[Samba] Cannot login to PDC(FreeBSD boxen) from client(win XP)

Chris E linuxNtux at vfemail.net
Thu Jul 29 15:05:08 GMT 2004


Craig White wrote:

>
>----
>OK but I try to believe in the accuracy of the messages.
>
>Is it possible that you joined this WinXP system to the domain with a different name? If so, can you delete the computer account in the unix passwd and samba passdb? Then rejoin with the current unique name.
>
>If you have never joined the computer to the domain, check /etc/hosts and /etc/samba/lmhosts to make sure that things are adequately represented. You also might want to stop samba, delete wins.dat and restart samba.
>
>Craig
>

I understand. I meant no disrespect in my previous response. I understand 
the thoroughness that you want to achieve here. I just wanted to clear 
up what I had originally said. Anyway, following your latest advice and 
help from a Linux howto I was able to finally join the domain. I was 
extremely happy when I saw the "Welcome to %domain" winpopup. I just 
have a few questions I'd like to clear up so that I know I'm able to 
recreate the procedure if I were to have to do this over from scratch. 
Firstly, the steps I took to get where I now am. I had first double 
checked the /etc/hosts file and checked to find an lmhosts file. 
/etc/hosts was indeed correct and this lmhosts file is nowhere to be 
found, even now with a successful logon. Is this something I should 
worry about? Secondly, I removed the computer name from /etc/passwd; I 
had been advised to add it in another howto I had read. It said to do so to 
create a "trust account" for the computer, but that might be a more 
advanced security feature and I most likely confused it with some of 
the steps I was using to get to a basic setup. Anyway, after removing 
the trust account I removed the user from both the Unix passwd db and 
the Samba passwd db. I then proceeded to re-add him with adduser and 
smbpasswd. After that I noticed the following in the howto I was 
currently reading...



12. Add the root user to the password backend as follows:

*smbpasswd -a root*

13. Create the Standard NT-Unix group mappings with the following commands:

*net groupmap modify ntgroup="Domain Admins" unixgroup=root
net groupmap modify ntgroup="Domain Users" unixgroup=users
net groupmap modify ntgroup="Domain Guests" unixgroup=nobody*

Add any additional groups with the above command ... the Unix group needs 
to be added first via *groupadd*.

Check that the groups are set up with the command:

*net groupmap list | sort*

The output should look like this:

Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-179504-2437109-488451-512) -> root
Domain Guests (S-1-5-21-179504-2437109-488451-514) -> nobody
Domain Users (S-1-5-21-179504-2437109-488451-513) -> users
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1


So I read through the step and decided to run the 'net groupmap list | 
sort' command and noticed the accounts weren't yet mapped. What exactly 
is the importance of this step? I understand what it does but I'm not 
exactly sure why. Forgive my blindness. Anyway, I proceeded through 
step 13. A bit farther down I believe I found the mistake I've 
been making this whole time. The following is a snippet...


<snip, snip>


*Windows 2000*

1. *Right-click* on the *My Computer icon* on the desktop and select 
*Properties*.

2. Click the *Network Identification* tab.

3. Click the *Properties* button, as illustrated in this picture 
<http://www.hughesjr.com/images/netID.jpg>.

4. Your computer's "Computer name" must be unique.

5. Pick the *Domain* box and enter *NEWDOM* and press *OK* ... then 
enter a username (*Administrator*) and password (your *root* user's 
password on the linux server) that is a member of the Domain 
Administrators group. See this picture 
<http://www.hughesjr.com/images/netID2.jpg>
----------------------------------------------------------------------------------------------------
*Windows XP*

1. Go to the *Start menu* and *Right-click* on the *My Computer* icon. 
Select *Properties*.

2. Click the *Computer Name* tab.

3. Click the *Change* button.

Follow the instructions in steps *4* and *5* for *Windows 2000* above.

<snip>



Under the Win 2k section, step 5: enter the username "Administrator"?? 
And use the root password. Is this only for the initial connection to 
the domain? If so, why isn't this done with a regular user? Previously I 
was attempting to use the username/user passwd that I created to match 
the account the client will be connecting from to connect to the domain; 
is there a link that someone can provide to clear up why this is done 
this way? And perhaps explain the pros/cons. I've been all through the 
Samba docs and on Google for days now. Perhaps I've missed the parts 
that explain this. And to add on to what I just said, rather than using 
Administrator OR administrator (thought to perhaps be case sensitive 
after the first error msg) I then tried root and the root password I added 
with smbpasswd and sure enough that allowed access to the domain. After 
using net groupmap should Administrator point to root? My groupmap list 
has double entries as you can see by the following:


Account Operators (S-1-5-32-548) -> -1
Administrators (S-1-5-32-544) -> -1
Backup Operators (S-1-5-32-551) -> -1
Domain Admins (S-1-5-21-1287359100-808193645-1486204412-512) -> wheel
Domain Admins (S-1-5-21-1808004326-3451706276-3289151943-512) -> -1
Domain Guests (S-1-5-21-1287359100-808193645-1486204412-514) -> nobody
Domain Guests (S-1-5-21-1808004326-3451706276-3289151943-514) -> -1
Domain Users (S-1-5-21-1287359100-808193645-1486204412-513) -> nogroup
Domain Users (S-1-5-21-1808004326-3451706276-3289151943-513) -> -1
Guests (S-1-5-32-546) -> -1
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Replicators (S-1-5-32-552) -> -1
System Operators (S-1-5-32-549) -> -1
Users (S-1-5-32-545) -> -1




So in short I'm asking, why did I have to use the root (administrator) 
user/password that was created using smbpasswd in order to log on to the 
domain and why can't this be any user? Links are appreciated. Is this 
missing lmhosts file important for a particular aspect of using SAMBA? 
If so I assume most likely a security feature? And also, are these 
duplicate entries in the 'net groupmap list' going to have an adverse 
effect on the functions of the domain? I'd also just like to thank 
everyone again for their input and advice.
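The duplicate "Domain Admins/Users/Guests" rows in the listing above all share one trait: the second copy of each carries a different domain SID prefix (S-1-5-21-...). The following shell functions, added here as an example and not part of the original thread or of the Samba project, parse a constructed copy of that `net groupmap list` output and report how many domain SIDs appear, which NT group names are duplicated, and which rows are stale relative to a given current SID (for a live server the SID to compare against would come from `net getlocalsid`; the cleanup commands are only printed, never run).

```shell
#!/bin/sh
# Constructed sample of `net groupmap list | sort` output, copied from the post above.
SAMPLE_GROUPMAP='Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-1287359100-808193645-1486204412-512) -> wheel
Domain Admins (S-1-5-21-1808004326-3451706276-3289151943-512) -> -1
Domain Guests (S-1-5-21-1287359100-808193645-1486204412-514) -> nobody
Domain Guests (S-1-5-21-1808004326-3451706276-3289151943-514) -> -1
Domain Users (S-1-5-21-1287359100-808193645-1486204412-513) -> nogroup
Domain Users (S-1-5-21-1808004326-3451706276-3289151943-513) -> -1
Users (S-1-5-32-545) -> -1'

# Distinct domain SID prefixes (S-1-5-21-x-y-z) in the listing, one per line.
# Builtin groups (S-1-5-32-*) are ignored; a healthy PDC shows exactly one prefix.
domain_sids() {
    printf '%s\n' "$1" | sed -n 's/.*(\(S-1-5-21-[0-9-]*\)-[0-9]*).*/\1/p' | sort -u
}

# Number of distinct domain SID prefixes found (anything other than 1 is suspicious).
count_domain_sids() {
    domain_sids "$1" | wc -l | tr -d ' '
}

# NT group names that occur more than once, one per line, sorted.
duplicate_groups() {
    printf '%s\n' "$1" | sed 's/ (S-1-5-.*//' | sort | uniq -d
}

# Domain-group rows whose SID prefix is not the current one ($2).
stale_entries() {
    printf '%s\n' "$1" | grep 'S-1-5-21-' | grep -v "($2-"
}

# Print (do not execute) a `net groupmap delete sid=...` line per stale row,
# so the operator can review before touching the passdb.
stale_delete_cmds() {
    stale_entries "$1" "$2" | sed 's/.*(\(S-1-5-21-[0-9-]*\)).*/net groupmap delete sid=\1/'
}

# Stand-alone run: assume the first SID in the sample is the live one.
if [ "${1:-}" = "--demo" ]; then
    CURRENT_SID=S-1-5-21-1287359100-808193645-1486204412
    echo "domain SIDs seen: $(count_domain_sids "$SAMPLE_GROUPMAP")"
    echo "duplicated groups:"; duplicate_groups "$SAMPLE_GROUPMAP"
    echo "suggested cleanup:"; stale_delete_cmds "$SAMPLE_GROUPMAP" "$CURRENT_SID"
fi
```

Run the file with `--demo` to see the report on the constructed sample; to check a real server, replace the sample with the actual `net groupmap list` output and the assumed SID with the value `net getlocalsid` reports.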