[Samba] Cannot login to PDC(FreeBSD boxen) from client(win XP)
Chris E
linuxNtux at vfemail.net
Thu Jul 29 15:05:08 GMT 2004
Craig White wrote:
>
>----
>OK but I try to believe in the accuracy of the messages.
>
>Is it possible that you joined this WinXP system to the domain with a different name? If so, can you delete the computer account in the unix passwd and samba passdb? Then rejoin with the current unique name.
>
>If you have never joined the computer to the domain, check /etc/hosts and /etc/samba/lmhosts to make sure that things are adequately represented. You also might want to stop samba, delete wins.dat and restart samba.
>
>Craig
>
>
>
I understand. I meant no disrespect in my previous response. I understand
the thoroughness that you want to achieve here. I just wanted to clear
up what I had originally said. Anyways, following your latest advice and
help from a linux howto I was able to finally join the domain. I was
extremely happy when I saw the "Welcome to %domain" winpopup. I just
have a few questions I'd like to clear up so that I know I'm able to
recreate the procedure if I were to have to do this over from scratch.
Firstly the steps I took to get where I now am. I had first double
checked the /etc/hosts file and checked to find a lmhosts file.
/etc/hosts was indeed correct and this lmhosts file is nowhere to be
found, even now with a successful logon. Is this something I should
worry about? Secondly I removed the computer name from /etc/passwd, it
was advised to add in, in another howto I had read. It said to do so to
create a "trust account" for the computer but that might be a more
advanced security feature and I most likely confused it in with some of
the steps I was using to get to a basic setup. Anyways, after removing
the trust account I removed the user from both the unix passwd db and
the samba passwd db. I then proceeded to readd him with adduser and
smbpasswd. After that I noticed the following in the howto I was
currently reading...
12. Add the root user to the password backend as follows:
*smbpasswd -a root*
13. Create the Standard NT-Unix group mappings with the following commands:
*net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody*
Add any additional groups with the above command ... the Unix group needs
to be added first via *groupadd*.
Check that the groups are setup with the command:
*net groupmap list | sort*
The output should look like this:
Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1
So I read through the step and decided to run the 'net groupmap list |
sort' command and noticed the accounts weren't yet mapped. What exactly
is the importance of this step? I understand what it does but I'm not
exactly sure why. Forgive my blindness. Anyways, I proceeded through
step 13. After a bit farther down I believe I found the mistake I've
been making this whole time. The following is a snippet...
<snip, snip>
*Windows 2000*
1. *Right-click* on the *My Computer icon* on the desktop and select
*Properties*.
2. Click the *Network Identification* tab.
3. Click the *Properties* button, as illustrated in this picture
<http://www.hughesjr.com/images/netID.jpg>.
4. Your computer's "Computer name" must be unique.
5. Pick the *Domain* box and enter *NEWDOM* and press *OK* ... then
enter a username (*Administrator*) and password (your *root* user's
password on the linux server) that is a member of the Domain
Administrators group. See this picture
<http://www.hughesjr.com/images/netID2.jpg>
----------------------------------------------------------------------------------------------------
*Windows XP*
1. Go to the *Start menu* and *Right-click* on the *My Computer* icon.
Select *Properties*.
2. Click the *Computer Name* tab.
3. Click the *Change* button.
Follow the instructions in steps *4* and *5* for *Windows 2000* above.
<snip>
Under the win 2k section, number 5: enter the username "Administrator"??
And use the root password. Is this only for the initial connection to
the domain? If so why isn't this done with a regular user? Previously I
was attempting to use the username/user passwd that I created to match
the account the client will be connecting from to connect to the domain,
is there a link that someone can provide to clear up why this is done
this way? And perhaps explain the pros/cons. I've been all through the
samba docs and on google for days now. Perhaps I've missed the parts
that explain this. And to add on to what I just said, rather than using
Administrator OR administrator (thought to perhaps be case sensitive
after first error msg) I then tried root and the root password I added
with smbpasswd and sure enough that allowed access to the domain. After
using net groupmap should Administrator point to root? My groupmap list
has double entries as you can see by the following...
Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-1287359100-808193645-1486204412-512) -> wheel
Domain Admins (S-1-5-21-1808004326-3451706276-3289151943-512) -> -1
Domain Guests (S-1-5-21-1287359100-808193645-1486204412-514) -> nobody
Domain Guests (S-1-5-21-1808004326-3451706276-3289151943-514) -> -1
Domain Users (S-1-5-21-1287359100-808193645-1486204412-513) -> nogroup
Domain Users (S-1-5-21-1808004326-3451706276-3289151943-513) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1
So in short I'm asking, why did I have to use the root (administrator)
user/password that was created using smbpasswd in order to logon the
domain and why can't this be any user? Links are appreciated. Is this
missing lmhosts file important for a particular aspect of using SAMBA?
If so I assume most likely a security feature? And also, are these
duplicate entries in the 'net groupmap list' going to have an adverse
effect on the functions of the domain? I'd also just like to thank
everyone again for their input and advice.
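The duplicate-mapping question above can be checked mechanically. The script below is an added example, not code from the original post or from the Samba project: it parses a `net groupmap list` listing, reports how many distinct domain SIDs (S-1-5-21-...) it contains, which NT group names appear under more than one SID, which domain entries are not under the PDC's current SID, and which are still mapped to `-1` (no Unix group). The listing and the "local SID" are constructed for the example and mirror the post; on a real PDC you would feed it the output of `net groupmap list` and the SID reported by `net getlocalsid` (assumed here to be the command that prints the machine SID).

```shell
#!/bin/sh
# Added example: sanity-check a `net groupmap list` listing for two
# problems, NT groups mapped to "-1" and the same NT group appearing
# under two different domain SIDs. The listing is constructed for this
# example; on a real PDC use "$(net groupmap list)" instead.

SAMPLE_GROUPMAP='Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-1287359100-808193645-1486204412-512) -> wheel
Domain Admins (S-1-5-21-1808004326-3451706276-3289151943-512) -> -1
Domain Guests (S-1-5-21-1287359100-808193645-1486204412-514) -> nobody
Domain Guests (S-1-5-21-1808004326-3451706276-3289151943-514) -> -1
Domain Users (S-1-5-21-1287359100-808193645-1486204412-513) -> nogroup
Domain Users (S-1-5-21-1808004326-3451706276-3289151943-513) -> -1
Users (S-1-5-32-545) -> -1'

# Assumed current machine SID for the sample (what `net getlocalsid`
# would report on the PDC); the other SID above is treated as a leftover.
SAMPLE_LOCAL_SID='S-1-5-21-1287359100-808193645-1486204412'

# Every distinct domain SID (S-1-5-21-...) seen in the listing. More than
# one means mappings created under an earlier SID are still in the backend.
list_domain_sids() {
  printf '%s\n' "$1" |
    sed -n 's/.*(\(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)-[0-9]*).*/\1/p' | sort -u
}

# NT group names that occur more than once among the domain (non-BUILTIN)
# entries, i.e. mapped under two SIDs.
find_duplicate_mappings() {
  printf '%s\n' "$1" |
    sed -n 's/^\(.*\) (S-1-5-21-[0-9-]*) -> .*/\1/p' | sort | uniq -d
}

# Domain entries whose SID prefix is not the local SID: candidates for
# `net groupmap delete sid=<SID>` once confirmed to be stale.
stale_mappings() {  # $1 = listing, $2 = local domain SID
  printf '%s\n' "$1" | grep 'S-1-5-21-' | { grep -v "($2-" || true; }
}

# Domain entries still mapped to -1, i.e. no Unix group behind them.
unmapped_domain_groups() {
  printf '%s\n' "$1" | grep 'S-1-5-21-' | { grep -- '-> -1$' || true; }
}

echo "Domain SIDs present:";          list_domain_sids "$SAMPLE_GROUPMAP"
echo "Names mapped under two SIDs:";  find_duplicate_mappings "$SAMPLE_GROUPMAP"
echo "Entries not under local SID:";  stale_mappings "$SAMPLE_GROUPMAP" "$SAMPLE_LOCAL_SID"
echo "Domain entries mapped to -1:";  unmapped_domain_groups "$SAMPLE_GROUPMAP"
```

Only the S-1-5-21-... entries are inspected; the S-1-5-32-... lines are the BUILTIN aliases, which are expected to show `-1` until you choose to map them, so they are not a sign of trouble. Entries reported as stale should be compared against the SID the PDC actually uses before deleting anything.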