Old 12-10-2009, 12:20 AM
Pete Clapham
 
Horrible problem with SAMBA -- continued

Tom H wrote:


Thank you for your comments. I assumed that the netlogon had something
to do with the problem. The form in which it was in the smb.conf file
was what's worked fine for the last 3 years in Samba and which stopped
working when I upgraded to Karmic (hence the post on ubuntu-users). Did
Karmic change the default logon path and/or logon home? (I'm not really
sure what these are anyhow). Also I'm not sure what group maps are.
Can you advise?
BTW, I did recreate the user and machine accounts when I reloaded Karmic.



You're welcome.

1) Netlogon share

I was amazed to read that you have had a PDC without a netlogon share
for three years so I checked the samba.org documentation.

***quote***
A domain controller is an SMB/CIFS server that:

* Registers and advertises itself as a domain controller (through
NetBIOS broadcasts as well as by way of name registrations either by
Mailslot Broadcasts over UDP broadcast, to a WINS server over UDP
unicast, or via DNS and Active Directory).

* Provides the NETLOGON service. (This is actually a collection of
services that runs over multiple protocols. These include the LanMan
logon service, the Netlogon service, the Local Security Account
service, and variations of them.)

* Provides a share called NETLOGON."
***endquote***

from
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html

and

***quote***
# The netlogon share is required for
# functioning as the primary domain controller.
# Make sure the directory used for the path exists.

[netlogon]
path = /usr/local/samba/lib/netlogon
writable = no
browsable = no
***endquote***
from
http://www.samba.org/samba/docs/using_samba/appa.html

***quote***
NETLOGON Share

The NETLOGON share plays a central role in domain logon and domain
membership support. This share is provided on all Microsoft domain
controllers. It is used to provide logon scripts, to store group
policy files (NTConfig.POL), as well as to locate other common tools
that may be needed for logon processing. This is an essential share on
a domain controller.
***endquote***
from
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html

So, if it worked, it worked, but the documentation is clear that the
netlogon share is required unless it is out of date or it is
incomplete/inaccurate and the share is unnecessary if you do not use
logon scripts.


2) Groups maps

***quote***
Samba 3.0.x series releases before 3.0.23 automatically created group
mappings for the essential Windows domain groups Domain Admins, Domain
Users, Domain Guests. Commencing with Samba 3.0.23 these mappings need
to be created by the Samba administrator. Failure to do this may
result in a failure to correctly authenticate and recognize valid
domain users. When this happens users will not be able to log onto the
Windows client.
Note

Group mappings are essential only if the Samba servers is running as a
PDC/BDC. Stand-alone servers do not require these group mappings.

The following mappings are required:

Domain Group     RID    Example UNIX Group
Domain Admins    512    root
Domain Users     513    users
Domain Guests    514    nobody
***endquote***
from
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html


3) logon path and/or logon home

"logon path" is where your users' roaming profiles are/will be stored.
According to its man pages, Karmic uses the defaults set by the Samba
team.


4) Recreation of accounts

I had hoped to look it up since I last replied to you but I have not
had the time. I think that the SIDs of your boxes will have the
previous domain's SID and you may have to take them out of the domain
and add them back in for them to have the correct SID (another option
is to get the previous domain SID and change the new one to the old
one). The mention of adding of boxes to the domain also reminds me that
you need to add root to samba with a RID of 500.



Tom --



Thanks for your help. I've been reading up on the references you
provided and have made some major changes. BTW, as for the Netlogon
share, obviously I did have a netlogon share when the system worked; I
commented it out to see if it would work (it didn't), but I thought
that was where the problem might be.

Here is most of the current smb.conf file. It includes the global and
bookkeeping stuff; the first share in the list is imaginex; there are
lots of others as well, and they all work for all users.



# Samba config file created using SWAT
# from UNKNOWN (127.0.0.)
# Date: 2009/12/04 10:30:16

[global]
        workgroup = ERSL
        netbios aliases = earth.sr-02-01.csuohio.edu
        server string = Environmental Remote Sensing Laboratory
        interfaces = eth1
        passdb backend = tdbsam
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/groupmod -A %u %g
        delete user from group script = /usr/sbin/groupmod -R %u %g
        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
        logon drive = X:
        logon path = \%Lprofiles\%u\%m
        time server = Yes
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        local master = Yes
        wins support = Yes
        os level = 255
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home2/%D/%U
        template shell = /bin/bash
        #domain admin group = root clapham
        security = user
        encrypt passwords = Yes
        host msdfs = Yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browsable = No
        map archive = Yes

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        browseable = No
        writable = No

[profiles]
        comment = place to store Windows roaming profiles
        path = /var/lib/samba/profiles
        writable = Yes
        create mask = 0600
        directory mask = 0700
        profile acls = Yes
        browsable = No

[dfs]
        comment = Dfs share
        path = /usr/local/samba/dfs
        msdfs root = Yes

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        write list = root, @ersladmin

[cdrom]
        comment = Samba server's CD-ROM
        path = /cdrom
        guest ok = Yes
        locking = No
        preexec = /bin/mount /cdrom
        postexec = /bin/umount /cdrom

[imaginex]
        comment = ERDAS Imagine files
        path = /applications/imaginex

There are two problems:



1. When I do certain commands, (e.g. net rpc group members . . .) I
get the message, "WARNING: no network interfaces found
WARNING: no network interfaces found". This may mean that I don't have
a "bind interfaces only" command in the smb.conf, but I can interact
with the server for share purposes using samba, and I can easily get
out from the server to other places, so it would seem that the
interfaces are correctly described by eth1, and it works.

2. Probably more important, I don't think that the machines are
setting up the trust relationships correctly. I actually tried to use
some command (don't remember which) from which I was told explicitly
that the trust relationship has been broken. I've tried to do it
manually in the past, but the "on the fly" approach would appear to be
preferable. The documentation in the "HowTo-Collection" is rather
vague on how to do this. I've added an add-machine script to the
smb.conf. However, I'm not sure how to request that the system access
it. Should this be a "net use . . ." from the windows workstation? An
attempt to log onto the domain? It's not at all clear what this
actually means!



Any insight you can provide into either of these issues would be
greatly appreciated.



Thanks for your help.



cheers,

pete
--
W. B. (Pete) Clapham, Jr.
Department of Biological, Geological, and Environmental Sciences
Cleveland State University
2121 Euclid Avenue
Cleveland, Ohio, 44115

voice: [216] 687-4820
fax: [216] 687-6972

w.clapham@csuohio.edu


--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
Old 12-10-2009, 10:15 PM
Tom H
 
Horrible problem with SAMBA -- continued

> Thanks for your help. I've been reading up on the references you provided
> and have made some major changes. BTW, as for the Netlogon share, obviously
> I did have a netlogon share when the system worked; I commented it out to
> see if it would work (it didn't), but I thought that was where the problem
> might be.

> [global]
> workgroup = ERSL
> netbios aliases = earth.sr-02-01.csuohio.edu
> server string = Environmental Remote Sensing Laboratory
> interfaces = eth1
> passdb backend = tdbsam
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> add user script = /usr/sbin/useradd -m %u
> delete user script = /usr/sbin/userdel -r %u
> add group script = /usr/sbin/groupadd %g
> delete group script = /usr/sbin/groupdel %g
> add user to group script = /usr/sbin/groupmod -A %u %g
> delete user from group script = /usr/sbin/groupmod -R %u %g
> add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s
> /bin/false -M %u
> logon drive = X:
> logon path = \%Lprofiles\%u\%m
> time server = Yes
> domain logons = Yes
> preferred master = Yes
> domain master = Yes
> local master = Yes
> wins support = Yes
> os level = 255
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> template homedir = /home2/%D/%U
> template shell = /bin/bash
> #domain admin group = root clapham
> security = user
> encrypt passwords = Yes
> host msdfs = Yes
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browsable = No
> map archive = Yes
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> browseable = No
> writable = No
> [profiles]
> comment = place to store Windows roaming profiles
> path = /var/lib/samba/profiles
> writable = Yes
> create mask = 0600
> directory mask = 0700
> profile acls = Yes
> browsable = No

> There are two problems:

> 1. When I do certain commands, (e.g. net rpc group members . . .) I get the
> message, " WARNING: no network interfaces found
> WARNING: no network interfaces found" This may mean that I don't have a
> "bind interfaces only" command in the smb.conf, but I can interact with the
> server for share purposes using samba, and I can easily get out from the
> server to other places, so it would seem that the interfaces are correctly
> described by eth1, and it works.

> 2. Probably more important, I don't think that the machines are setting up
> the trust relationships correctly. I actually tried to use some command
> (don't remember which) from which I was told explicitly that the trust
> relationship has been broken. I've tried to do it manually in the past, but
> the "on the fly" approach would appear to be preferable. The documentation
> in the "HowTo-Collection" is rather vague on how to do this. I've added an
> add-machine script to the smb.conf. However, I'm not sure how to request
> that the system access it. Should this be a "net use . . ." from the
> windows workstation? An attempt to log onto the domain? It's not at all
> clear what this actually means!

You're welcome. I am glad that you had a netlogon section; as I said
in my last email, I was surprised.

1.a I have not come across this error and I just googled it without
getting anything useful in the first page...

1.b "bind interfaces only = no" is the default so you need "bind
interfaces only = yes" for "interfaces=" to work.

1.c I have forgotten why I do it, but I always add "127.0.0.1" to the
"interfaces=" stanza. Since you theoretically have "bind interfaces
only = no" by default, this should not be the cause of your problem
but...

2.a "net rpc..." is a Linux command so you cannot run its declinations
on a Windows box. If you want to add a machine account through your
smb.conf scripts, you have to run "net rpc join -I smbserveripaddress
-U root%rootpassword".

2.b On a Linux box, you can test with "net rpc testjoin" whether it
has a machine account in your domain.

2.c "net use..." is a Windows command to map an smb share. I don't
think that you can add a computer with "net" on a Windows box, unless
you are doing so on a PDC ("net computer...") .
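
An added example (not part of the thread and not Samba's own tooling): a small Python audit of an smb.conf for two points raised above, that a server with "domain logons = Yes" needs a read-only [netlogon] share, and that "interfaces =" without "bind interfaces only = yes" does not restrict where smbd listens. The finding labels, the guest-share check and the embedded sample (trimmed from the posted config) are assumptions of this example.

```python
# Constructed sample: a trimmed copy of the smb.conf posted in the thread.
SAMPLE = """\
[global]
    interfaces = eth1
    domain logons = Yes
[netlogon]
    path = /var/lib/samba/netlogon
    writable = No
[cdrom]
    guest ok = Yes
"""

TRUE = {"yes", "true", "1"}
# Spellings Samba accepts for the same parameter; names are compared
# without regard to case or embedded spaces.
ALIASES = {"browsable": "browseable", "writeable": "writable", "public": "guestok"}

def parse(text):
    """Return {section: {param: value}} with parameter names normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = "".join(key.split()).lower()
            conf[section][ALIASES.get(key, key)] = value.strip()
    return conf

def on(params, key, default="no"):
    """True when a boolean parameter is enabled (falls back to `default`)."""
    return params.get(key, default).lower() in TRUE

def audit(text):
    """Hypothetical checks added here: netlogon share, interface binding, guest shares."""
    conf = parse(text)
    g, nl, out = conf.get("global", {}), conf.get("netlogon"), []
    if on(g, "domainlogons"):
        if nl is None or "path" not in nl:
            out.append("netlogon-missing")    # domain logons need the share
        elif on(nl, "writable") or not on(nl, "readonly", "yes"):
            out.append("netlogon-writable")   # logon scripts must be read-only
    if "interfaces" in g and not on(g, "bindinterfacesonly"):
        out.append("interfaces-not-enforced") # smbd still listens everywhere
    out += ["guest-share:" + s for s, p in conf.items() if on(p, "guestok")]
    return out
```

Calling audit(SAMPLE) flags the interface binding and the guest-accessible [cdrom] share; the [netlogon] share passes because it is present and not writable.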
