[Samba] SuSE 9.1 Pro

rruegner robert at ruegner.org
Tue Oct 5 18:28:26 GMT 2004


Chuck Chauvin wrote:
> My entire smb.conf file is listed in the thread "[Samba] Samba 3.0.4 Profile 
> Permissions".
> 
> I'll post it here as well.
> 
> My layout is fairly simple. I have one machine in my network running Linux 
> and Samba that acts as a Primary Domain Controller. It resides at IP address 
> 192.168.1.100 while all of the other machines on my network (all Windows XP 
> clients) have an IP address of 192.168.1.xxx
> 
> I currently have this setup running in Mandrake (from about 2 years ago) and 
> everything works as it should regarding Samba (version 2.2.4 btw).
> 
> All of my clients login to the server using an account and password that 
> exists on the Linux machine.
> 
> Following this message is my smb.conf and my log files from last night. This 
> was with the firewall disabled altogether. I would like a firewall of some 
> sort on this server so disabling the firewall doesn't really make me feel 
> all that comfortable but if it doesn't work right, it doesn't work. I have 
> ports 137, 138, 139 and 445 open, according to YaST, but this still will not 
> work. I (usually) can't even see the Domain Controller while the firewall is 
> running. I say usually because sometimes I do... and I hadn't changed a 
> thing. It's there one minute and gone the next.
> 
> When you look at the log files you will notice that I attempted to log in 
> with a user account of bagginsadmin which is a member of the adm group. The 
> adm group is set in all of my Windows XP clients as a member of the 
> Administrators group so that I can use this particular login to access any 
> of my XP clients and make any necessary modifications.
> 
> When I attempted to login last night I got the following error:
> 
> "Windows did not load your roaming profile and is attempting to log you on 
> with your local profile. Changes to the profile will not be copied to the 
> server when you logoff. Windows did not load your profile because a server 
> copy of the profile folder already exists that does not have the correct 
> security. Either the current user or the Administrator's group must be the 
> owner of the folder. Contact your network administrator."
> 
> 
> I then attempted to login with my own account (also a member of the adm 
> group) and got this error:
> 
> 
> "Windows cannot log you in now because the domain BAGGINS is not available."
> 
> 
> I then created a new user account in Linux and Samba and attempted to login. 
> I get the same error.
> 
> When I login using the original administrative account above I get access to 
> most of the shares that I have setup. My network logon script runs just 
> fine. I do not, however, have Administrative privileges on the XP client. 
> When I attempt to modify the XP client Administrators group I get a list of 
> numbers as the members instead of what I am used to seeing (i.e. 
> BAGGINS\unix_group.XXXXXXX).
> 
> Now I am sure that the following line in my log.smbd explains what is going 
> wrong but I'll be snookered if I knew what it meant:
> 
> [2004/10/04 11:59:05, 0] rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
>  init_sam_user_info_21A: User bagginsadmin has Primary Group SID S-1-5-32-544,
>  which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.
>  Failing operation.
> 
> 
> So, having said all of that, here are my configuration and log files.
> 
> As always, any help is greatly appreciated.
> 
> 
> [global]
>   workgroup = BAGGINS
>   security = user
>   encrypt passwords = yes
>   passdb backend = smbpasswd
>   server string = Domain Controller
>   netbios name = BILBO
>   add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
>   domain master = yes
>   domain logons = yes
>   logon script = logon.cmd
>   local master = yes
>   preferred master = yes
>   os level = 65
> 
> [homes]
>   comment = Home Directory for %u
>   path = /home/%u
>   read only = No
>   browseable = No
> 
> [Projects]
>   comment = Project Folders
>   path = /data-1/projects
>   admin users = @Design, adm, Manager
>   read only = No
>   create mask = 0775
>   force create mode = 0775
>   force security mode = 0775
>   force directory mode = 0775
>   force directory security mode = 0775
> 
> [Temp]
>   comment = Temporary Space
>   path = /data-1/temp
>   admin users = @Design, adm, Manager
>   read only = No
>   create mask = 0777
> 
> [Archive]
>   comment = Archived Projects
>   path = /data-1/archive
>   write list = @adm
>   security mask = 0755
>   directory security mask = 0755
>   guest ok = Yes
> 
> [netlogon]
>   comment = Network Logon Service
>   path = /etc/samba/netlogon
>   guest ok = Yes
> 
> [Profiles]
>   path = /home/%u/profile
>   browseable = No
>   writeable = yes
>   nt acl support = yes
> 
> My log.smbd
> 
> [2004/10/04 11:55:00, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service bagginsadmin initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:55:00, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 11:55:04, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service bagginsadmin initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:55:13, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 11:55:14, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service bagginsadmin initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:55:15, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service netlogon initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:56:50, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service netlogon
> [2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service Archive initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service Projects initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service Temp initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:59:05, 0] rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
>  init_sam_user_info_21A: User bagginsadmin has Primary Group SID S-1-5-32-544,
>  which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.  Failing operation.
> [2004/10/04 12:00:21, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 12:00:24, 1] smbd/service.c:make_connection_snum(619)
>  baggins001 (192.168.1.6) connect to service bagginsadmin initially as user 
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 12:00:24, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 12:01:23, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service Archive
> [2004/10/04 12:01:23, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service Projects
> [2004/10/04 12:01:23, 1] smbd/service.c:close_cnum(801)
>  baggins001 (192.168.1.6) closed connection to service Temp
> 
> My log.nmbd
> 
>  *****
> [2004/10/04 08:34:07, 0] nmbd/nmbd.c:terminate(54)
>  Got SIGTERM: going down...
> [2004/10/04 09:59:49, 0] nmbd/nmbd.c:main(664)
>  Netbios nameserver version 3.0.4-SUSE started.
>  Copyright Andrew Tridgell and the Samba Team 1994-2004
> [2004/10/04 09:59:49, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
>  add_domain_logon_names:
>  Attempting to become logon server for workgroup BAGGINS on subnet 
> 192.168.1.100
> [2004/10/04 09:59:49, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
>  become_domain_master_browser_bcast:
>  Attempting to become domain master browser on workgroup BAGGINS on subnet 
> 192.168.1.100
> [2004/10/04 09:59:49, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
>  become_domain_master_browser_bcast: querying subnet 192.168.1.100 for 
> domain master browser on workgroup BAGGINS
> [2004/10/04 09:59:53, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(124)
>  become_logon_server_success: Samba is now a logon server for workgroup 
> BAGGINS on subnet 192.168.1.100
> [2004/10/04 09:59:57, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
>  *****
> 
>  Samba server BILBO is now a domain master browser for workgroup BAGGINS on 
> subnet 192.168.1.100
> 
>  *****
> [2004/10/04 10:00:13, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
>  *****
> 
>  Samba name server BILBO is now a local master browser for workgroup 
> BAGGINS on subnet 192.168.1.100
> 
>  *****
> 
> 
> 
> 
> 
> ---------- Original Message -----------
> From: rruegner <robert at ruegner.org>
> To: Holger Krull <holger.krull at gmx.de>
> Sent: Tue, 05 Oct 2004 14:50:14 +0200
> Subject: Re: [Samba] SuSE 9.1 Pro
> 
> 
>>Holger Krull wrote:
>>
>>>>Hi, the simple answer is don't use suse firewall (iptables scripts are 
>>>>easy to google)
>>>>and study more chapters from Samba Browsing
>>>
>>>
>>>That's not very nice, the Suse 'firewall' is well written. And you can't 
>>>expect everyone to learn that much about packet filtering just to run samba.
>>>And it works with samba.
>>>
>>
>>Sorry Holger, but my opinion is different, suse firewall may be well 
>>written, but learning about packet filtering and networking is 
>>helpful in any way. If you don't push the button block internal 
>>interface in yast and you bind samba to your internal nic 
>>suse firewall is not involved with your samba stuff. If you want to use 
>>samba through nat or suse firewall, you should take your own iptables 
>>script, cause you can't really adjust this in suse firewall. For more 
>>help post more of your desired network layout and your samba conf. Regards
> 
> ------- End of Original Message -------
> 
> 
> --
> Chuck Chauvin
> Network Administrator
> clchauvin at edcaugusta.com
> 
Hi Chuck, now I think it is clear that your firewall is not involved;
anyway, disable it until you fetch the bug.
At a short look:
User bagginsadmin has Primary Group SID S-1-5-32-544,
 >  which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.
 >  Failing operation.
your user is not a domain user,
your smb.conf is very small for a pdc but should be enough,
as your samba does log, no blocking by a firewall is done.
In my suse setup I have
passdb backend = smbpasswd:/etc/samba/smbpasswd

Check if the user exists in /etc/passwd
and create him with smbpasswd -a user
This should help you out, but I recommend to read more on samba faq and 
suse example conf as well, cause you're missing very useful parameters in 
your conf
Regards
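
The following Python is an added example, not part of the original message or of Samba: it groups log.smbd entries (header line plus indented continuation lines) and reports every user whose primary group SID falls outside the domain SID, as in the entry quoted in this thread. The sample log is constructed from the quoted lines with the mail-wrapped SIDs joined; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: entries quoted in the thread, mail-wrapped SIDs joined.
SAMPLE_LOG = """\
[2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
 baggins001 (192.168.1.6) connect to service Temp initially as user bagginsadmin (uid=543, gid=4) (pid 7537)
[2004/10/04 11:59:05, 0] rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
 init_sam_user_info_21A: User bagginsadmin has Primary Group SID S-1-5-32-544,
 which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.
 Failing operation.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+)")
CONFLICT = re.compile(
    r"User (\S+) has Primary Group SID (S-[\d-]+\d),?\s+"
    r"which conflicts with the domain sid (S-[\d-]+\d)")
BUILTIN = "S-1-5-32"  # well-known BUILTIN authority (RID 544 = Administrators)

def entries(text):
    """Group each header line with its indented continuation lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "source": m.group(3), "body": ""}
        elif current is not None:
            current["body"] += " " + line.strip()
    if current:
        yield current

def sid_conflicts(text):
    """Return one finding per primary-group/domain SID mismatch."""
    findings = []
    for e in entries(text):
        m = CONFLICT.search(e["body"])
        if not m:
            continue
        user, group_sid, domain_sid = m.groups()
        parent = group_sid.rpartition("-")[0]  # SID without its final RID
        findings.append({"time": e["time"], "user": user, "group_sid": group_sid,
                         "in_domain": parent == domain_sid, "builtin": parent == BUILTIN})
    return findings

if __name__ == "__main__":
    print(sid_conflicts(SAMPLE_LOG))
```

A finding with "builtin" true and "in_domain" false means the account's primary group is mapped to a BUILTIN alias rather than to a group under the domain SID.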

