[Samba] Samba 3.6.23 and Windows 7
Rowland Penny
rowlandpenny at googlemail.com
Mon Nov 10 14:32:19 MST 2014
On 10/11/14 19:19, Harry Jede wrote:
> On 19:22:47 wrote Jeff Workman:
>> [Comments are inline]
>>
>> On 11/7/2014 11:56 AM, Harry Jede wrote:
>> > On 17:43:55 wrote Jeff Workman:
>> >> On 11/7/2014 4:24 AM, Harry Jede wrote:
>> >>> On 09:43:38 wrote Jeff Workman:
>> >>>> On 11/5/2014 7:09 AM, Harry Jede wrote:
>> >>>>> On 13:03:44 wrote Jeff Workman:
>> >>>>>> I am using a new name and machine account for the new laptop,
>> >>>>>> and using a test login that has no NTUSER.DAT file yet.
>> >>>>>> Where else can I look to see what's going on?
>> >>>>>>
>> >>>>>> On 10/30/2014 8:43 PM, Karel Lang AFD wrote:
>> >>>>>>> Hi,
>> >>>>>>> I think the SID of the workstation (laptop), or rather
>> >>>>>>> the RID part of the SID number, has changed due to the fact
>> >>>>>>> that it's a new machine. And in your profile, which is stored
>> >>>>>>> somewhere on a network drive, there is an NTUSER.DAT file
>> >>>>>>> stored somewhere, still referring to the SID-RID of the old laptop.
>> >>>>>>>
>> >>>>>>> you can compare:
>> >>>>>>> strings NTUSER.DAT | grep -i S-1-5-21
>> >>>>>>> with
>> >>>>>>> pdbedit -Lv machinename
>> >>>>>>>
>> >>>>>>> the SID-RID should be the same
>> >>>>>>>
>> >>>>>>> I had the same message after migration and changing/rearranging
>> >>>>>>> SID numbers for machines.
>> >>>>>>>
>> >>>>>>> cheers,
>> >>>>>>>
>> >>>>>>> On 10/31/2014 01:04 AM, Jeff Workman wrote:
>> >>>>>>>> After being content with an old laptop running XP for
>> >>>>>>>> years, my job decided to provide me with a shiny new one
>> >>>>>>>> running Windows 7 Professional.
>> >>>>>>>>
>> >>>>>>>> The biggest problem with this is that I can't get the
>> >>>>>>>> Windows 7 box to login to my Samba NT4-style domain
>> >>>>>>>> controller. I have upgraded samba from 3.0.33 to 3.6.23,
>> >>>>>>>> and copied my smbpasswd file to where the new samba
>> >>>>>>>> expects to find it in /var/samba/lib/private. I've applied
>> >>>>>>>> the following registry changes to my Windows 7 machine:
>> >>>>>>>>
>> >>>>>>>> ; Win7_Samba3DomainMember
>> >>>>>>>> [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]
>> >>>>>>>> "DNSNameResolutionRequired"=dword:00000000
>> >>>>>>>> "DomainCompatibilityMode"=dword:00000001
>> >>>>>>>>
>> >>>>>>>> ; Speedup settings
>> >>>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>> >>>>>>>> "SlowLinkDetectEnabled"=dword:00000000
>> >>>>>>>> "DeleteRoamingCache"=dword:00000001
>> >>>>>>>> "WaitForNetwork"=dword:00000000
>> >>>>>>>> "CompatibleRUPSecurity"=dword:00000001
>> >>>>>>>>
>> >>>>>>>> ; Can drive you nuts
>> >>>>>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
>> >>>>>>>> "EnableLUA"=dword:00000000
>> >>>>>>>>
>> >>>>>>>>
>> >>>>>>>> What's funny is that I can join the Windows 7 machine to
>> >>>>>>>> the domain, but just as soon as I reboot and then try to
>> >>>>>>>> login as a domain user, I get this message:
>> >>>>>>>>
>> >>>>>>>> The trust relationship between this workstation and the
>> >>>>>>>> primary domain failed.
>> >>>>>>>>
>> >>>>>>>> I imagine there's something in my smb.conf that I need to
>> >>>>>>>> change. The only change I made from my old 3.0 smb.conf was
>> >>>>>>>> I added the following line in the [global] section:
>> >>>>>>>>
>> >>>>>>>> passdb backend = smbpasswd
>> >>>>>>>>
>> >>>>>>>> What else do I need to do?
>> >>>>>
>> >>>>> Do not use smbpasswd as passdb backend !!!
>> >>>>>
>> >>>>> Convert your passdb backend to tdbsam and then join your PC
>> >>>>> again.
>> >>>>>
>> >>>>> read
>> >>>>> man pdbedit
>> >>>>> for example or search this mailing list.
>> >>>>
>> >>>> Ok I converted to tdbsam, changed my "passdb backend" to
>> >>>> tdbsam, then I removed my machine account using pdbedit and
>> >>>> re-added it. I tried logging in with a new user account (and
>> >>>> therefore no NTUSER.DAT) and I still get the same error. What
>> >>>> else do I need to do?
>> >>>
>> >>> Post your smb.conf
>> >>
>> >> See my reply to Rowland Penny.
>> >
>> > I don't see anything. Maybe you have sent it to Rowland only?
>>
>> [global]
>> ;passdb backend = smbpasswd
>> passdb backend = tdbsam
>> smb ports = 139
>> server string = %h
>> security = user
>> workgroup = pwks
>> ;wins server = 123.45.67.89 (*)
>> wins support = yes
>> socket options = SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>> encrypt passwords = yes
>> domain logons =yes
>> logon script = scripts\%U.bat
>> logon drive = z:
>> ;domain admin group = @adm
>> share modes=no
>> os level=65
>> log level = 3
>> time server=yes
>> ;nt acl support = no
>> mangling method = hash
>> dos charset=CP850
>> unix charset=CP850
>> display charset=CP850
> Remove or disable:
> smb ports
> socket options
> share modes
> mangling method
> * charset
>
> Sambas defaults are OK.
>
>
>
>> [homes]
> No path statement !!!
> How should samba know to serve this share?
It just does; [homes] is a special share that does not need a path
statement. It doesn't work on a Samba4 DC, which is why you use [home]
on a DC.
>
>> guest ok = no
>> read only = no
>> create mask = 0700
>> directory mask = 0700
>> oplocks = false
>> locking = no
>> store dos attributes = yes
> Remove or disable:
> store dos attributes
>
> If you want or need to store dos attributes you should mount /home with
> xattr support and then add these:
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map system = no
> map hidden = no
> map archive = no
>
>
>> browseable = no
>> [netlogon]
>> path = /home/netlogon
>> browseable = no
>> writeable = no
>> [MP3]
>> guest ok = yes
>> read only = no
>> create mask = 644
>> directory mask = 755
>> oplocks = false
>> locking = no
>> path = /export/u02/
>> [Software]
>> guest ok = yes
>> read only = no
>> oplocks = true
>> locking = yes
>> path = /export/u03
>>
>> >>> check the Server & Domain SID, they must be equal, ie
>> >>> root at capella:~# net getdomainsid
>> >>> SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
>> >>> SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312
>> >>
>> >> Ok I've checked this and they match.
>> >
>> > I believe you, but it is better if you paste the commands and the output
>> > here.
>>
>> [root at firenza samba]# net getdomainsid
>> SID for local machine FIRENZA is: S-1-5-21-3156343736-2281260705-865550557
>> SID for domain PWKS is: S-1-5-21-3156343736-2281260705-865550557
> OK
>
>> >>> Check your relevant Domain and Builtin Groups:
>> >>> root at capella:~# net sam show 'Administrator'
>> >>> EUROPA\Administrator is a User with SID
>> >>> S-1-5-21-3958726613-3318811842-4132420312-500
>> >>
>> >> Now we're getting somewhere. The only group I've ever needed in
>> >> the past was RID 512 "Domain Admins." The only Administrator
>> >> account I have is local to the laptop.
>> >
>> > Sufficient for samba 3.0 and older windows versions, not enough
>> > today.
>> >
>> >>> root at capella:~# net sam show 'Domain Users'
>> >>> EUROPA\Domain Users is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-513
>> >>> root at capella:~# net sam show 'Domain Guests'
>> >>> EUROPA\Domain Guests is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-514
>> >>> root at capella:~# net sam show 'Domain Computers'
>> >>> EUROPA\Domain Computers is a Domain Group with SID S-1-5-21-3958726613-3318811842-4132420312-515
>> >>
>> >> None of these groups exist either. Do I need to create all of
>> >> them with the RIDs shown above?
>> >
>> > Yes, you may read
>> > man net
>> > and search for createbuiltingroup
>>
>> "Pattern not found." I had the builtin groups, just not the above
>> groups.
> Which Samba version?
> smbd -V
>
> my old samba 3 is:
> root at capella:~# smbd -V
> Version 3.6.6
>
>
> and man net shows:
> SAM CREATEBUILTINGROUP <NAME>
> (Re)Create a BUILTIN group. Only a wellknown set of BUILTIN groups can
> be created with this command. This is the list of currently recognized
> group names: Administrators, Users, Guests, Power Users, Account
> Operators, Server Operators, Print Operators, Backup Operators,
> Replicator, RAS Servers, Pre-Windows 2000 compatible Access. This
> command requires a running Winbindd with idmap allocation properly
> configured. The group gid will be allocated out of the winbindd range.
>
>
>> >>> root at capella:~# net sam show 'Administrators'
>> >>> BUILTIN\Administrators is a Local Group with SID S-1-5-32-544
>> >>> root at capella:~# net sam show 'Users'
>> >>> BUILTIN\Users is a Local Group with SID S-1-5-32-545
>> >>> root at capella:~# net sam show 'Guests'
>> >>> BUILTIN\Guests is a Local Group with SID S-1-5-32-546
>> >>
>> >> These all exist but I haven't ever used them for anything.
>> >>
>> >>> Check that your new Laptop is recognized:
>> >>> root at capella:~# net sam list workstations
>> >>
>> >> My laptop is listed.
>> >
>> > I believe you, but it is better if you paste the commands and the output
>> > here.
>>
>> frontier$ is the new laptop
>>
>> [root at firenza samba]# net sam list workstations
>> wdtv$
>> malibu$
>> javelin$
>> frontier$
>> nova$
>> charger$
>> fiero$
>> gremlin$
>> crossfire$
>> nthost$
>> pacer$
>> eldorado$
>> delorean$
>> impala$
>> challenger$
>>
>> >>> get the SID:
>> >>> root at capella:~# net sam show 'laptop$'
>>
>> [root at firenza samba]# net sam show frontier$
>> PWKS\frontier$ is a User with SID
>> S-1-5-21-3156343736-2281260705-865550557-1002
>>
>> >>> and finally check that your laptop SID is in 'Domain Computers'
>> >>>
>> >>> root at capella:~# net sam listmem 'Domain Computers'
>>
>> [root at firenza samba]# net sam listmem 'Domain Computers'
>> PWKS\Domain Computers has 1 members
>> PWKS\frontier$
> The other workstations are not shown! Do they work properly?
>
>> >> There is no group 'Domain Computers.' I suspect this may be part
>> >> of the problem. I have created unix groups "ntcomp" and
>> >> "ntusers" and mapped them to the appropriate RIDs for "Domain
>> >> Computers" and "Domain Users." I now see my laptop in the
>> >> "Domain Computers" group and my test user in "Domain Users" but
>> >> I still cannot login.
>> >
>> > You mean that your new user cannot log in from your new laptop??
>>
>> That's correct. I still get the message "The relationship between the
>> workstation and the primary domain failed."
>>
>> >>> Check that your new user can access the home & profiles folders,
>> >>> ie root at capella:~# smbclient -U<user> //capella/<user>
>> >>> -c'prompt;ls' root at capella:~# smbclient -U<user>
>> >>> //capella/profile -c'prompt;ls'
>> >
>> > You should run these commands on your PDC, really, and don't forget
>> > to paste here ;-) .
>>
>> [root at firenza samba]# smbclient -Utest7 //firenza/test7 -c'prompt;ls'
>> WARNING: The "share modes" option is deprecated
>> Enter test7's password:
>> Domain=[PWKS] OS=[Unix] Server=[Samba 3.6.23-6.el5]
>>   .                                   D        0  Mon Feb 24 15:41:34 2014
>>   ..                                  D        0  Mon Feb 24 15:41:34 2014
>>   .bashrc                             H      124  Mon Feb 24 15:41:34 2014
>>   .bash_logout                        H       33  Mon Feb 24 15:41:34 2014
>>   .zshrc                              H      658  Mon Feb 24 15:41:34 2014
>>   .bash_profile                       H      176  Mon Feb 24 15:41:34 2014
>>
>> 62995 blocks of size 8388608. 3900 blocks available
> OK your user test7 can access his home. So the user account may have no
> problems.
>
>> [root at firenza samba]# smbclient -Utest7 //firenza/profile -c'prompt;ls'
>> WARNING: The "share modes" option is deprecated
>> Enter test7's password:
>> Domain=[PWKS] OS=[Unix] Server=[Samba 3.6.23-6.el5]
>> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
> You do not have a profile share in smb.conf. Create one.
Why? The default will be used: 'logon path = \\%N\%U\profile'
>
>> Also for the sake of completeness... My test user is "test7."
>>
>> [root at firenza samba]# net groupmap list
>> Domain Admins (S-1-5-21-3156343736-2281260705-865550557-512) -> ntadmin
>> Domain Users (S-1-5-21-3156343736-2281260705-865550557-513) -> ntusers
>> Domain Computers (S-1-5-21-3156343736-2281260705-865550557-515) -> ntcomp
>>
>> [root at firenza samba]# net sam listmem 'Domain Users'
>> PWKS\Domain Users has 4 members
>> PWKS\jworkman
>> PWKS\jeff
>> PWKS\test7
>> PWKS\jfarrar
> Post:
> getent group ntadmin
> getent group ntusers
> getent group ntcomp
> These are the Linux group names for the recommended Windows groups.
>
> Post also:
> getent passwd test7
> getent passwd 'frontier$'
>
>
>
> Now Samba uses the privilege feature, which was not available in Samba
> 3.0
>
> root at capella:~# net rpc rights list 'Domain Admins'
> Enter root's password:
> SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege
> SeBackupPrivilege
> SeRestorePrivilege
> SeRemoteShutdownPrivilege
> SePrintOperatorPrivilege
> SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
> To grant these rights do:
>
> All on one line:
>
> net rpc rights grant 'Domain Admins' SeMachineAccountPrivilege
> SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege
> SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> SeDiskOperatorPrivilege
>
>
>
> By writing this I remember the *safe way* to rejoin a windows pc:
>
> In control panel - system on your laptop change from Domain Member to
> Workgroup Member, reboot, change back to Domain Member. You should see
> the welcome to Domain message, reboot again.
>
>
There is a lot more missing from the smb.conf; I would suggest googling
for 'samba PDC tdbsam' for more info.
Rowland
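The checks the thread walks through by hand (machine SID equal to domain SID, the well-known RIDs 512/513/514/515 mapped under that domain SID, the workstation account and any SID baked into a roaming NTUSER.DAT sharing the same domain prefix) can be scripted so that a stale profile or a mismatched mapping is caught before anyone rejoins a machine. The following is an added example, not code from this thread or from the Samba project: it parses the `net getdomainsid`, `net groupmap list` and `net sam show` output quoted above (embedded here as sample strings), plus a constructed byte blob standing in for a slice of an NTUSER.DAT hive; the function names and the error/warning split are my own choices.

```python
import re

# Sample command output, copied from the thread above (the PDC "firenza").
GETDOMAINSID_OUT = """\
SID for local machine FIRENZA is: S-1-5-21-3156343736-2281260705-865550557
SID for domain PWKS is: S-1-5-21-3156343736-2281260705-865550557
"""
GROUPMAP_OUT = """\
Domain Admins (S-1-5-21-3156343736-2281260705-865550557-512) -> ntadmin
Domain Users (S-1-5-21-3156343736-2281260705-865550557-513) -> ntusers
Domain Computers (S-1-5-21-3156343736-2281260705-865550557-515) -> ntcomp
"""
SAM_SHOW_OUT = "PWKS\\frontier$ is a User with SID S-1-5-21-3156343736-2281260705-865550557-1002\n"

# Constructed stand-in for a few bytes of an NTUSER.DAT hive: registry strings are
# UTF-16LE, so the SID is embedded that way, surrounded by filler bytes.
SAMPLE_HIVE = (b"regf\x00\x10"
               + "S-1-5-21-3156343736-2281260705-865550557-1002".encode("utf-16-le")
               + b"\x00\x00\\Profile")

# Well-known domain RIDs an NT4-style Samba domain is expected to map.
REQUIRED_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}
OPTIONAL_RIDS = {514: "Domain Guests"}

DOMAIN_SID_RE = r"S-1-5-21-\d+-\d+-\d+"
SID_RE = re.compile(DOMAIN_SID_RE + r"(?:-\d+)?")


def parse_getdomainsid(text):
    """Return (machine_sid, domain_sid) from `net getdomainsid` output."""
    machine = re.search(r"local machine \S+ is:\s*(" + DOMAIN_SID_RE + ")", text)
    domain = re.search(r"for domain \S+ is:\s*(" + DOMAIN_SID_RE + ")", text)
    if not (machine and domain):
        raise ValueError("could not find both SIDs in net getdomainsid output")
    return machine.group(1), domain.group(1)


def parse_groupmap(text):
    """Return {rid: (nt_group, domain_sid, unix_group)} from `net groupmap list` output."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r"(.+?) \((" + DOMAIN_SID_RE + r")-(\d+)\) -> (\S+)", line)
        if m:
            mapping[int(m.group(3))] = (m.group(1), m.group(2), m.group(4))
    return mapping


def sids_in_blob(data):
    """Extract SIDs from raw bytes (what `strings NTUSER.DAT | grep S-1-5-21` is after).
    Hive strings are UTF-16LE, which plain `strings` would miss, so both encodings are scanned."""
    found = set(SID_RE.findall(data.decode("latin-1")))
    for offset in (0, 1):  # try both byte alignments for UTF-16LE
        found.update(SID_RE.findall(data[offset:].decode("utf-16-le", errors="ignore")))
    return found


def check_domain(getdomainsid_out, groupmap_out, sam_show_out, hive_bytes=b""):
    """Run the thread's consistency checks; returns {"errors": [...], "warnings": [...]}."""
    errors, warnings = [], []
    machine_sid, domain_sid = parse_getdomainsid(getdomainsid_out)
    if machine_sid != domain_sid:
        errors.append(f"machine SID {machine_sid} differs from domain SID {domain_sid}")
    groupmap = parse_groupmap(groupmap_out)
    for rid, name in REQUIRED_RIDS.items():
        if rid not in groupmap:
            errors.append(f"{name} (RID {rid}) has no group mapping")
        elif groupmap[rid][1] != domain_sid:
            errors.append(f"{name} is mapped under foreign domain SID {groupmap[rid][1]}")
    for rid, name in OPTIONAL_RIDS.items():
        if rid not in groupmap:
            warnings.append(f"{name} (RID {rid}) is not mapped")
    m = re.search(r"with SID (" + DOMAIN_SID_RE + r")-(\d+)", sam_show_out)
    if m and m.group(1) != domain_sid:
        errors.append(f"workstation account SID prefix {m.group(1)} does not match domain SID")
    # A profile written under a different domain SID (old PDC, old machine) is the
    # stale-NTUSER.DAT situation described earlier in the thread.
    for sid in sids_in_blob(hive_bytes):
        if not (sid == domain_sid or sid.startswith(domain_sid + "-")):
            warnings.append(f"profile references SID {sid} from another domain")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = check_domain(GETDOMAINSID_OUT, GROUPMAP_OUT, SAM_SHOW_OUT, SAMPLE_HIVE)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

On the sample output from the thread the script reports no errors and one warning (Domain Guests, RID 514, is not mapped); feeding it the real command output and an actual NTUSER.DAT from the profile share is the way to use it on a live PDC.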