[Samba] Cannot connect to NT 4 BDC Server

Marc-Henri PAMISEUX marc-henri at pamiseux.nom.fr
Sat May 12 01:44:12 GMT 2007


Hi all,

I have been using Samba for a long time, and I needed to configure it for a
client who wants to replace his old NT 4.0 server (acting as a PDC).

I've installed Samba version 3.0.22 on an Ubuntu Server (kernel
2.6.17-10-generic). As my client was interested in LDAP, I've joined Samba
with LDAP.

My Samba server was first acting as a BDC; then I vampirised all the NT4
accounts, and everything worked fine.
I put my Samba server in PDC mode, so the NT4 server was demoted to a BDC
(the Network Access service was now off). On the NT4 server, when I go to the
domain users interface, I can see all my LDAP users.

I've added some users in LDAP, and I can see them in the NT4 user interface.

To simplify, I will call the NT4 server SERVEUR and the Samba 3 server SAMBA.

When I want to connect from a workstation on the LAN to SERVEUR (at first I
wasn't able to connect because of a strange credential error, but I've resolved
that problem) using an account imported into LDAP by the vampirise step, everything
works fine. But when I want to connect to SERVEUR using a new account I
created in LDAP myself, everything looks wrong.

When I want to connect to SERVEUR from SAMBA using a new user account,
I use the following command, and the result is NT_STATUS_LOGON_FAILURE:

# smbclient -d 4 -W ALITEC -U marcori //SERVEUR/usr
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = ALITEC
doing parameter netbios name = ALBERTINE
handle_netbios_name: set global_myname to: ALBERTINE
doing parameter server string = Samba-LDAP PDC Server
doing parameter syslog = 0
doing parameter syslog only = no
doing parameter log level = 2
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter os level = 80
doing parameter local master = yes
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter announce version = 5.2
doing parameter announce as = NT Server
doing parameter domain logons = Yes
doing parameter logon script = script.bat
doing parameter logon drive = U:
doing parameter logon home = \\%L\%U
doing parameter logon path = \\%L\%U\.winprofile
doing parameter name resolve order = wins lmhosts hosts bcast
doing parameter dns proxy = yes
doing parameter wins proxy = No
doing parameter wins support = Yes
doing parameter time server = yes
doing parameter include = /etc/samba/dhcp.conf
params.c:pm_process() - Processing configuration file "/etc/samba/dhcp.conf"
doing parameter security = user
doing parameter null passwords = no
doing parameter unix password sync = no
doing parameter encrypt passwords = true
doing parameter update encrypted = yes
doing parameter passdb backend = ldapsam:ldap://192.168.5.11/
doing parameter admin users = @SmbDomAdmins
doing parameter guest account = guest
doing parameter username map = /etc/samba/smbusers
doing parameter password level = 5
doing parameter username level = 5
doing parameter ldap delete dn = yes
doing parameter ldap admin dn = cn=admin,ou=ldapadmins,dc=all4tec,dc=net
doing parameter ldap suffix = dc=all4tec,dc=net
doing parameter ldap user suffix = ou=users
doing parameter ldap group suffix = ou=groups
doing parameter ldap machine suffix = ou=machines
doing parameter ldap ssl = no
doing parameter ldap passwd sync = Yes
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter add machine script = /usr/sbin/smbldap-useradd -w -i "%u"
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter bind interfaces only = true
doing parameter interfaces = 127.0.0.1 192.168.5.11
doing parameter remote announce = 192.168.5.255/ALITEC
doing parameter socket options = IPTOS_LOWDELAY SO_KEEPALIVE TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter preserve case = yes
doing parameter short preserve case = Yes
doing parameter case sensitive = No
doing parameter dos charset = 850
doing parameter unix charset = UTF-8
doing parameter hide files = /.*/desktop.ini/ntuser.ini/NTUSER.*/
doing parameter veto files = /*.eml/*.nws/*.{*}/
doing parameter veto oplock files = /*.doc/*.xml/*.mdb/
doing parameter oplocks = yes
doing parameter level2 oplocks = yes
doing parameter strict locking = yes
doing parameter posix locking = yes
doing parameter kernel oplocks = yes
doing parameter oplock contention limit = 2
doing parameter share modes = yes
doing parameter acl compatibility = win2k
doing parameter nt acl support = Yes
doing parameter map acl inherit = yes
doing parameter passdb expand explicit = no
doing parameter use spnego = yes
doing parameter disable netbios = no
doing parameter client schannel = yes
doing parameter server schannel = yes
doing parameter host msdfs = Yes
doing parameter smb ports = 139 445
doing parameter hosts allow = 123.53.5.0/24 192.168.5.0/24 127.0.0.1
doing parameter hosts deny = 0.0.0.0/0
doing parameter winbind use default domain = Yes
pm_process() returned Yes
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.5.11 bcast=192.168.5.255 nmask=255.255.255.0
Client started (version 3.0.22).
Connecting to 192.168.5.12 at port 445
error connecting to 192.168.5.12:445 (Connection refused)
Connecting to 192.168.5.12 at port 139
 session request ok
Password:
session setup failed: NT_STATUS_LOGON_FAILURE


As you can see, it doesn't work. When I use the same command with
another user who was imported into LDAP using net rpc vampire, everything works
fine:

smbclient -d 4 -W ALITEC -U importeduser //SERVEUR/usr
[ ... same parameter dump as above ... ]
Client started (version 3.0.22).
Connecting to 192.168.5.12 at port 445
error connecting to 192.168.5.12:445 (Connection refused)
Connecting to 192.168.5.12 at port 139
 session request ok
Password:
Domain=[ALITEC] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]
 session setup ok
 tconx ok
dos_clean_name []
smb: \> exit


Something else: when I try to connect from SERVEUR to SAMBA using the
LDAP user I've just added, everything works nicely:

C:\> NET USE P: \\SAMBA\partage /USER:ALITEC\marcori

Type the password for \\SAMBA\partage:
The command completed successfully.

C:\> P:
P:\> dir
[ ... some files ... ]
P:\> C:
C:\> NET USE P: /DELETE

Connections can be established in only one direction!

In fact, when I go to the NT4 server, in the domain user interface, menu
Policies -> User Rights, I can't see any policy defined (they were
defined before it was acting as a BDC).

Before adding any policies, I created some well-defined groups and
group mappings:

# net groupmap list
Administrators (S-1-5-32-544) -> SmbAdministrators
Replicators (S-1-5-32-552) -> SmbReplicators
Account Operators (S-1-5-32-548) -> SmbAccountOperators
Backup Operators (S-1-5-32-551) -> SmbBackupOperators
Domain Admins (S-1-5-21-114968459-120084214-1990678075-512) -> SmbDomAdmins
Domain Computers (S-1-5-21-114968459-120084214-1990678075-515) -> SmbDomComputers
Domain Guests (S-1-5-21-114968459-120084214-1990678075-514) -> SmbDomGuests
Domain Users (S-1-5-21-114968459-120084214-1990678075-513) -> SmbDomUsers
Print Operators (S-1-5-32-550) -> SmbPrintOperators
Guests (S-1-5-32-546) -> SmbGuests
Server Operators (S-1-5-32-549) -> SmbServerOperators
Users (S-1-5-32-545) -> SmbUsers
Anonymous (S-1-5-7) -> SmbAnonymous
Power Users (S-1-5-32-547) -> SmbPowerUsers

So I've tried to add some user policies; NT4 can see my groups, but when
I try to add one, I get an error like 'A device attached to the system is
not functioning' or something like that...

When I try to modify the LDAP user I've added, I get an error indicating that
NT4 can't find the primary group name (or any group, in reality).

My question is: is it possible to connect to an NT4 server acting as a
BDC, or should I demote the NT4 server to a standalone server (and then join
it to the Samba PDC)?

Another question: is it possible to demote an NT4 server acting as a BDC
to a standalone server, and how can I do that without reinstalling NT4?

Do you know of some free utility, or some registry key to change?

Best Regards,


-- 

Marc-Henri PAMISEUX

e-mail marc-henri at pamiseux.nom.fr
Tel. +33 0 243 020 161

31, rue des closeaux
53240 SAINT JEAN SUR MAYENNE
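Added diagnostic, not part of the original message and not Samba's own tooling: before blaming the NT4 side, it is worth checking that the hand-created ldapsam entries carry the attributes a Windows domain member needs to resolve and authenticate the user (a sambaSID inside the domain, a sambaPrimaryGroupSID that is actually mapped, an enabled account, an NT hash). The script parses the `net groupmap list` output quoted above to derive the domain SID, then audits sambaSamAccount entries read from a constructed LDIF; the two entries are hypothetical, and only the domain SID and group RIDs come from the post. One caveat a practitioner should keep in mind: Samba 3 does not implement the NT4 SAM replication protocol, so accounts created in the Samba/LDAP backend after the vampire step are never pushed into an NT4 BDC's local SAM; a clean audit result rules out the backend, not that replication gap.

```python
import re

# Output of `net groupmap list` as quoted in the post (the page's own SIDs).
GROUPMAP_OUTPUT = """\
Administrators (S-1-5-32-544) -> SmbAdministrators
Replicators (S-1-5-32-552) -> SmbReplicators
Account Operators (S-1-5-32-548) -> SmbAccountOperators
Backup Operators (S-1-5-32-551) -> SmbBackupOperators
Domain Admins (S-1-5-21-114968459-120084214-1990678075-512) -> SmbDomAdmins
Domain Computers (S-1-5-21-114968459-120084214-1990678075-515) -> SmbDomComputers
Domain Guests (S-1-5-21-114968459-120084214-1990678075-514) -> SmbDomGuests
Domain Users (S-1-5-21-114968459-120084214-1990678075-513) -> SmbDomUsers
Print Operators (S-1-5-32-550) -> SmbPrintOperators
Guests (S-1-5-32-546) -> SmbGuests
Server Operators (S-1-5-32-549) -> SmbServerOperators
Users (S-1-5-32-545) -> SmbUsers
Anonymous (S-1-5-7) -> SmbAnonymous
Power Users (S-1-5-32-547) -> SmbPowerUsers
"""

# Constructed LDIF, not the poster's data: an entry shaped like a vampired
# account, and a hypothetical hand-added one carrying the defects checked below.
SAMPLE_LDIF = """\
dn: uid=importeduser,ou=users,dc=all4tec,dc=net
objectClass: sambaSamAccount
uid: importeduser
sambaSID: S-1-5-21-114968459-120084214-1990678075-1104
sambaPrimaryGroupSID: S-1-5-21-114968459-120084214-1990678075-513
sambaAcctFlags: [U          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=marcori,ou=users,dc=all4tec,dc=net
objectClass: sambaSamAccount
uid: marcori
sambaSID: S-1-5-21-114968459-120084214-1990678075-3000
sambaPrimaryGroupSID: S-1-5-21-114968459-120084214-1990678075-1001
sambaAcctFlags: [UD         ]
"""

GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Map SID -> (NT group name, UNIX group) from `net groupmap list` output."""
    matches = (GROUPMAP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group("sid"): (m.group("name"), m.group("unix")) for m in matches if m}


def domain_sid(mapping):
    """Domain SID = common prefix of the S-1-5-21-... mappings with the RID stripped."""
    prefixes = {sid.rsplit("-", 1)[0] for sid in mapping if sid.startswith("S-1-5-21-")}
    if len(prefixes) != 1:
        raise ValueError("expected one domain SID, found %r" % sorted(prefixes))
    return prefixes.pop()


def parse_ldif(text):
    """Minimal LDIF reader ('attr: value' lines, blank line between entries);
    base64 '::' values and folded lines are not needed for these attributes."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()] = value.strip()
    if cur:
        entries.append(cur)
    return entries


def check_user(entry, mapping, dom_sid):
    """Reasons a Windows domain member could fail to resolve or log on this account."""
    problems = []
    sid = entry.get("sambaSID")
    if not sid:
        problems.append("missing sambaSID")
    elif sid.rsplit("-", 1)[0] != dom_sid:
        problems.append("sambaSID %s is not in domain %s" % (sid, dom_sid))
    pgrp = entry.get("sambaPrimaryGroupSID")
    if not pgrp:
        problems.append("missing sambaPrimaryGroupSID")
    elif pgrp not in mapping:
        problems.append("sambaPrimaryGroupSID %s has no group mapping" % pgrp)
    flags = entry.get("sambaAcctFlags", "")
    if "D" in flags:
        problems.append("account is disabled (sambaAcctFlags %s)" % flags)
    if not entry.get("sambaNTPassword"):
        problems.append("no sambaNTPassword, so NTLM logon cannot succeed")
    return problems


def audit(ldif_text, groupmap_text):
    """uid -> list of problems; an empty list means the entry passed every check."""
    mapping = parse_groupmap(groupmap_text)
    dom = domain_sid(mapping)
    return {e["uid"]: check_user(e, mapping, dom) for e in parse_ldif(ldif_text)
            if "sambaSamAccount" in e.get("objectClass", "")}
```

To use it against a real server, feed audit() the actual output of `net groupmap list` and an export such as `ldapsearch -x -b ou=users,dc=all4tec,dc=net objectClass=sambaSamAccount`; it returns a dict of uid to problem list, and on the constructed input above importeduser passes while marcori is flagged for an unmapped primary group, a disabled flag and a missing NT hash.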

