LASSEN
> 
> # Password Level allows matching of _n_ characters of the password for
> # all combinations of upper and lower case.
> ;  password level = 8
> ;  username level = 8
> 
> # You may wish to use password encryption. Please read
> # ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
> # Do not enable this option unless you have read those documents
>    encrypt passwords = yes
>    smb passwd file = /etc/samba/smbpasswd
> 
> # The following is needed to keep smbclient from spouting spurious
> errors
> # when Samba is built with support for SSL.
> ;   ssl CA certFile = /usr/share/ssl/certs/ca-bundle.crt
> 
> # The following are needed to allow password changing from Windows to
> # update the Linux system password also.
> # NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
> # NOTE2: You do NOT need these to allow workstations to change only
> #        the encrypted SMB passwords. They allow the Unix password
> #        to be kept in sync with the SMB password.
>    unix password sync = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
> 
> # You can use PAM's password change control flag for Samba. If
> # enabled, then PAM will be used for password changes when requested
> # by an SMB client instead of the program listed in passwd program.
> # It should be possible to enable this without changing your passwd
> # chat parameter for most setups.
> 
>    pam password change = yes
> 
> # Unix users can map to different SMB User names
> ;  username map = /etc/samba/smbusers
> 
> # Using the following line enables you to customise your configuration
> # on a per machine basis. The %m gets replaced with the netbios name
> # of the machine that is connecting
> ;   include = /etc/samba/smb.conf.%m
> 
> # This parameter will control whether or not Samba should obey PAM's
> # account and session management directives. The default behavior is
> # to use PAM for clear text authentication only and to ignore any
> # account or session management. Note that Samba always ignores PAM
> # for authentication in the case of encrypt passwords = yes
> 
>   obey pam restrictions = yes
> 
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
>    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
> # Configure Samba to use multiple interfaces
> # If you have multiple network interfaces then you must list them
> # here. See the man page for details.
> ;   interfaces = 192.168.12.2/24 192.168.13.2/24
> 
> # Configure remote browse list synchronisation here
> #  request announcement to, or browse list sync from:
> #a specific host or from / to a whole subnet (see below)
> ;   remote browse sync = 192.168.3.25 192.168.5.255
> # Cause this host to announce itself to local subnets here
> ;   remote announce = 192.168.1.255 192.168.2.44
> 
> # Browser Control Options:
> # set local master to no if you don't want Samba to become a master
> # browser on your network. Otherwise the normal election rules apply
> ;   local master = no
> 
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
> ;   os level = 33
> 
> # Domain Master specifies Samba to be the Domain Master Browser. This
> # allows Samba to collate browse lists between subnets. Don't use this
> # if you already have a Windows NT domain controller doing this job
> ;   domain master = yes
> 
> # Preferred Master causes Samba to force a local browser election on
> startup
> # and gives it a slightly higher chance of winning the election
> ;   preferred master = yes
> 
> # Enable this if you want Samba to be a domain logon server for
> # Windows95 workstations.
> ;   domain logons = yes
> 
> # if you enable domain logons then you may want a per-machine or
> # per user logon script
> # run a specific logon batch file per workstation (machine)
> ;   logon script = %m.bat
> # run a specific logon batch file per username
> ;   logon script = %U.bat
> 
> # Where to store roving profiles (only for Win95 and WinNT)
> #        %L substitutes for this servers netbios name, %U is username
> #        You must uncomment the [Profiles] share below
> ;   logon path = \\%L\Profiles\%U
> 
> # Windows Internet Name Serving Support Section:
> # WINS Support - Tells the NMBD component of Samba to enable it's WINS
> Server
> ;   wins support = yes
> 
> # WINS Server - Tells the NMBD components of Samba to be a WINS Client
> #Note: Samba can be either a WINS Server, or a WINS Client, but
> NOT both
>    wins server = 192.168.1.70
> 
> # WINS Proxy - Tells Samba to answer name resolution queries on
> # behalf of a non WINS capable client, for this to work there must be
> # at least one        WINS Server on the network. The default is NO.
> ;   wins proxy = yes
> 
> # DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
> # via DNS nslookups. The built-in default for versions 1.9.17 is yes,
> # this has been changed in version 1.9.18 to no.
>    dns proxy = no
> 
> # Case Preservation can be handy - system default is _no_
> # NOTE: These can be set on a per share basis
> ;  preserve case = no
> ;  short preserve case = no
> # Default case is normally upper case for all DOS files
> ;  default case = lower
> # Be very careful with case sensitivity - it can break things!
> ;  case sensitive = no
> # separate domain and username with '+' , like domain+USERNAME
> winbind separator = +
> # use uids from 10000 to 20000 for domain users
> winbind uid = 10000-20000
> #use guids from 10000 to 20000 for domain groups
> winbind gid = 10000-20000
> # allow enumeration of winbind users and groups
> # might need to disable the next two for performance
> # reasons on the winbind host
> winbind enum users = yes
> winbind enum groups = yes
> # give winbind usrs a real shell (only needed if they have telnet
> access)
>  template homedir = /home/winnt/%D/%U
>  template shell = /bin/bash
> 
> #============================ Share Definitions
> ==============================
> [homes]
>    comment = Home Directory for %S
>    path = /home/%u
>    force user = %u
>    browseable = no
>    writable = yes
>    valid users = %u cityhall+administrator library+administrator
> # This test share works perfectly.. Only allows those users listed. All
> others
> #are prompted by a login dialog box.
> [CH_Test]
> comment = Test Samba Share
> path = /usr/local/CH_Test
> valid users = domain+user1 domain+user2 domain+user2
> domain+user3
> public = no
> writable = yes
> printable = no
> create mask = 0765
> browseable = yes
> 
>>From machine_name.log:
> [2003/02/27 15:10:14, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:14, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:14, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
>   connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:18, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:18, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:18, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
>   connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:25, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:25, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:25, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
>   connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> 
>>From nmbd.log
> [2003/02/27 07:51:43, 0] nmbd/nmbd.c:main(794)
>   Netbios nameserver version 2.2.7 started.
>   Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2003/02/27 07:51:47, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
>   find_response_record: response packet id 12554 received with no
> matching record.
> [2003/02/27 07:51:47, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
>   find_response_record: response packet id 12555 received with no
> matching record.
> [2003/02/27 14:24:15, 0] nmbd/nmbd.c:terminate(59)
>   Got SIGTERM: going down...
> [2003/02/27 14:24:16, 0] nmbd/nmbd.c:main(794)
>   Netbios nameserver version 2.2.7 started.
>   Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2003/02/27 14:27:17, 0] nmbd/nmbd.c:terminate(59)
>   Got SIGTERM: going down...
> [2003/02/27 14:27:17, 0] nmbd/nmbd.c:main(794)
>   Netbios nameserver version 2.2.7 started.
>   Copyright Andrew Tridgell and the Samba Team 1994-2002
> [2003/02/27 14:27:21, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
>   find_response_record: response packet id 3502 received with no
> matching record.
> [2003/02/27 14:27:21, 0]
> nmbd/nmbd_responserecordsdb.c:find_response_record(235)
>   find_response_record: response packet id 3503 received with no
> matching record.
> 
>  [2003/02/27 15:10:14, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:14, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:14, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
>   connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:18, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:18, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:18, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
>   connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> [2003/02/27 15:10:25, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> [2003/02/27 15:10:25, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/27 15:10:25, 0]
> smbd/password.c:connect_to_domain_password_server(1367)
>   connect_to_domain_password_server: unable to setup the PDC credentials
> to machine NTPDC. Error was : NT_STATUS_OK.
> 
> Sharing lots of home directories
> So, we've covered how to share a single home directory. But what do you
> do if you happen to administrate a server that contains hundreds of
> users, all of whom want to be able to access their home directories from
> Windows? Fortunately, Samba has a special share just for this purpose
> called "homes". Here's how it works:
> 
> [homes]
>         comment=Home directory for %S
>         path=/home/%u
>         valid users = %u administrator
>         force user=%u
>         writeable = yes
>         browseable = no
> As I mentioned, this is a "special" share. It doesn't work like ordinary
> shares. Samba recognizes the special identifier "[homes]" and treats
> this share differently.
> One of the most unusual things about this share is the use of the
> "browseable=no " parameter. This particular option causes a share to be
> invisible under the Network Neighborhood, and it's normally used to
> deter those malicious users who may be tempted to "explore" any share
> they can see. But why use it here?
> The answer is a bit tricky. You see, the "homes" share does create a
> share called "homes". But that particular share is of no use to us. It
> doesn't do anything, so we hide it. What the "homes" share does do for
> us is quite tremendous. It tells Samba to automatically create home
> directories on the fly for each individual user. For example, let's say
> our "drobbins" share wasn't defined in smb.conf and we explored the
> Network Neighborhood as NT user "drobbins ". We would find a share
> called "drobbins" that would behave identically to our original
> "drobbins" share. If we accessed Samba using the NT user "jimmy", we'd
> find a perfectly configured "jimmy" share. This is the beauty of homes.
> Adding one special share causes all home shares to be properly created.
> Now, how does it work? When the "homes" share is set up, Samba will
> detect which NT user is accessing Samba. Then it will create a home
> share that's been customized for this particular user. This share will
> show up in the Network Neighborhood as if it's a normal, non-dynamic
> share. The NT user will have no idea that this particular share was
> created on the fly. Let's look at what each particular option does:
> The comment parameter uses the %S wildcard, which expands to the actual
> name of the share. This will cause the "drobbins" share to have the
> comment "Home directory for drobbins", the "jimmy" share to have the
> comment "Home directory for jimmy", etc. The path parameter also
> contains the wildcard %u. %u expands to the name of the user accessing
> the share. In this particular case, %u is equivalent %S, so we could
> have used path=/home/%S instead. This allows Samba to dynamically map
> the share to the proper location on disk.
> Again, we use macros in the "valid users=" line so that only the owner
> of the share and administrator are allowed to access it. "force user"
> uses a macro too, so that all file access will be performed by a single
> account. And of course we make the share writeable for any authenticated
> users. While we use the "browseable=no " parameter, the
> dynamically-created shares will be browseable when they are created.
> Again, this just hides the non-functional "homes" share.
> 
> 
> Bob Ambroso
> Information Services Technician
> Whittier Public Library
> 7344 S. Washington Ave
> Whittier, CA 90602
> (562) 464-3452
> mailto:BAmbroso at whittierpl.org

More information about the samba mailing list