patjjr

asked on

MAJOR PROBLEMS: Samba (Fedora Core 3) as PDC + Windows XP Pro

Hello.  I am trying to set up my Fedora box as the primary domain controller for my Windows XP Professional machine.  After editing smb.conf, I made the appropriate registry change on my XP machine (requiresignorseal = 0) and was able to join the domain and log in.  I had problems setting up roaming profiles, but I was able to get them to work by changing a setting in the group policy editor on my XP machine.  I had three local accounts on my XP mach. (admin, user1, user2).  All (temporarily) were set with administrative abilities.  I made the following changes to my systems:

1.) admin is the only local admin for xp mach. (removed user1, user2)
2.) created directories "/home/samba/profiles/user1" and "/home/samba/profiles/user2" on my Fedora box
3.) did "chmod -R 0700 /home/samba/profiles/user1" and same for user2
4.) did "chown -R user1:user1 /home/samba/profiles/user1" and same for user2
5.) removed the xp machine from the domain, rebooted, reconnected, rebooted ... I don't know why

After removing the computer from the domain, I checked the trust machines on my Fedora box, and made sure the computer was removed.  After reconnecting the computers, I again checked the trusted machines.  Everything is set up fine at this point.  All users are members of the correct group (I created a "trusted" group from allowed samba users) and have entries in the smbpasswd file.

My XP machine allowed me to reconnect to the domain, and told me to reboot.  However, upon reboot, when I try to log on to the domain I get an error telling me the domain is unavailable or the computer is not trusted (not the exact message).  After removing/reconnecting numerous times, I changed the log level to 4 and inspected the smbd.log file.  I noticed that, according to the log, the XP machine was sending the username "" (empty) and password "" (empty) no matter what is entered!  Smbd is then responding with "Can't become connected user!".  I'm clueless at this point.  I've tried everything I could think of.  Any help would be greatly appreciated.  Thank you!
Gabriel Orozco

I think the setting you changed with the group policy editor has to do with the problem.
Your procedure is correct, but if Windows is not sending the user/password, that is the point where you need to start troubleshooting.
patjjr

ASKER

Ok.  I can't remember the exact name of the setting currently, but the idea was to disable requiring/checking permissions on the profile directory of the samba server.  Without this, I was not able to access roaming profiles.  After I did this, everything was ok, until I disconnected and reconnected from the domain.  I'm going to "undo" everything to try to determine at which point everything broke.  I did see somewhere that I could enable acls in the smb.conf file to allow xp roaming profiles.  I am not familiar with this, and I'm not sure what it means.  I'll get the name/values of each change I made in the registry and/or group policy editor when I'm at my machine in an hour and repost.
And you really don't need this "XP machine (requiresignorseal = 0)"; samba's latest versions can handle smb signing, and either way it is the server, not the client, that is responsible for forcing smb signing.
The profiles issue is probably just a question of setting the correct permissions.

ASKER

Okay.  So, I changed all of the registry keys back and I also undid the changes in the group policy editor.  I removed the computer from the domain and changed it to a workgroup (with a different name).  I then redid EVERYTHING on the samba server.  I created a new smb.conf file (using SWAT) and recreated my netlogon and profiles directories (with the correct permissions - 0775, right?).  I then restarted both the samba server and my XP box.  I attempted to join the domain using the "root" account/password.  Everything worked fine!  I received the "Welcome to the <domain-name> domain" message, and was asked to reboot.  After reboot, I go to sign in to the domain (tried multiple usernames) and continuously get the following message:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found.

I then changed (again) the following registry keys wherever I found instances for them in the registry:

requireSignOrSeal (0), requireStrongKey (0), sealSecureChannel (0), signSecureChannel(0)

I did not change the setting I had originally changed in the group policy editor, as it is for roaming profiles only and (should not) make a difference in this case (for completeness, the change was ... Local Computer Policy\Computer Configuration\Administrative Templates\System\User Profiles\ "Do not check for user ownership of Roaming Profile Folders" [not configured]).  Upon reboot, I'm still getting the same error message.

HELP!!!!!!!!! I'm slowly losing my mind, since I CANNOT FIGURE THIS OUT.  Below you'll find the log (level 4) that is created upon attempting to log on to the domain, and my smb.conf file.  Do the user names need to exist on the XP machine before I can log on to the domain?  That is, does "user1" need to be both a user of the domain and a user of the local computer?  Thanks in advance!!!!!

-----

#BEGIN SMBD.LOG

open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 18999, global_oplock_port = 32838
Serverzone is 14400
Transaction 0 of length 137
switch message SMBnegprot (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 240
switch message SMBsesssetupX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 40
Got NTLMSSP neg_flags=0xe2088297
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_NEGOTIATE_OEM
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_LM_KEY
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Transaction 2 of length 282
switch message SMBsesssetupX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Got user=[] domain=[] workstation=[GRYFFINDOR] len1=1 len2=0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password:  Checking password for unmapped user []\[]@[GRYFFINDOR] with the new password interface
check_ntlm_password:  mapped user is: [DIGITAL-UNKNOWN]\[]@[GRYFFINDOR]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password: guest authentication for user [] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
User name: nobody      Real name: nobody
UNIX uid 99 is UNIX user nobody, and will be vuid 100
Transaction 3 of length 88
switch message SMBtconX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Client requested device type [?????] for share [IPC$]
Connect path is '/tmp' for service [IPC$]
get_share_security: using default secdesc for IPC$
se_access_check: user sid is S-1-5-21-1610254698-2918508027-3594251537-501
se_access_check: also S-1-5-21-1610254698-2918508027-3594251537-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-1610254698-2918508027-3594251537-1199
Initialising default vfs hooks
change_to_user: SMB user  (unix user nobody, vuid 100) not permitted access to share IPC$.
Can't become connected user!
error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
Transaction 4 of length 43
switch message SMBulogoffX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
ulogoffX vuid=100
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
yield_connection: tdb_delete for name  failed with error Record does not exist.
Server exit (normal exit)

#END SMBD.LOG

----

#BEGIN SMB.CONF

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/04/18 18:20:14

# Global parameters
[global]
      debug timestamp = No
      workgroup = DIGITAL-UNKNOWN
      server string = FC3 Samba PDC
      ;client schannel = Yes
      ;server schannel = Yes
      ;client signing = Yes
      ;server signing = Yes
      allow trusted domains = No
      passwd program = /usr/bin/passwd %u
      unix password sync = Yes
      min protocol = NT1
      time server = Yes
      ; the key was duplicated inside its own value ("add machine script = add machine script = ..."); one key, one value
      add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
      logon script = logon.bat
      logon path = \\%N\profiles\%u
      domain logons = Yes
      os level = 99
      preferred master = Yes
      domain master = Yes
      wins support = Yes
      ;ldap ssl = no
      ; a global "valid users" is the default for every share, IPC$ included;
      ; machine accounts created by "add machine script" are in samba-clients, not @trusted
      valid users = @trusted
      admin users = @trusted
      printer admin = @trusted
      ea support = Yes
      profile acls = Yes

[homes]
      read only = No
      create mask = 0600
      directory mask = 0700
      browseable = No

[netlogon]
      path = /home/samba/netlogon
      guest ok = Yes

[profiles]
      path = /home/samba/profiles
      read only = No
      create mask = 0600
      directory mask = 0700

#END SMB.CONF

ASKER

Fixed.  Needed valid users = @trusted @samba-clients
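The fix above comes down to a global "valid users" line that leaves out the group the machine accounts are created in. The check below is an added example (not code from the thread or from Samba): it parses a constructed excerpt of the asker's smb.conf, reads the group from "add machine script", and reports whether "valid users" admits it, returning the corrected value when it does not.

```python
import re

# Constructed excerpt of the asker's smb.conf (section and group names from the page).
SMB_CONF = """
[global]
      workgroup = DIGITAL-UNKNOWN
      add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
      valid users = @trusted
[profiles]
      path = /home/samba/profiles
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased and whitespace-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections

def machine_group(conf):
    """Group that 'add machine script' places machine accounts in (useradd -g <group>)."""
    script = conf.get("global", {}).get("add machine script", "")
    m = re.search(r"-g\s+(\S+)", script)
    return m.group(1) if m else None

def check_valid_users(conf):
    """Return (ok, suggested 'valid users' value). A global 'valid users' is the default
    for every share, IPC$ included, so omitting the machine-account group refuses the
    workstation's trust account on IPC$ and the domain logon fails, as in the log above."""
    valid = conf.get("global", {}).get("valid users")
    group = machine_group(conf)
    if valid is None or group is None:
        return True, valid  # no global restriction, or no machine group to check
    entries = valid.split()
    if f"@{group}" in entries or f"+{group}" in entries:
        return True, valid
    return False, f"{valid} @{group}"
```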
Cyclops3590
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ/Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Cyclops3590
EE Cleanup Volunteer
ASKER CERTIFIED SOLUTION
CetusMOD