[TriLUG] My SAMBA hell continues

Josef Whiter jmwhiter at unity.ncsu.edu
Wed Sep 25 15:23:06 EDT 2002 

i'm not sure if you have done this yet, but i had problems with it when i was attemting something similar, did you add the computer as a user?  its something weird, and they explain how to do it in chapter 8 i think of the samba HOWTO.

Josef
> Thanks to Jon for his response.
> Troubles remain...
> 
> My distribution is Redhat 7.3 with smbd version 2.2.3a
> I now have security=server set in the smb.conf on 2 of my Linux servers.
> These point at my third Linux server which is set with security=user.
> Other settings are listed at the bottom of this message.  No Win2K or NT
> servers are members of this workgroup.  User PC's are running Win2K Pro
> and are members of another domain.
> 
> I am able to browse, map drives and manipulate files using shares of all
> 3 Linux servers.  My user ID and password stored on the 'security=user'
> server happen to be the same as the user ID and password I use  to
> access the company domain.  
> 
> Problem:  When I try to map drives to Linux SMB shares using the
> credentials of another user (other than what I used when I logged into
> my Win2K PC in the company domain) the mapping fails.  Here is an
> example.
> 
> =============================================================
> D:\>net use * \\IP_address_of_target\testuser /u:testuser
> The password or user name is invalid for
> \\IP_address_of_target\testuser.
> 
> Type the password for \\IP_address_of_target\testuser:
> System error 1326 has occurred.
> 
> Logon failure: unknown user name or bad password.  
> 
> I have verified that the user id and password are correct and I have
> updated the smbpasswd file using the same shell script used for my
> working account.
> It seems to me that the credentials used for my company domain should
> have nothing to do with authentication on my Linux servers - the fact
> that the same strings are used is coincidence.
> Still, this is the only account that can browse and map drives both in
> the company domain and the Linux server workgroup.
> Am I wrong ?  Is there something else going on ?
> 
> Ryan
> 
>  
> # Global parameters
> [global]
>         workgroup = PILOT
>         netbios name = PILOT1
>         server string = Dell 8450 Redhat 7.3
>         interfaces = eth2
>         encrypt passwords = Yes
>         obey pam restrictions = Yes
>         pam password change = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>         unix password sync = Yes
>         log file = /var/log/samba/%m.log
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         preferred master = True
>         dns proxy = No
>         hosts allow = (x.x.x. my RFC 1918 subnet here)
>         printing = lprng
> 
> [homes]
>         comment = Home Directories
>         valid users = %S
>         read only = No
>         create mask = 0664
>         directory mask = 0775
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         browseable = No
> 
> [additional shares have been sanitized]
> 		
> 
>  
> 
> 
> There are few reason not to add the servers to your present network.
> 
> You have an existing PDC on your subnet (even though its a windows
> server...) - point your samba server to that for authentication. You can
> use either server authentication or domain authentication. If you use
> server authentication then point to either a PDC or a BDC.
> 
> Please note that if you use server, it will authenticate each and every
> file access, while if you choose domain, it will cache the
> authentication for a period or time.
> 
> If you choose to Authenticate to a local samba server then you have
> quite a bit of work ahead for yourself - but I'm sure you already know
> that.
> 
> In any case you will have to setup local users/groups on each server
> (though Samba lets you create these automagically on authenticated
> access).
> 
> Browseability of the servers should be easy enough. You can use either
> WINS or DNS (Win2k pro has the ability to use DNS for its browseable
> base).
> 
> At my former company I authenticated using all of the above methods with
> no difficulties. Good Luck in your quest.  BTW: what distribution are
> you using? and what version of Samba?
> 
> Jon Carnes
> 
> On Tue, 2002-09-24 at 17:45, Ryan Leathers wrote:
> > I'm migrating services from Win2k to Linux.  The majority of my end
> > users are sticking with windows on their desktop PC's. 
> > I am in need of some sound advice in handling authentication of users
> > who "browse" SMB shares on Linux servers.
> >
> > In my pilot, I have 3 Linux servers running SMB.  They are part of the
> > same workgroup/domain.  I am compelled to leave the existing domain
> > alone and build this new workgroup during the pilot.  I suppose it's
> > most correct to call it a workgroup since there are no NT or Win2k
> hosts
> > (no domain controllers).
> > Authentication is being handled per user.  End users have Win2k Pro on
> > their PC's and are generally logged in as members of another domain.
> My
> > problems are: synchronization of credentials, visibility of Linux SMB
> > shares in browse lists on the Win2k hosts. 
> >
> > My current plan: configure the Linux servers to point to one place for
> > credentials.  I will still have a credential conflict since users are
> > members of a domain and a workgroup.  They want to use a single set of
> > uid/passwd for both.  By setting the security=server option and
> picking
> > one of the Linux servers to be that server I hope to simplify my life.
> > At least this way the credentials will be consistent for all shares on
> > the Linux servers.  To aid in my quest for "browsability" I plan on
> > making the authentication server handle WINS chores and point the
> others
> > at it.     
> >
> > Any thoughts ?
> >
> > Ryan
> > -----Original Message-----
> > From: Jon Carnes [mailto:jonc at nc.rr.com]
> > Sent: Tuesday, September 24, 2002 7:53 AM
> > To: trilug at trilug.org
> > Subject: Re: [TriLUG] Suse releases exchange server clone ($999) no
> > client licenses
> >
> > It's also worthy to note that this is now the cheapest drop-in
> > replacement for an Exchange server. It's 40% cheaper than the previous
> > Linux solution. This may not be a mile-stone for Open Source, but it
> is
> > certainly one for the evolution of Linux in the workplace.
> >
> > Migrating folks off of proprietary MS solutions is made difficult by
> > their dependence on Exchange. If you remove the Exchange dependency
> then
> > you break the strongest lock that MS has on small and medium sized
> > businesses.
> >
> > Also, this adds more competition into that market - which drops prices
> > and encourages better more responsive programming and services.  It's
> a
> > big deal for Linux to have these solutions available and actively
> being
> > developed. It's also a big deal to contractors (like me) who setup
> Linux
> > based services for folks - or even help them migrate off of MS
> products
> > over to cheaper Linux based solutions.
> >
> > The next nice thing will be when LDAP (or some Directory Services) is
> > fully functional and supported with easy installations and
> > administration.
> >
> > Jon Carnes
> >
> > On Tue, 2002-09-24 at 08:43, Ben Pitzer wrote:
> > > Can this group ever get past the flame-bait distro bashing?  C'mon,
> > > folks, whatever your personal preference, other distros have
> redeeming
> > > qualities, too.  And while the Skyrix portion of this product may be
> > > closed source, it may be exactly what somebody needs to start to
> move
> > > towards Linux and an open source, non-Exchange clone groupware
> > platform.
> > >
> > > Regards,
> > > Ben Pitzer
> > >
> > > PS - Sorry to pick on you, Tom.  Nothing personal.  I've seen it,
> and
> > > thought about it before, and your post just reminded me that I
> wanted
> > to
> > > say something.
> > >
> > > > I looked at this product before they released, and the important
> > pieces
> > > > (Skyrix) are closed source, in typical SuSE fashion.
> > >
> > > _______________________________________________
> > > TriLUG mailing list
> > >     http://www.trilug.org/mailman/listinfo/trilug
> > > TriLUG Organizational FAQ:
> > >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> >
> >
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> 
> 
> _______________________________________________
> TriLUG mailing list
>     http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ:
>     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
>

More information about the TriLUG mailing list