[Samba] samba>=3.0.4 - no more smbpasswd ? no more local auth when joined to domain ?
Adi Nugraha
adi at westindo.co.id
Thu Dec 9 08:23:41 GMT 2004
How about redirecting the smbpasswd file to the older version (assuming you
have one) using smbpasswd file = /file/path/smbpasswd ? I replaced my copy
of smbpasswd for 3.09 with a 2.216 and the smbpasswd command stopped
working (no new entry added to the smbpasswd file), but when I used that it
worked again.
"Izo" <I at siol.net> wrote in message news:41B8004E.8050807 at siol.net...
> Not only nobody reads news://linux.samba, nobody obviously reads this
> newsgroup also ! This is just the 5th time I am sending the same or
> similar message in the last 7 days with no response...
>
> I would like to point out that *I really need* help on this - either
> appointment to prompter resource or an answer about what is going on
> with my Samba installation
>
> Platform: SuSE-9.1, kernel-2.6.5, samba-3.0.4
>
> I have recently upgraded from 3.0.2a to 3.0.4 and I have just noticed
> that using the same smb.conf as with previous version, the system just
> does not work anymore for me !
> Furthermore, smbpasswd utility appears to be dropped !
>
> Afterwards, I have noticed that I had to join the domain once again
> (security = DOMAIN). Yet, I still could not log in on to my machine. Before
> joining again, every attempt to access shared resources on MYHOST failed with:
>
> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>
> This behaviour was just the same even if I tried to use a local samba
> user. This indicates that the smbpasswd file is either ignored (despite
> passdb backend being set to smbpasswd), or has changed its structure,
> or has been displaced. Anyway, browsing the samba docs I could only
> realize it was rather outdated (it referred to samba 3.0, obviously not
> to samba-3.0.4 and later), wasn't it ?
>
> # smbclient -U me -L MYHOST -d3
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> Unknown parameter encountered: "character set"
> Ignoring unknown parameter "character set"
> Unknown parameter encountered: "client code page"
> Ignoring unknown parameter "client code page"
> added interface ip=172.22.110.137 bcast=172.22.255.255 nmask=255.255.0.0
> added interface ip=192.168.74.1 bcast=192.168.74.255 nmask=255.255.255.0
> Client started (version 3.0.2a-SUSE).
> Connecting to 172.22.110.137 at port 139
> Password:
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60890215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
> SPENGO login failed: Trust relationship failure
> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>
>
>
> As I've already said, I realized that I should have joined domain again.
> Why so if none of samba admin files changed during upgrade ? Anyway, net
> join went smoothly - I got reported Joined to domain OURDOMAIN so I
> supposed I was joined, wasn't I ?
>
> Now I could perform net user -L MYHOST with DOMAIN authentication, yet I
> could not map or browse any of the served shares from MYHOST (see the
> smbclient dump below)
>
> And more - where has support for local user/passwords gone ? I had
> previously configured a few users which had not been configured within
> OURDOMAIN (using smbpasswd -a FOOUSER) and authentication was performed
> locally even when MYHOST was joined into OURDOMAIN. It seems that this
> functionality has just been dropped, hasn't it ?
>
>
>
> Smbclient dump: smbclient notoriously reports as follows (see also
> testparm dump after smbclient dump):
>
> # smbclient -d3 -L me -U MYHOST
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface ip=172.22.110.137 bcast=172.22.255.255 nmask=255.255.0.0
> added interface ip=192.168.74.1 bcast=192.168.74.255 nmask=255.255.255.0
> Client started (version 3.0.2a-SUSE).
> resolve_lmhosts: Attempting lmhosts lookup for name kiztok<0x20>
> resolve_wins: Attempting wins lookup for name kiztok<0x20>
> resolve_wins: using WINS server 172.22.0.8 and tag '*'
> Got a positive name query response from 172.22.0.8 ( 192.168.74.1
> 172.22.110.137 )
> Connecting to 192.168.74.1 at port 139
> Password:
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60890215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
> SPENGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
>
>
>
> # testparm -v
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[movies]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> dos charset = CP850
> unix charset = UTF-8
> display charset = ISO8859-15
> workgroup = OURDOMAIN
> realm =
> netbios name = MYHOST
> netbios aliases =
> netbios scope =
> server string = My Linux host
> interfaces =
> bind interfaces only = No
> security = DOMAIN
> auth methods =
> encrypt passwords = Yes
> update encrypted = No
> client schannel = Auto
> server schannel = Auto
> allow trusted domains = Yes
> hosts equiv =
> min passwd length = 5
> use cracklib = No
> map to guest = Never
> null passwords = No
> obey pam restrictions = No
> password server = ourpasswordserver
> smb passwd file = /etc/samba/smbpasswd
> private dir = /etc/samba
> passdb backend = smbpasswd
> algorithmic rid base = 1000
> root directory =
> guest account = nobody
> pam password change = No
> passwd program =
> passwd chat = *new*password* %n\n *new*password* %n\n *changed*
> passwd chat debug = No
> passwd chat timeout = 2
> username map =
> password level = 0
> username level = 0
> unix password sync = No
> restrict anonymous = 0
> lanman auth = Yes
> ntlm auth = Yes
> client NTLMv2 auth = No
> client lanman auth = Yes
> client plaintext auth = Yes
> preload modules =
> log level = 0
> syslog = 1
> syslog only = No
> log file =
> max log size = 5000
> timestamp logs = Yes
> debug hires timestamp = No
> debug pid = No
> debug uid = No
> smb ports = 445 139
> protocol = NT1
> large readwrite = Yes
> max protocol = NT1
> min protocol = CORE
> unicode = Yes
> read bmpx = No
> read raw = Yes
> write raw = Yes
> disable netbios = No
> acl compatibility =
> nt pipe support = Yes
> nt status support = Yes
> announce version = 4.9
> announce as = NT
> max mux = 50
> max xmit = 16644
> name resolve order = lmhosts wins host bcast
> max ttl = 259200
> max wins ttl = 518400
> min wins ttl = 21600
> time server = No
> unix extensions = Yes
> use spnego = Yes
> client signing = auto
> server signing = No
> client use spnego = Yes
> change notify timeout = 60
> deadtime = 0
> getwd cache = Yes
> keepalive = 300
> kernel change notify = Yes
> lpq cache time = 10
> max smbd processes = 0
> paranoid server security = Yes
> max disk size = 0
> max open files = 10000
> socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
> use mmap = Yes
> hostname lookups = No
> name cache timeout = 660
> load printers = Yes
> printcap name = cups
> disable spoolss = No
> enumports command =
> addprinter command =
> deleteprinter command =
> show add printer wizard = Yes
> os2 driver map =
> mangling method = hash2
> mangle prefix = 1
> stat cache = Yes
> machine password timeout = 604800
> add user script =
> delete user script =
> add group script =
> delete group script =
> add user to group script =
> delete user from group script =
> set primary group script =
> add machine script =
> shutdown script =
> abort shutdown script =
> logon script =
> logon path = \\%N\%U\profile
> logon drive =
> logon home = \\%N\%U
> domain logons = No
> os level = 65
> lm announce = Auto
> lm interval = 60
> preferred master = Auto
> local master = No
> domain master = Auto
> browse list = Yes
> enhanced browsing = Yes
> dns proxy = Yes
> wins proxy = No
> wins server = 172.22.0.8
> wins support = No
> wins hook =
> wins partners =
> kernel oplocks = Yes
> lock spin count = 3
> lock spin time = 10
> oplock break wait time = 0
> ldap suffix =
> ldap machine suffix =
> ldap user suffix =
> ldap group suffix =
> ldap idmap suffix =
> ldap filter = (uid=%u)
> ldap admin dn =
> ldap ssl =
> ldap passwd sync = no
> ldap delete dn = No
> ldap replication sleep = 1000
> add share command =
> change share command =
> delete share command =
> config file =
> preload =
> lock directory = /var/lib/samba
> pid directory = /var/run/samba
> utmp directory =
> wtmp directory =
> utmp = No
> default service =
> message command =
> dfree command =
> get quota command =
> set quota command =
> remote announce =
> remote browse sync =
> socket address = 0.0.0.0
> homedir map = auto.home
> afs username map =
> time offset = 0
> NIS homedir = No
> panic action =
> host msdfs = No
> enable rid algorithm = Yes
> idmap backend =
> idmap uid =
> idmap gid =
> template primary group = nobody
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind separator = \
> winbind cache time = 300
> winbind enable local accounts = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = No
> winbind trusted domains only = No
> comment =
> path =
> username =
> invalid users =
> valid users =
> admin users =
> read list =
> write list =
> printer admin =
> force user =
> force group =
> read only = Yes
> create mask = 0744
> force create mode = 00
> security mask = 0777
> force security mode = 00
> directory mask = 0755
> force directory mode = 00
> directory security mask = 0777
> force directory security mode = 00
> inherit permissions = No
> inherit acls = No
> guest only = No
> guest ok = No
> only user = No
> hosts allow =
> hosts deny =
> nt acl support = Yes
> profile acls = No
> map acl inherit = No
> afs share = No
> block size = 1024
> max connections = 0
> min print space = 0
> strict allocate = No
> strict sync = No
> sync always = No
> use sendfile = No
> write cache size = 0
> max reported print jobs = 0
> max print jobs = 1000
> printable = No
> printing = cups
> printing cups options =
> print command =
> lpq command =
> lprm command =
> lppause command =
> lpresume command =
> queuepause command =
> queueresume command =
> printer name =
> use client driver = No
> default devmode = No
> default case = lower
> case sensitive = No
> preserve case = Yes
> short preserve case = Yes
> mangle case = No
> mangling char = ~
> hide dot files = Yes
> hide special files = No
> hide unreadable = No
> hide unwriteable files = No
> delete veto files = No
> veto files = /*.eml/*.nws/riched20.dll/*.{*}/
> hide files =
> veto oplock files =
> map system = No
> map hidden = No
> map archive = Yes
> mangled names = Yes
> mangled map =
> browseable = Yes
> blocking locks = Yes
> csc policy = manual
> fake oplocks = No
> locking = Yes
> oplocks = Yes
> level2 oplocks = Yes
> oplock contention limit = 2
> posix locking = Yes
> strict locking = Yes
> share modes = Yes
> copy =
> include =
> exec =
> preexec close = No
> postexec =
> root preexec =
> root preexec close = No
> root postexec =
> available = Yes
> volume =
> fstype = NTFS
> set directory = No
> wide links = Yes
> follow symlinks = Yes
> dont descend =
> magic script =
> magic output =
> delete readonly = No
> dos filemode = No
> dos filetimes = No
> dos filetime resolution = No
> fake directory create times = No
> vfs objects =
> msdfs root = No
> msdfs proxy =
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> create mask = 0640
> directory mask = 0750
> browseable = No
>
> [printers]
> comment = All Printers
> path = /var/tmp
> create mask = 0600
> printable = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin, root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [movies]
> comment = Movies
> path = /srv/smbshare/movies
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
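
A check for the question raised in the quoted message (is the smbpasswd backend selected, and is the file's structure intact after swapping versions?), added here as an example; it is not part of either poster's message or of Samba. The function names and sample data are constructed, and the field layout is assumed from smbpasswd(5).

```python
import re

# Assumed field layout, per smbpasswd(5): name:uid:LM hash:NT hash:[flags]:LCT-<hex>:
HASH_RE = re.compile(r"^(?:[0-9A-Fa-f]{32}|X{32}|NO PASSWORDX{21})$")
FLAGS_RE = re.compile(r"^\[[A-Z ]+\]$")

def parse_testparm(dump):
    """Return {parameter: value} from the [global] section of a testparm -v dump."""
    settings, in_global = {}, False
    for raw in dump.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate mail-quoted dumps
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings

def check_smbpasswd(text):
    """Return (well_formed_usernames, [(line_no, problem), ...])."""
    users, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 5 or not f[1].isdigit():
            problems.append((no, "missing fields or non-numeric uid"))
        elif not (HASH_RE.match(f[2]) and HASH_RE.match(f[3])):
            problems.append((no, "LM/NT hash field malformed"))
        elif not FLAGS_RE.match(f[4]):
            problems.append((no, "account flags field malformed"))
        else:
            users.append(f[0])
    return users, problems

def local_account_usable(dump, smbpasswd_text, user):
    """True if the smbpasswd backend is selected and `user` has a well-formed entry."""
    backend = parse_testparm(dump).get("passdb backend", "")
    return backend.startswith("smbpasswd") and user in check_smbpasswd(smbpasswd_text)[0]

# Constructed sample input (placeholder hashes, not taken from the thread).
SAMPLE_DUMP = "> [global]\n> security = DOMAIN\n> passdb backend = smbpasswd\n> [homes]\n> valid users = %S\n"
SAMPLE_SMBPASSWD = (
    "foouser:1001:" + "X" * 32 + ":" + "0123456789ABCDEF" * 2 + ":[U          ]:LCT-41B7F1A0:\n"
    "broken:1002:tooshort:tooshort:[U          ]:LCT-41B7F1A0:\n"
)

if __name__ == "__main__":
    print(check_smbpasswd(SAMPLE_SMBPASSWD), local_account_usable(SAMPLE_DUMP, SAMPLE_SMBPASSWD, "foouser"))
```

On a real host, feed it the output of testparm -v and the file named by its smb passwd file line; the smbpasswd file holds password hashes and should be read as root only.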