Avatar of RBECKMN

Cannot log on to SAMBA server from Windows Network

I've tried this with FreeBSD, Fedora and SUSE with the same results each time ..

The network consists of two W2k servers and two W2003 servers, with 50+ WXP workstations and laptops.  One of the W2k servers is the PDC, WINS, DHCP, DNS.  The other servers are file, email, sharepoint, database, WUS, etc.

The goal is to add a file server based on Unix or Linux that can act as a file server for the entire network.  

Here is what works:

1) From any windows machine, it is possible to ping the linux machine by its netbios name.  VNC from windows connects to the linux machine.  The linux machine shows up in network neighborhood.  Under FreeBSD, I could get to SWAT from a windows machine by logging in to a FreeBSD user account.

2) From the linux machine, it is possible to browse the entire network and log on to any of the windows machines.  With appropriate login credentials it is possible to get to any drive on any of the windows machines.  It is possible to copy files between the linux machine and windows machines, provided one initiates the copy from the linux machine.  It is possible to ping any windows machine by its IP, but not by its name unless the name is in the pertinent hosts file.  It is possible to ping Internet addresses and browse the Internet.

What does not work:

From Windows, it is not possible to access anything on the linux machine.  Attempting to open it from network neighborhood results in a request for a username and password, and no matter what I try nothing works.  I have tried creating a Linux account with same username and password as a Windows account, have tried the root account, etc.  
It is not possible to map any share on the linux machine to a Windows drive letter.

I must be missing something, but I'm not sure what it is .. have tried all the various Samba security modes to no avail.
Avatar of thomaswright

Can you post your samba.conf file?

First thought, in [global]
hosts allow = 192.168.1    - or whatever the subnet
security = user

Probably you forgot to provide a smbpasswd for the user.

smbpasswd -a <username>

If you have gone with default settings then it is likely that Samba is trying to validate users from its own password back end rather than the system passwords.  But as thomas says, it is better to have the GLOBAL part posted here for a better solution.
Avatar of RBECKMN


here is the smb.conf file:

      workgroup = ACORNHQ
      printing = cups
      printcap name = cups
      printcap cache time = 750
      cups options = raw
      map to guest = Bad User
      include = /etc/samba/dhcp.conf
      logon path = \\%L\profiles\.msprofile
      logon home = \\%L\%U\.9xprofile
      logon drive = P:
      idmap gid = 10000-20000
      idmap uid = 10000-20000
      security = ADS
      template homedir = /home/%D/%U
      template shell = /bin/bash
      winbind refresh tickets = yes
      domain logons = No
      domain master = No
      password server = *
      netbios name = Entibor
      usershare max shares = 100
      hosts allow = 192.168.1
      comment = Home Directories
      valid users = %S, %D%w%S
      browseable = No
      read only = No
      inherit acls = Yes
      comment = Network Profiles Service
      path = %H
      read only = No
      store dos attributes = Yes
      create mask = 0600
      directory mask = 0700
      comment = All users
      path = /home
      read only = No
      inherit acls = Yes
      veto files = /aquota.user/groups/shares/
      comment = All groups
      path = /home/groups
      read only = No
      inherit acls = Yes
      comment = All Printers
      path = /var/tmp
      printable = Yes
      create mask = 0600
      browseable = No
      comment = Printer Drivers
      path = /var/lib/samba/drivers
      write list = @ntadmin root
      force group = ntadmin
      create mask = 0664
      directory mask = 0775

Regarding the password issue, I thought Samba could be configured to get authentication info from the Windows side??
Avatar of RBECKMN


One piece of info that I left out earlier:  after failing to login to the Samba server (for instance when attempting to map a drive to a share on the server, or attempting to open the server in network neighborhood), this message results: There are currently no logon servers available to service the logon request.
Avatar of thomaswright

This solution is only available to members.
Avatar of RBECKMN


Making progress ..

I had thought Kerberos was installed but it was not, so I installed it.  The Samba server already was a member of the realm.  I'm currently using SUSE Linux 10.1 and it has a nice graphical utility for determining this.

These two lines do not seem to matter -

   encrypt passwords =  yes
   password server = your.kerberos.server

- the result is the same whether or not they are in the smb.conf file.  Security = ADS was already part of the file.

What's now working:
 - Can map drives to Samba shares
 - Can define network places as Samba shares

What's not working:
- have to login to map a drive or set up a network place on the Samba server.
- the only kind of login that works is:
    * linux user with exact same name as Windows user.
    * linux user must own or have r/w permissions for the Samba share.
- there is an exception to the login requirement:  if the windows workstation is logged in as a windows user that also exists on the Samba server, there is not a request to log in when mapping a drive or defining a network place.
- the login requirement is a problem because it doubles the amount of maintenance required as users come and go, and as folders and permissions are changed.
- the windows user has the same permissions as the Samba user that was used to log in to the Samba server.  In other words, the granularity of windows file and folder permissions is not present - security is applied entirely from the Samba side.  This is not so useful for private shares, but may be okay for public shares.
Avatar of ShineOn
- the only kind of login that works is:
    * linux user with exact same name as Windows user.
    * linux user must own or have r/w permissions for the Samba share.

This makes sense to a degree.

To relate it to a Windows environment - a Domain user can get rights to a Workgroup server's share only if the user is added to the local server's user list.  If they match up, they get access.

You are using Kerberos/ADS for Samba, but did you join the SuSE computer to your AD domain, or is it still in its default configuration?  It has to be more than just in the Kerberos realm, if I'm not mistaken.  If you go into your AD Users and Computers MMC, does the SuSE box show up in your AD domain's Computers folder?

Regardless, you won't get share permissions unless you add share permissions at the server, just as you would have to do with Windows.  Are you using groups to assign the permissions, or individual users?

As to it doubling the amount of maintenance as users come and go - how so?  Windows share permissions are all set in the NTFS ACL on the individual Windows servers - how is it double the effort to do the same on your Samba server?  The only thing you gain from AD is the user and group objects - essentially "single sign-on."  Once you've got that part working - which your last comments say to me it's not quite yet - you've got no more work with your Samba shares than you do with NTFS shares.

I found it useful to issue a net use command on startup of the workstations to map the network drives.  This method may (or may not) be applicable to you but it's worth mentioning.

1. Create a .bat file  (eg. startup.bat) on the workstation end.
2. In the startup.bat file put the following line

net use p: \\Entibor\<share name>
net use p: \\Entibor\<share name> password /user:username /persistent:no

3. Put the startup.bat shortcut (or file) in the Startup folder.

Another thought regarding permissions - did you make sure to enable the directories represented by your shares for ACL?  If not, then share "permissions" won't apply and the only access granted will be via the Linux filesystem rights.
Avatar of RBECKMN


Response to ShineOn:

- Suse has a nice GUI utility that lets you browse for a domain to join, and tells you what domain the server is joined to.  This utility shows the server is joined to the domain.
- The computer does show up in the Computers folder.  AD shows the operating system as "Samba" and lists the OS version as 3.0.22-11-SUSE-CODE10, so it looks like AD is aware of the machine correctly.
- I do not use local computer users and groups to set permissions for server shares.  I set up access permissions via 'global' security groups, then manage by adding/removing users to the appropriate groups.  This way, once permissions for the security groups are defined for each share, everything is managed through AD rather than going to each share on each server to modify something when employees change.  
- What I have noticed with the Samba shares is that the permission level assigned in Windows (by opening the share's properties from Windows) works just like it would for any Windows share - except:
  permissions assigned from Windows are overridden by those assigned from Linux.  In practical terms, if I set up permissions so that a specific Windows group has only read access, but use a linux username to log in to the share where the linux username has r/w access, the Windows user ends up with r/w access.  I expected that the most restrictive permission set would apply but that does not happen.

What I am trying to achieve is the same kind of relatively seamless access that occurs with Windows shares.  This means that once permissions are correctly defined, a Windows user just opens the share without any further ado, no need to log in to it, and permissions for the share are based on the Windows user security group memberships.

-  Sorry, but I don't know what you mean by 'enable the directories.'  How is that done?  This sounds like a key point!
Avatar of RBECKMN


Response to thomaswright:

the net use command without password does not work because the system requests a log on.  I have not tried the command with the password because:

 - this is exactly what I'm trying to avoid - do not want to have the Samba shares available only after a log in.  Also, this would not solve the permission issues described above because the log on user would, at this point in time, have to be a Samba user as described above.
 - the command would be visible for a brief period on the screen, if placed in the logon profile, so the password would be visible.

This would be a good fallback, if the other issues turn out to be unresolvable.

I see now...

Check this tutorial to make sure everything is set up.

You probably missed one little thing somewhere.  Ideally, you should have no need for Linux user IDs...

Leads me to think Winbind isn't working right.
Avatar of RBECKMN


I accepted the post suggesting adding kerberos as the solution to close this question and give some credit to a useful suggestion.  Once Kerberos was added to the configuration, it was possible to access Samba shares under restricted circumstances.

However, it should be noted that I still have not got this working correctly, even though there is plenty of documentation available that implies it should work the way I want it to.

Everything is fine if user accounts with the same username exist in both systems, but otherwise it does not work without requiring a login each time one of the Samba shares is accessed.  I am studying Samba and Linux in more detail, and expect to eventually figure it out.
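
The later replies point at winbind as the piece that lets AD users reach the shares without matching Linux accounts. As an added example (not part of the thread and not Samba's own tooling), this Python check reads a Samba 3 member-server configuration and reports which settings that setup depends on are absent; the sample inputs are constructed, reusing the workgroup, idmap ranges and NetBIOS name from the posted smb.conf, and the `[global]` header and all function names are assumptions.

```python
import re

# Constructed sample: values copied from the smb.conf posted in the thread;
# the "[global]" header is an assumption (the post shows no section headers).
SMB_CONF = """\
[global]
    workgroup = ACORNHQ
    security = ADS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    netbios name = Entibor
"""
# Constructed /etc/nsswitch.conf fragment with no winbind source configured.
NSSWITCH = "passwd: files\ngroup:  files\nhosts:  files dns\n"

def parse_global(text):
    """Return [global] parameters; names are lower-cased, spaces collapsed."""
    params, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def nss_sources(text, database):
    """Return the lookup sources listed for one nsswitch.conf database."""
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        if name.strip() == database:
            return rest.split("#")[0].split()
    return []

def audit(smb_conf, nsswitch):
    """List missing prerequisites for winbind-based AD user mapping."""
    g, findings = parse_global(smb_conf), []
    if g.get("security", "").lower() != "ads":
        findings.append("security is not ADS")
    if not g.get("realm"):
        findings.append("realm is not set")
    for key in ("idmap uid", "idmap gid"):
        if not re.fullmatch(r"\d+\s*-\s*\d+", g.get(key, "")):
            findings.append(key + " range is missing")
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append("nsswitch " + db + " lacks winbind")
    return findings
```

On a real host, `wbinfo -u` and `getent passwd` show whether domain accounts actually resolve once these settings are in place.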