MAJOR PROBLEMS: Samba (Fedora Core 3) as PDC + Windows XP Pro

Hello.  I am trying to setup my Fedora box as the primary domain controller for my Windows XP Professional machine.  After editing smb.conf, I made the appropriate registry change on my XP machine (requiresignorseal = 0) and was able to join the domain and login.  I had problems setting up roaming profiles, but I was able to get them to work by changing a setting in the group policy editor on my XP machine.  I had three local accounts on my XP mach. (admin, user1, user2).  All (temporarily) were set with administrative abilities.  I made the following changes to my systems:

1.) admin is the only local admin for xp mach. (removed user1, user2)
2.) created directories "/home/samba/profiles/user1" and "/home/samba/profiles/user2" on my Fedora box
3.) did "chmod -R 0700 /home/samba/profiles/user1" and same for user2
4.) did "chown -R user1:user1 /home/samba/profiles/user1" and same for user2
5.) removed the xp machine from the domain, rebooted, reconnected, rebooted ... i don't know why

After removing the computer from the domain, i checked the trust machines on my Fedora box, and made sure the computer was removed.  After reconnecting the computers, I again checked the trusted machines.  Everything is setup fine at this point.  All users are members of the correct group (i created a "trusted" group from allowed samba users) and have entries in the smbpasswd file.

My XP machine allowed me to reconnect to the domain, and told me to reboot.  However, upon reboot, when I try to logon to the domain I get an error telling me the domain is unavailable or the computer is not trusted (not the exact message).  After removing/reconnecting numerous times, I changed the log level to 4 and inspected the smbd.log file.  I noticed that, according to the log, the XP machine was sending the username "" (empty) and password "" (empty) no matter what is entered!  Smbd is then responding with "Can't become connected user!".  I'm clueless at this point.  I've tried everything I could think of.  Any help would be greatly appreciated.  Thank you!
patjjrAsked:
Who is Participating?
 
CetusMODConnect With a Mentor Commented:
PAQed with points refunded (500)

CetusMOD
Community Support Moderator
0
 
Gabriel OrozcoSolution ArchitectCommented:
I think the setting you changed with the group policy editor has to do with the problem.
your procedure is correct, but if windows is not sending the user/password that is the point where you need to start troubleshooting.
0
 
patjjrAuthor Commented:
Ok.  I can't remember the exact name of the setting currently, but the idea was to disable requiring/checking permissions on the profile directory of the samba serve.  Without this, I was not able to access roaming profiles.  After I did this, everything was ok, until I disconnected and reconnected from the domain.  I'm going to "undo" everything to try and determine at which point everything broke.  I did see somewhere that I could enable acls in the smb.conf file to allow xp roaming profiles.  I am not familiar with this, and I'm not sure what it means.  I'll get the name/values of each change I made in the registry and/or group policy editor when I'm at my machine in an hour and repost.
0
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

 
bmquintasCommented:
And you really don't need this "XP machine (requiresignorseal = 0)" , samba's latest versions can handle smb signing, either way is the server not the client the responsible for forcing smb signing.
The profiles issue is probably just a question of setting the correct permissions.
0
 
patjjrAuthor Commented:
Okay.  So, I changed all of the registry keys back and I also undid the changes in the group policy editor.  I removed the computer from the domain and changed it to a workgroup (with a different name).  I then redid EVERYTHING on the samba server.  I created a new smb.conf file (using SWAT) and recreated my netlogon and profiles directories (with the correct permissions - 0775, right?).  I then restarted both the samba server and my XP box.  I attempted to join the domain using the "root" account/password.  Everything worked fine!  I recieved the "Welcome to the <domain-name> domain" message, and was asked to reboot.  After reboot, I go to sign into the domain (tried multiple usernames) and continuously get the following message:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found.

I then changed (again) the following registry keys wherever I found instances for them in the registry:

requireSignOrSeal (0), requireStrongKey (0), sealSecureChannel (0), signSecureChannel(0)

I did not change the setting I had originally changed in the group policy editor, as it is for roaming profiles only and (should not) make a difference in this case (for completeness, the change was ... Local Computer Policy\Computer Configuration\Administrative Templates\System\User Profiles\ "Do not check for user ownership of Roaming Profile Folders" [not configured]).  Upon reboot, I'm still getting the same error message.

HELP!!!!!!!!! I'm slowly losing my mind, since I CANNOT FIGURE THIS OUT.  Below you'll find the log (level 4) that is created upon attempting to login to the domain, and my smb.conf file.  Do the user names need to exist on the XP machine before I can logon to the domain?  That is, does "user1" need to be both a user of the domain and a user of the local computer?  Thanks in advance!!!!!

-----

#BEGIN SMBD.LOG

open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 18999, global_oplock_port = 32838
Serverzone is 14400
Transaction 0 of length 137
switch message SMBnegprot (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 240
switch message SMBsesssetupX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 40
Got NTLMSSP neg_flags=0xe2088297
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_NEGOTIATE_OEM
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_LM_KEY
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Transaction 2 of length 282
switch message SMBsesssetupX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Got user=[] domain=[] workstation=[GRYFFINDOR] len1=1 len2=0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password:  Checking password for unmapped user []\[]@[GRYFFINDOR] with the new password interface
check_ntlm_password:  mapped user is: [DIGITAL-UNKNOWN]\[]@[GRYFFINDOR]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password: guest authentication for user [] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
User name: nobody      Real name: nobody
UNIX uid 99 is UNIX user nobody, and will be vuid 100
Transaction 3 of length 88
switch message SMBtconX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Client requested device type [?????] for share [IPC$]
Connect path is '/tmp' for service [IPC$]
get_share_security: using default secdesc for IPC$
se_access_check: user sid is S-1-5-21-1610254698-2918508027-3594251537-501
se_access_check: also S-1-5-21-1610254698-2918508027-3594251537-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-1610254698-2918508027-3594251537-1199
Initialising default vfs hooks
change_to_user: SMB user  (unix user nobody, vuid 100) not permitted access to share IPC$.
Can't become connected user!
error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
Transaction 4 of length 43
switch message SMBulogoffX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
ulogoffX vuid=100
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
yield_connection: tdb_delete for name  failed with error Record does not exist.
Server exit (normal exit)

#END SMBD.LOG

----

#BEGIN SMB.CONF

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/04/18 18:20:14

# Global parameters
[global]
      debug timestamp = No
      workgroup = DIGITAL-UNKNOWN
      server string = FC3 Samba PDC
      ;client schannel = Yes
      ;server schannel = Yes
      ;client signing = Yes
      ;server signing = Yes
      allow trusted domains = No
      passwd program = /usr/bin/passwd %u
      unix password sync = Yes
      min protocol = NT1
      time server = Yes
      add machine script = add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
      logon script = logon.bat
      logon path = \\%N\profiles\%u
      domain logons = Yes
      os level = 99
      preferred master = Yes
      domain master = Yes
      wins support = Yes
      ;ldap ssl = no
      valid users = @trusted
      admin users = @trusted
      printer admin = @trusted
      ea support = Yes
      profile acls = Yes

[homes]
      read only = No
      create mask = 0600
      directory mask = 0700
      browseable = No

[netlogon]
      path = /home/samba/netlogon
      guest ok = Yes

[profiles]
      path = /home/samba/profiles
      read only = No
      create mask = 0600
      directory mask = 0700

#END SMB.CONF
0
 
patjjrAuthor Commented:
Fixed.  Needed valid users = @trusted @samba-clients
0
 
Cyclops3590Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ/Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Cyclops3590
EE Cleanup Volunteer
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.