[Samba] Samba 3.6.23 and Windows 7
Harry Jede
walk2sun at arcor.de
Mon Nov 10 12:19:46 MST 2014
On 19:22:47 wrote Jeff Workman:
> [Comments are inline]
>
> On 11/7/2014 11:56 AM, Harry Jede wrote:
> > On 17:43:55 wrote Jeff Workman:
> >> On 11/7/2014 4:24 AM, Harry Jede wrote:
> >>> On 09:43:38 wrote Jeff Workman:
> >>>> On 11/5/2014 7:09 AM, Harry Jede wrote:
> >>>>> On 13:03:44 wrote Jeff Workman:
> >>>>>> I am using a new name and machine account for the new laptop,
> >>>>>> and using a test login that has no NTUSER.DAT file yet.
> >>>>>> Where else can I look to see what's going on?
> >>>>>>
> >>>>>> On 10/30/2014 8:43 PM, Karel Lang AFD wrote:
> >>>>>>> Hi,
> >>>>>>> i think - the SID of the workstation (laptop) respectively
> >>>>>>> the RID part of the SID number has changed due the fact
> >>>>>>> it's new machine. And - in your profile, that is stored
> >>>>>>> somewhere at network drive, there is somewhere stored
> >>>>>>> NTUSER.DAT file referring still to SID-RID of old laptop.
> >>>>>>>
> >>>>>>> you can compare:
> >>>>>>> strings NTUSER.DAT | grep -i S-1-5-21
> >>>>>>> with
> >>>>>>> pdbedit -Lv machinename
> >>>>>>>
> >>>>>>> the SID-RID should be same
> >>>>>>>
> >>>>>>> I had same message after migration and changing/rearraging
> >>>>>>> SID numbers for machines.
> >>>>>>>
> >>>>>>> cheers,
> >>>>>>>
> >>>>>>> On 10/31/2014 01:04 AM, Jeff Workman wrote:
> >>>>>>>> After being content with an old laptop running XP for
> >>>>>>>> years, my job decided to provide me with a shiny new one
> >>>>>>>> running Windows 7 Professional.
> >>>>>>>>
> >>>>>>>> The biggest problem with this is that I can't get the
> >>>>>>>> Windows 7 box to login to my Samba NT4-style domain
> >>>>>>>> controller. I have upgraded samba from 3.0.33 to 3.6.23,
> >>>>>>>> and copied my smbpasswd file to where the new samba
> >>>>>>>> expects to find it in /var/samba/lib/private. I've applied
> >>>>>>>> the following registry changes to my Windows 7 machine:
> >>>>>>>>
> >>>>>>>> ; Win7_Samba3DomainMember
> >>>>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
> >>>>>>>> "DNSNameResolutionRequired"=dword:00000000
> >>>>>>>> "DomainCompatibilityMode"=dword:00000001
> >>>>>>>>
> >>>>>>>> ; Speedup settings
> >>>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
> >>>>>>>> "SlowLinkDetectEnabled"=dword:00000000
> >>>>>>>> "DeleteRoamingCache"=dword:00000001
> >>>>>>>> "WaitForNetwork"=dword:00000000
> >>>>>>>> "CompatibleRUPSecurity"=dword:00000001
> >>>>>>>>
> >>>>>>>> ; Can drive you nuts
> >>>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
> >>>>>>>> "EnableLUA"=dword:00000000
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> What's funny is that I can join the Windows 7 machine to
> >>>>>>>> the domain, but just as soon as I reboot and then try to
> >>>>>>>> login as a domain user, I get this message:
> >>>>>>>>
> >>>>>>>> The trust relationship between this workstation and the
> >>>>>>>> primary domain failed.
> >>>>>>>>
> >>>>>>>> I imagine there's something in my smb.conf that I need to
> >>>>>>>> change. The only change I made from my old 3.0 smb.conf was
> >>>>>>>> I added the following line in the [global] section:
> >>>>>>>>
> >>>>>>>> passdb backend = smbpasswd
> >>>>>>>>
> >>>>>>>> What else do I need to do?
> >>>>>
> >>>>> Do not use smbpasswd as passdb backend !!!
> >>>>>
> >>>>> Convert your passdb backend to tdbsam and then join your PC
> >>>>> again.
> >>>>>
> >>>>> read
> >>>>> man pdbedit
> >>>>> for example or search this mailing list.
> >>>>
> >>>> Ok I converted to tdbsam, changed my "passdb backend" to
> >>>> tdbsam, then I removed my machine account using pdbedit and
> >>>> re-added it. I tried logging in with a new user account (and
> >>>> therefore no NTUSER.DAT) and I still get the same error. What
> >>>> else do I need to do?
> >>>
> >>> Post your smb.conf
> >>
> >> See my reply to Rowland Penny.
> >
> > I dont see anything. Maybe you have send to Rowland only?
>
> [global]
> ;passdb backend = smbpasswd
> passdb backend = tdbsam
> smb ports = 139
> server string = %h
> security = user
> workgroup = pwks
> ;wins server = 123.45.67.89 (*)
> wins support = yes
> socket options = SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> encrypt passwords = yes
> domain logons =yes
> logon script = scripts\%U.bat
> logon drive = z:
> ;domain admin group = @adm
> share modes=no
> os level=65
> log level = 3
> time server=yes
> ;nt acl support = no
> mangling method = hash
> dos charset=CP850
> unix charset=CP850
> display charset=CP850
Remove or disable:
smb ports
socket options
share modes
mangling method
* charset
Samba's defaults are OK.
> [homes]
No path statement !!!
How should samba know to serve this share?
> guest ok = no
> read only = no
> create mask = 0700
> directory mask = 0700
> oplocks = false
> locking = no
> store dos attributes = yes
Remove or disable:
store dos attributes
If you want or need to store dos attributes you should mount /home with
xattr support and then add these:
ea support = yes
store dos attributes = yes
map readonly = no
map system = no
map hidden = no
map archive = no
> browseable = no
> [netlogon]
> path = /home/netlogon
> browseable = no
> writeable = no
> [MP3]
> guest ok = yes
> read only = no
> create mask = 644
> directory mask = 755
> oplocks = false
> locking = no
> path = /export/u02/
> [Software]
> guest ok = yes
> read only = no
> oplocks = true
> locking = yes
> path = /export/u03
>
> >>> check the Server & Domain SID, they must be equal, ie
> >>> root at capella:~# net getdomainsid
> >>> SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
> >>> SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312
> >>
> >> Ok I've checked this and they match.
> >
> > I believe you, but better is you paste the commands and the output
> > here.
>
> [root at firenza samba]# net getdomainsid
> SID for local machine FIRENZA is: S-1-5-21-3156343736-2281260705-865550557
> SID for domain PWKS is: S-1-5-21-3156343736-2281260705-865550557
OK
> >>> Check your relevant Domain and Builtin Groups:
> >>> root at capella:~# net sam show 'Administrator'
> >>> EUROPA\Administrator is a User with SID
> >>> S-1-5-21-3958726613-3318811842-4132420312-500
> >>
> >> Now we're getting somewhere. The only group I've ever needed in
> >> the past was RID 512 "Domain Admins." The only Administrator
> >> account I have is local to the laptop.
> >
> > Sufficient for samba 3.0 and older windows versions, not enough
> > today.
> >
> >>> root at capella:~# net sam show 'Domain Users'
> >>> EUROPA\Domain Users is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-513
> >>> root at capella:~# net sam show 'Domain Guests'
> >>> EUROPA\Domain Guests is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-514
> >>> root at capella:~# net sam show 'Domain Computers'
> >>> EUROPA\Domain Computers is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-515
> >>
> >> None of these groups exist either. Do I need to create all of
> >> them with the RIDs shown above?
> >
> > Yes, you may read
> > man net
> > and search for createbuiltingroup
>
> "Pattern not found." I had the builtin groups, just not the above
> groups.
Which Samba version?
smbd -V
my old samba 3 is:
root at capella:~# smbd -V
Version 3.6.6
and man net shows:
SAM CREATEBUILTINGROUP <NAME>
    (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
    be created with this command. This is the list of currently recognized
    group names: Administrators, Users, Guests, Power Users, Account
    Operators, Server Operators, Print Operators, Backup Operators,
    Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
    command requires a running Winbindd with idmap allocation properly
    configured. The group gid will be allocated out of the winbindd range.
>
> >>> root at capella:~# net sam show 'Administrators'
> >>> BUILTIN\Administrators is a Local Group with SID S-1-5-32-544
> >>> root at capella:~# net sam show 'Users'
> >>> BUILTIN\Users is a Local Group with SID S-1-5-32-545
> >>> root at capella:~# net sam show 'Guests'
> >>> BUILTIN\Guests is a Local Group with SID S-1-5-32-546
> >>
> >> These all exist but I haven't ever used them for anything.
> >>
> >>> Check that your new Laptop is recognized:
> >>> root at capella:~# net sam list workstations
> >>
> >> My laptop is listed.
> >
> > I believe you, but better is you paste the commands and the output
> > here.
>
> frontier$ is the new laptop
>
> [root at firenza samba]# net sam list workstations
> wdtv$
> malibu$
> javelin$
> frontier$
> nova$
> charger$
> fiero$
> gremlin$
> crossfire$
> nthost$
> pacer$
> eldorado$
> delorean$
> impala$
> challenger$
>
> >>> get the SID:
> >>> root at capella:~# net sam show 'laptop$'
>
> [root at firenza samba]# net sam show frontier$
> PWKS\frontier$ is a User with SID
> S-1-5-21-3156343736-2281260705-865550557-1002
>
> >>> and finally check that your laptop SID is in 'Domain Computers'
> >>>
> >>> root at capella:~# net sam listmem 'Domain Computers'
>
> [root at firenza samba]# net sam listmem 'Domain Computers'
> PWKS\Domain Computers has 1 members
> PWKS\frontier$
The other workstations are not shown! Do they work properly?
>
> >> There is no group 'Domain Computers.' I suspect this may be part
> >> of the problem. I have created unix groups "ntcomp" and
> >> "ntusers" and mapped them to the approriate RIDs for "Domain
> >> Computers" and "Domain Users." I now see my laptop in the
> >> "Domain Computers" group and my test user in "Domain Users" but
> >> I still cannot login.
> >
> > You mean, that you new user cannot login from your new laptop ??
>
> That's correct. I still get the message "The relationship between the
> workstation and the primary domain failed."
>
> >>> Check that your new user can access the home & profiles folders, ie
> >>> root at capella:~# smbclient -U<user> //capella/<user> -c'prompt;ls'
> >>> root at capella:~# smbclient -U<user> //capella/profile -c'prompt;ls'
> >
> > You should run these commands on your PDC, really, and dont forget
> > to paste here ;-) .
>
> [root at firenza samba]# smbclient -Utest7 //firenza/test7 -c'prompt;ls'
> WARNING: The "share modes" option is deprecated
> Enter test7's password:
> Domain=[PWKS] OS=[Unix] Server=[Samba 3.6.23-6.el5]
>   .                                   D        0  Mon Feb 24 15:41:34 2014
>   ..                                  D        0  Mon Feb 24 15:41:34 2014
>   .bashrc                             H      124  Mon Feb 24 15:41:34 2014
>   .bash_logout                        H       33  Mon Feb 24 15:41:34 2014
>   .zshrc                              H      658  Mon Feb 24 15:41:34 2014
>   .bash_profile                       H      176  Mon Feb 24 15:41:34 2014
>
> 62995 blocks of size 8388608. 3900 blocks available
OK, your user test7 can access his home, so the user account may have no
problems.
> [root at firenza samba]# smbclient -Utest7 //firenza/profile -c'prompt;ls'
> WARNING: The "share modes" option is deprecated
> Enter test7's password:
> Domain=[PWKS] OS=[Unix] Server=[Samba 3.6.23-6.el5]
> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
You do not have a profile share in smb.conf. Create one.
> Also for the sake of completeness... My test user is "test7."
>
> [root at firenza samba]# net groupmap list
> Domain Admins (S-1-5-21-3156343736-2281260705-865550557-512) -> ntadmin
> Domain Users (S-1-5-21-3156343736-2281260705-865550557-513) -> ntusers
> Domain Computers (S-1-5-21-3156343736-2281260705-865550557-515) -> ntcomp
>
> [root at firenza samba]# net sam listmem 'Domain Users'
> PWKS\Domain Users has 4 members
> PWKS\jworkman
> PWKS\jeff
> PWKS\test7
> PWKS\jfarrar
Post:
getent group ntadmin
getent group ntusers
getent group ntcomp
These are the Linux group names for the recommended Windows groups.
Post also:
getent passwd test7
getent passwd 'frontier$'
Now Samba uses the privilege feature, which was not available in Samba 3.0:
root at capella:~# net rpc rights list 'Domain Admins'
Enter root's password:
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
To grant these rights do (all on one line):
net rpc rights grant 'Domain Admins' SeMachineAccountPrivilege
SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
SeDiskOperatorPrivilege
By writing this I remember the *safe way* to rejoin a Windows PC:
In control panel - system on your laptop change from Domain Member to
Workgroup Member, reboot, change back to Domain Member. You should see
the welcome to Domain message, reboot again.
--
Regards
Harry Jede
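The checks Harry walks Jeff through above (local machine SID equal to the domain SID, the well-known domain groups mapped to Unix groups, the new workstation account listed in 'Domain Computers', and 'Domain Admins' holding SeMachineAccountPrivilege) collected into one script, so the whole checklist can be repeated in one go on the PDC. This is an added example, not code from the thread or from the Samba project. The sample output embedded in it is constructed from the values Jeff and Harry posted (domain PWKS, workstation frontier$, the privilege list from capella); the --live mode assumes a Samba 3 `net` binary on the PDC and that root's password can be typed at the `net rpc rights list` prompt.

```shell
#!/bin/sh
# pdc_check.sh - re-runs the checks from the thread above against the text of
# 'net getdomainsid', 'net groupmap list', 'net sam listmem' and
# 'net rpc rights list'. Added example, not code from the thread or from Samba.
# With --live [workstation$] it queries the running Samba 3 PDC; without it,
# it runs against constructed sample output copied from the thread (domain PWKS).

# Print every domain SID (S-1-5-21-...) found on stdin, one per line.
extract_sids() {
    grep -o 'S-1-5-21-[0-9][0-9-]*' || true
}

# $1 = output of 'net getdomainsid'. Succeeds only when the local machine SID
# and the domain SID are identical; a mismatch is one way to earn
# "The trust relationship between this workstation and the primary domain failed".
sids_match() {
    local_sid=$(printf '%s\n' "$1" | grep 'local machine' | extract_sids)
    domain_sid=$(printf '%s\n' "$1" | grep 'for domain' | extract_sids)
    [ -n "$local_sid" ] && [ "$local_sid" = "$domain_sid" ]
}

# $1 = output of 'net groupmap list', $2 = RID (512 Domain Admins, 513 Domain
# Users, 514 Domain Guests, 515 Domain Computers). Succeeds when a group with
# exactly that RID is mapped to a Unix group.
rid_mapped() {
    printf '%s\n' "$1" | grep -q -- "-$2) -> [^ ]"
}

# $1 = output of 'net sam listmem ...', $2 = account name such as 'frontier$'.
# Strips the DOMAIN\ prefix, then requires an exact match of the whole line,
# so the "... has N members" header line never matches.
is_member() {
    printf '%s\n' "$1" | sed 's/^[^\\]*\\//' | grep -qFx -- "$2"
}

# $1 = output of 'net rpc rights list ...', $2 = privilege name.
has_privilege() {
    printf '%s\n' "$1" | grep -qFx -- "$2"
}

# check DESCRIPTION COMMAND ARGS...: prints ok/FAIL and counts failures.
failures=0
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; failures=$((failures + 1)); fi
}

# report DOMSID GROUPMAP MEMBERS RIGHTS WORKSTATION: runs every check and
# returns the number of failures (0 means the PDC side looks sane).
report() {
    failures=0
    check "local machine SID equals domain SID" sids_match "$1"
    for rid in 512 513 514 515; do
        check "RID $rid mapped to a Unix group" rid_mapped "$2" "$rid"
    done
    check "$5 is a member of Domain Computers" is_member "$3" "$5"
    check "Domain Admins hold SeMachineAccountPrivilege" \
        has_privilege "$4" SeMachineAccountPrivilege
    return "$failures"
}

# Constructed sample output, copied from the values posted in the thread.
SAMPLE_DOMSID='SID for local machine FIRENZA is: S-1-5-21-3156343736-2281260705-865550557
SID for domain PWKS is: S-1-5-21-3156343736-2281260705-865550557'
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-3156343736-2281260705-865550557-512) -> ntadmin
Domain Users (S-1-5-21-3156343736-2281260705-865550557-513) -> ntusers
Domain Computers (S-1-5-21-3156343736-2281260705-865550557-515) -> ntcomp'
SAMPLE_MEMBERS='PWKS\Domain Computers has 1 members
PWKS\frontier$'
SAMPLE_RIGHTS='SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege'

if [ "$1" = "--live" ]; then
    # Assumes a Samba 3 PDC; 'net rpc rights list' prompts for root's password.
    ws=${2:-'frontier$'}
    DOMSID=$(net getdomainsid)
    GROUPMAP=$(net groupmap list)
    MEMBERS=$(net sam listmem 'Domain Computers')
    RIGHTS=$(net rpc rights list 'Domain Admins')
else
    ws='frontier$'
    DOMSID=$SAMPLE_DOMSID; GROUPMAP=$SAMPLE_GROUPMAP
    MEMBERS=$SAMPLE_MEMBERS; RIGHTS=$SAMPLE_RIGHTS
fi

if report "$DOMSID" "$GROUPMAP" "$MEMBERS" "$RIGHTS" "$ws"; then
    echo "all checks passed"
else
    echo "$failures check(s) failed"
fi
```

Run as `sh pdc_check.sh` to see the checks applied to the sample: everything passes except RID 514, because the `net groupmap list` Jeff posted has no 'Domain Guests' mapping, which is exactly the kind of gap the checklist is meant to surface. On the PDC, `sh pdc_check.sh --live 'frontier$'` repeats the same checks against the live `net` output; a missing mapping is created the way Jeff did for ntcomp (`net groupmap add ntgroup="Domain Guests" unixgroup=<unixgroup> rid=514 type=d`) and missing privileges with the `net rpc rights grant` line in Harry's reply.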