Gentoo Forums
Samba PDC problems
tdi
Apprentice

Joined: 25 Aug 2004
Posts: 170

Posted: Wed Nov 09, 2005 2:17 pm    Post subject: Samba PDC problems

I've got these problems with a Samba PDC:


1. When user A wants to browse shares of computer B of user Bu, he cannot.
Windows shows a popup saying: You have no rights to browse that host.
(All users are logged into the same domain.)

2. I want domain members, when installing my shared printer, to get drivers from samba somehow.
3. Also, nmbd shows something like that:

Code:
[2005/11/09 14:11:49, 0] nmbd/nmbd_workgroupdb.c:dump_workgroups(284)
  dump_workgroups()
   dump workgroup on subnet  UNICAST_SUBNET: netmask=   192.168.0.10:
        COGNIFIDE(1) current master browser = UNKNOWN
                BOSS 40099b0b (Samba Gentoo Server 3.0.20b)

this is my smb.conf
Code:
[global]

# Workgroup
workgroup = COGNIFIDE
netbios name = BOSS
server string = Samba Gentoo Server %v
#logging
log file = /var/log/samba/log.%m
#log level=3
max log size = 50
# acls
hosts allow = 192.168.0.0/24
logon path=
# security
security = user
password server = *
#passdb backend =tdbsam
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
encrypt passwords = yes
#unix password sync = yes
#pam password change = yes
null passwords=no
hide unreadable = yes
hide dot files = yes
smb passwd file = /etc/samba/private/smbpasswd
passwd program = /usr/bin/passwd %u
passwd chat = *New password* %n\n *Re*ype*new*password* %n\n \

# general printing
printcap name=cups
load printers=yes
printing =cups

# PDC options
local master = yes
os level = 255
domain master = yes
preferred master = yes
domain logons = yes
#/logon script = /home/samba/netlogon/login.bat

# user management options
add user script = /usr/sbin/useradd -s /bin/false '%u'
delete user script = /usr/sbin/userdel '%s'
add user to group script = /usr/bin/gpasswd -a '%u' '%g'
delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'
delete group script = /usr/sbin/groupdel '%g'
add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'


# net options
name resolve order = wins lmhosts bcast host
wins support = yes
#dns proxy = yes

# locale options
dos charset = 851
unix charset = ISO8859-1


#### SHARES ####

[homes]
path  = /home/%U
comment = Home Directories
browseable = no
writable = yes
valid users=%S
read only =no
guest ok =no
inherit permissions=yes

#[Profiles]
#path =
#browsable = no
#guest ok = yes


[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
public = no
read only=yes
browsable = no


[pub]
path = /home/pub
public = yes
only guest = yes
writable = yes
printable = no


[doc]
path = /home/doc
public = yes
only guest=yes
writable=yes
printable = no


[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public=yes
guest ok = yes
writable = yes
printable = yes
create mode = 0700
#printer admin = root
print command = lpr-cups -P %p -o raw %s -r

[print$]
comment = Net Printer
path = /var/lib/samba/printers
browseable = yes
read only = yes
write list = @adm root tdi
guest ok = yes
slam_head
Guru

Joined: 06 Jan 2003
Posts: 449
Location: New York City

Posted: Wed Nov 09, 2005 2:42 pm

As for problem 1, is the share that can't be browsed on the PDC? If not, this is probably not a Samba issue, but... Make sure the user who needs to access the share has permissions to do so, or just set the perms to Full Control for Domain Users.
Also you should probably remove the password server = * from your smb.conf
tdi
Apprentice

Joined: 25 Aug 2004
Posts: 170

Posted: Wed Nov 09, 2005 3:45 pm

no they cannot browse their shares, shares on PDC can be browsed without problems.

why remove password server=*
slam_head
Guru

Joined: 06 Jan 2003
Posts: 449
Location: New York City

Posted: Wed Nov 09, 2005 6:46 pm

From the man page on smb.conf

Code:
password server (G)
              By specifying the name of another SMB server or Active Directory domain controller with this option, and using security = [ads|domain|server] it is possible to get Samba to to do all its username/password validation using a specific remote server.


Most likely samba isn't even processing the line. If you run testparm it will show you the running config samba interprets from your smb.conf.
tdi
Apprentice

Joined: 25 Aug 2004
Posts: 170

Posted: Sat Nov 12, 2005 2:05 pm

that is not an issue.
password server = * means that samba searches for pass server.
my PDC works with or without it.

problem is that users cannot browse each other's shares.
petrjanda
Veteran

Joined: 05 Sep 2003
Posts: 1557
Location: Brno, Czech Republic

Posted: Sun Nov 13, 2005 7:44 am

They cannot browse because they do not have permission to do so. Check share/ntfs permissions? It's a bad security policy, but set NTFS group "Everyone" permission. You should also set the Share permission to give everyone FC.
_________________
There is, a not-born, a not-become, a not-made, a not-compounded. If that unborn, not-become, not-made, not-compounded were not, there would be no escape from this here that is born, become, made and compounded. - Gautama Siddharta
slam_head
Guru

Joined: 06 Jan 2003
Posts: 449
Location: New York City

Posted: Mon Nov 14, 2005 7:35 pm

Samba filesharing has three layers of security.
- File: actual permissions of files and directories
- Stanza permissions applied to a share in the smb.conf
- Share permissions applied to a share through the windows mmc

File and Stanza permissions can be changed from the Samba machine. Although Share permissions are stored in a .tdb file on the samba controller, they can only be altered from the MMC on a windows box. If memory serves me right, the default permissions applied to Share level permissions are 'Full Control' for 'everyone.' The samba team is planning to provide a mechanism to alter Share level permissions in a future release, but until then....
nobspangle
Veteran

Joined: 23 Mar 2004
Posts: 1318
Location: Manchester, UK

Posted: Mon Nov 14, 2005 10:00 pm

You have got shares that require users and shares that explicitly require guest access on the same box; this will not work. Windows NT/2000/XP will always use the same credentials for all shares on a server.

The best way to set shares is everyone full control, then use file permissions to restrict usage. If you have extended permissions enabled on your Gentoo box and samba compiled with USE=acl you can adjust the file permissions using the windows gui.

Also make sure all your windows clients have their wins server address set to the IP of the PDC.
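
A small audit for the two smb.conf points raised in this thread: slam_head's remark that `password server` goes with `security = ads|domain|server`, and nobspangle's remark about guest-only shares sitting next to shares that require users. This is an added example, not part of any post; the function names and the cut-down sample config are constructed here.

```python
import re

TRUE = {"yes", "true", "1"}
# Synonyms from the smb.conf man page, mapped to one canonical name.
SYNONYMS = {"public": "guest ok", "only guest": "guest only"}

def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, space-normalised names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            conf[section][SYNONYMS.get(key, key)] = value.strip()
    return conf

def audit(conf):
    findings, glob = [], conf.get("global", {})
    security = glob.get("security", "user").lower()   # "user" is the Samba 3.0 default
    if "password server" in glob and security not in ("ads", "domain", "server"):
        findings.append(f"password server is set but security = {security}")
    shares = {name: p for name, p in conf.items() if name != "global"}
    guest_only = sorted(n for n, p in shares.items()
                        if p.get("guest only", "no").lower() in TRUE)
    authenticated = sorted(n for n, p in shares.items()
                           if p.get("guest ok", "no").lower() not in TRUE)
    if guest_only and authenticated:
        findings.append(f"guest-only shares {guest_only} alongside "
                        f"authenticated shares {authenticated}")
    return findings

# Constructed sample: a cut-down copy of the smb.conf posted at the top of the thread.
SAMPLE = """[global]
security = user
password server = *
[homes]
guest ok =no
[pub]
public = yes
only guest = yes
"""
if __name__ == "__main__":
    print(audit(parse_smb_conf(SAMPLE)))
```

The parser only normalises case and runs of spaces in parameter names; running `testparm` on the real file remains the authoritative view of what Samba parsed.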
tdi
Apprentice

Joined: 25 Aug 2004
Posts: 170

Posted: Tue Nov 15, 2005 6:28 am

shares on PDC work perfectly !

problem is when user A wants to browse user B's shares on B's machine.
this worked properly before migration to samba (from w2k3).
petrjanda
Veteran

Joined: 05 Sep 2003
Posts: 1557
Location: Brno, Czech Republic

Posted: Tue Nov 15, 2005 7:46 am

tdi wrote:
shares on PDC work perfectly !

problem is when user A wants to browse user B's shares on B's machine.
this worked properly before migration to samba (from w2k3).

So a person tries to open up a share, but gets permission denied, right? Or is this happening upon trying to connect to the computer (before you can see the shares)? If it's the former then you can start with giving Full Control to everyone.
_________________
There is, a not-born, a not-become, a not-made, a not-compounded. If that unborn, not-become, not-made, not-compounded were not, there would be no escape from this here that is born, become, made and compounded. - Gautama Siddharta
slam_head
Guru

Joined: 06 Jan 2003
Posts: 449
Location: New York City

Posted: Tue Nov 15, 2005 3:07 pm

Here's a good way to get extended debugging info. In your smb.conf add:

Code:
include = /etc/samba/include/%m.smb.conf


Now create the /etc/samba/include/ directory and create a file in it that has the netbios machine name of Computer B plus .smb.conf. I.e. if computer B is named Elephant, create a file called /etc/samba/include/elephant.smb.conf with the following lines:

Code:
[global]
log level = 5
max log size = 0


This will create verbose logging for just that one client. Also when reading the logfile it can help to do a

Code:
grep -v "\[200" elephant.log|less


to strip out the useless information from the logs.
nobspangle
Veteran

Joined: 23 Mar 2004
Posts: 1318
Location: Manchester, UK

Posted: Tue Nov 15, 2005 10:13 pm

how about the wins server
can you post the output of
Code:
ipconfig /all

from both windows boxes?
tdi
Apprentice

Joined: 25 Aug 2004
Posts: 170

Posted: Sun Nov 20, 2005 4:38 pm

petrjanda wrote:
tdi wrote:
shares on PDC work perfectly !

problem is when user A wants to browse user B's shares on B's machine.
this worked properly before migration to samba (from w2k3).

So a person tries to open up a share, but gets permission denied, right? Or is this happening upon trying to connect to the computer (before you can see the shares)? If it's the former then you can start with giving Full Control to everyone.


yes person sees shares, but it happens when trying to browse (clicking)
petrjanda
Veteran

Joined: 05 Sep 2003
Posts: 1557
Location: Brno, Czech Republic

Posted: Tue Nov 22, 2005 7:40 am

tdi wrote:
petrjanda wrote:
tdi wrote:
shares on PDC work perfectly !

problem is when user A wants to browse user B's shares on B's machine.
this worked properly before migration to samba (from w2k3).

So a person tries to open up a share, but gets permission denied, right? Or is this happening upon trying to connect to the computer (before you can see the shares)? If it's the former then you can start with giving Full Control to everyone.


yes person sees shares, but it happens when trying to browse (clicking)

did you try to give full control to everyone? (share & ntfs permission)
_________________
There is, a not-born, a not-become, a not-made, a not-compounded. If that unborn, not-become, not-made, not-compounded were not, there would be no escape from this here that is born, become, made and compounded. - Gautama Siddharta