Samba errors ...

Taking care of your Linux box.
mrkkhattak
Site Admin
Posts: 285
Joined: Wed Aug 07, 2002 8:00 pm
Location: Karachi

Samba errors ...

Post by mrkkhattak »

Assalamualaikum,

I am trying to run Samba (Red Hat Linux 9) on a Windows client. It would act as a client of MS Windows 2000 client. I configured it using Red Hat's own GUI configuration tool. Initially it worked (I could copy/paste, move/edit/delete data from it), but after some time it stopped working ...

When I checked the logs, it said "couldn't fetch the password from khi_kal_org" or something like that. Somewhere it said "NT_status_failure" or something like that?

I didn't change anything in my smb.conf file, as it was working initially, so what happened to it now?

Any help would be greatly appreciated.

Regards,

-Meraj
daberkar
Cadet
Posts: 12
Joined: Fri Aug 22, 2003 2:55 pm
Location: United Arab Emirates

Post by daberkar »

Asalaam o Alikum

I have the solution how to configure SAMBA as PDC of win2000

:lol: contact me 8)

moughal74@yahoo.com
Suhail Tariq Moughal
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re: Samba Error

Post by LinuxFreaK »

Dear Meraj Bahi,
Salam,
Asalaam o Alikum
I have the solution how to configure SAMBA as PDC of win2000
:D contact me 8)

moughal74@yahoo.com
___________________
Suhail Tariq Moughal

Dear Meraj Bahi,

Salam All PLUCians,

Sir, as daberkar said that he has the solution, I think he must share the solution with people, because there are lots of newbies in our forum having the problem and they need a solution. I would like to know whether "khi_kal_org" is a valid user on your Linux machine; if it's not there then it's "nobody". If that is so, please post your smb.conf at the forum, or try this smb.conf:

Code:


[global]
workgroup = HOME
netbios name = SERVER
server string = Samba Server
interfaces = 192.168.0.1/32 192.168.1.1/32
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
password level = 8
username level = 3
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
logon script = %U.bat
logon path = \\%L\Profiles\nt\%U
logon home = \\%L\Profiles\98\%U
domain logons = Yes
os level = 85
preferred master = Yes
domain master = Yes
wins proxy = Yes
wins support = Yes
remote announce = 192.168.0.255 192.168.1.255
hosts allow = 192.168.0. 192.168.1. 127.
printing = lprng
printer admin = root
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

[netlogon]
path = /var/spool/samba/netlogon
browseable = No
root preexec = /var/spool/samba/bin/ntlogon.py -d /var/spool/samba/netlogon/ --user=%U --os=%m
root postexec = rm /var/spool/samba/netlogon/%U.bat
write list = root

[Profiles]
path = /var/spool/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[public]
comment = Public
path = /var/spool/samba/public
write list = @users
read only = No
create mask = 0644
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

[print$]
path = /var/spool/samba/printers
browseable = yes
read only = yes
write list = root

[lp0]
path = /var/spool/samba
read only = No
guest ok = Yes
printable = Yes
printer name = lp0
printer driver = "HP DeskJet 890C"
oplocks = No

Hope it will help you out.
Best Regards.
Farrukh Ahmed
daberkar
Cadet
Posts: 12
Joined: Fri Aug 22, 2003 2:55 pm
Location: United Arab Emirates

Configuring Samba as a Windows NT Primary Domain Controller

Post by daberkar »

Configuring Samba as a Windows NT Primary Domain Controller
8)
One of the most important developments over the past two years for GNU/Linux in the enterprise is the increased capabilities of the Samba server package. Samba not only allows GNU/Linux systems and Windows systems to share devices seamlessly, but it can also enable a GNU/Linux system to act as a Primary Domain Controller for a Windows network, something previously reserved for Windows NT server platforms only. Delivering this capability on the stable GNU/Linux platform has made it much easier for large companies to quietly adopt GNU/Linux in the enterprise.

By building into Samba 2.2.x the capacity for a GNU/Linux server to function as a Microsoft Windows NT Primary Domain Controller (PDC), the Samba developers have pushed GNU/Linux into direct competition with Windows NT/2000. In this article, we'll show you how to set up Samba on your GNU/Linux system as a PDC.

Prerequisites:

· Extensive knowledge of Windows networking
· Familiarity with Samba configuration
· Familiarity with Linux and Windows security issues
· Admin rights over all systems on your network

In our demonstration, we'll take a look at a small network configuration with an NT 4.0 workstation, several Microsoft Windows 98/ME machines and one GNU/Linux server using Samba as a Microsoft Windows NT PDC. This configuration can be broken down into three parts: the configuration of the Samba PDC server, the creating of accounts, and then joining the new domain. First, we'll take a look at configuring the Samba server.

The configuration of the Samba PDC server

When configuring Samba to act as an NT Primary Domain Controller, you'll need to make extensive edits to your smb.conf file. First, let's look at the changes you'll make to the global settings for the server.

To start, open smb.conf in your favorite text editor and begin at the top of the file. The following is a commented listing of the global settings you'll need for creating your PDC. Some of the default settings have been pruned out, so don't be alarmed if you don't see a setting from your default smb.conf file. You might want to open another terminal window at this point and view the smb.conf man pages for references.

[global]
# workgroup = Your NT-Domain-Name
workgroup = DEMODOMAIN
#Your PDC identifying comment
server string = Samba/NT PDC
#Your netbios name
netbios name = JERRY

These first three settings establish the PDC server name and the domain it will control. The server string isn't mandatory, but can be helpful in identifying the PDC on the network.

#User-level security is standard for a PDC
security = user
#Encrypted passwords are mandatory
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

These three settings above are mandatory for configuring your PDC. The smbpasswd file should be located in the same directory on your server as the smb.conf file. In this case, the directory specified was created when the RPM Samba package was installed on a Red Hat Linux system. Domain logon users will have user ids in both the /etc/passwd and smbpasswd files. To enable users to change their passwords and keep both the Linux password (/etc/passwd) and the Samba passwords (smbpasswd) in sync, use the following settings:

unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

Obviously, this is an admin control issue. If you need tight security on your PDC and don't want users to be able to change their passwords, then you can leave these settings out. They're only for the end user's convenience.

These four settings are also mandatory as they establish the Samba server as your PDC:

# set these to act as the domain and local browser
preferred master = yes
domain master = yes
local master = yes
os level = 64

These settings determine the priority level of your Samba PDC. The os level setting determines the numerical preference level of the server for Domain elections that are forced by the preferred master setting. By default, the os level should be set to 64 for configuring a PDC. As you can see, these settings will make the server "JERRY" the "master of its domain".

Configuring the server logons for Windows clients

The next group of settings will configure the server to accept network/domain logons for Microsoft Windows clients.

#This one is obvious, and mandatory
domain logons = yes
#You can use 3 different methods for user logon scripts
#You can identify the logon by the name of the user's machine
logon script = %m.bat
#You can identify the logon by the username
logon script = %U.bat
#Or you can have a single common logon script for users
logon script = logon.cmd

You'll notice that you can choose three different ways to identify a user logon. But, you can only use one of the three methods at any given time. In the settings we've just listed, we've configured the PDC with a generic user logon script. When you use this setting, the location of the logon script is in the share you'll create for net logons. Next, we'll discuss the mandatory shares you'll create for your Samba PDC.

Defining Your Shares

Aside from your network devices that will be shared on your network, you will need to define shares that are specific to your PDC configuration. If you decide to use a generic logon script for all of your domain users, you'll need to create the following share:

[netlogon]
path = /etc/samba/netlogon
writeable = no
write list = ntadmin

The path to this share is where your common user logon script that we defined earlier as logon.cmd will exist. Read/write permissions to this share are set for users on the ntadmin list only. We'll explain the write list in the next section on setting up your user accounts on the PDC. You'll need to define one more share for user profiles, and then you're finished with your smb.conf edits.

The profiles share for your PDC is a separate device created for storing user profiles. The path on the server can be anywhere; we suggest you create a new subdirectory on a file system other than your boot file system. This will allow you to recover user profiles in the case of a boot file system crash. In the following share definition, we've set up the profiles share on the /usr filesystem:

[profiles]
path = /usr/smb/ntprofile
writeable = yes
create mask = 0600
directory mask = 0700

Creating machine trust accounts on your PDC

On a Microsoft Windows NT PDC, machine trust accounts are user accounts owned by a single computer. The machine trust account password is a shared secret that allows for secure communication with the domain controller. Under Microsoft Windows NT, these trusted account passwords are stored in the registry. On a Samba PDC under Linux, these passwords are stored in the same location as your smbpasswd file.

Editor's note: Understanding Microsoft Windows NT security schemes is not absolutely necessary at this point, but a basic grasp of these concepts will help. Machine trust passwords shouldn't be confused with user ids and logons. They are machine identifiers for an NT Domain Controller that identify trusted domain machines to the PDC. Unknown to many network administrators, Microsoft Windows 9x machines, which can only use LanMan type passwords, are not true members of a domain. This is because NT, which uses NT password hashes, doesn't recognize LanMan passwords as trusted. Remember this when you need a tidbit to astound your friends at your next party...

You can create trusted machine accounts on your Samba PDC two ways. The first method is to create manually the password with a known value (such as the lower case netbios name of the machine) before you join the machine to the domain. The other method creates the trusted machine account when the admin joins the machine to the domain. This second method uses the session key of the administrative account as an encryption key for setting the password to a random value. The second method is much more secure than the first method, and is recommended. Currently, Samba requires a Linux user id from which a Microsoft Windows NT system id can be generated. For this reason, you'll need to add a configuration line to your smb.conf file if you want your Samba PDC to add Linux user ids on the fly when users access the server from a trusted machine. In your global settings of the smb.conf file, add the setting:

add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

The path shown as /usr/sbin/useradd should point to wherever your system stores the useradd program. This setting as shown will work on most GNU/Linux systems.

To manually add a trusted machine account, you must first create an entry in your /etc/passwd file. For example, let's say you're adding the machine "elaine" manually to your domain. Using your favorite text editor as root, open your /etc/passwd file and create an entry that looks like this:

elaine$:x:505:501:NTMachine:/dev/null:/bin/false

The appended "$" to the user "Elaine" in the /etc/passwd entry signifies this as a machine account. The rest of the settings establish the account without a home directory and no shell access. Once you've created this entry, add the user to your smbpasswd file with the following command run as the superuser root:

smbpasswd -a -m elaine

You should then immediately join the machine to the domain with your NT Admin applet.

Conclusion

Samba is an incredibly powerful server software package that extends GNU/Linux machines and their functionality to the enterprise. In this article, we've demonstrated the configuration of Samba on GNU/Linux as a Microsoft Windows NT Primary Domain Controller.
Suhail Tariq Moughal
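
An added example, not part of either post: a Python check that parses an smb.conf and reports which of the settings the article above describes as mandatory for a PDC are absent, whether [netlogon] is writable, and which file shares combine guest access with write access. The sample configuration is constructed, and the function names are this example's own.

```python
import configparser

# [global] booleans the article above lists as mandatory for a PDC.
REQUIRED_YES = ("encrypt passwords", "domain logons", "domain master",
                "preferred master", "local master")

def load(text):  # -> {section: {key: value}}, names lower-cased
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)  # strict=False: a repeated key keeps its last value
    return {s.lower(): dict(cp.items(s)) for s in cp.sections()}

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def writable(share):  # Samba's default is read only = yes
    if "read only" in share:
        return not is_yes(share["read only"])
    return any(is_yes(share.get(k, "no")) for k in ("writeable", "writable"))

def audit(text):
    conf, findings = load(text), []
    g = conf.get("global", {})
    if g.get("security", "").lower() != "user":
        findings.append("[global] security = user is not set")
    findings += [f"[global] {k} is not enabled"
                 for k in REQUIRED_YES if not is_yes(g.get(k, "no"))]
    if "netlogon" not in conf:
        findings.append("[netlogon] share is missing")
    elif writable(conf["netlogon"]):
        findings.append("[netlogon] is writable beyond its write list")
    for name, share in conf.items():
        if name == "global" or is_yes(share.get("printable", "no")):
            continue  # only file shares are checked here
        if is_yes(share.get("guest ok", "no")) and writable(share):
            findings.append(f"[{name}] is guest-accessible and writable")
    return findings

# Constructed sample, not taken from either post.
SAMPLE = """[global]
security = user
encrypt passwords = yes
domain master = yes
[netlogon]
writeable = yes
[scratch]
read only = No
guest ok = Yes
"""
print("\n".join(audit(SAMPLE)))
```

A writable [netlogon] matters because the logon script stored there is run by every client that logs on to the domain.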
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear daberkar,
Salam,

I really appreciate you. Thanks a lot for posting the solution. But I think Meraj bahi had done the Samba configuration and I think his problem was solved, but anyway your contribution helps many newbies a lot. :D And Meraj Bahi, if you have any further queries then lemme know :)

Best Regards.
Farrukh Ahmed