[Samba] Samba 3.6.23 and Windows 7

Harry Jede walk2sun at arcor.de
Fri Nov 7 09:56:27 MST 2014


On 17:43:55 wrote Jeff Workman:
> On 11/7/2014 4:24 AM, Harry Jede wrote:
> > On 09:43:38 wrote Jeff Workman:
> >> On 11/5/2014 7:09 AM, Harry Jede wrote:
> >>> On 13:03:44 wrote Jeff Workman:
> >>>> I am using a new name and machine account for the new laptop,
> >>>> and using a test login that has no NTUSER.DAT file yet.   Where
> >>>> else can I look to see what's going on?
> >>>> 
> >>>> On 10/30/2014 8:43 PM, Karel Lang AFD wrote:
> >>>>> Hi,
> >>>>> i think - the SID of the workstation (laptop) respectively the
> >>>>> RID part of the SID number has changed due the fact it's new
> >>>>> machine. And - in your profile, that is stored somewhere at
> >>>>> network drive, there is somewhere stored NTUSER.DAT file
> >>>>> referring still to SID-RID of old laptop.
> >>>>> 
> >>>>> you can compare:
> >>>>> strings NTUSER.DAT | grep -i S-1-5-21
> >>>>> with
> >>>>> pdbedit -Lv machinename
> >>>>> 
> >>>>> the SID-RID should be same
> >>>>> 
> >>>>> I had same message after migration and changing/rearraging SID
> >>>>> numbers for machines.
> >>>>> 
> >>>>> cheers,
> >>>>> 
> >>>>> On 10/31/2014 01:04 AM, Jeff Workman wrote:
> >>>>>> After being content with an old laptop running XP for years,
> >>>>>> my job decided to provide me with a shiny new one running
> >>>>>> Windows 7 Professional.
> >>>>>> 
> >>>>>> The biggest problem with this is that I can't get the Windows
> >>>>>> 7 box to login to my Samba NT4-style domain controller. I
> >>>>>> have upgraded samba from 3.0.33 to 3.6.23, and copied my
> >>>>>> smbpasswd file to where the new samba expects to find it in
> >>>>>> /var/samba/lib/private. I've applied the following registry
> >>>>>> changes to my Windows 7 machine:
> >>>>>> 
> >>>>>> ; Win7_Samba3DomainMember
> >>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
> >>>>>> "DNSNameResolutionRequired"=dword:00000000
> >>>>>> "DomainCompatibilityMode"=dword:00000001
> >>>>>> 
> >>>>>> ; Speedup settings
> >>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> >>>>>> "SlowLinkDetectEnabled"=dword:00000000
> >>>>>> "DeleteRoamingCache"=dword:00000001
> >>>>>> "WaitForNetwork"=dword:00000000
> >>>>>> "CompatibleRUPSecurity"=dword:00000001
> >>>>>> 
> >>>>>> ; Can drive you nuts
> >>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
> >>>>>> "EnableLUA"=dword:00000000
> >>>>>> 
> >>>>>> 
> >>>>>> What's funny is that I can join the Windows 7 machine to the
> >>>>>> domain, but just as soon as I reboot and then try to login as
> >>>>>> a domain user, I get this message:
> >>>>>> 
> >>>>>> The trust relationship between this workstation and the
> >>>>>> primary domain failed.
> >>>>>> 
> >>>>>> I imagine there's something in my smb.conf that I need to
> >>>>>> change. The only change I made from my old 3.0 smb.conf was I
> >>>>>> added the following line in the [global] section:
> >>>>>> 
> >>>>>> passdb backend = smbpasswd
> >>>>>> 
> >>>>>> What else do I need to do?
> >>> 
> >>> Do not use smbpasswd as passdb backend !!!
> >>> 
> >>> Convert your passdb backend to tdbsam and then join your PC
> >>> again.
> >>> 
> >>> read
> >>> man pdbedit
> >>> for example or search this mailing list.
> >> 
> >> Ok I converted to tdbsam, changed my "passdb backend" to tdbsam,
> >> then I removed my machine account using pdbedit and re-added it.
> >> I tried logging in with a new user account (and therefore no
> >> NTUSER.DAT) and I still get the same error. What else do I
> >> need to do?
> > 
> > Post your smb.conf
> 
> See my reply to Rowland Penny.
I don't see anything. Maybe you sent it to Rowland only?
>
> > check the Server & Domain SID, they must be equal, ie
> > root at capella:~# net getdomainsid
> > SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
> > SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312
> 
> Ok I've checked this and they match.
I believe you, but it is better if you paste the commands and their output here.

> > Check your relevant Domain and Builtin Groups:
> > root at capella:~# net sam show 'Administrator'
> > EUROPA\Administrator is a User with SID S-1-5-21-3958726613-3318811842-4132420312-500
> 
> Now we're getting somewhere. The only group I've ever needed in the
> past was RID 512 "Domain Admins." The only Administrator account I
> have is local to the laptop.
Sufficient for Samba 3.0 and older Windows versions, but not enough today.

> > root at capella:~# net sam show 'Domain Users'
> > EUROPA\Domain Users is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-513
> > root at capella:~# net sam show 'Domain Guests'
> > EUROPA\Domain Guests is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-514
> > root at capella:~# net sam show 'Domain Computers'
> > EUROPA\Domain Computers is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-515
> 
> None of these groups exist either. Do I need to create all of them
> with the RIDs shown above?
Yes, you may read
man net
and search for createbuiltingroup

> > root at capella:~# net sam show 'Administrators'
> > BUILTIN\Administrators is a Local Group with SID S-1-5-32-544
> > root at capella:~# net sam show 'Users'
> > BUILTIN\Users is a Local Group with SID S-1-5-32-545
> > root at capella:~# net sam show 'Guests'
> > BUILTIN\Guests is a Local Group with SID S-1-5-32-546
> 
> These all exist but I haven't ever used them for anything.
> 
> > Check that your new Laptop is recognized:
> > root at capella:~# net sam list workstations
> 
> My laptop is listed.
I believe you, but it is better if you paste the commands and their output here.

> > get the SID:
> > root at capella:~# net sam show 'laptop$'
> > 
> > and finally check that your laptop SID is in 'Domain Computers'
> > 
> > root at capella:~# net sam listmem 'Domain Computers'
> 
> There is no group 'Domain Computers.' I suspect this may be part of
> the problem. I have created unix groups "ntcomp" and "ntusers"
> and mapped them to the appropriate RIDs for "Domain Computers" and
> "Domain Users." I now see my laptop in the "Domain Computers"
> group and my test user in "Domain Users" but I still cannot login.
You mean that your new user cannot log in from your new laptop??

> > Check that your new user can access the home & profiles folders, ie
> > root at capella:~# smbclient -U<user> //capella/<user> -c'prompt;ls'
> > root at capella:~# smbclient -U<user> //capella/profile -c'prompt;ls'
You should run these commands on your PDC, really, and don't forget to
paste here ;-).

-- 

Regards
	Harry Jede

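As an added example (not from this thread and not Samba's own code), the checks Harry walks through above can be scripted so the results are pasted rather than summarised: the local machine SID must equal the domain SID, the well-known domain and BUILTIN accounts must exist with the RIDs shown (500, 512-515, 544-546), and the workstation account must be a member of 'Domain Computers'. The parsers take command output as a string, so they are exercised here against constructed sample output (the SIDs are the ones quoted in the thread; the "Could not find" text and the one-member-per-line `net sam listmem` layout are assumptions); `pdc_health` runs the same checks against live `net` output when the script is started with `--live`.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): automate the PDC
# sanity checks discussed in the thread. Parsers take command output as a
# string so they can be tested on constructed samples; only pdc_health runs `net`.

# --- parsers ------------------------------------------------------------------

# Print the SIDs from `net getdomainsid` output, one per line:
# local machine SID first, then the domain SID.
parse_domain_sids() {
    printf '%s\n' "$1" | sed -n 's/.*is:[[:space:]]*\(S-1-5-21-[0-9-]*\).*/\1/p'
}

# Return 0 when the local machine SID equals the domain SID (both must be present).
sids_match() {
    set -- $(parse_domain_sids "$1")
    [ "$#" -eq 2 ] && [ "$1" = "$2" ]
}

# Print the trailing RID of the SID in `net sam show NAME` output,
# or nothing when no SID is present (account not found).
parse_rid() {
    printf '%s\n' "$1" \
      | sed -n 's/.*SID S-1-5-[0-9-]*-\([0-9][0-9]*\)[[:space:]]*$/\1/p' | head -n 1
}

# Return 0 when ACCOUNT (e.g. 'laptop$') appears in `net sam listmem` output.
# Assumes one member per line, optionally prefixed with DOMAIN\ (an assumption).
is_member() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/^[^\\]*\\//' | grep -Fqx "$2"
}

# --- expected well-known accounts (NAME:RID), as quoted in the thread --------
EXPECTED_RIDS='Administrator:500
Domain Admins:512
Domain Users:513
Domain Guests:514
Domain Computers:515
Administrators:544
Users:545
Guests:546'

# check_rids SHOW_FN: run "SHOW_FN NAME" for every expected account and print
# one line per problem; prints nothing when everything is in order.
check_rids() {
    show="$1"
    printf '%s\n' "$EXPECTED_RIDS" | while IFS=: read -r name want; do
        got=$(parse_rid "$("$show" "$name")")
        if [ -z "$got" ]; then
            printf 'missing %s\n' "$name"
        elif [ "$got" != "$want" ]; then
            printf '%s has RID %s, expected %s\n' "$name" "$got" "$want"
        fi
    done
}

# --- constructed sample data (not captured from a real server) ----------------
SAMPLE_GETDOMAINSID='SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312'

SAMPLE_LISTMEM='EUROPA\Domain Computers has 2 members
 EUROPA\capella$
 EUROPA\laptop$'

# Stand-in for `net sam show`: a PDC where 'Domain Users' was mapped to the
# wrong RID and 'Domain Computers' was never created (error text is made up).
sample_show() {
    d='S-1-5-21-3958726613-3318811842-4132420312'
    case "$1" in
        'Administrator')    printf 'EUROPA\\Administrator is a User with SID %s-500\n' "$d" ;;
        'Domain Admins')    printf 'EUROPA\\Domain Admins is a Domain Group with SID %s-512\n' "$d" ;;
        'Domain Users')     printf 'EUROPA\\Domain Users is a Domain Group with SID %s-1001\n' "$d" ;;
        'Domain Guests')    printf 'EUROPA\\Domain Guests is a Domain Group with SID %s-514\n' "$d" ;;
        'Domain Computers') printf 'Could not find %s\n' "$1" ;;
        'Administrators')   printf 'BUILTIN\\Administrators is a Local Group with SID S-1-5-32-544\n' ;;
        'Users')            printf 'BUILTIN\\Users is a Local Group with SID S-1-5-32-545\n' ;;
        'Guests')           printf 'BUILTIN\\Guests is a Local Group with SID S-1-5-32-546\n' ;;
    esac
}

# --- live run on the PDC as root:  sh pdc_check.sh --live 'laptop$' ----------
net_show() { net sam show "$1"; }

pdc_health() {
    sids_match "$(net getdomainsid)" || echo 'local machine SID and domain SID differ'
    check_rids net_show
    is_member "$(net sam listmem 'Domain Computers')" "$1" \
        || printf '%s is not a member of Domain Computers\n' "$1"
}

if [ "${1:-}" = "--live" ]; then
    pdc_health "${2:-laptop\$}"
fi
```

Against the constructed sample the script reports `Domain Users has RID 1001, expected 513` and `missing Domain Computers`, which is the situation Jeff describes: the workstation joined, but the groups Windows 7 expects to resolve at logon are absent or carry the wrong RID. Silence from all three checks is what to look for before blaming smb.conf.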
