Horrible problem with SAMBA -- continued
Pete Clapham
pclapham at windstream.net
Thu Dec 10 01:20:00 UTC 2009
Tom H wrote:
>> Thank you for your comments. I assumed that the netlogon had something
>> to do with the problem. The form in which it was in the smb.conf file
>> was what worked fine for the last 3 years in Samba and which stopped
>> working when I upgraded to Karmic (hence the post on ubuntu-users). Did
>> Karmic change the default logon path and/or logon home? (I'm not really
>> sure what these are anyhow), Also I'm not sure what group maps are.
>> Can you advise?
>> BTW, I did recreate the user and machine accounts when I reloaded Karmic.
>>
>
> You're welcome.
>
> 1) Netlogon share
>
> I was amazed to read that you have had a PDC without a netlogon share
> for three years so I checked the samba.org documentation.
>
> ***quote***
> A domain controller is an SMB/CIFS server that:
>
> * Registers and advertises itself as a domain controller (through
> NetBIOS broadcasts as well as by way of name registrations either by
> Mailslot Broadcasts over UDP broadcast, to a WINS server over UDP
> unicast, or via DNS and Active Directory).
>
> * Provides the NETLOGON service. (This is actually a collection of
> services that runs over multiple protocols. These include the LanMan
> logon service, the Netlogon service, the Local Security Account
> service, and variations of them.)
>
> * Provides a share called NETLOGON.
> ***endquote***
>
> from
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html
>
> and
>
> ***quote***
> # The netlogon share is required for
> # functioning as the primary domain controller.
> # Make sure the directory used for the path exists.
>
> [netlogon]
> path = /usr/local/samba/lib/netlogon
> writable = no
> browsable = no
> ***endquote***
> from
> http://www.samba.org/samba/docs/using_samba/appa.html
>
> ***quote***
> NETLOGON Share
>
> The NETLOGON share plays a central role in domain logon and domain
> membership support. This share is provided on all Microsoft domain
> controllers. It is used to provide logon scripts, to store group
> policy files (NTConfig.POL), as well as to locate other common tools
> that may be needed for logon processing. This is an essential share on
> a domain controller.
> ***endquote***
> from
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html
>
> So, if it worked, it worked, but the documentation is clear that the
> netlogon share is required unless it is out of date or it is
> incomplete/inaccurate and the share is unnecessary if you do not use
> logon scripts.
>
>
> 2) Groups maps
>
> ***quote***
> Samba 3.0.x series releases before 3.0.23 automatically created group
> mappings for the essential Windows domain groups Domain Admins, Domain
> Users, Domain Guests. Commencing with Samba 3.0.23 these mappings need
> to be created by the Samba administrator. Failure to do this may
> result in a failure to correctly authenticate and recognize valid
> domain users. When this happens users will not be able to log onto the
> Windows client.
> Note
>
> Group mappings are essential only if the Samba server is running as a
> PDC/BDC. Stand-alone servers do not require these group mappings.
>
> The following mappings are required:
>
> Domain Group RID Example UNIX Group
> Domain Admins 512 root
> Domain Users 513 users
> Domain Guests 514 nobody
> ***endquote***
> from
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ChangeNotes.html
>
>
> 3) logon path and/or logon home
>
> "logon path" is where your users' roaming profiles are/will be stored.
> According to its man pages, Karmic uses the defaults set by the Samba
> team.
>
>
> 4) Recreation of accounts
>
> I had hoped to look it up since I last replied to you but I have not
> had the time. I think that the SIDs of your boxes will have the
> previous domain's SID and you may have to take them out of the domain
> and add them back in for them to have the correct SID (another option
> is to get the previous domain SID and change the new one to the old
> one). The mention of adding boxes to the domain also reminds me that
> you need to add root to samba with a RID of 500.
>
>
Tom --
Thanks for your help. I've been reading up on the references you
provided and have made some major changes. BTW, as for the Netlogon
share, obviously I did have a netlogon share when the system worked; I
commented it out to see if it would work (it didn't), but I thought that
was where the problem might be.
Here is most of the current smb.conf file. It includes the global and
bookkeeping stuff; the first share in the list is imaginex; there are
lots of others as well, and they all work for all users.
# Samba config file created using SWAT
# from UNKNOWN (127.0.0.)
# Date: 2009/12/04 10:30:16
[global]
workgroup = ERSL
netbios aliases = earth.sr-02-01.csuohio.edu
server string = Environmental Remote Sensing Laboratory
interfaces = eth1
passdb backend = tdbsam
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
logon drive = X:
logon path = \\%L\profiles\%u\%m
time server = Yes
domain logons = Yes
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
os level = 255
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home2/%D/%U
template shell = /bin/bash
#domain admin group = root clapham
security = user
encrypt passwords = Yes
host msdfs = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
browsable = No
map archive = Yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = No
writable = No
[profiles]
comment = place to store Windows roaming profiles
path = /var/lib/samba/profiles
writable = Yes
create mask = 0600
directory mask = 0700
profile acls = Yes
browsable = No
[dfs]
comment = Dfs share
path = /usr/local/samba/dfs
msdfs root = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
write list = root, @ersladmin
[cdrom]
comment = Samba server's CD-ROM
path = /cdrom
guest ok = Yes
locking = No
preexec = /bin/mount /cdrom
postexec = /bin/umount /cdrom
[imaginex]
comment = ERDAS Imagine files
path = /applications/imaginex
There are two problems:
1. When I do certain commands (e.g. net rpc group members . . .) I get
the message:
  WARNING: no network interfaces found
  WARNING: no network interfaces found
This may mean that I don't have a "bind interfaces only" command in the
smb.conf, but I can interact with the server for share purposes using
samba, and I can easily get out from the server to other places, so it
would seem that the interfaces are correctly described by eth1, and it
works.
2. Probably more important, I don't think that the machines are setting
up the trust relationships correctly. I actually tried to use some
command (don't remember which) from which I was told explicitly that the
trust relationship has been broken. I've tried to do it manually in the
past, but the "on the fly" approach would appear to be preferable. The
documentation in the "HowTo-Collection" is rather vague on how to do
this. I've added an add-machine script to the smb.conf. However, I'm
not sure how to request that the system access it. Should this be a
"net use . . ." from the windows workstation? An attempt to log onto
the domain? It's not at all clear what this actually means!
Any insight you can provide into either of these issues would be greatly
appreciated.
Thanks for your help.
cheers,
pete
--
W. B. (Pete) Clapham, Jr.
Department of Biological, Geological, and Environmental Sciences
Cleveland State University
2121 Euclid Avenue
Cleveland, Ohio, 44115
voice: [216] 687-4820
fax: [216] 687-6972
w.clapham at csuohio.edu
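As an added check, not from either message in this thread: Tom H's reply says a Samba 3 PDC needs group mappings for RIDs 512/513/514 and a root account with RID 500. This script verifies both by parsing `net groupmap list` and `pdbedit -Lv root` text; the sample output below is constructed, the SID prefix S-1-5-21-1-2-3 is a placeholder, and the `--live` flag is this script's own convention.

```shell
# Print the UNIX group mapped to RID $1 from `net groupmap list` text on stdin.
# Expected line shape: "Domain Admins (S-1-5-21-1-2-3-512) -> root"
groupmap_for_rid() {
    sed -n "s/^.* (S-1-5-21-[0-9-]*-$1) -> \(.*\)$/\1/p"
}

# Arg 1: `net groupmap list` output. Prints the required groups that are
# unmapped (empty when all three exist) and returns 1 if any is missing.
check_required_groupmaps() {
    missing=""
    for pair in "512:Domain Admins" "513:Domain Users" "514:Domain Guests"; do
        rid=${pair%%:*}; name=${pair#*:}
        grp=$(printf '%s\n' "$1" | groupmap_for_rid "$rid")
        [ -n "$grp" ] || missing="${missing}${name} (RID $rid);"
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Arg 1: `pdbedit -Lv <user>` output. Prints the RID from its "User SID:" line.
rid_from_pdbedit() {
    sid=$(printf '%s\n' "$1" | sed -n 's/^User SID:[[:space:]]*\(S-[0-9-]*\).*$/\1/p')
    printf '%s' "${sid##*-}"
}

# Constructed sample: Domain Guests (514) is missing, as it would be on a
# 3.0.23+ server where the admin never created the mapping.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1-2-3-512) -> root
Domain Users (S-1-5-21-1-2-3-513) -> users'
SAMPLE_PDBEDIT='Unix username:        root
User SID:             S-1-5-21-1-2-3-500
Primary Group SID:    S-1-5-21-1-2-3-512'

# Run against the live server with: sh check_pdc.sh --live
if [ "${1:-}" = "--live" ]; then
    check_required_groupmaps "$(net groupmap list)" && echo "group maps OK"
    [ "$(rid_from_pdbedit "$(pdbedit -Lv root)")" = 500 ] && echo "root RID OK"
fi
```

A non-empty result from check_required_groupmaps names exactly the mappings to create with `net groupmap add` before domain logons will authenticate.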