[Samba] Samba 3.6.23 and Windows 7

Harry Jede walk2sun at arcor.de
Fri Nov 7 02:24:58 MST 2014 

On 09:43:38 wrote Jeff Workman:
> On 11/5/2014 7:09 AM, Harry Jede wrote:
> > On 13:03:44 wrote Jeff Workman:
> >> I am using a new name and machine account for the new laptop, and
> >> using a test login that has no NTUSER.DAT file yet.   Where else
> >> can I look to see what's going on?
> >> 
> >> On 10/30/2014 8:43 PM, Karel Lang AFD wrote:
> >>> Hi,
> >>> i think - the SID of the workstation (laptop) respectively the
> >>> RID part of the SID number has changed due the fact it's new
> >>> machine. And - in your profile, that is stored somewhere at
> >>> network drive, there is somewhere stored NTUSER.DAT file
> >>> referring still to SID-RID of old laptop.
> >>> 
> >>> you can compare:
> >>> strings NTUSER.DAT | grep -i S-1-5-21
> >>> with
> >>> pdbedit -Lv machinename
> >>> 
> >>> the SID-RID should be same
> >>> 
> >>> I had same message after migration and changing/rearraging SID
> >>> numbers for machines.
> >>> 
> >>> cheers,
> >>> 
> >>> On 10/31/2014 01:04 AM, Jeff Workman wrote:
> >>>> After being content with an old laptop running XP for years, my
> >>>> job decided to provide me with a shiny new one running Windows 7
> >>>> Professional.
> >>>> 
> >>>> The biggest problem with this is that I can't get the Windows 7
> >>>> box to login to my Samba NT4-style domain controller. I have
> >>>> upgraded samba from 3.0.33 to 3.6.23, and copied my smbpasswd
> >>>> file to where the new samba expects to find it in
> >>>> /var/samba/lib/private. I've applied the following registry
> >>>> changes to my Windows 7 machine:
> >>>> 
> >>>> ; Win7_Samba3DomainMember
> >>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWork
> >>>> st ation\Parameters]
> >>>> 
> >>>> 
> >>>> "DNSNameResolutionRequired"=dword:00000000
> >>>> "DomainCompatibilityMode"=dword:00000001
> >>>> 
> >>>> ; Speedup settings
> >>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> >>>> "SlowLinkDetectEnabled"=dword:00000000
> >>>> "DeleteRoamingCache"=dword:00000001
> >>>> "WaitForNetwork"=dword:00000000
> >>>> "CompatibleRUPSecurity"=dword:00000001
> >>>> 
> >>>> ; Can drive you nuts
> >>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Po
> >>>> li cies\System]
> >>>> 
> >>>> 
> >>>> "EnableLUA"=dword:00000000
> >>>> 
> >>>> 
> >>>> What's funny is that I can join the Windows 7 machine to the
> >>>> domain, but just as soon as I reboot and then try to login as a
> >>>> domain user, I get this message:
> >>>> 
> >>>> The trust relationship between this workstation and the primary
> >>>> domain failed.
> >>>> 
> >>>> I imagine there's something in my smb.conf that I need to
> >>>> change. The only change I made from my old 3.0 smb.conf was I
> >>>> added the following line in the [global] section:
> >>>> 
> >>>> passdb backend = smbpasswd
> >>>> 
> >>>> What else do I need to do?
> > 
> > Do not use smbpasswd as passdb backend !!!
> > 
> > Convert your passdb backend to tdbsam and then join your PC again.
> > 
> > read
> > man pdbedit
> > for example or search this mailing list.
> 
> Ok I converted to tdbsam, changed my "passdb backend" to tdbsam, then
> I removed my machine account using pdbedit and re-added it.  I tried
> logging in with a new user account (and therefore no NTUSER.DAT) and
> I still get the same error.     What else do I need to do?
Post your smb.conf

check the Server & Domain SID, they must be equal, ie
root at capella:~# net getdomainsid
SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312

Check your relevant Domain and Builtin Groups:
root at capella:~# net sam show 'Administrator'
EUROPA\Administrator is a User with SID S-1-5-21-3958726613-3318811842-4132420312-500

root at capella:~# net sam show 'Domain Users'
EUROPA\Domain Users is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-513
root at capella:~# net sam show 'Domain Admins'
EUROPA\Domain Admins is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-512
root at capella:~# net sam show 'Domain Guests'
EUROPA\Domain Guests is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-514
root at capella:~# net sam show 'Domain Computers'
EUROPA\Domain Computers is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-515

root at capella:~# net sam show 'Administrators'
BUILTIN\Administrators is a Local Group with SID S-1-5-32-544
root at capella:~# net sam show 'Users'
BUILTIN\Users is a Local Group with SID S-1-5-32-545
root at capella:~# net sam show 'Guests'
BUILTIN\Guests is a Local Group with SID S-1-5-32-546

Check that your new Laptop is recognized:
root at capella:~# net sam list workstations

get the SID:
root at capella:~# net sam show 'laptop$'

and finally check that your laptop SID is in 'Domain Computers'

root at capella:~# net sam listmem 'Domain Computers'


Check that your new user can access the home & profiles folders, ie
root at capella:~# smbclient -U<user> //capella/<user> -c'prompt;ls'
root at capella:~# smbclient -U<user> //capella/profile -c'prompt;ls'


-- 

Regards
	Harry Jede

More information about the samba mailing list