Solved

MAJOR PROBLEMS: Samba (Fedora Core 3) as PDC + Windows XP Pro

Posted on 2005-04-18
Last Modified: 2008-01-09
Hello.  I am trying to set up my Fedora box as the primary domain controller for my Windows XP Professional machine.  After editing smb.conf, I made the appropriate registry change on my XP machine (requiresignorseal = 0) and was able to join the domain and log in.  I had problems setting up roaming profiles, but I was able to get them to work by changing a setting in the group policy editor on my XP machine.  I had three local accounts on my XP machine (admin, user1, user2).  All (temporarily) were set with administrative abilities.  I made the following changes to my systems:

1.) admin is the only local admin for xp mach. (removed user1, user2)
2.) created directories "/home/samba/profiles/user1" and "/home/samba/profiles/user2" on my Fedora box
3.) did "chmod -R 0700 /home/samba/profiles/user1" and same for user2
4.) did "chown -R user1:user1 /home/samba/profiles/user1" and same for user2
5.) removed the XP machine from the domain, rebooted, reconnected, rebooted ... I don't know why

After removing the computer from the domain, I checked the trust machines on my Fedora box, and made sure the computer was removed.  After reconnecting the computers, I again checked the trusted machines.  Everything is set up fine at this point.  All users are members of the correct group (I created a "trusted" group from allowed samba users) and have entries in the smbpasswd file.

My XP machine allowed me to reconnect to the domain, and told me to reboot.  However, upon reboot, when I try to logon to the domain I get an error telling me the domain is unavailable or the computer is not trusted (not the exact message).  After removing/reconnecting numerous times, I changed the log level to 4 and inspected the smbd.log file.  I noticed that, according to the log, the XP machine was sending the username "" (empty) and password "" (empty) no matter what is entered!  Smbd is then responding with "Can't become connected user!".  I'm clueless at this point.  I've tried everything I could think of.  Any help would be greatly appreciated.  Thank you!
Question by:patjjr
7 Comments
 
Expert Comment

by:Gabriel Orozco
ID: 13809644
I think the setting you changed with the group policy editor has to do with the problem.
Your procedure is correct, but if Windows is not sending the user/password, that is the point where you need to start troubleshooting.

Author Comment

by:patjjr
ID: 13809777
Ok.  I can't remember the exact name of the setting currently, but the idea was to disable requiring/checking permissions on the profile directory of the samba server.  Without this, I was not able to access roaming profiles.  After I did this, everything was ok, until I disconnected and reconnected from the domain.  I'm going to "undo" everything to try and determine at which point everything broke.  I did see somewhere that I could enable ACLs in the smb.conf file to allow XP roaming profiles.  I am not familiar with this, and I'm not sure what it means.  I'll get the name/values of each change I made in the registry and/or group policy editor when I'm at my machine in an hour and repost.

Expert Comment

by:bmquintas
ID: 13809828
And you really don't need this "XP machine (requiresignorseal = 0)"; Samba's latest versions can handle SMB signing, and either way it is the server, not the client, that is responsible for forcing SMB signing.
The profiles issue is probably just a question of setting the correct permissions.

Author Comment

by:patjjr
ID: 13812192
Okay.  So, I changed all of the registry keys back and I also undid the changes in the group policy editor.  I removed the computer from the domain and changed it to a workgroup (with a different name).  I then redid EVERYTHING on the samba server.  I created a new smb.conf file (using SWAT) and recreated my netlogon and profiles directories (with the correct permissions - 0775, right?).  I then restarted both the samba server and my XP box.  I attempted to join the domain using the "root" account/password.  Everything worked fine!  I received the "Welcome to the <domain-name> domain" message, and was asked to reboot.  After reboot, I go to sign into the domain (tried multiple usernames) and continuously get the following message:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found.

I then changed (again) the following registry keys wherever I found instances for them in the registry:

requireSignOrSeal (0), requireStrongKey (0), sealSecureChannel (0), signSecureChannel(0)

I did not change the setting I had originally changed in the group policy editor, as it is for roaming profiles only and (should not) make a difference in this case (for completeness, the change was ... Local Computer Policy\Computer Configuration\Administrative Templates\System\User Profiles\ "Do not check for user ownership of Roaming Profile Folders" [not configured]).  Upon reboot, I'm still getting the same error message.

HELP!!!!!!!!! I'm slowly losing my mind, since I CANNOT FIGURE THIS OUT.  Below you'll find the log (level 4) that is created upon attempting to login to the domain, and my smb.conf file.  Do the user names need to exist on the XP machine before I can logon to the domain?  That is, does "user1" need to be both a user of the domain and a user of the local computer?  Thanks in advance!!!!!

-----

#BEGIN SMBD.LOG

open_oplock_ipc: opening loopback UDP socket.
Linux kernel oplocks enabled
open_oplock ipc: pid = 18999, global_oplock_port = 32838
Serverzone is 14400
Transaction 0 of length 137
switch message SMBnegprot (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [LANMAN1.0]
Requested protocol [Windows for Workgroups 3.1a]
Requested protocol [LM1.2X002]
Requested protocol [LANMAN2.1]
Requested protocol [NT LM 0.12]
using SPNEGO
Selected protocol NT LM 0.12
Transaction 1 of length 240
switch message SMBsesssetupX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 40
Got NTLMSSP neg_flags=0xe2088297
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_NEGOTIATE_OEM
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_LM_KEY
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Transaction 2 of length 282
switch message SMBsesssetupX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc807
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
Doing spnego session setup
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
Got user=[] domain=[] workstation=[GRYFFINDOR] len1=1 len2=0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password:  Checking password for unmapped user []\[]@[GRYFFINDOR] with the new password interface
check_ntlm_password:  mapped user is: [DIGITAL-UNKNOWN]\[]@[GRYFFINDOR]
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
check_ntlm_password: guest authentication for user [] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
User name: nobody      Real name: nobody
UNIX uid 99 is UNIX user nobody, and will be vuid 100
Transaction 3 of length 88
switch message SMBtconX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Client requested device type [?????] for share [IPC$]
Connect path is '/tmp' for service [IPC$]
get_share_security: using default secdesc for IPC$
se_access_check: user sid is S-1-5-21-1610254698-2918508027-3594251537-501
se_access_check: also S-1-5-21-1610254698-2918508027-3594251537-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-1610254698-2918508027-3594251537-1199
Initialising default vfs hooks
change_to_user: SMB user  (unix user nobody, vuid 100) not permitted access to share IPC$.
Can't become connected user!
error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
Transaction 4 of length 43
switch message SMBulogoffX (pid 18999) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
ulogoffX vuid=100
timeout_processing: End of file from client (client has disconnected).
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
Closing connections
Yielding connection to
yield_connection: tdb_delete for name  failed with error Record does not exist.
Server exit (normal exit)

#END SMBD.LOG

----

#BEGIN SMB.CONF

# Samba config file created using SWAT
# from 127.0.0.1 (127.0.0.1)
# Date: 2005/04/18 18:20:14

# Global parameters
[global]
      debug timestamp = No
      workgroup = DIGITAL-UNKNOWN
      server string = FC3 Samba PDC
      ;client schannel = Yes
      ;server schannel = Yes
      ;client signing = Yes
      ;server signing = Yes
      allow trusted domains = No
      passwd program = /usr/bin/passwd %u
      unix password sync = Yes
      min protocol = NT1
      time server = Yes
      add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
      logon script = logon.bat
      logon path = \\%N\profiles\%u
      domain logons = Yes
      os level = 99
      preferred master = Yes
      domain master = Yes
      wins support = Yes
      ;ldap ssl = no
      valid users = @trusted
      admin users = @trusted
      printer admin = @trusted
      ea support = Yes
      profile acls = Yes

[homes]
      read only = No
      create mask = 0600
      directory mask = 0700
      browseable = No

[netlogon]
      path = /home/samba/netlogon
      guest ok = Yes

[profiles]
      path = /home/samba/profiles
      read only = No
      create mask = 0600
      directory mask = 0700

#END SMB.CONF
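The smbd.log posted above can be triaged mechanically. What follows is an added example for this page, not code from the thread or from Samba: it scans the posted level-4 lines for the session setup that carries an empty user and empty domain, the mapping of that user to the guest account, and the refusal on IPC$, and reports the chain. The failing sample is built from the lines posted above; the "healthy" contrast log is constructed for the example and is not from the thread. The regexes match the debug messages as they appear in the post, not an official log format.

```python
"""Triage of an smbd log (Samba 3, log level 4) for the failure seen in this
thread: a session set up with an empty user and empty domain, mapped to the
guest account, then refused on IPC$. Added example for this page, not code
from the thread or from Samba. The regexes match the debug messages as they
appear in the posted log; they are not an official log format."""

import re

# Constructed sample: the decisive lines from the smbd.log posted above.
FAILING_LOG = """\
switch message SMBsesssetupX (pid 18999) conn 0x0
Got user=[] domain=[] workstation=[GRYFFINDOR] len1=1 len2=0
check_ntlm_password:  mapped user is: [DIGITAL-UNKNOWN]\\[]@[GRYFFINDOR]
check_ntlm_password: guest authentication for user [] succeeded
UNIX uid 99 is UNIX user nobody, and will be vuid 100
switch message SMBtconX (pid 18999) conn 0x0
Client requested device type [?????] for share [IPC$]
change_to_user: SMB user  (unix user nobody, vuid 100) not permitted access to share IPC$.
Can't become connected user!
error packet at smbd/reply.c(416) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
"""

# Constructed contrast (hypothetical, not from the thread): the workstation's
# trust account authenticating and reaching IPC$ without a denial.
HEALTHY_LOG = """\
switch message SMBsesssetupX (pid 19001) conn 0x0
Got user=[GRYFFINDOR$] domain=[DIGITAL-UNKNOWN] workstation=[GRYFFINDOR] len1=24 len2=24
Client requested device type [?????] for share [IPC$]
"""

SESSION_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]")
GUEST_RE = re.compile(r"guest authentication for user \[(?P<user>[^\]]*)\] succeeded")
DENIED_RE = re.compile(
    r"change_to_user: SMB user\s*(?P<user>\S*)\s*\(unix user (?P<unix>\S+), "
    r"vuid (?P<vuid>\d+)\) not permitted access to share (?P<share>[^.\s]+)")
STATUS_RE = re.compile(r"error packet .* cmd=\d+ \((?P<op>\w+)\) (?P<status>NT_STATUS_\w+)")


def parse_log(text):
    """Collect session setups, guest mappings, share denials and NT status
    codes from the log lines, in order of appearance."""
    info = {"sessions": [], "guest_users": [], "denials": [], "statuses": []}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            info["sessions"].append(m.groupdict())
        m = GUEST_RE.search(line)
        if m:
            info["guest_users"].append(m.group("user"))
        m = DENIED_RE.search(line)
        if m:
            info["denials"].append(m.groupdict())
        m = STATUS_RE.search(line)
        if m:
            info["statuses"].append((m.group("op"), m.group("status")))
    return info


def diagnose(text):
    """Return human-readable findings; the last one is the verdict when the
    anonymous -> guest -> IPC$-denied chain is complete."""
    info = parse_log(text)
    findings = []
    anonymous = [s for s in info["sessions"] if s["user"] == "" and s["domain"] == ""]
    if anonymous:
        findings.append("anonymous session setup from workstation(s): "
                        + ", ".join(s["ws"] for s in anonymous))
    if "" in info["guest_users"]:
        findings.append("empty user mapped to the guest account")
    for d in info["denials"]:
        findings.append(f"unix user {d['unix']} (vuid {d['vuid']}) denied on share {d['share']}")
    for op, status in info["statuses"]:
        findings.append(f"{op} answered with {status}")
    ipc_denied = any(d["share"] == "IPC$" for d in info["denials"])
    if anonymous and "" in info["guest_users"] and ipc_denied:
        findings.append("VERDICT: guest-mapped session refused on IPC$; a share access list "
                        "(a global 'valid users' also covers IPC$ and netlogon) is blocking "
                        "the traffic a domain logon needs")
    return findings


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        print(f"== {name} ==")
        for f in diagnose(log) or ["no findings"]:
            print(" -", f)
```

The point the script makes explicit is that the NT_STATUS_LOGON_FAILURE is returned on the tree connect (SMBtconX), not on the session setup: authentication "succeeded" as guest, and it is the share-level access check on IPC$ that refused it.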

Author Comment

by:patjjr
ID: 13812882
Fixed.  Needed valid users = @trusted @samba-clients
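The one-line fix above follows a general rule of Samba 3 configuration: a share parameter placed in [global] becomes the default for every share, including the implicit IPC$ and the [netlogon] share a domain logon depends on, so a global `valid users` has to admit the machine accounts that `add machine script` creates. The block below is an added example for this page, not code from the thread or from Samba: a hypothetical audit function with a deliberately small smb.conf reader (testparm remains the authoritative checker) run over two configs constructed from the one posted above, the original and the fixed one. It also flags the global `admin users = @trusted`, which makes every member do file operations as root on every share.

```python
"""Audit of an smb.conf for the mistake behind this thread: on a Samba 3 PDC
any share parameter set in [global] (here 'valid users') is the default for
every share, IPC$ and [netlogon] included, so it must admit the trust
accounts that 'add machine script' creates or workstations cannot log on.
Added example for this page, not code from the thread or from Samba; the
parser is a small stand-in for testparm, which stays the authoritative
checker. Both configs below are constructed from the one posted above."""

import re

# As posted (trimmed), with the pasted duplicate of the key name removed.
WEAK_CONF = r"""
[global]
      workgroup = DIGITAL-UNKNOWN
      ;server schannel = Yes
      add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
      logon path = \\%N\profiles\%u
      domain logons = Yes
      valid users = @trusted
      admin users = @trusted

[netlogon]
      path = /home/samba/netlogon
      guest ok = Yes

[profiles]
      path = /home/samba/profiles
      read only = No
"""

# The posted fix: the machine-account group added to the global list.
FIXED_CONF = WEAK_CONF.replace("valid users = @trusted",
                               "valid users = @trusted @samba-clients")


def parse_smb_conf(text):
    """[section] headers, 'key = value' lines, ';' or '#' comment lines.
    Keys are normalised as Samba treats them (case-insensitive, internal
    whitespace ignored); a later duplicate overrides an earlier one."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][re.sub(r"\s+", "", key).lower()] = value.strip()
    return conf


def machine_group(conf):
    """Group that 'add machine script' assigns to new trust accounts (-g)."""
    m = re.search(r"-g\s+(\S+)", conf.get("global", {}).get("addmachinescript", ""))
    return m.group(1) if m else None


def audit(text):
    """Return findings about the global access lists and the machine script."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    group = machine_group(conf)
    script = g.get("addmachinescript", "")
    valid = g.get("validusers", "").replace(",", " ").split()
    if valid and group and f"@{group}" not in valid:
        findings.append(f"global 'valid users' ({' '.join(valid)}) excludes @{group}, the group "
                        "of the machine accounts; it also governs IPC$ and [netlogon], so "
                        "domain logons fail until the group (or the accounts) is listed")
    if "adminusers" in g:
        findings.append(f"global 'admin users' ({g['adminusers']}) does all file operations "
                        "as root on every share; scope it to the shares that need it")
    if script and not re.search(r"-s\s+(/bin/false|/sbin/nologin|/usr/sbin/nologin)", script):
        findings.append("'add machine script' does not give trust accounts a non-login shell")
    if re.match(r"add\s*machine\s*script\s*=", script, re.I):
        findings.append("'add machine script' value starts with its own key name (pasting error)")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for f in audit(conf) or ["no findings"]:
            print(" -", f)
```

Run it and the weak config produces the valid-users finding that matches the log above, while the fixed config keeps only the admin-users warning; moving `admin users` out of [global] into the one share that needs it is the remaining change a practitioner would make.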

Expert Comment

by:Cyclops3590
ID: 16375920
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:
PAQ/Refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Cyclops3590
EE Cleanup Volunteer

Accepted Solution

by:
CetusMOD earned 0 total points
ID: 16410796
PAQed with points refunded (500)

CetusMOD
Community Support Moderator