Solved

Cannot log on to SAMBA server from Windows Network

Posted on 2007-03-21
Last Modified: 2013-12-09
I've tried this with FreeBSD, Fedora and SUSE with the same results each time ..

The network consists of two W2k servers and two W2003 servers, with 50+ WXP workstations and laptops.  One of the W2k servers is the PDC, WINS, DHCP, DNS.  The other servers are file, email, sharepoint, database, WUS, etc.

The goal is to add a file server based on Unix or Linux that can act as a file server for the entire network.  

Here is what works:

1) From any windows machine, it is possible to ping the linux machine by its netbios name.  VNC from windows connects to the linux machine.  The linux machine shows up in network neighborhood.  Under FreeBSD, I could get to SWAT from a windows machine by logging in to a FreeBSD user account.

2) From the linux machine, it is possible to browse the entire network and log on to any of the windows machines.  With appropriate login credentials it is possible to get to any drive on any of the windows machines.  It is possible to copy files between the linux machine and windows machines, provided one initiates the copy from the linux machine.  It is possible to ping any windows machine by its IP, but not by its name unless the name is in the pertinent hosts file.  It is possible to ping Internet addresses and browse the Internet.

What does not work:

From Windows, it is not possible to access anything on the linux machine.  Attempting to open it from network neighborhood results in a request for a username and password, and no matter what I try nothing works.  I have tried creating a Linux account with same username and password as a Windows account, have tried the root account, etc.  
It is not possible to map any share on the linux machine to a Windows drive letter.

I must be missing something, but I'm not sure what it is .. have tried all the various Samba security modes to no avail.
Question by:RBECKMN
13 Comments
 

Expert Comment

by:thomaswright
ID: 18768813
Can you post your samba.conf file?

First thought, in [global]
hosts allow = 192.168.1    - or whatever the subnet
security = user
 

Expert Comment

by:ygoutham
ID: 18769150
probably you forgot to provide a smbpasswd for the user

smbpasswd -a <username>

if you have gone with default settings then it is likely that samba is trying to validate users from its own password back end rather than the system passwords.  but as thomas says it is better to have the

/etc/samba/smb.conf

GLOBAL part posted here for a better solution
 

Author Comment

by:RBECKMN
ID: 18771308
here is the smb.conf file:

[global]
      workgroup = ACORNHQ
      printing = cups
      printcap name = cups
      printcap cache time = 750
      cups options = raw
      map to guest = Bad User
      include = /etc/samba/dhcp.conf
      logon path = \\%L\profiles\.msprofile
      logon home = \\%L\%U\.9xprofile
      logon drive = P:
      idmap gid = 10000-20000
      idmap uid = 10000-20000
      realm = ACORNHQ.ACORNCV.COM
      security = ADS
      template homedir = /home/%D/%U
      template shell = /bin/bash
      winbind refresh tickets = yes
      domain logons = No
      domain master = No
      password server = *
      netbios name = Entibor
      usershare max shares = 100
      hosts allow = 192.168.1
[homes]
      comment = Home Directories
      valid users = %S, %D%w%S
      browseable = No
      read only = No
      inherit acls = Yes
[profiles]
      comment = Network Profiles Service
      path = %H
      read only = No
      store dos attributes = Yes
      create mask = 0600
      directory mask = 0700
[users]
      comment = All users
      path = /home
      read only = No
      inherit acls = Yes
      veto files = /aquota.user/groups/shares/
[groups]
      comment = All groups
      path = /home/groups
      read only = No
      inherit acls = Yes
[printers]
      comment = All Printers
      path = /var/tmp
      printable = Yes
      create mask = 0600
      browseable = No
[print$]
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      write list = @ntadmin root
      force group = ntadmin
      create mask = 0664
      directory mask = 0775
=======================================
regarding the password issue, I thought Samba could be configured to get authentication info from the Windows side??
 

Author Comment

by:RBECKMN
ID: 18780804
One piece of info that I left out earlier:  after failing to login to the Samba server (for instance when attempting to map a drive to a share on the server, or attempting to open the server in network neighborhood), this message results: There are currently no logon servers available to service the logon request.
 

Accepted Solution

by:thomaswright (earned 500 total points)
ID: 18781015
Try this:

security = ADS
encrypt passwords =  yes
password server = your.kerberos.server

ADS — The Samba server acts as a domain member in an Active Directory Domain (ADS) realm. For this option, Kerberos must be installed and configured on the server, and Samba must become a member of the ADS realm using the net utility, which is part of the samba-client package. Refer to the net man page for details. This option does not configure Samba to be an ADS Controller.

While logged in as root (or superuser):

# /usr/sbin/useradd -g machines -d /var/lib/nobody \
      -c "machine nickname" \
      -s /bin/false machine_name$
# passwd -l machine_name$

If that doesn't work I would start with a more basic global configuration and work your way up.
 

Author Comment

by:RBECKMN
ID: 18783139
Making progress ..

I had thought Kerberos was installed but it was not, so I installed it.  The Samba server already was a member of the realm.  I'm currently using SUSE Linux 10.1 and it has a nice graphical utility for determining this.

These two lines do not seem to matter -

   encrypt passwords =  yes
   password server = your.kerberos.server

- the result is the same whether or not they are in the smb.conf file.  Security = ADS was already part of the file.

What's now working:
 - Can map drives to Samba shares
 - Can define network places as Samba shares

What's not working:
- have to login to map a drive or set up a network place on the Samba server.
- the only kind of login that works is:
    * linux user with exact same name as Windows user.
    * linux user must own or have r/w permissions for the Samba share.
- there is an exception to the login requirement:  if the windows workstation is logged on as a windows user that also exists on the Samba server, there is not a request to log in when mapping a drive or defining a network place.
- the login requirement is a problem because it doubles the amount of maintenance required as users come and go, and as folders and permissions are changed.
- the windows user has the same permissions as the Samba user that was used to log in to the Samba server.  In other words, the granularity of windows file and folder permissions is not present - security is applied entirely from the Samba side.  This is not so useful for private shares, but may be okay for public shares.
 

Expert Comment

by:ShineOn
ID: 18787156
- the only kind of login that works is:
    * linux user with exact same name as Windows user.
    * linux user must own or have r/w permissions for the Samba share.

This makes sense to a degree.

To relate it to a Windows environment - a Domain user can get rights to a Workgroup server's share only if the user is added to the local server's user list.  If they match up, they get access.

You are using Kerberos/ADS for Samba, but did you join the SuSE computer to your AD domain, or is it still in its default configuration?  It has to be more than just in the Kerberos realm, if I'm not mistaken.  If you go into your AD Users and Computers MMC, does the SuSE box show up in your AD domain's Computers folder?

Regardless, you won't get share permissions unless you add share permissions at the server, just as you would have to do with Windows.  Are you using groups to assign the permissions, or individual users?

As to it doubling the amount of maintenance as users come and go - how so?  Windows share permissions are all set in the NTFS ACL on the individual Windows servers - how is it double the effort to do the same on your Samba server?  The only thing you gain from AD is the user and group objects - essentially "single sign-on."  Once you've got that part working - which your last comments say to me it's not quite yet - you've got no more work with your Samba shares than you do with NTFS shares.

 

Expert Comment

by:thomaswright
ID: 18787203
I found it useful to issue a net use command on startup of the workstations to map the network drives.  This method may (or may not) be applicable to you but it's worth mentioning.

1. Create a .bat file  (eg. startup.bat) on the workstation end.
2. In the startup.bat file put the following line

net use p: \\Entibor\<share name>
or
net use p: \\Entibor\<share name> password /user:username /persistent:no

3. Put the startup.bat shortcut (or file) in the Startup folder..
 

Expert Comment

by:ShineOn
ID: 18787321
Another thought regarding permissions - did you make sure to enable the directories represented by your shares for ACL?  If not, then share "permissions" won't apply and the only access granted will be via the Linux filesystem rights.
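The accepted answer above lists what an ADS domain member needs (security = ADS, Kerberos, a join to the realm), and ShineOn's two comments point at winbind and at ACL support on the filesystem under each share. The script below is an added example, not code from this thread or from the Samba project: it audits those pieces from an smb.conf, an nsswitch.conf and an fstab, and runs the same checks against a corrected set of files so the weak and fixed configurations sit side by side. All three input files are constructed here (the smb.conf is modelled on the one posted above but is not the poster's file), and the function names and the choice of parameters to check are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: audit the pieces a Samba 3.x
# ADS domain member needs before domain users can open shares without a matching local
# Unix account. Every input file below is constructed for this demo; the smb.conf is
# modelled on the one posted above but is not the poster's file.

# smb_get KEY FILE: value of KEY in the [global] section of an smb.conf, or nothing.
smb_get() {
    awk -v key="$1" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && $0 !~ /^[ \t]*[#;]/ && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$2"
}

# audit_smb_conf FILE: print one line per [global] setting an ADS member relies on
# that is missing or wrong (all parameter names are real Samba 3 options).
audit_smb_conf() {
    f=$1
    [ "$(smb_get security "$f" | tr 'A-Z' 'a-z')" = "ads" ] \
        || echo "security is not 'ads': not acting as an AD domain member"
    [ -n "$(smb_get realm "$f")" ] || echo "realm unset: Kerberos has no realm to look up"
    { [ -n "$(smb_get 'idmap uid' "$f")" ] && [ -n "$(smb_get 'idmap gid' "$f")" ]; } \
        || echo "idmap uid/gid ranges missing: winbind cannot map SIDs to Unix ids"
    [ "$(smb_get 'winbind use default domain' "$f" | tr 'A-Z' 'a-z')" = "yes" ] \
        || echo "winbind use default domain = yes missing: bare usernames are not treated as domain users"
    [ -n "$(smb_get 'hosts allow' "$f")" ] || echo "hosts allow unset: shares reachable from any address"
    return 0
}

# audit_nsswitch FILE: winbind must be on the passwd and group lines, otherwise neither
# Samba nor the kernel can turn a domain user into a uid/gid for permission checks.
audit_nsswitch() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:[^#]*winbind" "$1" || echo "nsswitch.conf: '$db' line lacks winbind"
    done
    return 0
}

# audit_acl_mount PATH FSTAB: the filesystem under a share must carry the 'acl' mount
# option (explicit on ext3 of that era; a mkfs default on ext4, visible via tune2fs -l).
audit_acl_mount() {
    awk -v p="$1" '
        $0 !~ /^[ \t]*#/ && NF >= 4 {
            mp = $2
            if (index(p, mp) == 1 && (mp == "/" || p == mp || substr(p, length(mp) + 1, 1) == "/")) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END {
            if (best == "") { print p ": no matching mount in fstab"; exit }
            if (("," opts ",") !~ /,acl,/) print p ": on " best " mounted without acl (" opts ")"
        }' "$2"
    return 0
}

# Constructed inputs modelled on the thread: ADS member without winbind in nsswitch
# and without acl on the /home filesystem that holds the [groups] share.
tmp=$(mktemp -d)
SMB_CONF=$tmp/smb.conf; NSS_CONF=$tmp/nsswitch.conf; FSTAB=$tmp/fstab
cat > "$SMB_CONF" <<'EOF'
[global]
      workgroup = ACORNHQ
      realm = ACORNHQ.ACORNCV.COM
      security = ADS
      idmap uid = 10000-20000
      idmap gid = 10000-20000
      template homedir = /home/%D/%U
      template shell = /bin/bash
      winbind refresh tickets = yes
      hosts allow = 192.168.1
[groups]
      path = /home/groups
      read only = No
EOF
printf 'passwd: compat\ngroup:  compat\nhosts:  files dns\n' > "$NSS_CONF"
printf '/dev/sda2 / ext3 defaults 1 1\n/dev/sda3 /home ext3 defaults 1 2\n' > "$FSTAB"

# Corrected counterparts: 'winbind use default domain = yes' added to [global],
# winbind added to nsswitch, acl added to the /home mount.
SMB_FIXED=$tmp/smb-fixed.conf; NSS_FIXED=$tmp/nsswitch-fixed.conf; FSTAB_FIXED=$tmp/fstab-fixed
{ echo '[global]'; echo '      winbind use default domain = yes'; sed 1d "$SMB_CONF"; } > "$SMB_FIXED"
printf 'passwd: compat winbind\ngroup:  compat winbind\nhosts:  files dns\n' > "$NSS_FIXED"
sed 's|/home ext3 defaults|/home ext3 defaults,acl|' "$FSTAB" > "$FSTAB_FIXED"

echo "== as posted"; audit_smb_conf "$SMB_CONF"; audit_nsswitch "$NSS_CONF"; audit_acl_mount /home/groups "$FSTAB"
echo "== corrected"; audit_smb_conf "$SMB_FIXED"; audit_nsswitch "$NSS_FIXED"; audit_acl_mount /home/groups "$FSTAB_FIXED"
```

On a real box, point the three functions at /etc/samba/smb.conf, /etc/nsswitch.conf and /etc/fstab. The static checks only tell you what is missing from the files; to confirm that winbind actually resolves domain users, `net ads testjoin` should report that the join is OK, `wbinfo -u` should list domain users, and `getent passwd` for one of them should return a uid from the idmap range. Until that last step works, only users with an identical local Unix account will get in, which is exactly the behaviour described above.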
 

Author Comment

by:RBECKMN
ID: 18788429
Response to ShineOn:

- Suse has a nice GUI utility that lets you browse for a domain to join, and tells you what domain the server is joined to.  This utility shows the server is joined to the domain.
- The computer does show up in the Computers folder.  AD shows the operating system as "Samba" and lists the OS version as 3.0.22-11-SUSE-CODE10, so it looks like AD is aware of the machine correctly.
- I do not use local computer users and groups to set permissions for server shares.  I set up access permissions via 'global' security groups, then manage by adding/removing users to the appropriate groups.  This way, once permissions for the security groups are defined for each share, everything is managed through AD rather than going to each share on each server to modify something when employees change.  
- What I have noticed with the Samba shares is that the permission level assigned in Windows (by opening the share's properties from Windows) works just like it would for any Windows share - except:
  permissions assigned from Windows are overridden by those assigned from Linux.  In practical terms, if I set up permissions so that a specific Windows group has only read access, but use a linux username to log in to the share where the linux username has r/w access, the Windows user ends up with r/w access.  I expected that the most restrictive permission set would apply but that does not happen.

What I am trying to achieve is the same kind of relatively seamless access that occurs with Windows shares.  This means that once permissions are correctly defined, a Windows user just opens the share without any further ado, no need to log in to it, and permissions for the share are based on the Windows user security group memberships.

-  Sorry, but I don't know what you mean by 'enable the directories.'  How is that done?  This sounds like a key point!
 

Author Comment

by:RBECKMN
ID: 18788450
Response to thomaswright:

the net use command without password does not work because the system requests a log on.  I have not tried the command with the password because:

 - this is exactly what I'm trying to avoid - do not want to have the Samba shares available only after a log in.  Also, this would not solve the permission issues described above because the log on user would, at this point in time, have to be a Samba user as described above.
 - the command would be visible for a brief period on the screen, if placed in the logon profile, so the password would be visible.

This would be a good fallback, if the other issues turn out to be unresolvable.
 

Expert Comment

by:ShineOn
ID: 18788600
I see now...

Check this tutorial to make sure everything is set up.

You probably missed one little thing somewhere.  Ideally, you should have no need for Linux user IDs...

Leads me to think Winbind isn't working right.
 

Author Comment

by:RBECKMN
ID: 18851546
I accepted the post suggesting adding kerberos as the solution to close this question and give some credit to a useful suggestion.  Once Kerberos was added to the configuration, it was possible to access Samba shares under restricted circumstances.

However, it should be noted that I still have not got this working correctly, even though there is plenty of documentation available that implies it should work the way I want it to.

Everything is fine if user accounts with the same username exist in both systems, but otherwise it does not work without requiring a login each time one of the Samba shares is accessed.  I am studying Samba and Linux in more detail, and expect to eventually figure it out.