Solved

Cannot log on to SAMBA server from Windows Network

Posted on 2007-03-21
13
4,405 Views
Last Modified: 2013-12-09
I've tried this with FreeBSD, Fedora and SUSE with the same results each time ..

The network consists of two W2k servers and two W2003 servers, with 50+ WXP workstations and laptops.  One of the W2k servers is the PDC, WINS, DHCP, DNS.  The other servers are file, email, sharepoint, database, WUS, etc.

The goal is to add a file server based on Unix or Linux that can act as a file server for the entire network.  

Here is what works:

1) From any windows machine, it is possible to ping the linux machine by its netbios name.  VNC from windows connects to the linux machine.  The linux machine shows up in network neighborhood.  Under FreeBSD, I could get to SWAT from a windows machine by logging in to a FreeBSD user account.

2) From the linux machine, it is possible to browse the entire network and log on to any of the windows machines.  With appropriate login credentials it is possible to get to any drive on any of the windows machines.  It is possible to copy files between the linux machine and windows machines, provided one initiates the copy from the linux machine.  It is possible to ping any windows machine by its IP, but not by its name unless the name is in the pertinent hosts file.  It is possible to ping Internet addresses and browse the Internet.

What does not work:

From Windows, it is not possible to access anything on the linux machine.  Attempting to open it from network neighborhood results in a request for a username and password, and no matter what I try nothing works.  I have tried creating a Linux account with same username and password as a Windows account, have tried the root account, etc.  
It is not possible to map any share on the linux machine to a Windows drive letter.

I must be missing something, but I'm not sure what it is .. have tried all the various Samba security modes to no avail.
0
Question by:RBECKMN
13 Comments
 
LVL 3

Expert Comment

by:thomaswright
ID: 18768813
Can you post your samba.conf file?

First thought, in [global]
hosts allow = 192.168.1    - or whatever the subnet
security = user
0
 
LVL 14

Expert Comment

by:ygoutham
ID: 18769150
probably you forgot to provide a smbpasswd for the user

smbpasswd -a <username>

if you have gone with default settings then it is likely that samba is trying to validate users from its own password back end rather than the system passwords.  but as thomas says it is better to have the

/etc/samba/smb.conf

GLOBAL part posted here for a better solution
0
 

Author Comment

by:RBECKMN
ID: 18771308
here is the smb.conf file:

[global]
      workgroup = ACORNHQ
      printing = cups
      printcap name = cups
      printcap cache time = 750
      cups options = raw
      map to guest = Bad User
      include = /etc/samba/dhcp.conf
      logon path = \\%L\profiles\.msprofile
      logon home = \\%L\%U\.9xprofile
      logon drive = P:
      idmap gid = 10000-20000
      idmap uid = 10000-20000
      realm = ACORNHQ.ACORNCV.COM
      security = ADS
      template homedir = /home/%D/%U
      template shell = /bin/bash
      winbind refresh tickets = yes
      domain logons = No
      domain master = No
      password server = *
      netbios name = Entibor
      usershare max shares = 100
      hosts allow = 192.168.1
[homes]
      comment = Home Directories
      valid users = %S, %D%w%S
      browseable = No
      read only = No
      inherit acls = Yes
[profiles]
      comment = Network Profiles Service
      path = %H
      read only = No
      store dos attributes = Yes
      create mask = 0600
      directory mask = 0700
[users]
      comment = All users
      path = /home
      read only = No
      inherit acls = Yes
      veto files = /aquota.user/groups/shares/
[groups]
      comment = All groups
      path = /home/groups
      read only = No
      inherit acls = Yes
[printers]
      comment = All Printers
      path = /var/tmp
      printable = Yes
      create mask = 0600
      browseable = No
[print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      write list = @ntadmin root
      force group = ntadmin
      create mask = 0664
      directory mask = 0775
=======================================
regarding the password issue, I thought Samba could be configured to get authentication info from the Windows side??
0
 

Author Comment

by:RBECKMN
ID: 18780804
One piece of info that I left out earlier:  after failing to login to the Samba server (for instance when attempting to map a drive to a share on the server, or attempting to open the server in network neighborhood), this message results: There are currently no logon servers available to service the logon request.
0
 
LVL 3

Accepted Solution

by:
thomaswright earned 500 total points
ID: 18781015
Try this:

security = ADS
encrypt passwords =  yes
password server = your.kerberos.server

ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller.

While logged in as root (or superuser):

# /usr/sbin/useradd -g machines -d /var/lib/nobody \
      -c "machine nickname" \
      -s /bin/false machine_name$
# passwd -l machine_name$

If that doesn't work I would start with a more basic global configuration and work your way up.




0
 

Author Comment

by:RBECKMN
ID: 18783139
Making progress ..

I had thought Kerberos was installed but it was not, so I installed it.  The Samba server already was a member of the realm.  I'm currently using SUSE Linux 10.1 and it has a nice graphical utility for determining this.

These two lines do not seem to matter -

   encrypt passwords =  yes
   password server = your.kerberos.server

- the result is the same whether or not they are in the smb.conf file.  Security = ADS was already part of the file.

What's now working:
 - Can map drives to Samba shares
 - Can define network places as Samba shares

What's not working:
- have to login to map a drive or set up a network place on the Samba server.
- the only kind of login that works is:
    * linux user with exact same name as Windows user.
    * linux user must own or have r/w permissions for the Samba share.
- there is an exception to the login requirement:  if the windows workstation is logged in as a windows user that also exists on the Samba server, there is not a request to log in when mapping a drive or defining a network place.
- the login requirement is a problem because it doubles the amount of maintenance required as users come and go, and as folders and permissions are changed.
- the windows user has the same permissions as the Samba user that was used to log in to the Samba server.  In other words, the granularity of windows file and folder permissions is not present - security is applied entirely from the Samba side.  This is not so useful for private shares, but may be okay for public shares.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 18787156
- the only kind of login that works is:
    * linux user with exact same name as Windows user.
    * linux user must own or have r/w permissions for the Samba share.

This makes sense to a degree.

To relate it to a Windows environment - a Domain user can get rights to a Workgroup server's share only if the user is added to the local server's user list.  If they match up, they get access.

You are using Kerberos/ADS for Samba, but did you join the SuSE computer to your AD domain, or is it still in its default configuration?  It has to be more than just in the Kerberos realm, if I'm not mistaken.  If you go into your AD Users and Computers MMC, does the SuSE box show up in your AD domain's Computers folder?

Regardless, you won't get share permissions unless you add share permissions at the server, just as you would have to do with Windows.  Are you using groups to assign the permissions, or individual users?

As to it doubling the amount of maintenance as users come and go - how so?  Windows share permissions are all set in the NTFS ACL on the individual Windows servers - how is it double the effort to do the same on your Samba server?  The only thing you gain from AD is the user and group objects - essentially "single sign-on."  Once you've got that part working - which your last comments say to me it's not quite yet - you've got no more work with your Samba shares than you do with NTFS shares.

0
 
LVL 3

Expert Comment

by:thomaswright
ID: 18787203
I found it useful to issue a net use command on startup of the workstations to map the network drives.  This method may (or may not) be applicable to you but it's worth mentioning.

1. Create a .bat file  (eg. startup.bat) on the workstation end.
2. In the startup.bat file put the following line

net use p: \\Entibor\<share name>
or
net use p: \\Entibor\<share name> password /user:username /persistent:no

3. Put the startup.bat shortcut (or file) in the Startup folder..
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 18787321
Another thought regarding permissions - did you make sure to enable the directories represented by your shares for ACL?  If not, then share "permissions" won't apply and the only access granted will be via the Linux filesystem rights.
0
 

Author Comment

by:RBECKMN
ID: 18788429
Response to ShineOn:

- Suse has a nice GUI utility that lets you browse for a domain to join, and tells you what domain the server is joined to.  This utility shows the server is joined to the domain.
- The computer does show up in the Computers folder.  AD shows the operating system as "Samba" and lists the OS version as 3.0.22-11-SUSE-CODE10, so it looks like AD is aware of the machine correctly.
- I do not use local computer users and groups to set permissions for server shares.  I set up access permissions via 'global' security groups, then manage by adding/removing users to the appropriate groups.  This way, once permissions for the security groups are defined for each share, everything is managed through AD rather than going to each share on each server to modify something when employees change.  
- What I have noticed with the Samba shares is that the permission level assigned in Windows (by opening the share's properties from Windows) works just like it would for any Windows share - except:
  permissions assigned from Windows are overridden by those assigned from Linux.  In practical terms, if I set up permissions so that a specific Windows group has only read access, but use a linux username to log in to the share where the linux username has r/w access, the Windows user ends up with r/w access.  I expected that the most restrictive permission set would apply but that does not happen.

What I am trying to achieve is the same kind of relatively seamless access that occurs with Windows shares.  This means that once permissions are correctly defined, a Windows user just opens the share without any further ado, no need to log in to it, and permissions for the share are based on the Windows user security group memberships.

-  Sorry, but I don't know what you mean by 'enable the directories.'  How is that done?  This sounds like a key point!
0
 

Author Comment

by:RBECKMN
ID: 18788450
Response to thomaswright:

the net use command without password does not work because the system requests a log on.  I have not tried the command with the password because:

 - this is exactly what I'm trying to avoid - do not want to have the Samba shares available only after a log in.  Also, this would not solve the permission issues described above because the log on user would, at this point in time, have to be a Samba user as described above.
 - the command would be visible for a brief period on the screen, if placed in the logon profile, so the password would be visible.

This would be a good fallback, if the other issues turn out to be unresolvable.
0
 
LVL 35

Expert Comment

by:ShineOn
ID: 18788600
I see now...

Check this tutorial to make sure everything is set up.

You probably missed one little thing somewhere.  Ideally, you should have no need for Linux user IDs...

Leads me to think Winbind isn't working right.
0
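ShineOn's two points above (share directories enabled for ACLs, and winbind apparently not working) can both be checked offline before touching the domain. The script below is an added example, not code posted by anyone in this thread: it reads the [global] section of an smb.conf and reports the settings a domain member needs for winbind to map AD users to Unix ids, checks that nsswitch.conf routes passwd and group lookups through winbind (without that, Samba falls back to local accounts, which is exactly the "Linux user with the same name" symptom RBECKMN describes), and checks whether the filesystem holding a share path is mounted with the acl option. All input files are constructed here; the workgroup and realm values are copied from the smb.conf posted above, and the helper names and the sample user jsmith are my own.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the points raised above.
# All input files are constructed below; helper names are my own.

# Print the raw value of KEY from the [global] section of CONF (key match is
# case-insensitive, value is trimmed). Prints nothing if the key is absent.
global_value() {
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Settings a Samba domain member needs so winbind can give AD users a Unix
# uid/gid without a matching local account. Returns the number of problems.
check_ads_member() {
    conf=$1; problems=0
    case "$(global_value "$conf" security)" in
        [Aa][Dd][Ss]) ;;
        *) echo "PROBLEM: security is not ADS"; problems=$((problems + 1)) ;;
    esac
    for key in realm workgroup "idmap uid" "idmap gid"; do
        [ -n "$(global_value "$conf" "$key")" ] ||
            { echo "PROBLEM: '$key' is not set"; problems=$((problems + 1)); }
    done
    return $problems
}

# winbind only matters if the C library consults it: the passwd and group lines
# in nsswitch.conf must list winbind. Returns 0 when both do.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*([[:space:]]|:)winbind([[:space:]]|\$)" "$1" ||
            { echo "PROBLEM: nsswitch.conf '${db}:' line does not list winbind"; rc=1; }
    done
    return $rc
}

# Find the fstab entry whose mount point is the longest prefix of PATH and check
# that its options include acl (required on 2007-era ext3/reiserfs for Samba's
# ACL support; most current filesystems enable it by default). 0 = acl enabled.
check_acl_mount() {
    fstab=$1; path=$2; best=""; bestopts=""
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        case "$path" in
            "$mnt"|"${mnt%/}"/*)
                [ "${#mnt}" -gt "${#best}" ] && { best=$mnt; bestopts=$opts; } ;;
        esac
    done < "$fstab"
    [ -n "$best" ] || { echo "PROBLEM: no fstab entry covers $path"; return 1; }
    case ",$bestopts," in
        *,acl,*) echo "OK: $path is on $best (options: $bestopts)"; return 0 ;;
        *) echo "PROBLEM: $path is on $best mounted without acl (options: $bestopts)"; return 1 ;;
    esac
}

# Constructed inputs (workgroup and realm copied from the smb.conf posted above).
WORK=$(mktemp -d)
cat > "$WORK/smb.conf" <<'EOF'
[global]
      workgroup = ACORNHQ
      realm = ACORNHQ.ACORNCV.COM
      security = ADS
      idmap uid = 10000-20000
      idmap gid = 10000-20000
[homes]
      valid users = %S, %D%w%S
EOF
printf 'passwd: compat\ngroup:  compat\n' > "$WORK/nsswitch.bad"
printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$WORK/nsswitch.good"
cat > "$WORK/fstab" <<'EOF'
# device     mountpoint  type      options       dump pass
/dev/sda1    /           reiserfs  defaults      1 1
/dev/sda2    /home       reiserfs  defaults      1 2
/dev/sdb1    /srv/share  ext3      defaults,acl  1 2
EOF

echo "== smb.conf [global] =="
check_ads_member "$WORK/smb.conf" && echo "OK: domain-member settings present"
echo "== nsswitch.conf (as shipped) =="
check_nsswitch "$WORK/nsswitch.bad" || true
echo "== share mount options =="
check_acl_mount "$WORK/fstab" /home/ACORNHQ/jsmith || true
check_acl_mount "$WORK/fstab" /srv/share/public || true
```

Run against the posted configuration, the [global] lint passes, so the checks worth running next on the real box are the nsswitch.conf lines and the mount options of /home: a missing winbind entry reproduces the "only a Linux user with the same name can log in" behaviour, and a share on a filesystem mounted without acl means Windows-side permission edits have nothing to land on.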
 

Author Comment

by:RBECKMN
ID: 18851546
I accepted the post suggesting adding kerberos as the solution to close this question and give some credit to a useful suggestion.  Once Kerberos was added to the configuration, it was possible to access Samba shares under restricted circumstances.

However, it should be noted that I still have not got this working correctly, even though there is plenty of documentation available that implies it should work the way I want it to.

Everything is fine if user accounts with the same username exist in both systems, but otherwise it does not work without requiring a login each time one of the Samba shares is accessed.  I am studying Samba and Linux in more detail, and expect to eventually figure it out.
0