[Samba] samba>=3.0.4 - no more smbpasswd ? no more local auth when joined to domain ?

Greg Folkert greg at gregfolkert.net
Thu Dec 9 12:32:58 GMT 2004


My feedback is in-line.

On Thu, 2004-12-09 at 08:35 +0100, Izo wrote:
> Not only does nobody read news://linux.samba, obviously nobody reads this 
> newsgroup either! This is just the 5th time I am sending the same or 
> similar message in the last 7 days with no response...
Remember the term Volunteers? That is what SAMBA is supported by on this
list. If nobody responded, you either have a way with words that is
offensive or a problem not encountered widely or at all.

I suspect the first, as I was a bit put off by this message.
> I would like to point out that *I really need* help on this - either 
> a pointer to a prompter resource or an answer about what is going on 
> with my Samba installation
> 
> Platform: SuSE-9.1, kernel-2.6.5, samba-3.0.4

Fine, thanks for the info needed.

> I have recently upgraded from 3.0.2a to 3.0.4 and I have just noticed
> that using the same smb.conf as with the previous version, the system just
> does not work anymore for me!
> Furthermore, the smbpasswd utility appears to have been dropped!
Okay, which package(s) did you install to "upgrade" to the non-working
version, where did you get them? Are you sure you installed every
package needed?

Reason I ask, I am currently running 3.0.4 and I have /usr/bin/smbpasswd.

> Afterwards, I noticed that I had to join the domain once again
> (security = DOMAIN). Yet, I still could not log on to my machine. Before
> joining again, every attempt to access shared resources on MYHOST failed
> with:
Really means nothing.

> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

This just means that the machine account somehow got out of sync or the
samba you installed wasn't compiled properly with the options you need
OR you actually removed the samba package(s) and purged the files it
needed to remember its machine trust account info.

> This behaviour was just the same even if I tried to use a local samba
> user. This indicates that the smbpasswd file is either ignored (despite
> passdb backend being set to smbpasswd), has a changed structure, or
> has been displaced. Anyway, browsing the samba docs I could only
> realize they were rather outdated (they referred to samba 3.0, obviously not
> to samba-3.0.4 and later), weren't they?

smbpasswd *IS* still there. The docs are still very up to date. They might
not include various options added since v3.0. Nothing has changed
considerably since v3.0.

> # smbclient -U me -L MYHOST -d3
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> Unknown parameter encountered: "character set"
> Ignoring unknown parameter "character set"
> Unknown parameter encountered: "client code page"
> Ignoring unknown parameter "client code page"
> added interface ip=172.22.110.137 bcast=172.22.255.255 nmask=255.255.0.0
> added interface ip=192.168.74.1 bcast=192.168.74.255 nmask=255.255.255.0
> Client started (version 3.0.2a-SUSE).
> Connecting to 172.22.110.137 at port 139
> Password:
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60890215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
> SPENGO login failed: Trust relationship failure
> session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

It appears the Machine Trust account info on your machine is not in sync
with what the domain feels is right.

> As I've already said, I realized that I should have joined the domain again.
> Why so, if none of the samba admin files changed during the upgrade? Anyway, net
> join went smoothly - I got reported "Joined to domain OURDOMAIN", so I
> supposed I was joined, wasn't I?

Maybe, possibly. I can't confirm this, you did not include any debug
info to prove otherwise.

> Now I could perform net user -L MYHOST with DOMAIN authentication, yet I
> could not map or browse any of the served shares from MYHOST (see the
> smbclient dump below)

Could be related to the actual packages you installed... or did you
compile from source?

> And more - where has support for local users/passwords gone? I had
> previously configured a few users which had not been configured within
> OURDOMAIN (using smbpasswd -a FOOUSER) and authentication was performed
> locally even when MYHOST was joined into OURDOMAIN. It seems that this
> functionality has just been dropped, hasn't it?

No, it has not been dropped. Again... *WHAT DID YOU INSTALL*? Did you
install SuSE official packages? Did you install Joe Schmoe's packages
with xyz (IOW whatever) option(s) disabled? Did you install samba.org's
packages from the binary distribution point? Did you compile from
source, with everything you needed in the way of "-devel" packages
installed?

> Smbclient dump: smbclient notoriously reports as follows (see also the
> testparm dump after the smbclient dump):
> 
> # smbclient -d3 -L me -U MYHOST
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface ip=172.22.110.137 bcast=172.22.255.255 nmask=255.255.0.0
> added interface ip=192.168.74.1 bcast=192.168.74.255 nmask=255.255.255.0
> Client started (version 3.0.2a-SUSE).
> resolve_lmhosts: Attempting lmhosts lookup for name kiztok<0x20>
> resolve_wins: Attempting wins lookup for name kiztok<0x20>
> resolve_wins: using WINS server 172.22.0.8 and tag '*'
> Got a positive name query response from 172.22.0.8 ( 192.168.74.1
> 172.22.110.137 )
> Connecting to 192.168.74.1 at port 139
> Password:
> Doing spnego session setup (blob length=58)
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=NONE
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60890215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
> SPENGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE

SPNEGO has a problem in 3.0.4 and maybe other versions as well.


> 
> # testparm -v
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[movies]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> 
> # Global parameters
> [global]
>          dos charset = CP850
>          unix charset = UTF-8
>          display charset = ISO8859-15
>          workgroup = OURDOMAIN
>          realm =
>          netbios name = MYHOST
>          netbios aliases =
>          netbios scope =
>          server string = My Linux host
>          interfaces =
>          bind interfaces only = No
>          security = DOMAIN
>          auth methods =
>          encrypt passwords = Yes
>          update encrypted = No
>          client schannel = Auto
>          server schannel = Auto
>          allow trusted domains = Yes
>          hosts equiv =
>          min passwd length = 5
>          use cracklib = No
>          map to guest = Never
>          null passwords = No
>          obey pam restrictions = No
>          password server = ourpasswordserver
>          smb passwd file = /etc/samba/smbpasswd
>          private dir = /etc/samba
>          passdb backend = smbpasswd
>          algorithmic rid base = 1000
>          root directory =
>          guest account = nobody
>          pam password change = No
>          passwd program =
>          passwd chat = *new*password* %n\n *new*password* %n\n *changed*
>          passwd chat debug = No
>          passwd chat timeout = 2
>          username map =
>          password level = 0
>          username level = 0
>          unix password sync = No
>          restrict anonymous = 0
>          lanman auth = Yes
>          ntlm auth = Yes
>          client NTLMv2 auth = No
>          client lanman auth = Yes
>          client plaintext auth = Yes
>          preload modules =
>          log level = 0
>          syslog = 1
>          syslog only = No
>          log file =
>          max log size = 5000
>          timestamp logs = Yes
>          debug hires timestamp = No
>          debug pid = No
>          debug uid = No
>          smb ports = 445 139
>          protocol = NT1
>          large readwrite = Yes
>          max protocol = NT1
>          min protocol = CORE
>          unicode = Yes
>          read bmpx = No
>          read raw = Yes
>          write raw = Yes
>          disable netbios = No
>          acl compatibility =
>          nt pipe support = Yes
>          nt status support = Yes
>          announce version = 4.9
>          announce as = NT
>          max mux = 50
>          max xmit = 16644
>          name resolve order = lmhosts wins host bcast
>          max ttl = 259200
>          max wins ttl = 518400
>          min wins ttl = 21600
>          time server = No
>          unix extensions = Yes
>          use spnego = Yes
>          client signing = auto
>          server signing = No
>          client use spnego = Yes
>          change notify timeout = 60
>          deadtime = 0
>          getwd cache = Yes
>          keepalive = 300
>          kernel change notify = Yes
>          lpq cache time = 10
>          max smbd processes = 0
>          paranoid server security = Yes
>          max disk size = 0
>          max open files = 10000
>          socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
>          use mmap = Yes
>          hostname lookups = No
>          name cache timeout = 660
>          load printers = Yes
>          printcap name = cups
>          disable spoolss = No
>          enumports command =
>          addprinter command =
>          deleteprinter command =
>          show add printer wizard = Yes
>          os2 driver map =
>          mangling method = hash2
>          mangle prefix = 1
>          stat cache = Yes
>          machine password timeout = 604800
>          add user script =
>          delete user script =
>          add group script =
>          delete group script =
>          add user to group script =
>          delete user from group script =
>          set primary group script =
>          add machine script =
>          shutdown script =
>          abort shutdown script =
>          logon script =
>          logon path = \\%N\%U\profile
>          logon drive =
>          logon home = \\%N\%U
>          domain logons = No
>          os level = 65
>          lm announce = Auto
>          lm interval = 60
>          preferred master = Auto
>          local master = No
>          domain master = Auto
>          browse list = Yes
>          enhanced browsing = Yes
>          dns proxy = Yes
>          wins proxy = No
>          wins server = 172.22.0.8
>          wins support = No
>          wins hook =
>          wins partners =
>          kernel oplocks = Yes
>          lock spin count = 3
>          lock spin time = 10
>          oplock break wait time = 0
>          ldap suffix =
>          ldap machine suffix =
>          ldap user suffix =
>          ldap group suffix =
>          ldap idmap suffix =
>          ldap filter = (uid=%u)
>          ldap admin dn =
>          ldap ssl =
>          ldap passwd sync = no
>          ldap delete dn = No
>          ldap replication sleep = 1000
>          add share command =
>          change share command =
>          delete share command =
>          config file =
>          preload =
>          lock directory = /var/lib/samba
>          pid directory = /var/run/samba
>          utmp directory =
>          wtmp directory =
>          utmp = No
>          default service =
>          message command =
>          dfree command =
>          get quota command =
>          set quota command =
>          remote announce =
>          remote browse sync =
>          socket address = 0.0.0.0
>          homedir map = auto.home
>          afs username map =
>          time offset = 0
>          NIS homedir = No
>          panic action =
>          host msdfs = No
>          enable rid algorithm = Yes
>          idmap backend =
>          idmap uid =
>          idmap gid =
>          template primary group = nobody
>          template homedir = /home/%D/%U
>          template shell = /bin/false
>          winbind separator = \
>          winbind cache time = 300
>          winbind enable local accounts = Yes
>          winbind enum users = Yes
>          winbind enum groups = Yes
>          winbind use default domain = No
>          winbind trusted domains only = No
>          comment =
>          path =
>          username =
>          invalid users =
>          valid users =
>          admin users =
>          read list =
>          write list =
>          printer admin =
>          force user =
>          force group =
>          read only = Yes
>          create mask = 0744
>          force create mode = 00
>          security mask = 0777
>          force security mode = 00
>          directory mask = 0755
>          force directory mode = 00
>          directory security mask = 0777
>          force directory security mode = 00
>          inherit permissions = No
>          inherit acls = No
>          guest only = No
>          guest ok = No
>          only user = No
>          hosts allow =
>          hosts deny =
>          nt acl support = Yes
>          profile acls = No
>          map acl inherit = No
>          afs share = No
>          block size = 1024
>          max connections = 0
>          min print space = 0
>          strict allocate = No
>          strict sync = No
>          sync always = No
>          use sendfile = No
>          write cache size = 0
>          max reported print jobs = 0
>          max print jobs = 1000
>          printable = No
>          printing = cups
>          printing cups options =
>          print command =
>          lpq command =
>          lprm command =
>          lppause command =
>          lpresume command =
>          queuepause command =
>          queueresume command =
>          printer name =
>          use client driver = No
>          default devmode = No
>          default case = lower
>          case sensitive = No
>          preserve case = Yes
>          short preserve case = Yes
>          mangle case = No
>          mangling char = ~
>          hide dot files = Yes
>          hide special files = No
>          hide unreadable = No
>          hide unwriteable files = No
>          delete veto files = No
>          veto files = /*.eml/*.nws/riched20.dll/*.{*}/
>          hide files =
>          veto oplock files =
>          map system = No
>          map hidden = No
>          map archive = Yes
>          mangled names = Yes
>          mangled map =
>          browseable = Yes
>          blocking locks = Yes
>          csc policy = manual
>          fake oplocks = No
>          locking = Yes
>          oplocks = Yes
>          level2 oplocks = Yes
>          oplock contention limit = 2
>          posix locking = Yes
>          strict locking = Yes
>          share modes = Yes
>          copy =
>          include =
>          exec =
>          preexec close = No
>          postexec =
>          root preexec =
>          root preexec close = No
>          root postexec =
>          available = Yes
>          volume =
>          fstype = NTFS
>          set directory = No
>          wide links = Yes
>          follow symlinks = Yes
>          dont descend =
>          magic script =
>          magic output =
>          delete readonly = No
>          dos filemode = No
>          dos filetimes = No
>          dos filetime resolution = No
>          fake directory create times = No
>          vfs objects =
>          msdfs root = No
>          msdfs proxy =
> 
> [homes]
>          comment = Home Directories
>          valid users = %S
>          read only = No
>          create mask = 0640
>          directory mask = 0750
>          browseable = No
> 
> [printers]
>          comment = All Printers
>          path = /var/tmp
>          create mask = 0600
>          printable = Yes
>          browseable = No
> 
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/drivers
>          write list = @ntadmin, root
>          force group = ntadmin
>          create mask = 0664
>          directory mask = 0775
> 
> [movies]
>          comment = Movies
>          path = /srv/smbshare/movies

Until you provide us with the info needed there is little we can say or
do for you.

-- 
greg, greg at gregfolkert.net

The technology that is
Stronger, better, faster:  Linux
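The reply above keeps coming back to three questions: which samba binaries actually ran, whether smb.conf still carries pre-3.0 parameters, and what the final NT_STATUS of the session setup was. The following script is an added example (not code from the thread or from the Samba project) that pulls those three facts out of an `smbclient -d3` transcript and maps them to the interpretation given in the reply: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE means the machine trust account disagrees with the domain, NT_STATUS_LOGON_FAILURE means the trust held but the credentials were rejected. The sample transcripts are constructed from the lines quoted above, trimmed to what the parser reads; the obsolete-parameter table holds only the two names the transcript rejected, with the 3.0 parameters that replaced them, and the follow-up commands in the advice strings (`net rpc testjoin`, `pdbedit -L`, `rpm -qa`) are suggestions, not something the thread ran.

```python
"""Triage the tail of an `smbclient -d3` transcript (added example)."""
import re

# Constructed samples: the lines quoted in the thread, trimmed to the three
# line shapes the parser reads. Not a live capture.
SAMPLE_TRUST = """\
Unknown parameter encountered: "character set"
Ignoring unknown parameter "character set"
Unknown parameter encountered: "client code page"
Ignoring unknown parameter "client code page"
Client started (version 3.0.2a-SUSE).
Connecting to 172.22.110.137 at port 139
SPENGO login failed: Trust relationship failure
session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

SAMPLE_LOGON = """\
Client started (version 3.0.2a-SUSE).
Connecting to 192.168.74.1 at port 139
SPENGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
"""

VERSION_RE = re.compile(r"Client started \(version ([^)]+)\)")
UNKNOWN_RE = re.compile(r'Ignoring unknown parameter "([^"]+)"')
STATUS_RE = re.compile(r"session setup failed: (NT_STATUS_[A-Z_]+)")

# 2.2-era smb.conf parameters that smbclient rejected in the transcript,
# mapped to the 3.0 parameters that replaced them.
OBSOLETE_PARAMS = {
    "character set": "unix charset",
    "client code page": "dos charset",
}


def parse_smbclient_debug(text):
    """Return client version, rejected smb.conf parameters and final status."""
    version, unknown, status = None, [], None
    for line in text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version = m.group(1)
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.append(m.group(1))
            continue
        m = STATUS_RE.search(line)
        if m:
            status = m.group(1)  # keep the last one; it ends the session
    return {"version": version, "unknown_params": unknown, "status": status}


def triage(report, expected_version=None):
    """Map the parsed facts to (code, advice) findings, in a fixed order."""
    findings = []
    if expected_version and report["version"]:
        # "3.0.2a-SUSE" -> "3.0.2a": drop the vendor tag before comparing.
        upstream = report["version"].split("-")[0]
        if upstream != expected_version:
            findings.append(("MIXED_VERSIONS",
                f"smbclient reports {report['version']}, not {expected_version}: "
                "the upgrade did not replace every package (rpm -qa | grep samba)"))
    for param in report["unknown_params"]:
        if param in OBSOLETE_PARAMS:
            findings.append(("STALE_SMB_CONF",
                f'"{param}" is a 2.2 parameter; 3.0 uses "{OBSOLETE_PARAMS[param]}"'))
    status = report["status"]
    if status == "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE":
        findings.append(("MACHINE_TRUST",
            "machine trust account disagrees with the DC: re-join with "
            "'net rpc join -U Administrator' and confirm with 'net rpc testjoin'"))
    elif status == "NT_STATUS_LOGON_FAILURE":
        findings.append(("CREDENTIALS",
            "trust held but the account/password was rejected: check the user "
            "exists in the 'passdb backend' (pdbedit -L) or in the domain"))
    elif status:
        findings.append(("OTHER", f"session setup ended with {status}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("trust", SAMPLE_TRUST), ("logon", SAMPLE_LOGON)):
        rep = parse_smbclient_debug(sample)
        print(f"{name}: version={rep['version']} status={rep['status']}")
        for code, advice in triage(rep, expected_version="3.0.4"):
            print(f"  {code}: {advice}")
```

Run against the first transcript it reports the mismatch that the reply was fishing for: the client binary still identifies itself as 3.0.2a-SUSE although the poster believes 3.0.4 is installed, the smb.conf still carries 2.2-era parameters, and the session setup ended in a trust failure; the second transcript, taken after the re-join, drops to a plain credential rejection.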