[Samba] windows 7

Todd E Thomas todd_dsm at ssiresults.com
Thu Nov 25 08:41:56 MST 2010


Jonathan, thank you for taking an interest in this. I did have this 
directive in the smb.conf file.

To reiterate, the users log on, seemingly without fail. The workstations 
add to ldap without error; they only have a problem when trying to auth 
after the add to ldap. These are the relevant bits of the log:

Adding workstation to the domain:
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16,  2] 
passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:16 mail smbd[28796]:   init_ldap_from_sam: Setting entry 
for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid 
== 7TEST1$ in the LDAP database

After adding the workstation to the domain, reboot, login user:
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: 
netlogon_creds_server_check failed. Rejecting auth request from client 
7TEST1 machine account 7TEST1$
...
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] 
auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication 
for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
...
Nov 22 10:38:00 mail smbd[19317]: [2010/11/22 10:38:00,  2] 
auth/auth.c:check_ntlm_password(308)
Nov 22 10:38:00 mail smbd[19317]:   check_ntlm_password:  authentication 
for user [thomas] -> [thomas] -> [thomas] succeeded



For some reason my attachments were stripped out on the last send. For 
posterity, this is the smb.conf file.


# smb.conf from the book:
# Using Samba, Third Edition; January 2007
# Server role: ROLE_DOMAIN_PDC

# ----------------------- Browser Control Options ----------------------------
[global]
         workgroup = OFFICE
         netbios name = SERVER
         server string = Server %v
         encrypt passwords = yes
         security = user
         domain master = yes
         domain logons = yes
         os level = 35
         preferred master = yes
         local master = yes
;       max smbd processes = 0
# ------------------------- LDAP Authentication ------------------------------
         ldap passwd sync = yes
         ldap ssl = off
         ldap timeout = 60
         ldap connection timeout = 2
         passdb backend = ldapsam:ldap://mail.domain.tld:389
         ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
         ldap suffix = dc=domain,dc=tld
         ldap group suffix = ou=groups
         ldap user suffix = ou=people
         ldap machine suffix = ou=machines
# -------------------------- Universal Options -------------------------------
         dos charset = ASCII
         unix charset = UTF-8
         time server = yes
         ntlm auth = yes
         client lanman auth = yes
         lanman auth = no
         client plaintext auth = no
         pam password change = yes
         obey pam restrictions = yes
         server signing = Disabled
         passwd program = /usr/bin/passwd %u
         passwd chat = *New*password* %n\n Retype*new*password* %n\n *updated*
         username map = /etc/samba/smbusers
         wins support = yes
         name resolve order = wins bcast hosts
         logon script = %G.vbs
         logon path =
         logon drive = H:
         logon home =
         interfaces = lo eth0
         bind interfaces only = yes
         hosts deny = ALL
         hosts allow = 127. 10.0.0.0/24
         socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=32768 SO_RCVBUF=32768
         enable privileges = yes
         dns proxy = no
         create mask = 0777
         directory mask = 0777
         panic action = /usr/share/samba/panic-action %d
# ------------------------------- Printing -----------------------------------
         load printers = no
         show add printer wizard = no
         printcap name = /etc/printcap
;       printing = cups
;       printcap name = cups
;       show add printer wizard = no
;       use sendfile = yes
# --------------------------- Logging Options --------------------------------
         log file = /var/log/samba/%m.log
         syslog = 3
         log level = 3
         max log size = 1000
         syslog only = no
# --------------------------- Samba Scripting --------------------------------
         add machine script = /usr/sbin/useradd -n -g 100 -c "Workstation (%u)" -M -d /nohome -s /sbin/nologin "%u"
         add user script = /usr/sbin/useradd -n -g 100 -d /export/homes/"%u" -s /sbin/nologin "%u"
         delete user script = /usr/sbin/userdel "%u"
         add group script = /usr/sbin/groupadd "%g"
         delete group script = /usr/sbin/groupdel "%g"
         add user to group script = /usr/bin/gpasswd -a "%u" "%g"
         delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
         set primary group script = /usr/sbin/usermod -g "%g" "%u"




Todd E Thomas
"It's a frail music knits the world together."
-Robert Dana




On 11/23/2010 03:35 PM, Jonathan Knight wrote:
>
> I think the problem that you are seeing is that the Windows 7 PC will 
> join the domain but then fail to log any users on.
>
> There is some better documentation out there, but the solution is to have
>
>    server signing = disabled
>
> in your smb.conf.




I too have this very same problem. I've searched my Samba List mail 
folder and there are 64 emails on this very subject - all seemingly 
unanswered. Perhaps we could put a wooden stake through the heart of 
this beast once and for all.

I'm not sure what the cone of silence is about but, once again, for 
posterity...

Apply fixes from the samba wiki:
http://wiki.samba.org/index.php/Windows7
   *Registry hacks (attached)
   *kb2171571 hotfixes


$ smbd -V
Version 3.3.8-0.52.el5_5.2

cat /etc/redhat-release
CentOS release 5.5 (Final) (though this seems not to be platform-specific)

Client: Win7 Pro (registered and fully patched)
1) Right-click on Computer > Properties > Change Settings
2) Enter workgroup value > OK; authenticate to add Windows 7 client to 
the domain
3) tail -f /var/log/messages for relevant entries:
...
(A full log of all transactions is attached)
Nov 22 10:06:15 mail smbd[28796]: [2010/11/22 10:06:15,  2] 
lib/smbldap.c:smbldap_open_connection(856)
Nov 22 10:06:15 mail smbd[28796]:   smbldap_open_connection: connection 
opened
...
Nov 22 10:06:15 mail smbd[28796]: [2010/11/22 10:06:15,  2] 
auth/auth.c:check_ntlm_password(308)
Nov 22 10:06:15 mail smbd[28796]:   check_ntlm_password:  authentication 
for user [admin] -> [root] -> [root] succeeded
...
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16,  2] 
lib/smbldap_util.c:smbldap_search_domain_info(277)
Nov 22 10:06:16 mail smbd[28796]:   smbldap_search_domain_info: 
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
Nov 22 10:06:16 mail smbd[28796]: [2010/11/22 10:06:16,  2] 
passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:16 mail smbd[28796]:   init_ldap_from_sam: Setting entry 
for user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:ldapsam_add_sam_account(2303)
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid 
== 7TEST1$ in the LDAP database
...
Strangely, this happens 12 times
Nov 22 10:06:17 mail smbd[28796]:   init_sam_from_ldap: Entry found for 
user: 7TEST1$
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:init_sam_from_ldap(571)

And this, another 5 times:
Nov 22 10:06:17 mail smbd[28796]: [2010/11/22 10:06:17,  2] 
passdb/pdb_ldap.c:init_ldap_from_sam(1128)
Nov 22 10:06:17 mail smbd[28796]:   init_ldap_from_sam: Setting entry 
for user: 7TEST1$
maybe this is normal for setting flags, passwords, sids, et al(?).
---
Nov 22 10:07:34 mail smbd[28796]: [2010/11/22 10:07:34,  2] 
passdb/pdb_ldap.c:ldapsam_update_sam_account(1979)
Nov 22 10:07:34 mail smbd[28796]:   ldapsam_update_sam_account: 
successfully modified uid = 7TEST1$ in the LDAP database
...
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: 
netlogon_creds_server_check failed. Rejecting auth request from client 
7TEST1 machine account 7TEST1$

4) Reboot anyway...
5) Login as user thomas
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] 
auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication 
for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
...
Nov 22 10:38:00 mail smbd[19317]: [2010/11/22 10:38:00,  2] 
auth/auth.c:check_ntlm_password(308)
Nov 22 10:38:00 mail smbd[19317]:   check_ntlm_password:  authentication 
for user [thomas] -> [thomas] -> [thomas] succeeded

6) Desktop loads as it should. Brief permissions check on mapped drives 
from logon script seems to be solid. Workstation account still fails to 
auth.

7) Double checked for CentOS AVC Denials: none.
---


The workstation account can be verified from a few different angles:


$  getent passwd
...
7test1$:x:10013:100:Workstation (7test1$):/nohome:/sbin/nologin
...


$ pdbedit -Lv 7TEST1$
smbldap_search_domain_info: Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_domain_info: Searching 
for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: 7TEST1$
Unix username:        7TEST1$
NT username:          7TEST1$
Account Flags:        [W          ]
User SID:             S-1-5-21-1521813849-199949043-3839498338-1005
Primary Group SID:    S-1-5-21-1521813849-199949043-3839498338-513
Full Name:            Workstation (7test1$)
Home Directory:
HomeDir Drive:        H:
Logon Script:         users.vbs
Profile Path:
Domain:               OFFICE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Mon, 22 Nov 2010 10:07:34 CST
Password can change:  Mon, 22 Nov 2010 10:07:34 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF


$  ldapsearch -x -H ldap://${FQDNAME} -b "${LDAPBASEDN}" "(&(uid=7TEST1$)(objectClass=sambaSamAccount))" -D cn=config -w ${LDAPPASSWD}
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=tld> with scope subtree
# filter: (&(uid=7TEST1$)(objectClass=sambaSamAccount))
# requesting: ALL
#

# 7TEST1$, machines, domain.tld
dn: uid=7TEST1$,ou=machines,dc=domain,dc=tld
uid: 7TEST1$
sambaSID: S-1-5-21-1521813849-199949043-3839498338-1005
displayName: Workstation (7test1$)
objectClass: sambaSamAccount
objectClass: account
sambaAcctFlags: [W          ]
sambaNTPassword: B801FD816E64791F0AA328E8FD7586BE
sambaPwdLastSet: 1290442054

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

This looks identical to the WinXP workstations I've added except for the 
errors:
Nov 22 10:07:37 mail smbd[28796]: [2010/11/22 10:07:37,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(555)
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: 
netlogon_creds_server_check failed. Rejecting auth request from client 
7TEST1
&
Nov 22 10:07:45 mail smbd[28796]: [2010/11/22 10:07:45,  2] 
auth/auth.c:check_ntlm_password(318)
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication 
for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER


-- 
Thanks in advance :)

Todd E Thomas
"It's a frail music knits the world together."
-Robert Dana





On 10/25/2010 01:41 AM, Pascal Legrand wrote:
> Hello,
> i'm using Samba  Version : 2:3.5.5~dfsg-1~bpo50+2 from backports
>
> Patch applied :
> http://support.microsoft.com/kb/2171571
>
> Key modified :
> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters] 
>
> "DNSNameResolutionRequired"=dword:00000000
> "DomainCompatibilityMode"=dword:00000001
>
> -------------------------------------------------------------------------------------- 
>
>
> When i include windows7 station into samba domain, everything works 
> fine, but
> i've got a lot of error message :
>
> [2010/10/25 08:19:53.174725,  2] 
> smbd/sesssetup.c:1390(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would 
> close all old
> resources.
> [2010/10/25 08:19:53.177153,  2] 
> smbd/sesssetup.c:1390(setup_new_vc_session)
>    setup_new_vc_session: New VC == 0, if NT4.x compatible we would 
> close all old
> resources.
> [2010/10/25 08:19:53.177843,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [root] ->  [root] ->  
> [root] succeeded
> [2010/10/25 08:19:55.607701,  2] 
> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>    Returning domain sid for domain TEST-SAMBA ->
> S-1-5-21-3551297527-875676932-1423664221
> [2010/10/25 08:19:59.095642,  2]
> ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
>    credentials check failed
> [2010/10/25 08:19:59.095692,  0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
> Rejecting auth
> request from client WINDOWS7 machine account WINDOWS7$
> [2010/10/25 08:20:06.623691,  2] auth/auth.c:314(check_ntlm_password)
>    check_ntlm_password:  Authentication for user [WINDOWS7] ->  
> [WINDOWS7] FAILED
> with error NT_STATUS_NO_SUCH_USER
>
> pdbedit -v WINDOWS7$ :
> -----------------------
> Unix username:        WINDOWS7$
> NT username:
> Account Flags:        [W          ]
> User SID:             S-1-5-21-3551297527-875676932-1423664221-1005
> Primary Group SID:    S-1-5-21-3551297527-875676932-1423664221-513
> Full Name:            WINDOWS7$
> Home Directory:       \\test\windows7_
> HomeDir Drive:        m:
> Logon Script:
> Profile Path:
> Domain:               TEST-SAMBA
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    lun, 25 oct 2010 08:19:55 CEST
> Password can change:  lun, 25 oct 2010 08:19:55 CEST
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
> pdbedit -L WINDOWS7$ :
> -----------------------
> WINDOWS7$:4294967295:WINDOWS7$
>
> What does "4294967295" mean ???
>
> After that when i connect on the windows 7 station with "tiptop" user, 
> i've got
> also some error messages :
>
> [2010/10/25 08:32:58.833370,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] 
> ->  [tiptop]
> succeeded
> [2010/10/25 08:32:58.860904,  1] 
> auth/auth_util.c:580(make_server_info_sam)
>    User WINDOWS7$ in passdb, but getpwnam() fails!
> [2010/10/25 08:32:58.860939,  0] auth/auth_sam.c:493(check_sam_security)
>    check_sam_security: make_server_info_sam() failed with 
> 'NT_STATUS_NO_SUCH_USER'
> [2010/10/25 08:32:58.861009,  2] auth/auth.c:314(check_ntlm_password)
>    check_ntlm_password:  Authentication for user [WINDOWS7$] ->  
> [WINDOWS7$]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/10/25 08:33:00.510068,  2] auth/auth.c:304(check_ntlm_password)
>    check_ntlm_password:  authentication for user [tiptop] ->  [tiptop] 
> ->  [tiptop]
> succeeded
> [2010/10/25 08:33:00.544211,  1] 
> smbd/service.c:1070(make_connection_snum)
>    windows7 (192.168.151.73) connect to service tiptop initially as 
> user tiptop
> (uid=1002, gid=1002) (pid 2098)
>
>
>
> but everything works fine.
> the station exist in the domain, the user can connect on it
>
> is it normal?
> this samba version doesn't well support windows 7 station yet ?
>
>
> Thanks for your help




-- 

---------------------------------------------------------------
Pascal
---------------------------------------------------------------
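
Added example, not part of the original thread: a small Python triage script that pulls the NETLOGON rejections and NTLM results quoted above out of an smbd syslog and groups them per account, so a machine account whose secure channel is rejected stands out from user logons that succeed. The sample log is constructed from lines in this thread (unwrapped), and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: smbd syslog lines quoted in this thread, unwrapped.
SAMPLE_LOG = """\
Nov 22 10:06:15 mail smbd[28796]:   check_ntlm_password:  authentication for user [admin] -> [root] -> [root] succeeded
Nov 22 10:06:17 mail smbd[28796]:   ldapsam_add_sam_account: added: uid == 7TEST1$ in the LDAP database
Nov 22 10:07:37 mail smbd[28796]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client 7TEST1 machine account 7TEST1$
Nov 22 10:07:45 mail smbd[28796]:   check_ntlm_password:  Authentication for user [7TEST1] -> [7TEST1] FAILED with error NT_STATUS_NO_SUCH_USER
Nov 22 10:38:00 mail smbd[19317]:   check_ntlm_password:  authentication for user [thomas] -> [thomas] -> [thomas] succeeded
"""

# One pattern per event; group(1) is always the account name.
# smbd logs "Authentication" (capital A) on failure and "authentication" on success.
PATTERNS = {
    "machine_added": re.compile(
        r"ldapsam_add_sam_account: added: uid == (\S+\$) in the LDAP database"),
    "netlogon_rejected": re.compile(
        r"_netr_ServerAuthenticate\d: netlogon_creds_server_check failed\. "
        r"Rejecting auth request from client \S+ machine account (\S+)"),
    "ntlm_failed": re.compile(
        r"check_ntlm_password:\s+Authentication for user \[([^\]]+)\].*FAILED with error (\S+)"),
    "ntlm_ok": re.compile(
        r"check_ntlm_password:\s+authentication for user \[([^\]]+)\].*succeeded"),
}

def account_key(name):
    """Fold 7TEST1, 7test1$ and 7TEST1$ onto one key; the logs use all three."""
    return name.rstrip("$").upper()

def summarize(log_text):
    """Return (per-account event counts, last NT status seen per account)."""
    stats = defaultdict(lambda: defaultdict(int))
    status = {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                key = account_key(m.group(1))
                stats[key][kind] += 1
                if kind == "ntlm_failed":
                    status[key] = m.group(2)
                break
    return stats, status

def broken_machine_accounts(log_text):
    """Accounts rejected at NETLOGON, mapped to the NT status of their
    later NTLM failure (None if no such failure was logged)."""
    stats, status = summarize(log_text)
    return {k: status.get(k) for k, s in stats.items() if s["netlogon_rejected"]}

if __name__ == "__main__":
    for host, nt_status in broken_machine_accounts(SAMPLE_LOG).items():
        print(f"{host}$: NETLOGON credential check rejected; NTLM result: {nt_status}")
```

The pattern for the rejection line also matches the `_netr_ServerAuthenticate3` variant shown in the Samba 3.5.5 log quoted above.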
