Samba PDC and Windows XP - SMB


  1. Samba PDC and Windows XP

    I am trying to set up a PDC on my home network, but I have not been able
    to get a Windows XP machine to be a member of the domain that I have
    created. I followed the steps in the online tutorial on
    www.ibm.com/developerworks. I tried to manually create the machine
    account by using the useradd function (machine$) and smbpasswd -a -m
    commands. I created a group 200 for the machine accounts. 300 for smb
    accounts. I have admin account added to the system as a unix account
    using the 300 gid. The uid for this account is 300. The uid for the
    machine account is 200. The admin account is in the smbuser file
    associated with root in this file. But I get an "Access Denied"
    message when I try to add the computer to the domain using the admin
    account.

    I had run testparm against my smb.conf file and everything checks out
    okay. Here is a copy of my smb.conf file. The file was initially
    created with SWAT, but I ended up modifying smb.conf through vi.

    I am running 3.0.23 Samba on Fedora 4.


    # Samba config file created using SWAT
    # from 192.168.1.100 (192.168.1.100)
    # Date: 2006/08/16 15:50:13

    [global]
    ;basic server settings
    workgroup = HAHMNET
    netbios name = intrepid
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    interfaces = 192.168.1.5/24
    ;idmap uid = 15000-20000
    ;idmap gid = 15000-20000

    ;PDC and master browser settings
    os level = 64
    preferred master = yes
    local master = yes
    domain master = yes
    ;wins server = 192.168.1.5
    wins support = Yes

    ;security and logging settings
    security = user
    encrypt passwords = yes
    domain logons = yes
    log file = /var/log/samba/log.%m
    log level = 2
    max log size = 50
    hosts allow = 127.0.0.1 192.168.1.0/255.255.255.0

    ;user profiles and home directory
    logon home = \\%L\%U\
    logon drive = H:
    logon path = \\%L\profiles\%U
    logon script = netlogon.bat

    ;add user script = /usr/sbin/useradd -m %u
    ;delete user script = /usr/sbin/userdel -r %u
    ;add group script = /usr/sbin/groupadd %g
    ;delete group script = /usr/sbin/groupdel %g
    ;add user to group script = /usr/sbin/groupmod -A %u %g
    ;delete user from group script = /usr/sbin/groupmod -R %u %g
    ;add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u
    create mask = 0775
    directory mask = 0775


    [netlogon]
    path = /home/samba/netlogon
    read only = No
    guest ok = Yes

    [profiles]
    path = /home/samba/profiles
    writeable = yes
    create mask = 0600
    directory mask = 0700

    [homes]
    comment = Home Directories
    read only = No

    [htmldir]
    path = /home/www/html
    read only = No

    [samba]
    path = /home/samba
    read only = No
    guest ok = Yes
    share modes = No

    [video]
    path = /home/video
    read only = No


  2. Re: Samba PDC and Windows XP

    On 18 Aug 2006 04:59:58 -0700, in comp.protocols.smb , "maxima2k"
    wrote:

    >I am trying to setup a PDC on my home network, but I have not been able
    >to get a Windows XP machine to be a member of the domain


    Create a [tmp] share. Seems that samba needs this in order to operate
    the domain. Worked for me, anyway.
    Also check that netlogon and profiles are writable - here's the
    relevant part of my config.

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon

    [profiles]
    comment = Network Profiles
    path = /var/lib/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    browseable = No

    [tmp]
    comment = temporary files
    path = /tmp

    [homes]
    comment = Users Home Directories
    valid users = %S
    read only = No
    browseable = No
    --
    Mark McIntyre

  3. Re: Samba PDC and Windows XP

    Mark McIntyre wrote:

    > Create a [tmp] share. Seems that samba needs this in order to operate
    > the domain. Worked for me, anyway.
    > Also check that netlogon and profiles are writable - here's the
    > relevant part of my config.


    I tried the settings suggested. I still get Access Denied messages
    when trying to get my Windows XP machine to join as a member of the
    domain. Here is a snippet of the log file for the computer. This is
    from the Samba server.

    [2006/08/18 18:18:01, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
    [2006/08/18 18:18:01, 2] lib/access.c:check_access(324)
    Allowed connection from (192.168.1.9)
    [2006/08/18 18:18:01, 2] smbd/reply.c:reply_tcon_and_X(711)
    Serving IPC$ as a Dfs root
    [2006/08/18 18:18:02, 2] auth/auth.c:check_ntlm_password(309)
    check_ntlm_password: authentication for user [admin] -> [admin] -> [admin] succeeded
    [2006/08/18 18:18:02, 2] lib/access.c:check_access(324)
    Allowed connection from (192.168.1.9)
    [2006/08/18 18:18:02, 2] smbd/reply.c:reply_tcon_and_X(711)
    Serving IPC$ as a Dfs root
    [2006/08/18 18:18:02, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
    Returning domain sid for domain HAHMNET -> S-1-5-21-3055600407-3896144620-1783176775
    [2006/08/18 18:18:02, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
    Returning domain sid for domain HAHMNET -> S-1-5-21-3055600407-3896144620-1783176775


    Needless to say I am really stumped.


  4. Re: Samba PDC and Windows XP

    maxima2k enlightened us comp.protocols.smb - (ab)users with:

    > Mark McIntyre wrote:
    >
    >> Create a [tmp] share. Seems that samba needs this in order to operate
    >> the domain. Worked for me, anyway.
    >> Also check that netlogon and profiles are writable - here's the
    >> relevant part of my config.

    >
    > I tried the settings suggested. I still get Access Denied messages
    > when trying to get my Windows XP machine to join as a member of the
    > domain. Here is a snippet of the log file for the computer. This is
    > from the Samba server.
    >
    > [2006/08/18 18:18:01, 2] auth/auth.c:check_ntlm_password(309)
    > check_ntlm_password: authentication for user [admin] -> [admin] ->
    > [admin] succeeded
    > [2006/08/18 18:18:01, 2] lib/access.c:check_access(324)
    > Allowed connection from (192.168.1.9)
    > [2006/08/18 18:18:01, 2] smbd/reply.c:reply_tcon_and_X(711)
    > Serving IPC$ as a Dfs root
    > [2006/08/18 18:18:02, 2] auth/auth.c:check_ntlm_password(309)
    > check_ntlm_password: authentication for user [admin] -> [admin] ->
    > [admin] succeeded
    > [2006/08/18 18:18:02, 2] lib/access.c:check_access(324)
    > Allowed connection from (192.168.1.9)
    > [2006/08/18 18:18:02, 2] smbd/reply.c:reply_tcon_and_X(711)
    > Serving IPC$ as a Dfs root
    > [2006/08/18 18:18:02, 2]
    > rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
    > Returning domain sid for domain HAHMNET ->
    > S-1-5-21-3055600407-3896144620-1783176775
    > [2006/08/18 18:18:02, 2]
    > rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
    > Returning domain sid for domain HAHMNET ->
    > S-1-5-21-3055600407-3896144620-1783176775
    >
    >
    > Needless to say I am really stumped.


    There is no error notice in your logfile, probably you didn't post the
    relevant part.
    What does "testparm" say for "ROLE"?
    --
    vista policy violation: Microsoft optical mouse found penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.17-mm1,Xorg7.1/nvidia [LinuxCounter#295241,ICQ#4918962]

  5. Re: Samba PDC and Windows XP


    "maxima2k" wrote in message
    news:1155902398.396291.299770@m73g2000cwd.googlegroups.com...
    >I am trying to setup a PDC on my home network, but I have not been able
    > to get a Windows XP machine to be a member of the domain that I have
    > created. I followed the steps in the online tutorial on
    > www.ibm.com/developerworks. I tried manually create the machine
    > account by using the useradd function (machine$) and smbpasswd -a -m
    > commands. I created a group 200 for the machine accounts. 300 for smb
    > accounts. I have admin account added to the system as a unix account
    > using the 300 gid. The uid for this account is 300. The uid for the
    > machine account is 200. The admin account is in the smbuser file
    > associated with root in this file. But I get an "Access Denied"
    > message when I try add the computer to the domain using the admin
    > account.


    Did you patch the XP machines to disable the digital encryption ?

    This is known to cause logon problems onto the domain ..

    You need to patch the registry on each XP machine using gpedit.msc and
    change the 4 consecutive values to "disabled"

    under the local security settings ..

    You can do a google search, This is documented ..







  6. Re: Samba PDC and Windows XP

    imbsysop enlightened us comp.protocols.smb - (ab)users with:

    ......
    > Did you patch the XP machines to disable the digital encryption ?
    >

    You mean the "sign_or_seal" thing?

    > This is known to cause logon problems onto the domain ..
    >
    > You need to patch the registry on each XP machine using gpedit.msc and
    > change the 4 consecutive values to "disabled"
    >
    > under the local security settings ..
    >
    > You can do a google search, This is documented ..


    Now I think it isn't necessary anymore since 3.0.10 or so.
    Unfortunately the OP didn't reveal anything about his samba version
    nor a snippet from smb.conf.
    --
    vista policy violation: Microsoft optical mouse found penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.17-mm1,Xorg7.1/nvidia [LinuxCounter#295241,ICQ#4918962]

  7. Re: Samba PDC and Windows XP


    Walter Mautner wrote:

    >
    > There is no error notice in your logfile, probably you didn't post the
    > relevant part.
    > What does "testparm" say for "ROLE"?


    This is what testparm says:

    [root@INTREPID samba]# testparm
    Load smb config files from /etc/samba/smb.conf
    Processing section "[netlogon]"
    Processing section "[profiles]"
    Processing section "[tmp]"
    Processing section "[homes]"
    Processing section "[htmldir]"
    Processing section "[samba]"
    Processing section "[video]"
    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions


  8. Re: Samba PDC and Windows XP


    imbsysop wrote:

    > Did you patch the XP machines to disable the digital encryption ?
    >
    > This is known to cause logon problems onto the domain ..
    >
    > You need to patch the registry on each XP machine using gpedit.msc and
    > change the 4 consecutive values to "disabled"
    >
    > under the local security settings ..
    >
    > You can do a google search, This is documented ..


    For the digital encryption, do you mean the SIGN_OR_SEAL registry hack?
    As near as I can figure out things are okay with this.

    requiresignorseal REG_DWORD 0x00000000

    I will need to do more research on the gpedit.msc that you refer to.


  9. Re: Samba PDC and Windows XP


    Walter Mautner wrote:

    > Now I think it isn't necessary anymore since 3.0.10 or so.
    > Unfortunately the OP didn't reveal anything about his samba version
    > neither a snippet from smb.conf.
    > --
    > vista policy violation: Microsoft optical mouse found penguin patterns
    > on mousepad. Partition scan in progress to remove offending
    > incompatible products. Reactivate MS software.
    > Linux 2.6.17-mm1,Xorg7.1/nvidia [LinuxCounter#295241,ICQ#4918962]


    I am running the following SAMBA version:

    samba-3.0.23a-1.fc4.1


  10. Re: Samba PDC and Windows XP

    maxima2k enlightened us comp.protocols.smb - (ab)users with:

    > I am running the following SAMBA version:
    >
    > samba-3.0.23a-1.fc4.1


    You may try

    enable privileges (G)
    This parameter controls whether or not smbd will honor privi-
    leges assigned to specific SIDs via either net rpc rights or one
    of the Windows user and group manager tools. This parameter is
    disabled by default to prevent members of the Domain Admins
    group from being able to assign privileges to users or groups
    which can then result in certain smbd operations running as root
    that would normally run under the context of the connected user.

    An example of how privileges can be used is to assign the right
    to join clients to a Samba controlled domain without providing
    root access to the server via smbd.

    Please read the extended description provided in the Samba docu-
    mentation.

    as well as the "admin users" statement.
    --
    vista policy violation: Microsoft optical mouse found penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.17-mm1,Xorg7.1/nvidia [LinuxCounter#295241,ICQ#4918962]

  11. Re: Samba PDC and Windows XP


    "Walter Mautner" wrote in
    message news:jhnjr3-tg7.ln1@woodpecker.woodpecker.fdns.net...
    > imbsysop enlightened us comp.protocols.smb - (ab)users with:
    >
    > .....
    >> Did you patch the XP machines to disable the digital encryption ?
    >>

    > You mean the "sign_or_seal" thing?
    >
    >> This is known to cause logon problems onto the domain ..
    >>
    >> You need to patch the registry on each XP machine using gpedit.msc and
    >> change the 4 consecutive values to "disabled"
    >>
    >> under the local security settings ..
    >>
    >> You can do a google search, This is documented ..

    >
    > Now I think it isn't necessary anymore since 3.0.10 or so.
    > Unfortunately the OP didn't reveal anything about his samba version
    > neither a snippet from smb.conf.


    Ha thnx for that info .. it's a headache less .. I'm not closely following
    the Samba evolutions .. Now I feel I should have done so 'cos I upgraded my
    RH9 server configuration to a fully new HW config with an sata drive and
    Fedora 5 .. It may be considered a miracle that I've not gone completely
    bonkers .. and my server is still not up and running ... :-(




  12. Re: Samba PDC and Windows XP


    "maxima2k" wrote in message
    news:1156048670.755466.129730@75g2000cwc.googlegroups.com...
    >
    > imbsysop wrote:
    >
    >> Did you patch the XP machines to disable the digital encryption ?
    >>
    >> This is known to cause logon problems onto the domain ..
    >>
    >> You need to patch the registry on each XP machine using gpedit.msc and
    >> change the 4 consecutive values to "disabled"
    >>
    >> under the local security settings ..
    >>
    >> You can do a google search, This is documented ..

    >
    > For the digital encryption, do you mean the SIGN_OR_SEAL registry hack?
    > As near as I can figure out things are okay with this.
    >
    > requiresignorseal REG_DWORD 0x00000000
    >
    > I will need to do more research on the gpedit.msc that you refer to.
    >


    No I was referring to the "digital encryption" entries under Local Policies
    => Security ..




  13. Re: Samba PDC and Windows XP


    Walter Mautner wrote:
    > You may try
    >
    > enable privileges (G)
    > This parameter controls whether or not smbd will honor privi-
    > leges assigned to specific SIDs via either net rpc rights or one
    > of the Windows user and group manager tools. This parameter is
    > disabled by default to prevent members of the Domain Admins
    > group from being able to assign privileges to users or groups
    > which can then result in certain smbd operations running as root
    > that would normally run under the context of the connected user.
    >
    > An example of how privileges can be used is to assign the right
    > to join clients to a Samba controlled domain without providing
    > root access to the server via smbd.
    >
    > Please read the extended description provided in the Samba docu-
    > mentation.


    You know the smb.conf.5.html documentation is pretty confusing on this
    one. In the paragraph it says that it is disabled by default, but the
    default definition says that it is enabled. Meaning if you do not
    explicitly define it in your smb.conf file it is enabled. So I am a
    little bit confused.


  14. Re: Samba PDC and Windows XP


    imbsysop wrote:
    >
    > No I was referring to the "digital encryption" entries under Local Policies
    > => Security ..


    I am unfamiliar with gpedit.msc. I took a look and there are a bunch of
    policies there. The path that I used to get there is:

    Computer Configuration => Windows Settings => Local Policies =>
    Security Options

    I had disabled the following policies.

    Domain member: Digitally encrypt or sign secure channel data (always)
    Domain member: Digitally encrypt secure channel data (when possible)
    Domain member: Digitally sign security channel data (when possible)

    I did not find a fourth policy to disable.

    Still can't get the Windows XP machine to become a domain member.


  15. Re: Samba PDC and Windows XP

    maxima2k enlightened us comp.protocols.smb - (ab)users with:

    .....
    > Still can't get the Windows XP machine to become a domain member.


    You have tried to explicitly enable privileges, as well as the "admin
    user", or (the common way at least for home setups) just add root to
    smbpasswd and do it with the root account?
    Once a while ago the "admin users" statement was deprecated in favor of
    the SID-based net groupmap thing .... but it appears they kept that.
    --
    vista policy violation: Microsoft optical mouse found penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.17-mm1,Xorg7.1/nvidia [LinuxCounter#295241,ICQ#4918962]

  16. Re: Samba PDC and Windows XP

    "maxima2k" wrote in news:1155902398.396291.299770@m73g2000cwd.googlegroups.com:

    > I am trying to setup a PDC on my home network, but I have not been able
    > to get a Windows XP machine to be a member of the domain that I have
    > created. I followed the steps in the online tutorial on
    > www.ibm.com/developerworks. I tried manually create the machine
    > account by using the useradd function (machine$) and smbpasswd -a -m
    > commands. I created a group 200 for the machine accounts. 300 for smb
    > accounts. I have admin account added to the system as a unix account
    > using the 300 gid. The uid for this account is 300. The uid for the
    > machine account is 200. The admin account is in the smbuser file
    > associated with root in this file. But I get an "Access Denied"
    > message when I try add the computer to the domain using the admin
    > account.


    Hello,
    I have two suggestions:
    - Create a Samba account for root and use this account
    to join the domain. Once the PC has joined the domain
    you can remove the Samba account for root (alternatively
    change the Samba password).
    - Make sure the client does not have a network share
    from the server assigned to a drive letter.
    Hope this helps.
    Regards,

    Dirk


    --
    Dirk Krause
    Please do not respond to the e-mail address shown in the newsreader.
    Use the web form below instead. Thanks.
    http://www.fh-schmalkalden.de/url.ph...lect_wert/3023

  17. Re: Samba PDC and Windows XP


    Walter Mautner wrote:
    > enable privileges (G)
    > This parameter controls whether or not smbd will honor privi-


    Looks like this did the trick. I have everything working now.

    Thanks for all the suggestions.
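
The settings this thread turned on can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it parses smb.conf text and reports whether `enable privileges` is set explicitly, whether an `add machine script` exists, and which shares combine `guest ok` with write access, as the posted [netlogon] does. The function names and the SAMPLE text (constructed from the configuration posted above) are assumptions made for illustration.

```python
# Added example, not from the thread. SAMPLE is constructed from the posted smb.conf.
SAMPLE = r"""
[global]
domain logons = yes
;add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody %u

[netlogon]
path = /home/samba/netlogon
read only = No
guest ok = Yes

[profiles]
writeable = yes
"""
TRUE = {"yes", "true", "1"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; param names lose case and spaces, as in Samba."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        pending = ""
        if not line or line[0] in ";#":
            continue
        if line.endswith("\\"):  # a trailing backslash continues onto the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf

def lookup(conf, section, names):
    """First boolean set under any synonym in the share, then in [global]."""
    for sec in (section, "global"):
        for name in names:
            if name in conf.get(sec, {}):
                return name, conf[sec][name].lower() in TRUE
    return None, False

def audit(text):
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    if glob.get("domainlogons", "no").lower() not in TRUE:
        findings.append(("global", "domain logons off: not a domain controller"))
    if "enableprivileges" not in glob:  # the setting that resolved this thread
        findings.append(("global", "enable privileges not set explicitly"))
    if "addmachinescript" not in glob:
        findings.append(("global", "no add machine script: pre-create machine accounts"))
    for sec in (s for s in conf if s != "global"):
        _, guest = lookup(conf, sec, ("guestok", "public"))
        name, val = lookup(conf, sec, ("readonly", "writeable", "writable", "writeok"))
        writable = val if name != "readonly" else not val  # "read only" is the inverse
        if guest and writable:
            findings.append((sec, "guest ok with write access"))
    return findings
```

A guest-write finding reflects only the Samba-level settings; file-system permissions on the share path still apply.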

