
[Samba] session setup failed: NT_STATUS_LOGON_FAILURE


Roger Wu

Nov 3, 2015, 9:20:04 AM
Hi,

I installed samba 4.0.0rc4 on CentOS 6.7.
I'm now trying to set up a samba server using NIS authentication with access
from Windows 7,
but I hit a problem I don't know how to deal with.
After starting the service, I tried the following command, but got an error
message:

[root@testcad16 samba]# smbclient -L //testcad16
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

I looked into log.nmbd and log.smbd; the following messages showed up:

[root@testcad16 samba]# tail -20 log.nmbd
[2015/11/03 10:04:48, 0] ../source3/nmbd/nmbd.c:883(main)
nmbd version 4.0.0rc4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
[2015/11/03 10:04:48, 0] ../source3/nmbd/nmbd.c:922(main)
standard input is not a socket, assuming -D option

[root@testcad16 samba]# tail -20 log.smbd
[2015/11/03 10:04:44, 0] ../source3/smbd/server.c:1200(main)
smbd version 4.0.0rc4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
[2015/11/03 10:04:44.577027, 0] ../source3/smbd/server.c:1280(main)
standard input is not a socket, assuming -D option

Then I gave the following command, but I had no idea how to debug.

[root@testcad16 samba]# smbclient -d3 -L //testcad16
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface eth0 ip=fe80::20c:29ff:fe2a:2d99%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=172.26.85.211 bcast=172.26.87.255 netmask=255.255.248.0
Client started (version 4.0.0rc4).
Enter root's password:
Connecting to 172.26.85.211 at port 445
session setup failed: NT_STATUS_LOGON_FAILURE

My smb.conf setting is as below,
[global]
workgroup = TESTSMB
server string = Samba Server Version %v
netbios name = testcad16
encrypt passwords = No
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
security = user
passdb backend = tdbsam
dns proxy = No
idmap config * : backend = tdb
hosts allow = 127., 172.26.
cups options = raw

[homes]
comment = Home Directories
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No

For more information,

[root@testcad16 samba]# rpm -qa | grep samba
samba4-4.0.0-66.el6_6.rc4.x86_64
samba4-libs-4.0.0-66.el6_6.rc4.x86_64
samba4-winbind-4.0.0-66.el6_6.rc4.x86_64
samba4-client-4.0.0-66.el6_6.rc4.x86_64
samba4-common-4.0.0-66.el6_6.rc4.x86_64

[root@testcad16 samba]# netstat -tulnp | grep mbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 19363/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 19363/smbd
tcp 0 0 :::445 :::* LISTEN 19363/smbd
tcp 0 0 :::139 :::* LISTEN 19363/smbd
udp 0 0 172.26.87.255:137 0.0.0.0:* 19382/nmbd
udp 0 0 172.26.85.211:137 0.0.0.0:* 19382/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 19382/nmbd
udp 0 0 172.26.87.255:138 0.0.0.0:* 19382/nmbd
udp 0 0 172.26.85.211:138 0.0.0.0:* 19382/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 19382/nmbd


Regards,

Rowland Penny

Nov 3, 2015, 10:00:05 AM
Is there any way you can use a later version of samba? i.e. by using
the Sernet packages:

https://portal.enterprisesamba.com/

Version 4.0.x is EOL and a later version may contain the fix for your
problem.

Rowland

Roger Wu

Nov 4, 2015, 1:30:03 AM
Hi, Rowland,

Thanks for your advice. I've updated the version to 4.2.5; the rpm
query is below,
but it still didn't work.

[root@testcad16 samba]# rpm -qa | grep samba
sernet-samba-4.2.5-19.el6.x86_64
sernet-samba-libs-4.2.5-19.el6.x86_64
sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
sernet-samba-client-4.2.5-19.el6.x86_64
sernet-samba-common-4.2.5-19.el6.x86_64

[root@testcad16 samba]# netstat -tulnp| grep mbd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 27139/smbd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 27139/smbd
tcp 0 0 :::445 :::* LISTEN 27139/smbd
tcp 0 0 :::139 :::* LISTEN 27139/smbd
udp 0 0 172.26.87.255:137 0.0.0.0:* 27094/nmbd
udp 0 0 172.26.85.211:137 0.0.0.0:* 27094/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 27094/nmbd
udp 0 0 172.26.87.255:138 0.0.0.0:* 27094/nmbd
udp 0 0 172.26.85.211:138 0.0.0.0:* 27094/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 27094/nmbd

[root@testcad16 samba]# smbclient -d 3 -L //testcad16
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=172.26.85.211 bcast=172.26.87.255 netmask=255.255.248.0
Client started (version 4.2.5-SerNet-RedHat-19.el6).
Enter root's password:
Connecting to 172.26.85.211 at port 445
session setup failed: NT_STATUS_LOGON_FAILURE

My smb.conf setting is as follows,

# Global parameters
[global]
workgroup = TESTSMB
server string = Samba Server Version %v
netbios name = testcad16
security = USER
passdb backend = tdbsam
encrypt passwords = No
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes
dns proxy = No
idmap config * : backend = tdb
hosts allow = 127. 172.26.
cups options = raw


[homes]
comment = Home Directories
read only = No
browseable = No


[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No



mathias dufresne

Nov 4, 2015, 4:00:04 AM
Hi,

Samba always comes with its own users database. When you have AD, that's
clear enough, AD's purpose is often to get a users database.

When using Samba in a different way, as here with "security = user", you
have to fill the Samba database and then use Samba accounts to connect to
your shares.

[root@testcad16 samba]# smbpasswd -a toto
New SMB password:
Retype new SMB password:

Then:
smbclient -d 3 -L //testcad16 -U toto

Rowland Penny

Nov 4, 2015, 4:20:03 AM
On 04/11/15 06:24, Roger Wu wrote:
> Hi, Rowland,
>
> Thanks for your advice. I've updated the version to 4.2.5; the
> rpm query is below,
> but it still didn't work.
>
> [root@testcad16 samba]# rpm -qa | grep samba
> sernet-samba-4.2.5-19.el6.x86_64
> sernet-samba-libs-4.2.5-19.el6.x86_64
> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
> sernet-samba-client-4.2.5-19.el6.x86_64
> sernet-samba-common-4.2.5-19.el6.x86_64
>
> [root@testcad16 samba]# netstat -tulnp| grep mbd
> tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 27139/smbd
> tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 27139/smbd
> tcp 0 0 :::445 :::* LISTEN 27139/smbd
> tcp 0 0 :::139 :::* LISTEN 27139/smbd
> udp 0 0 172.26.87.255:137 0.0.0.0:* 27094/nmbd
> udp 0 0 172.26.85.211:137 0.0.0.0:* 27094/nmbd
> udp 0 0 0.0.0.0:137 0.0.0.0:* 27094/nmbd
> udp 0 0 172.26.87.255:138 0.0.0.0:* 27094/nmbd
> udp 0 0 172.26.85.211:138 0.0.0.0:* 27094/nmbd
> udp 0 0 0.0.0.0:138 0.0.0.0:*

OK, you seem to be trying to set up a standalone server, you do realise
that you will need to create your users on this as well as on the
windows machines.

You might as well remove these lines, they are the defaults:

security = USER
passdb backend = tdbsam

You might as well remove this line, it isn't needed on a standalone server:

idmap config * : backend = tdb

and you don't need to run the winbindd daemon.

You really should remove these lines, you are trying to make windows do
something with passwords it really doesn't want to do:

encrypt passwords = No
client NTLMv2 auth = No
client lanman auth = Yes
client plaintext auth = Yes

Roger Wu

Nov 4, 2015, 5:40:02 AM
yes, but I hope samba can use NIS authentication instead of using its own
database.
Do I need to use smbpasswd to create user accounts again? It's against what
I need...


>
> You might as well remove these lines, they are the defaults:
>
> security = USER
> passdb backend = tdbsam
>

Don't I need to set the security level?

>
> You might as well remove this line, it isn't needed on a standalone server:
>
> idmap config * : backend = tdb
>

I didn't set these parameters. They are reported by testparm command.
Where can I remove that?

>
> and you don't need to run the winbindd daemon.
>
> You really should remove these lines, you are trying to make windows do
> something with passwords it really doesn't want to do:
>
> encrypt passwords = No
> client NTLMv2 auth = No
> client lanman auth = Yes
> client plaintext auth = Yes
>
> Rowland
>

Some articles I found on the internet said I need to set the above lines for
the samba server and
plaintextpasswords = 1 for windows, due to different encryption methods
between windows and the workstation.
I added those lines and it seemed to work for the old samba version (3.6.23).
How come it winds up irrelevant for version 4.2.5?
Don't I need to set anything for this issue?

I've removed most of the lines you suggested, which means I set nearly
nothing,
but it still didn't work and I got the same message.

[root@testcad16 samba]# smbclient -L //testcad16
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE


Here is my smb.conf setting.

[root@testcad16 samba]# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
workgroup = SMBTEST
server string = Samba Server Version %v
idmap config * : backend = tdb
hosts allow = 127. 172.26.
cups options = raw


[homes]
comment = Home Directories
read only = No
browseable = No


[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
print ok = Yes
browseable = No


Regards,
Roger

mathias dufresne

Nov 4, 2015, 5:50:02 AM
NIS users are system users. The fact they come from NIS, AD, /etc/passwd or
the moon doesn't change anything. They are system users.
He needs Samba users now...

2015-11-04 11:41 GMT+01:00 Rowland Penny <rowlandpe...@gmail.com>:

> On 04/11/15 10:28, Roger Wu wrote:
>
>>
>>
>>
>> OK, you seem to be trying to set up a standalone server, you do
>> realise that you will need to create your users on this as well as
>> on the windows machines.
>>
>>
>> yes, but I hope samba can use NIS authentication instead of using its
>> own database.
>> Do I need to use smbpasswd to create user accounts again? It's against
>> what I need...
>>
>
> Well, as I don't know what you want, I can only advise on what I see, and
> I see you trying to setup a standalone server.
>
>
>> You might as well remove these lines, they are the defaults:
>>
>> security = USER
>> passdb backend = tdbsam
>>
>>
>> Don't I need to set the security level?
>>
>
> You don't need them because they are the *default* settings.
>
>
>> You might as well remove this line, it isn't needed on a
>> standalone server:
>>
>> idmap config * : backend = tdb
>>
>> I didn't set these parameters. They are reported by testparm command.
>>
>
> Don't post a smb.conf from testparm without saying so, this is probably
> why you are getting the other two lines above, testparm shows *all* lines
> in smb.conf, the ones you added *and* the default ones.
> I think you are going to have to tell us just what you are trying to
> achieve. Also if your windows machines are part of a domain.
>
> Rowland

Rowland Penny

Nov 4, 2015, 5:50:03 AM
On 04/11/15 10:28, Roger Wu wrote:
>
>
>
> OK, you seem to be trying to set up a standalone server, you do
> realise that you will need to create your users on this as well as
> on the windows machines.
>
>
> yes, but I hope samba can use NIS authentication instead of using its
> own database.
> Do I need to use smbpasswd to create user accounts again? It's against
> what I need...

Well, as I don't know what you want, I can only advise on what I see,
and I see you trying to setup a standalone server.

>
> You might as well remove these lines, they are the defaults:
>
> security = USER
> passdb backend = tdbsam
>
>
> Don't I need to set the security level?

You don't need them because they are the *default* settings.

>
> You might as well remove this line, it isn't needed on a
> standalone server:
>
> idmap config * : backend = tdb
>
> I didn't set these parameters. They are reported by testparm command.

Don't post a smb.conf from testparm without saying so, this is probably
why you are getting the other two lines above, testparm shows *all*
lines in smb.conf, the ones you added *and* the default ones.

I think you are going to have to tell us just what you are trying to
achieve. Also if your windows machines are part of a domain.

Rowland

mathias dufresne

Nov 4, 2015, 5:50:03 AM
Once again:
Samba always comes with its own users database.

You have Samba so you have Samba users in addition to system users. You
have to use smbpasswd -a username. And in saying that, I'm not asking you
anything, I'm telling you what you have to do to solve your issue.

Rowland Penny

Nov 4, 2015, 6:00:04 AM
On 04/11/15 10:44, mathias dufresne wrote:
> Once again: Samba always comes with its own users database.

Not always, if you are running Samba as a domain member, then the main
user database is stored on a DC, although they will be cached locally.
If however as the OP seems to be doing, you are running samba as a
Standalone server, you need to have a local database that is totally
separate from any other user database, this is known as running as a
WORKGROUP and it gets terribly messy after about 10 users.

The OP needs to explain just what his requirements are.


>
>
> You have Samba so you have Samba users in addition to system users.
> You have to use smbpasswd -a username. And telling that, I'm not
> asking you anything, I'm telling you what you have to do to solve
> your issue.
>
>

Yes, in a workgroup, you have to have system users and Samba users.

Rowland

mathias dufresne

Nov 4, 2015, 6:20:04 AM
2015-11-04 11:57 GMT+01:00 Rowland Penny <rowlandpe...@gmail.com>:

> On 04/11/15 10:44, mathias dufresne wrote:
>
>> Once again: Samba always comes with its own users database.
>>
>
> Not always, if you are running Samba as a domain member, then the main
> user database is stored on a DC


True. My way of understanding that is that AD is the Samba users database. From a
Linux system point of view, AD users are nothing until you deploy something
to use this database as a system users DB. So (in my mind ;) AD is the
Samba DB when joining a member server to AD, and we deploy winbind or something else
in PAM so that AD also becomes part of the system users DB, to avoid the need
to recreate AD users locally. But still, there is a Samba DB and a system DB
(in my way of understanding :p)

Roger Wu

Nov 4, 2015, 6:40:03 AM
2015-11-04 18:41 GMT+08:00 Rowland Penny <rowlandpe...@gmail.com>:

> On 04/11/15 10:28, Roger Wu wrote:
>
>>
>>
>>
>> OK, you seem to be trying to set up a standalone server, you do
>> realise that you will need to create your users on this as well as
>> on the windows machines.
>>
>>
>> yes, but I hope samba can use NIS authentication instead of using its
>> own database.
>> Do I need to use smbpasswd to create user accounts again? It's against
>> what I need...
>>
>
> Well, as I don't know what you want, I can only advise on what I see, and
> I see you trying to setup a standalone server.
>
>
>> You might as well remove these lines, they are the defaults:
>>
>> security = USER
>> passdb backend = tdbsam
>>
>>
>> Don't I need to set the security level?
>>
>
> You don't need them because they are the *default* settings.
>
>
>> You might as well remove this line, it isn't needed on a
>> standalone server:
>>
>> idmap config * : backend = tdb
>>
>> I didn't set these parameters. They are reported by testparm command.
>>
>
> Don't post a smb.conf from testparm without saying so, this is probably
> why you are getting the other two lines above, testparm shows *all* lines
> in smb.conf, the ones you added *and* the default ones.
>
>>
>>
> I think you are going to have to tell us just what you are trying to
> achieve. Also if your windows machines are part of a domain.
>
> Rowland
>
Please pardon my poor English. I tried to describe what I want as
clearly as I can.
My goal is to let our users access their own workstation account and
personal files from windows XP/7.
So, it seems to me that if I can set up a samba server and let users log in
from windows using NIS authentication,
that would be perfect; then I don't need to create smb accounts again.
The only thing a user needs to do is to explore a link such as
\\testcad16\<user_account>, and then they can access their own
workstation account and files.

In that case, what should I do to achieve my goal?
I've tried many samba versions, and each version seems to differ slightly
in how smb.conf is set.
Some parameters work and some don't for one version, but it may be the
opposite for another.
I am rather confused about which parameters I need.

Here is my smb.conf (not from testparm), I removed comments and disabled
lines.
I did remove those lines you suggested,

[global]
workgroup = SMBTEST
server string = Samba Server Version %v
netbios name = testcad16
hosts allow = 127. 172.26.
dns proxy = no

load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes
; valid users = %S
; valid users = MYDOMAIN\%S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

and I tried some test as below

[root@testcad16 samba]# /etc/init.d/sernet-samba-smbd start
Starting SAMBA smbd : [ OK ]
[root@testcad16 samba]# /etc/init.d/sernet-samba-nmbd start
Starting SAMBA nmbd : [ OK ]
[root@testcad16 samba]# service sernet-samba-smbd status
Checking for SAMBA smbd : [ OK ]
[root@testcad16 samba]# service sernet-samba-nmbd status
Checking for SAMBA nmbd : [ OK ]
[root@testcad16 samba]# smbclient -L //testcad16
Enter root's password:
session setup failed: NT_STATUS_LOGON_FAILURE

[root@testcad16 samba]# smbclient -d3 -L //testcad16
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
added interface eth0 ip=172.26.85.211 bcast=172.26.87.255 netmask=255.255.248.0
Client started (version 4.2.5-SerNet-RedHat-19.el6).
Enter root's password:
Connecting to 172.26.85.211 at port 445
Doing spnego session setup (blob length=74)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=not_defined_in_RFC4178@please_ignore
Got challenge flags:
Got NTLMSSP neg_flags=0x608a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE



Regards,
Roger

Rowland Penny

Nov 4, 2015, 6:50:03 AM
On 04/11/15 11:33, Roger Wu wrote:
>
>
> 2015-11-04 18:41 GMT+08:00 Rowland Penny <rowlandpe...@gmail.com>:

OK, what you are trying to do is possible, but before we can help you,
we need just a little more information.
How many users and workstations do you have?
Do you have any Unix Workstations?

You should never apologise for poor English, I do not know what your
language is, but I can guarantee I don't speak it, I only speak English :-)

Rowland

> The only thing a user needs to do is to explore the link such as
> \\testcad16\<user_account>, then one can access his own
> workstation account and files.
>
> In such case, how should I do to achieve my goal?
> I've been tried many samba versions, and each version seems to have
> mild difference while setting smb.conf.
> some parameters work and some don't for one version, but maybe stands
> in opposite for another.
> I am kind of confused which parameters are what I need.
>
>

Roger Wu

Nov 4, 2015, 8:10:03 AM
Thanks for your kindness. We do have Unix/Linux Workstations, I'm not
really sure how many machines we have,
maybe around 30 with different domains.
But I believe only few persons need samba service, it will be less than 20.
Does that matter?

Roger

Rowland Penny

Nov 4, 2015, 8:50:03 AM
On 04/11/15 12:58, Roger Wu wrote:
>
>
> 2015-11-04 19:43 GMT+08:00 Rowland Penny <rowlandpe...@gmail.com>:
>
> On 04/11/15 11:33, Roger Wu wrote:
>
> 2015-11-04 18:41 GMT+08:00 Rowland Penny <rowlandpe...@gmail.com

Doh! now you have raised more questions :-D

First, the more users that you have, the harder it gets to maintain them
in a workgroup, about 8 users is the maximum from my experience. Some of
them will never use more than one machine, but most will move from one
machine to another and so they will have to have login details on *all*
machines they will log into. This is where a domain comes in, you create
the user in one place and the user can then login everywhere.

Now we come to the new questions, will the Unix machines need to be part
of the domain ?
You mention that they are in different domains, do you mean domains or
do you mean workgroups?
Are any machines in a windows domain already?
Finally, if you cannot set up a new domain, do your users need to own
files on your samba server or do they just need to read & store files on
the samba server.

Rowland

Roger Wu

Nov 4, 2015, 9:40:02 AM
I don't really get it. Maybe I misinterpret what you said.
If our samba server works, users only want to access samba service using
their own PC,
that's what they need, they are not allowed to use others' PCs but their
own.

And yes, users can move from one machine to another, that's how a domain
works,
but we don't need to provide samba service between Workstation,
only one way access from PCs to Workstations is needed for users.

I am not worried about users limitation, it's just as I said that not so
many users need this service.
If so, I'll figure it out.

>
> Now we come to the new questions, will the Unix machines need to be part
> of the domain ?
>

What do you mean "to be part of the domain"?
We have unix/linux machines in each NIS domain, they are a part of their
domain.
Could you define your question more precisely?


> You mention that they are in different domains, do you mean domains or do
> you mean workgroups?
>

What I mean is NIS domain. We have three different domains, so I plan to
start up one samba server for each domain separately
As for workgroup, we only have one workgroup for windows, so it won't be an
issue.


> Are any machines in a windows domain already?
>
No.


> Finally, if you cannot set up a new domain, do your users need to own
> files on your samba server or do they just need to read & store files on
> the samba server.
>
> Rowland
>
They just need to read & store files on the samba server.

Regards,
Roger

Rowland Penny

Nov 4, 2015, 10:00:05 AM
On 04/11/15 14:34, Roger Wu wrote:

OK, from what you have posted, you have Unix & windows workstations and
they are in groups. You will probably be better off creating a new AD
domain with a number of sites, you can use the DCs to authenticate all
the users & groups and if push comes to shove, use the DCs as
fileservers. Your users would log into their workstation (either windows
or Unix) and have all their data to hand, the windows users would use
the standard AD capabilities and the Unix users would use the RFC2307
attributes that are built into a Samba AD as standard.

What this will give you is centralisation of user & group maintenance, your
users info will exist in just one place, you only need to add a user
once, you can do it without leaving your chair, unlike a WORKGROUP,
where you will have to visit *every* workstation or server that a user
will connect to. I have been there, done that and my workgroup was
scattered over three counties! It isn't easy.

Rowland

Roger Wu

Nov 4, 2015, 10:50:04 AM
Geez! It's too deep for me to understand.
I did achieve what I want with old samba version only doing some simple
settings,
I tried to reduplicate the result using new samba version but it failed.
I didn't expect it comes to this way you mentioned, it seems more
complicated.

We do have an AD for PC windows workgroup. Why should I need to create a
new AD?
Would you please give me an example or show me how to setup samba as you
said?

I have no experience creating an AD domain and DCs.

Roger

Rowland Penny

Nov 4, 2015, 11:20:02 AM
On 04/11/15 15:38, Roger Wu wrote:
>
>
> 2015-11-04 22:55 GMT+08:00 Rowland Penny <rowlandpe...@gmail.com>:

No, I doubt if you will be unable to understand it, you just haven't had
any experience yet.

>
> We do have an AD for PC windows workgroup. Why should I need to create
> a new AD?

No, again I doubt you are using an AD for a workgroup, domain yes,
workgroup no.

> Would you please give me an example or show me how to setup samba as
> you said?
>

OK, start here:
https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

> I have no experience creating a AD domain and DCs.

Everybody has to start somewhere.


OK, if you do not want to go down this path, then try this smb.conf

[global]
workgroup = WORKGROUP
server string = ****
netbios name = *****
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd
dns proxy = no
map to guest = Bad User
guest ok = yes

This should work without adding any users to the server, anybody that
connects gets mapped to the guest user, but this does mean that your
users cannot own anything on the server and anybody will be able to read
or delete anything!!!

You just need to add whatever shares you require (and alter it to suit
your workgroup etc).

Rowland
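
An added example, not part of any post in this thread: a small Python audit that flags the smb.conf settings discussed above (the plaintext/LANMAN lines Rowland advised removing, and the guest mapping in his fallback configuration). The sample file is constructed from settings quoted in the thread plus a hypothetical [scratch] share; the function names are this example's own.

```python
import re

TRUE = {"yes", "true", "1", "on"}
FALSE = {"no", "false", "0", "off"}

# Constructed sample: [global] lines quoted in the thread, the [homes] share,
# and a hypothetical [scratch] share that overrides the guest default.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TESTSMB
    security = USER
    encrypt passwords = No
    client NTLMv2 auth = No
    client lanman auth = Yes
    client plaintext auth = Yes
    map to guest = Bad User
    guest ok = yes

[homes]
    comment = Home Directories
    read only = No
    ; valid users = %S

[scratch]
    path = /srv/scratch
    guest ok = no
"""

def _key(name):
    # smb.conf ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def _bool(value):
    v = value.strip().lower()
    return True if v in TRUE else False if v in FALSE else None

def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}; '#' and ';' lines are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)  # only the first '=' separates name and value
            sections[current][_key(name)] = value.strip()
    return sections

# (parameter, boolean value that weakens authentication, reason)
GLOBAL_RULES = [
    ("encrypt passwords", False, "encrypted passwords are not negotiated with clients"),
    ("client NTLMv2 auth", False, "Samba client tools will not answer with NTLMv2"),
    ("client lanman auth", True, "Samba client tools may answer with the LANMAN hash"),
    ("client plaintext auth", True, "Samba client tools may send the password in cleartext"),
]

def audit(text):
    """Return a list of (section, parameter, reason) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    for param, weak, reason in GLOBAL_RULES:
        if _bool(glob.get(_key(param), "")) is weak:
            findings.append(("global", param, reason))
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "map to guest",
                         "some failed logins become guest sessions instead of errors"))
    # 'guest ok' (synonym 'public') set in [global] is the default for every share.
    default_guest = _bool(glob.get("guestok", glob.get("public", "no")))
    for name, params in conf.items():
        if name == "global":
            continue
        own = _bool(params.get("guestok", params.get("public", "")))
        effective = default_guest if own is None else own
        if effective:
            findings.append((name, "guest ok", "share accepts guest connections"))
    return findings

if __name__ == "__main__":
    for section, param, reason in audit(SAMPLE_SMB_CONF):
        print(f"[{section}] {param}: {reason}")
```

Feeding it the output of `testparm -s` instead of the raw file also covers values pulled in through includes.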

Roger Wu

Nov 4, 2015, 10:50:03 PM
I am still confused why I can't use NIS for centralization of user
authentication.
I can do it with samba3x; or does samba4x do it in a totally different way?

>
>> Geez! It's too deep for me to understand.
>> I did achieve what I want with old samba version only doing some simple
>> settings,
>> I tried to reduplicate the result using new samba version but it failed.
>> I didn't expect it comes to this way you mentioned, it seems more
>> complicated.
>>
>
> No, I doubt if you will be unable to understand it, you just haven't had
> any experience yet.
>
>
>> We do have an AD for PC windows workgroup. Why should I need to create a
>> new AD?
>>
>
> No, again I doubt you are using an AD for a workgroup, domain yes,
> workgroup no

It's my misunderstanding. You're right, we are using an AD for the windows
domain.
Even so, what do I still need to create another new AD for?

> .
>
> Would you please give me an example or show me how to setup samba as you
>> said?
>>
>>
> OK, start here:
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
I'm trying to study the link you suggested above, but I can't find samba-tool
in my installed packages.
Where can I find samba-tool?
[root@testcad16 ~]# rpm -qa | grep samba
sernet-samba-4.2.5-19.el6.x86_64
sernet-samba-libs-4.2.5-19.el6.x86_64
sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
sernet-samba-client-4.2.5-19.el6.x86_64
sernet-samba-common-4.2.5-19.el6.x86_64



> I have no experience creating a AD domain and DCs.
>>
>
> Everybody has to start somewhere.
>
>
> OK, if you do not want to go down this path, then try this smb.conf
>
> [global]
> workgroup = WORKGROUP
> server string = ****
> netbios name = *****
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
> dns proxy = no
> map to guest = Bad User
> guest ok = yes
>
> This should work without adding any users to the server, anybody that
> connects gets mapped to the guest user, but this does mean that your users
> cannot own anything on the server and anybody will be able to read or
> delete anything!!!
>
I've tried the above smb.conf, and ya, it worked, but it's definitely not
what I want.
I'll jump to the other option you suggested, but it will take me time to
learn it.

Roger

Rowland Penny

Nov 5, 2015, 4:00:03 AM
> I'm trying to study the link you suggested above, but I can't find
> samba-tool in my installed packages.
> Where can I find samba-tool?
> [root@testcad16 ~]# rpm -qa | grep samba
> sernet-samba-4.2.5-19.el6.x86_64
> sernet-samba-libs-4.2.5-19.el6.x86_64
> sernet-samba-libsmbclient0-4.2.5-19.el6.x86_64
> sernet-samba-client-4.2.5-19.el6.x86_64
> sernet-samba-common-4.2.5-19.el6.x86_64

If you install the sernet packages, you should just be able to run
'samba-tool --help'

>
> I have no experience creating a AD domain and DCs.
>
>
> Everybody has to start somewhere.
>
>
> OK, if you do not want to go down this path, then try this smb.conf
>
> [global]
> workgroup = WORKGROUP
> server string = ****
> netbios name = *****
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> printing = bsd
> dns proxy = no
> map to guest = Bad User
> guest ok = yes
>
> This should work without adding any users to the server, anybody
> that connects gets mapped to the guest user, but this does mean
> that your users cannot own anything on the server and anybody will
> be able to read or delete anything!!!
>
> I've tried the above smb.conf, and ya, it worked, but it's definitely
> not what I want.
> I'll jump to the other option you suggested, but it will take me time
> to learn it.
>

You have a few options here, you could create all your users on the
samba machine, then recreate them again as samba users, this of course
means knowing all your users passwords and changing them on the samba
machine when they change them on the workstations. This way the files
will be owned by whoever creates them.

You could setup a new NT4-style domain, but as these are on the way out,
I wouldn't bother.

Probably the best way to go is to setup a new AD domain, you may think
this is hard, but once you get into it, it is fairly logical. There is a
lot of info out there on the internet, but I would start with the Samba
wiki:

https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

Create your first domain in a test environment (this way it won't matter
if you make a big error) and once you are sure it works as you want, you
can move it to production.

Any problems or questions, just ask.

mathias dufresne

Nov 5, 2015, 5:30:03 AM
As you said you have an AD domain already set up, this AD domain already
contains your users and certainly some groups to manage them. You can re-use
this AD of course, that's been the whole point of AD for 15 years: to be
re-used.

You seem to want a file server; add this server as a member of your
already existing domain. Doing that, this server will become part of your
domain, it will be able to retrieve users from your already existing AD to
use them as local users, and to authenticate these users (coming from your AD
domain) when they access the file server. In other
words, AD users will be able to access your file server. After some
configuration of course, but without recreating users, as they exist in
your already existing domain.

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
This page gives links, read them.

Roger Wu

Nov 5, 2015, 6:10:04 AM
No. It's weird that I can't find where it is.
That said samba-tools should be at /usr/local/samba/bin, but I can't find
anything

[root@testcad16 samba]# ls /usr/bin/samb*
/usr/bin/samba-regedit
[root@testcad16 samba]# ls /usr/sbin/samb*
ls: cannot access /usr/sbin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/bin/samb*
ls: cannot access /usr/local/bin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/sbin/samb*
ls: cannot access /usr/local/sbin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/samba/bin/samb*
ls: cannot access /usr/local/samba/bin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/samba/sbin/samb*
ls: cannot access /usr/local/samba/sbin/samb*: No such file or directory
[root@testcad16 samba]# ls /usr/local/sam*
ls: cannot access /usr/local/sam*: No such file or directory
I've tried this option on old samba version.
I know this can work, but users have to reset their passwords, and I have
to maintain one more account system
which is not the best option for me apparently. I considered it as second
option.

Anyway, considering not so many users need this service, if setting up a new
AD doesn't go well,
I may go this way.

>
> You could setup a new NT4-style domain, but as these are on the way out, I
> wouldn't bother.
>
> Probably the best way to go is to setup a new AD domain, you may think
> this is hard, but once you get into it, it is fairly logical. There is a
> lot of info out there on the internet, but I would start with the Samba
> wiki:
>
>
> https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
>
> Create your first domain in a test environment (this way it won't matter
> if you make a big error) and once you are sure it works as you want, you
> can move it to production.
>
> Any problems or questions, just ask.


Thanks for your suggestion, I'll try that.