[Samba] Samba 3.6.23 and Windows 7

Jeff Workman obn at xio.us
Mon Nov 10 08:38:42 MST 2014


[Comments are inline]

On 11/7/2014 11:56 AM, Harry Jede wrote:
 > On 17:43:55 wrote Jeff Workman:
 >> On 11/7/2014 4:24 AM, Harry Jede wrote:
 >>> On 09:43:38 wrote Jeff Workman:
 >>>> On 11/5/2014 7:09 AM, Harry Jede wrote:
 >>>>> On 13:03:44 wrote Jeff Workman:
 >>>>>> I am using a new name and machine account for the new laptop,
 >>>>>> and using a test login that has no NTUSER.DAT file yet.   Where
 >>>>>> else can I look to see what's going on?
 >>>>>>
 >>>>>> On 10/30/2014 8:43 PM, Karel Lang AFD wrote:
 >>>>>>> Hi,
 >>>>>>> I think - the SID of the workstation (laptop) respectively the
 >>>>>>> RID part of the SID number has changed due to the fact it's new
 >>>>>>> machine. And - in your profile, that is stored somewhere at
 >>>>>>> network drive, there is somewhere stored NTUSER.DAT file
 >>>>>>> referring still to SID-RID of old laptop.
 >>>>>>>
 >>>>>>> you can compare:
 >>>>>>> strings NTUSER.DAT | grep -i S-1-5-21
 >>>>>>> with
 >>>>>>> pdbedit -Lv machinename
 >>>>>>>
 >>>>>>> the SID-RID should be same
 >>>>>>>
 >>>>>>> I had same message after migration and changing/rearranging SID
 >>>>>>> numbers for machines.
 >>>>>>>
 >>>>>>> cheers,
 >>>>>>>
 >>>>>>> On 10/31/2014 01:04 AM, Jeff Workman wrote:
 >>>>>>>> After being content with an old laptop running XP for years,
 >>>>>>>> my job decided to provide me with a shiny new one running
 >>>>>>>> Windows 7 Professional.
 >>>>>>>>
 >>>>>>>> The biggest problem with this is that I can't get the Windows
 >>>>>>>> 7 box to login to my Samba NT4-style domain controller. I
 >>>>>>>> have upgraded samba from 3.0.33 to 3.6.23, and copied my
 >>>>>>>> smbpasswd file to where the new samba expects to find it in
 >>>>>>>> /var/samba/lib/private. I've applied the following registry
 >>>>>>>> changes to my Windows 7 machine:
 >>>>>>>>
 >>>>>>>> ; Win7_Samba3DomainMember
 >>>>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
 >>>>>>>>
 >>>>>>>>
 >>>>>>>> "DNSNameResolutionRequired"=dword:00000000
 >>>>>>>> "DomainCompatibilityMode"=dword:00000001
 >>>>>>>>
 >>>>>>>> ; Speedup settings
 >>>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
 >>>>>>>> "SlowLinkDetectEnabled"=dword:00000000
 >>>>>>>> "DeleteRoamingCache"=dword:00000001
 >>>>>>>> "WaitForNetwork"=dword:00000000
 >>>>>>>> "CompatibleRUPSecurity"=dword:00000001
 >>>>>>>>
 >>>>>>>> ; Can drive you nuts
 >>>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
 >>>>>>>>
 >>>>>>>>
 >>>>>>>> "EnableLUA"=dword:00000000
 >>>>>>>>
 >>>>>>>>
 >>>>>>>> What's funny is that I can join the Windows 7 machine to the
 >>>>>>>> domain, but just as soon as I reboot and then try to login as
 >>>>>>>> a domain user, I get this message:
 >>>>>>>>
 >>>>>>>> The trust relationship between this workstation and the
 >>>>>>>> primary domain failed.
 >>>>>>>>
 >>>>>>>> I imagine there's something in my smb.conf that I need to
 >>>>>>>> change. The only change I made from my old 3.0 smb.conf was I
 >>>>>>>> added the following line in the [global] section:
 >>>>>>>>
 >>>>>>>> passdb backend = smbpasswd
 >>>>>>>>
 >>>>>>>> What else do I need to do?
 >>>>> Do not use smbpasswd as passdb backend !!!
 >>>>>
 >>>>> Convert your passdb backend to tdbsam and then join your PC
 >>>>> again.
 >>>>>
 >>>>> read
 >>>>> man pdbedit
 >>>>> for example or search this mailing list.
 >>>> Ok I converted to tdbsam, changed my "passdb backend" to tdbsam,
 >>>> then I removed my machine account using pdbedit and re-added it.
 >>>> I tried logging in with a new user account (and therefore no
 >>>> NTUSER.DAT) and I still get the same error. What else do I
 >>>> need to do?
 >>> Post your smb.conf
 >> See my reply to Rowland Penny.
 > I don't see anything. Maybe you have sent it to Rowland only?

[global]
;passdb backend = smbpasswd
passdb backend = tdbsam
smb ports = 139
server string = %h
security = user
workgroup = pwks
;wins server = 123.45.67.89 (*)
wins support = yes
socket options = SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
domain logons =yes
logon script = scripts\%U.bat
logon drive = z:
;domain admin group = @adm
share modes=no
os level=65
log level = 3
time server=yes
;nt acl support = no
mangling method = hash
dos charset=CP850
unix charset=CP850
display charset=CP850
[homes]
guest ok = no
read only = no
create mask = 0700
directory mask = 0700
oplocks = false
locking = no
store dos attributes = yes
browseable = no
[netlogon]
path = /home/netlogon
browseable = no
writeable = no
[MP3]
guest ok = yes
read only = no
create mask = 644
directory mask = 755
oplocks = false
locking = no
path = /export/u02/
[Software]
guest ok = yes
read only = no
oplocks = true
locking = yes
path = /export/u03
 >>> check the Server & Domain SID, they must be equal, ie
 >>> root@capella:~# net getdomainsid
 >>> SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
 >>> SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312
 >> Ok I've checked this and they match.
 > I believe you, but it is better if you paste the commands and the output here.

[root@firenza samba]# net getdomainsid
SID for local machine FIRENZA is: S-1-5-21-3156343736-2281260705-865550557
SID for domain PWKS is: S-1-5-21-3156343736-2281260705-865550557

 >
 >>> Check your relevant Domain and Builtin Groups:
 >>> root@capella:~# net sam show 'Administrator'
 >>> EUROPA\Administrator is a User with SID
 >>> S-1-5-21-3958726613-3318811842-4132420312-500
 >> Now we're getting somewhere.  The only group I've ever needed in the
 >> past was RID 512 "Domain Admins."    The only Administrator account I
 >> have is local to the laptop.
 > Sufficient for samba 3.0 and older windows versions, not enough today.
 >
 >>> root@capella:~# net sam show 'Domain Users'
 >>> EUROPA\Domain Users is a Domain Group with SID
 >>> S-1-5-21-3958726613-3318811842-4132420312-513
 >>> root@capella:~# net sam show 'Domain Guests'
 >>> EUROPA\Domain Guests is a Domain Group with SID
 >>> S-1-5-21-3958726613-3318811842-4132420312-514
 >>> root@capella:~# net sam show 'Domain Computers'
 >>> EUROPA\Domain Computers is a Domain Group with SID
 >>> S-1-5-21-3958726613-3318811842-4132420312-515
 >> None of these groups exist either.  Do I need to create all of them
 >> with the RIDs shown above?
 > Yes, you may read
 > man net
 > and search for createbuiltingroup

"Pattern not found."   I had the builtin groups, just not the above groups.




 >
 >
 >
 >>> root@capella:~# net sam show 'Administrators'
 >>> BUILTIN\Administrators is a Local Group with SID S-1-5-32-544
 >>> root@capella:~# net sam show 'Users'
 >>> BUILTIN\Users is a Local Group with SID S-1-5-32-545
 >>> root@capella:~# net sam show 'Guests'
 >>> BUILTIN\Guests is a Local Group with SID S-1-5-32-546
 >> These all exist but I haven't ever used them for anything.
 >>
 >>> Check that your new Laptop is recognized:
 >>> root@capella:~# net sam list workstations
 >> My laptop is listed.
 > I believe you, but it is better if you paste the commands and the output here.
frontier$ is the new laptop

[root@firenza samba]# net sam list workstations
wdtv$
malibu$
javelin$
frontier$
nova$
charger$
fiero$
gremlin$
crossfire$
nthost$
pacer$
eldorado$
delorean$
impala$
challenger$
 >
 >
 >>> get the SID:
 >>> root@capella:~# net sam show 'laptop$'

[root@firenza samba]# net sam show frontier$
PWKS\frontier$ is a User with SID S-1-5-21-3156343736-2281260705-865550557-1002
 >>>
 >>> and finally check that your laptop SID is in 'Domain Computers'
 >>>
 >>> root@capella:~# net sam listmem 'Domain Computers'
[root@firenza samba]# net sam listmem 'Domain Computers'
PWKS\Domain Computers has 1 members
  PWKS\frontier$
 >> There is no group 'Domain Computers.'  I suspect this may be part of
 >> the problem.    I have created unix groups "ntcomp" and "ntusers"
 >> and mapped them to the appropriate RIDs for "Domain Computers" and
 >> "Domain Users."    I now see my laptop in  the "Domain Computers"
 >> group and my test user in "Domain Users" but I still cannot login.
 > You mean that your new user cannot log in from your new laptop ??

That's correct.  I still get the message "The relationship between the
workstation and the primary domain failed."
 >
 >>> Check that your new user can access the home & profiles folders, ie
 >>> root@capella:~# smbclient -U<user> //capella/<user> -c'prompt;ls'
 >>> root@capella:~# smbclient -U<user> //capella/profile -c'prompt;ls'
 > You should run these commands on your PDC, really, and don't forget to
 > paste here ;-) .
[root@firenza samba]# smbclient -Utest7 //firenza/test7 -c'prompt;ls'
WARNING: The "share modes" option is deprecated
Enter test7's password:
Domain=[PWKS] OS=[Unix] Server=[Samba 3.6.23-6.el5]
   .                                   D        0  Mon Feb 24 15:41:34 2014
   ..                                  D        0  Mon Feb 24 15:41:34 2014
   .bashrc                             H      124  Mon Feb 24 15:41:34 2014
   .bash_logout                        H       33  Mon Feb 24 15:41:34 2014
   .zshrc                              H      658  Mon Feb 24 15:41:34 2014
   .bash_profile                       H      176  Mon Feb 24 15:41:34 2014

                 62995 blocks of size 8388608. 3900 blocks available

[root@firenza samba]# smbclient -Utest7 //firenza/profile -c'prompt;ls'
WARNING: The "share modes" option is deprecated
Enter test7's password:
Domain=[PWKS] OS=[Unix] Server=[Samba 3.6.23-6.el5]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

Also for the sake of completeness...  My test user is "test7."

[root@firenza samba]# net groupmap list
Domain Admins (S-1-5-21-3156343736-2281260705-865550557-512) -> ntadmin
Domain Users (S-1-5-21-3156343736-2281260705-865550557-513) -> ntusers
Domain Computers (S-1-5-21-3156343736-2281260705-865550557-515) -> ntcomp

[root@firenza samba]# net sam listmem 'Domain Users'
PWKS\Domain Users has 4 members
  PWKS\jworkman
  PWKS\jeff
  PWKS\test7
  PWKS\jfarrar
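
The SID and group-mapping checks walked through in this thread, collected into one script as an added example that is not part of the original post. The sample text is the `net getdomainsid` and `net groupmap list` output pasted above; the function names and the choice to look for RIDs 512 to 515 (the domain groups named in the thread) are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline check of the SID and group-map output from the thread.
# Sample text is the output pasted in the message above.
GETDOMAINSID_OUT='SID for local machine FIRENZA is: S-1-5-21-3156343736-2281260705-865550557
SID for domain PWKS is: S-1-5-21-3156343736-2281260705-865550557'

GROUPMAP_OUT='Domain Admins (S-1-5-21-3156343736-2281260705-865550557-512) -> ntadmin
Domain Users (S-1-5-21-3156343736-2281260705-865550557-513) -> ntusers
Domain Computers (S-1-5-21-3156343736-2281260705-865550557-515) -> ntcomp'

# Print the domain SID if the local-machine SID equals it; return 1 otherwise.
matching_domain_sid() {
    local_sid=$(printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is: *//p')
    domain_sid=$(printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: *//p')
    [ -n "$domain_sid" ] && [ "$local_sid" = "$domain_sid" ] || return 1
    printf '%s\n' "$domain_sid"
}

# Print the RIDs that have no group mapping under the domain SID.
# $1 = domain SID, $2 = `net groupmap list` output, remaining args = RIDs.
missing_rids() {
    sid=$1; map=$2; shift 2
    missing=''
    for rid in "$@"; do
        # Match the whole "(SID-RID)" token so a shorter RID cannot match
        # as a prefix of a longer one.
        case "$map" in
            *"($sid-$rid)"*) ;;
            *) missing="$missing $rid" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# 512 Domain Admins, 513 Domain Users, 514 Domain Guests, 515 Domain Computers
# Returns 0 if all are mapped, 1 on SID mismatch, 2 if any RID is unmapped.
check_pdc() {
    sid=$(matching_domain_sid "$1") || { echo "local/domain SID mismatch"; return 1; }
    gaps=$(missing_rids "$sid" "$2" 512 513 514 515)
    [ -z "$gaps" ] && { echo "ok"; return 0; }
    echo "unmapped RIDs: $gaps"
    return 2
}

check_pdc "$GETDOMAINSID_OUT" "$GROUPMAP_OUT" || true
```

On the PDC itself, pass `"$(net getdomainsid)"` and `"$(net groupmap list)"` to `check_pdc` in place of the sample text.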

