[Samba] SuSE 9.1 Pro
rruegner
robert at ruegner.org
Tue Oct 5 18:28:26 GMT 2004
Chuck Chauvin wrote:
> My entire smb.conf file is listed in the thread "[Samba] Samba 3.0.4 Profile
> Permissions".
>
> I'll post it here as well.
>
> My layout is fairly simple. I have one machine in my network running Linux
> and Samba that acts as a Primary Domain Controller. It resides at IP address
> 192.168.1.100 while all of the other machines on my network (all Windows XP
> clients) have an IP address of 192.168.1.xxx
>
> I currently have this setup running in Mandrake (from about 2 years ago) and
> everything works as it should regarding Samba (version 2.2.4 btw).
>
> All of my clients login to the server using an account and password that
> exists on the Linux machine.
>
> Following this message is my smb.conf and my log files from last night. This
> was with the firewall disabled altogether. I would like a firewall of some
> sort on this server so disabling the firewall doesn't really make me feel
> all that comfortable but if it doesn't work right, it doesn't work. I have
> ports 137, 138, 139 and 445 open, according to YaST, but this still will not
> work. I (usually) can't even see the Domain Controller while the firewall is
> running. I say usually because sometimes I do... and I hadn't changed a
> thing. It's there one minute and gone the next.
>
> When you look at the log files you will notice that I attempted to log in
> with a user account of bagginsadmin which is a member of the adm group. The
> adm group is set in all of my Windows XP clients as a member of the
> Administrators group so that I can use this particular login to access any
> of my XP clients and make any necessary modifications.
>
> When I attempted to login last night I got the following error:
>
> "Windows did not load your roaming profile and is attempting to log you on
> with your local profile. Changes to the profile will not be copied to the
> server when you logoff. Windows did not load your profile because a server
> copy of the profile folder already exists that does not have the correct
> security. Either the current user or the Administrator's group must be the
> owner of the folder. Contact your network administrator."
>
>
> I then attempted to login with my own account (also a member of the adm
> group) and got this error:
>
>
> "Windows cannot log you in now because the domain BAGGINS is not available."
>
>
> I then created a new user account in Linux and Samba and attempted to login.
> I get the same error.
>
> When I login using the original administrative account above I get access to
> most of the shares that I have setup. My network logon script runs just
> fine. I do not, however, have Administrative privileges on the XP client.
> When I attempt to modify the XP client Administrators group I get a list of
> numbers as the members instead of what I am used to seeing (i.e.
> BAGGINS\unix_group.XXXXXXX).
>
> Now I am sure that the following line in my log.smbd explains what is going
> wrong but I'll be snookered if I knew what it meant:
>
> [2004/10/04 11:59:05, 0] rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
> init_sam_user_info_21A: User bagginsadmin has Primary Group SID S-1-5-32-544,
> which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.
> Failing operation.
>
>
> So, having said all of that, here are my configuration and log files.
>
> As always, any help is greatly appreciated.
>
>
> [global]
> workgroup = BAGGINS
> security = user
> encrypt passwords = yes
> passdb backend = smbpasswd
> server string = Domain Controller
> netbios name = BILBO
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
> domain master = yes
> domain logons = yes
> logon script = logon.cmd
> local master = yes
> preferred master = yes
> os level = 65
>
> [homes]
> comment = Home Directory for %u
> path = /home/%u
> read only = No
> browseable = No
>
> [Projects]
> comment = Project Folders
> path = /data-1/projects
> admin users = @Design, adm, Manager
> read only = No
> create mask = 0775
> force create mode = 0775
> force security mode = 0775
> force directory mode = 0775
> force directory security mode = 0775
>
> [Temp]
> comment = Temporary Space
> path = /data-1/temp
> admin users = @Design, adm, Manager
> read only = No
> create mask = 0777
>
> [Archive]
> comment = Archived Projects
> path = /data-1/archive
> write list = @adm
> security mask = 0755
> directory security mask = 0755
> guest ok = Yes
>
> [netlogon]
> comment = Network Logon Service
> path = /etc/samba/netlogon
> guest ok = Yes
>
> [Profiles]
> path = /home/%u/profile
> browseable = No
> writeable = yes
> nt acl support = yes
>
> My log.smbd
>
> [2004/10/04 11:55:00, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service bagginsadmin initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:55:00, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 11:55:04, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service bagginsadmin initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:55:13, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 11:55:14, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service bagginsadmin initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:55:15, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service netlogon initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:56:50, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service netlogon
> [2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service Archive initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service Projects initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:58:43, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service Temp initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 11:59:05, 0] rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
> init_sam_user_info_21A: User bagginsadmin has Primary Group SID S-1-5-32-544,
> which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.
> Failing operation.
> [2004/10/04 12:00:21, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 12:00:24, 1] smbd/service.c:make_connection_snum(619)
> baggins001 (192.168.1.6) connect to service bagginsadmin initially as user
> bagginsadmin (uid=543, gid=4) (pid 7537)
> [2004/10/04 12:00:24, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service bagginsadmin
> [2004/10/04 12:01:23, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service Archive
> [2004/10/04 12:01:23, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service Projects
> [2004/10/04 12:01:23, 1] smbd/service.c:close_cnum(801)
> baggins001 (192.168.1.6) closed connection to service Temp
>
> My log.nmbd
>
> *****
> [2004/10/04 08:34:07, 0] nmbd/nmbd.c:terminate(54)
> Got SIGTERM: going down...
> [2004/10/04 09:59:49, 0] nmbd/nmbd.c:main(664)
> Netbios nameserver version 3.0.4-SUSE started.
> Copyright Andrew Tridgell and the Samba Team 1994-2004
> [2004/10/04 09:59:49, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
> add_domain_logon_names:
> Attempting to become logon server for workgroup BAGGINS on subnet
> 192.168.1.100
> [2004/10/04 09:59:49, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
> become_domain_master_browser_bcast:
> Attempting to become domain master browser on workgroup BAGGINS on subnet
> 192.168.1.100
> [2004/10/04 09:59:49, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
> become_domain_master_browser_bcast: querying subnet 192.168.1.100 for
> domain master browser on workgroup BAGGINS
> [2004/10/04 09:59:53, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(124)
> become_logon_server_success: Samba is now a logon server for workgroup
> BAGGINS on subnet 192.168.1.100
> [2004/10/04 09:59:57, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
> *****
>
> Samba server BILBO is now a domain master browser for workgroup BAGGINS on
> subnet 192.168.1.100
>
> *****
> [2004/10/04 10:00:13, 0] nmbd/nmbd_become_lmb.c:become_local_master_stage2(396)
> *****
>
> Samba name server BILBO is now a local master browser for workgroup
> BAGGINS on subnet 192.168.1.100
>
> *****
>
>
>
>
>
> ---------- Original Message -----------
> From: rruegner <robert at ruegner.org>
> To: Holger Krull <holger.krull at gmx.de>
> Sent: Tue, 05 Oct 2004 14:50:14 +0200
> Subject: Re: [Samba] SuSE 9.1 Pro
>
>
>>Holger Krull wrote:
>>
>>>>Hi, the simple answer is don't use suse firewall (iptables scripts are
>>>>easy to google)
>>>>and study more chapters from Samba Browsing
>>>
>>>
>>>That's not very nice, the Suse 'firewall' is well written. And you can't
>>>expect everyone to learn that much about packet filtering just to run samba.
>>>And it works with samba.
>>>
>>
>>Sorry Holger, but my opinion is different, suse firewall may be well
>>written, but learning about packet filtering and networking is
>>helpful in any way. If you don't push the button block internal
>>interface in yast and you bind samba to your internal nic
>>suse firewall is not involved with your samba stuff. If you want to use
>>samba through nat or suse firewall, you should take your own iptables
>>script, cause you can't really adjust this in suse firewall. For more
>>help post more of your desired network layout and your samba conf. Regards
>
> ------- End of Original Message -------
>
>
> --
> Chuck Chauvin
> Network Administrator
> clchauvin at edcaugusta.com
>
Hi Chuck, now I think it is clear that your firewall is not involved;
anyway, disable it until you fetch the bug.
At a short look:
> User bagginsadmin has Primary Group SID S-1-5-32-544,
> which conflicts with the domain sid S-1-5-21-2763611909-969304523-3334035465.
> Failing operation.
your user is not a domain user,
your smb.conf is very small for a pdc but should be enough,
as your samba does log, no blocking by a firewall is done.
In my suse setup I have
passdb backend = smbpasswd:/etc/samba/smbpasswd
Check if the user exists in /etc/passwd
and create him with smbpasswd -a user
This should help you out, but I recommend reading more of the samba faq and
suse example conf as well, because you're missing very useful parameters in
your conf.
Regards
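
The check behind the `init_sam_user_info_21A` log entry quoted in this thread, as an added example that is not part of the original post or of Samba's code: a primary group SID is accepted only when it is the domain SID plus one final RID. The function names and the small RID table are assumptions of this sketch; the sample log text is constructed from the entry quoted above, wrapped SIDs and quote markers included.

```python
import re

# Constructed sample: the conflict entry as quoted in the thread, still
# carrying e-mail quote markers and with both SIDs broken by line wrapping.
SAMPLE_LOG = """\
> [2004/10/04 11:59:05, 0] rpc_parse/parse_samr.c:init_sam_user_info21A(5988)
> init_sam_user_info_21A: User bagginsadmin has Primary Group SID S-1-5-32-
> 544,
> which conflicts with the domain sid S-1-5-21-2763611909-969304523-
> 3334035465. Failing operation.
"""

BUILTIN_DOMAIN = "S-1-5-32"  # well-known BUILTIN domain SID
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}

SID = r"(S-\d+(?:-\d+)+)"
CONFLICT = re.compile(
    r"User (\S+) has Primary Group SID " + SID +
    r",\s*which conflicts with the domain sid " + SID)

def unwrap(text):
    """Drop '>' quote markers and rejoin SIDs split after a trailing '-'."""
    joined = ""
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).strip()
        joined += line if joined.endswith("-") else " " + line
    return joined.strip()

def split_sid(sid):
    """Split a SID into (everything before the last sub-authority, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def in_domain(sid, domain_sid):
    """True when sid is exactly domain_sid followed by one RID."""
    return split_sid(sid)[0] == domain_sid

def find_conflicts(text):
    """Return one record per primary-group conflict in the log text."""
    found = []
    for user, group_sid, domain_sid in CONFLICT.findall(unwrap(text)):
        prefix, rid = split_sid(group_sid)
        name = BUILTIN_RIDS.get(rid) if prefix == BUILTIN_DOMAIN else None
        found.append({"user": user, "group_sid": group_sid,
                      "domain_sid": domain_sid,
                      "in_domain": in_domain(group_sid, domain_sid),
                      "builtin_group": name})
    return found
```

For the entry in this thread, the record shows the primary group resolving to the BUILTIN Administrators alias rather than to a group under the BAGGINS domain SID.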