[Samba] Samba Upgrade Yields Undesired Domain-Wide IE High Security

William Jojo jojowil at hvcc.edu
Thu Feb 24 15:37:28 GMT 2005



Roy,


Have you verified that you are using the same SID after the migration?

If the SID has changed, you cannot simply change it back as that will
break your machine trusts.

I imagine you have not received a response since you are running 2.2.12
which is a deprecated code path. You should really consider upgrading to
3.0.11.

At any rate, if you do a smbpasswd -X on the two servers you'll find the
two SIDs are different. I venture this guess based on the fact you omit
information on secrets.tdb being copied over (and the smbpasswd file).

The ntuser.dat files in your user workspaces are not owned by the user
since the internal permissions reflect the old SID.

There are several choices:

1) use smbpasswd -W to set the old SID on the new server and rejoin
everything. Or just copy the secrets.tdb from the old server to the new
assuming the servername and domain are the same.

2) Clean all the profiles and start over (not your best option).

3) Upgrade to 3.0.11 and use the profiles command in the bin dir of the
distro to modify the internal ACLs of the ntuser.dat


Any way you slice it, there's some work to be done. Personally I'd choose
#1 to get your users happy and plan an upgrade to 3.0.11 as soon as you can
muster the time, and be mindful of secrets.tdb in the future since that is
your server's identity (so to speak).

You can save yourself much work next time by migrating the smbpasswd file
in the private folder as well as the secrets.tdb.

Bill
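To make the SID mismatch Bill describes concrete, here is an added illustration in Python (not Samba's own `profiles` tool, which is what actually rewrites real ntuser.dat hives): it encodes textual SIDs into the binary form stored in registry security descriptors, finds every SID in a hive-like blob that belongs to the old domain, and rewrites the domain part while keeping each user's RID. The domain SIDs and the hive blob are constructed for the example, not values from this thread.

```python
import re
import struct
# Constructed values, not the SIDs from this thread: the old PDC's domain SID
# (still baked into the profiles) and the new server's domain SID.
OLD_DOMAIN = "S-1-5-21-1-2-3"
NEW_DOMAIN = "S-1-5-21-9-8-7"
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def sid_to_bytes(sid):
    """Textual SID -> binary SID: revision, sub-authority count,
    48-bit big-endian authority, then 32-bit little-endian sub-authorities."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %s" % sid)
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    return (bytes([1, len(subs)]) + int(m.group(1)).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(data):
    # Inverse of sid_to_bytes; extra trailing bytes are ignored.
    subs = struct.unpack("<%dI" % data[1], data[8:8 + 4 * data[1]])
    return "S-%d-%d-%s" % (data[0], int.from_bytes(data[2:8], "big"),
                           "-".join(str(s) for s in subs))

def find_domain_sids(blob, domain_sid):
    """Offsets of each binary SID that is domain_sid or a domain_sid + RID."""
    dom = sid_to_bytes(domain_sid)
    tail, count = dom[2:], dom[1]          # authority + domain sub-authorities
    hits, pos = [], blob.find(tail)
    while pos != -1:
        start = pos - 2                     # back up over revision and count
        if start >= 0 and blob[start] == 1 and blob[start + 1] >= count:
            hits.append(start)
        pos = blob.find(tail, pos + 1)
    return hits

def rewrite_domain(blob, old_domain, new_domain):
    """Swap the domain part of each old-domain SID, keeping the RID, so an
    ACE for old-domain user 1001 becomes an ACE for new-domain user 1001."""
    old, new = sid_to_bytes(old_domain), sid_to_bytes(new_domain)
    if len(old) != len(new):
        raise ValueError("domain SIDs must have equal sub-authority counts")
    out = bytearray(blob)
    for off in find_domain_sids(blob, old_domain):
        out[off + 2:off + len(old)] = new[2:]
    return bytes(out)

def build_sample_hive():
    # Constructed stand-in for ntuser.dat: a user SID, a BUILTIN SID that
    # must stay untouched, and the bare domain SID, between filler bytes.
    return (b"skhd" + sid_to_bytes(OLD_DOMAIN + "-1001") + b"\x00"
            + sid_to_bytes("S-1-5-32-544") + sid_to_bytes(OLD_DOMAIN))
```

Same-length in-place rewriting is what keeps the hive structurally intact; SIDs outside the old domain (here BUILTIN\Administrators) are left alone.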



On Thu, 24 Feb 2005, RA Cohen wrote:

> Forgive the repost, but I've changed the subject line since I
> haven't seen a reply yet...please help, I don't have much hair
> left!
>
> Hello All,
>
> I had been successfully running Samba 2.2.8a on a FreeBSD 4.7
> box for a couple years using roaming profiles. The box was
> functioning as PDC. The hardware was getting old; I needed to
> migrate to a new server. So, I built a FreeBSD 5.3-RELEASE box
> on some relatively modern hardware and installed Samba 2.2.12. I
> copied the master.passwd file to the new box, did the pwd_mkdb,
> also copied the group file. Then I tarred all the home
> directories on the old server, and untarred them on the new
> server. Same with all the shares. Also used the same smb.conf
> file.
>
> As far as the users go, I am having them re-initialize their
> passwords thru Usermin so their Samba passwords are now synched
> with their FreeBSD/Unix passwords. I also manually joined each
> machine to the domain, first on the server by smbpasswd -a -m
> MACHINENAME, then actually went around to each (thank goodness
> only 65 machines) machine, unjoined it from the domain by
> putting them back into a workgroup, then joined the domain
> again. No problem. Users can log into the domain from any
> machine, get their roaming profiles, use their shares, etc. In
> short, everything seems to work BUT here's the "gotcha":
>
> Somehow, the security settings for Internet Explorer have been
> set to medium for the entire domain. I have not a clue how this
> has happened, but it means the users have to click thru numerous
> "When you send information to the internet, it might be possible
> for others to see that information. Do you want to continue?"
> This pops up anytime a form is submitted. Also, file downloads
> are now not possible.
>
> I fail to understand how this has happened. And, the IE settings
> cannot be changed, they simply revert back to the medium
> setting. It is this behavior that makes me conclude this is a
> domain-wide situation. When I log in to any of the machines as a
> local administrator, the IE settings are at a custom level that
> does permit more unrestricted browsing. I never created any
> policies for this, so I assume they were the defaults for Win2K
> with pretty much the latest patches, etc. I've also compared
> file permissions and ownerships with those on the old server,
> they seem to be the same.
>
> Any help would be greatly appreciated...Thank you in advance.
>
> Roy
>
> PS Here's the relevant parts of smb.conf:
>
> [global]
>         workgroup = XXXX
>         netbios name = YYYYYYYY
>         server string = Samba PDC running %v
>         encrypt passwords = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *Enter*new*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *passwd: *all*authentication*tokens*updated*successfully*
>         unix password sync = Yes
>         log level = 2
>         log file = /var/log/samba/log.%m
>         max log size = 50
>         name resolve order = wins lmhosts hosts bcast
>         time server = Yes
>         lpq cache time = 20
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>         total print jobs = 100
>         logon drive = Q:
>         logon home = \\%L\%U\.profile
>         domain logons = Yes
>         os level = 255
>         preferred master = Yes
>         domain master = Yes
>         wins support = Yes
>         logon script = %u.bat
>         domain admin group = netadmins
>
> [netlogon]
>         path = /usr/local/samba/lib/netlogon
>         browseable = No
>         root preexec = perl /usr/local/samba/lib/netlogon/genlogon.pl %u %g %m
>         root postexec = perl /usr/local/samba/lib/netlogon/genlogoff.pl %u
>
>
>
>

