[Samba] Samba 3.6.23 and Windows 7

Jeff Workman obn at xio.us
Fri Nov 7 08:45:10 MST 2014

On 11/7/2014 4:24 AM, Harry Jede wrote:
> On 09:43:38 wrote Jeff Workman:
>> On 11/5/2014 7:09 AM, Harry Jede wrote:
>>> On 13:03:44 wrote Jeff Workman:
>>>> I am using a new name and machine account for the new laptop, and
>>>> using a test login that has no NTUSER.DAT file yet. Where else
>>>> can I look to see what's going on?
>>>> On 10/30/2014 8:43 PM, Karel Lang AFD wrote:
>>>>> Hi,
>>>>> I think - the SID of the workstation (laptop) respectively the
>>>>> RID part of the SID number has changed due to the fact it's a new
>>>>> machine. And - in your profile, that is stored somewhere at
>>>>> network drive, there is somewhere stored NTUSER.DAT file
>>>>> referring still to SID-RID of old laptop.
>>>>> you can compare:
>>>>> strings NTUSER.DAT | grep -i S-1-5-21
>>>>> with
>>>>> pdbedit -Lv machinename
>>>>> the SID-RID should be same
>>>>> I had the same message after migration and changing/rearranging SID
>>>>> numbers for machines.
>>>>> cheers,
>>>>> On 10/31/2014 01:04 AM, Jeff Workman wrote:
>>>>>> After being content with an old laptop running XP for years, my
>>>>>> job decided to provide me with a shiny new one running Windows 7
>>>>>> Professional.
>>>>>> The biggest problem with this is that I can't get the Windows 7
>>>>>> box to login to my Samba NT4-style domain controller. I have
>>>>>> upgraded samba from 3.0.33 to 3.6.23, and copied my smbpasswd
>>>>>> file to where the new samba expects to find it in
>>>>>> /var/samba/lib/private. I've applied the following registry
>>>>>> changes to my Windows 7 machine:
>>>>>> ; Win7_Samba3DomainMember
>>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
>>>>>> "DNSNameResolutionRequired"=dword:00000000
>>>>>> "DomainCompatibilityMode"=dword:00000001
>>>>>> ; Speedup settings
>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>>>>>> "SlowLinkDetectEnabled"=dword:00000000
>>>>>> "DeleteRoamingCache"=dword:00000001
>>>>>> "WaitForNetwork"=dword:00000000
>>>>>> "CompatibleRUPSecurity"=dword:00000001
>>>>>> ; Can drive you nuts
>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
>>>>>> "EnableLUA"=dword:00000000
>>>>>> What's funny is that I can join the Windows 7 machine to the
>>>>>> domain, but just as soon as I reboot and then try to login as a
>>>>>> domain user, I get this message:
>>>>>> The trust relationship between this workstation and the primary
>>>>>> domain failed.
>>>>>> I imagine there's something in my smb.conf that I need to
>>>>>> change. The only change I made from my old 3.0 smb.conf was I
>>>>>> added the following line in the [global] section:
>>>>>> passdb backend = smbpasswd
>>>>>> What else do I need to do?
>>> Do not use smbpasswd as passdb backend !!!
>>> Convert your passdb backend to tdbsam and then join your PC again.
>>> read
>>> man pdbedit
>>> for example or search this mailing list.
>> Ok I converted to tdbsam, changed my "passdb backend" to tdbsam, then
>> I removed my machine account using pdbedit and re-added it.  I tried
>> logging in with a new user account (and therefore no NTUSER.DAT) and
>> I still get the same error. What else do I need to do?
> Post your smb.conf
See my reply to Rowland Penny.

> check the Server & Domain SID, they must be equal, ie
> root@capella:~# net getdomainsid
> SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
> SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312

Ok I've checked this and they match.
> Check your relevant Domain and Builtin Groups:
> root@capella:~# net sam show 'Administrator'
> EUROPA\Administrator is a User with SID S-1-5-21-3958726613-3318811842-4132420312-500
Now we're getting somewhere. The only group I've ever needed in the
past was RID 512 "Domain Admins." The only Administrator account I
have is local to the laptop.
> root@capella:~# net sam show 'Domain Users'
> EUROPA\Domain Users is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-513
> root@capella:~# net sam show 'Domain Guests'
> EUROPA\Domain Guests is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-514
> root@capella:~# net sam show 'Domain Computers'
> EUROPA\Domain Computers is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-515

None of these groups exist either.  Do I need to create all of them with 
the RIDs shown above?
> root@capella:~# net sam show 'Administrators'
> BUILTIN\Administrators is a Local Group with SID S-1-5-32-544
> root@capella:~# net sam show 'Users'
> BUILTIN\Users is a Local Group with SID S-1-5-32-545
> root@capella:~# net sam show 'Guests'
> BUILTIN\Guests is a Local Group with SID S-1-5-32-546
These all exist but I haven't ever used them for anything.
> Check that your new Laptop is recognized:
> root@capella:~# net sam list workstations
My laptop is listed.
> get the SID:
> root@capella:~# net sam show 'laptop$'
> and finally check that your laptop SID is in 'Domain Computers'
> root@capella:~# net sam listmem 'Domain Computers'

There is no group 'Domain Computers.' I suspect this may be part of the
problem. I have created unix groups "ntcomp" and "ntusers" and mapped
them to the appropriate RIDs for "Domain Computers" and "Domain
Users." I now see my laptop in the "Domain Computers" group and my
test user in "Domain Users" but I still cannot login.
> Check that your new user can access the home & profiles folders, ie
> root@capella:~# smbclient -U<user> //capella/<user> -c'prompt;ls'
> root@capella:~# smbclient -U<user> //capella/profile -c'prompt;ls'
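
The SID checks listed in the quoted reply (server SID equal to domain SID, and the domain groups mapped to RIDs 512 to 515) can be run over saved `net getdomainsid` and `net sam show` output. The script below is an added example and not part of the original message; the function names are hypothetical, the first sample is the output quoted in the thread, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: offline checks over captured `net` output (not from the thread).

# Print the trailing SID of the first stdin line that matches regex $1.
sid_of() {
    awk -v pat="$1" '$0 ~ pat && $NF ~ /^S-1-[0-9-]+$/ { print $NF; exit }'
}

# Return 0 only if the server SID and domain SID are both present and equal.
domain_sids_match() {   # $1 = captured `net getdomainsid` output
    local_sid=$(printf '%s\n' "$1" | sid_of 'SID for local machine')
    domain_sid=$(printf '%s\n' "$1" | sid_of 'SID for domain')
    [ -n "$local_sid" ] && [ "$local_sid" = "$domain_sid" ]
}

# Return 0 only if a `net sam show` line carries the SID <domain SID>-<RID>.
group_has_rid() {       # $1 = domain SID, $2 = `net sam show` line, $3 = RID
    got=$(printf '%s\n' "$2" | sid_of 'with SID')
    [ "$got" = "$1-$3" ]
}

# Print each well-known domain group whose mapping is missing or wrong.
missing_groups() {      # $1 = domain SID, $2 = concatenated `net sam show` output
    for entry in 'Domain Admins:512' 'Domain Users:513' 'Domain Guests:514' 'Domain Computers:515'; do
        name=${entry%%:*}; rid=${entry##*:}
        line=$(printf '%s\n' "$2" | grep -F "\\$name is a " || true)
        group_has_rid "$1" "$line" "$rid" || printf '%s\n' "$name"
    done
}

# Sample input: the `net getdomainsid` output quoted in the thread.
GETDOMAINSID='SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312'
# Constructed sample: a server where only two of the four groups are mapped.
SAMSHOW='EUROPA\Domain Users is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-513
EUROPA\Domain Computers is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-515'

DOMSID=$(printf '%s\n' "$GETDOMAINSID" | sid_of 'SID for domain')
domain_sids_match "$GETDOMAINSID" && echo "server and domain SID match"
missing_groups "$DOMSID" "$SAMSHOW"
```

On a live server the two samples would be replaced by the saved output of `net getdomainsid` and of `net sam show` for each group name.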
