By default, XP does cache domain logins and passwords. So I can see
that if you have disabled that, then it would be effectively impossible
for a domain user to use the machine offline- which should really only
be an issue for laptop users.
I don't use roaming profiles- they caused more problems then they
solved in our environment.
I didn't go for the "map user = bad password" option since it means that
a valid user who messes up the password might not realize it right way
and think he or she was connected to a share with full permissions. I
would rather make sure he or she gets the fully authorized connection.
On 06/09/2011 02:23 PM, upen wrote:
Well, what more should I say Gaiseric, you are genius. You fixed my issue!
Thanks for the hint about 'map to guest= bad user'. Upon adding 'map
to guest' to global section and 'guest account = nobody' to [printer],
I restarted samba and there you go printing now works for local users
on XP
One thing to note I used 'bad password' as suggested here at
http://wiki.samba.org/index.php/Frequently_Asked_Questions (Guest
access section). Things may work with bad user as well.
How easy it is to configure to have only 1 or 2 domain users to store
data locally? Some times steady state software plays big role as we
don't allow caching of passwords/hash as well as don't allow locked
and roaming profiles not found on computer from logging in, Do not
cache copies of locked /roaming profile users previously logged on to
this computer, and also do not store username/passwords used for
domain.
We also wanted users not be able to write to c:\ except Document and
settings and locked local user profiles which is currently nicely
taken care by steady state..
All in all we were able to achieve balance between steady state
configuration and things that users able to do..
Thanks,
~A
On Thu, Jun 9, 2011 at 10:33 AM, Gaiseric Vandal
<[email protected]> wrote:
I think
guest account = nobody
is enabled by default. But I found when I went from 3.0.x to 3.4.x that
samba would complain if the unix nobody user didn't already exist. I
created a separate "smb_nobody" account so that I could set permissions for
the "Windows" guest account if needed without accidentally granting rights
for anonymous or general unix or nfs users.
FYI
You could still use domain accounts and have people store data locally (i.e.
don't use roaming profiles.) I found- in my experience- that once you
have more than 5 XP machines that not having centralized accounts got to be
a PITA- at least if they were sharing data. I guess it is also in my
nature to like to keep network control as structured as possible.
On 06/09/2011 10:55 AM, upen wrote:
Hi,
Thanks for helping me out.
Why are users using non-domain accounts?
Answer : We provided 2 options 2 end users. One they can have domain
accounts if they want to use store data for long term and want to
access it remotely. Second, they can use local account where the data
gets deleted after each logoff(locked account using steady state).
Some users wish to use that local account and don't have domain
account. They see printer ready but it doesn't print for them.
Just want to provide extra information about guest account,
testparm -s -v | grep "guest account"
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Global parameter logon script found in service section!
Processing section "[Profiles]"
Processing section "[printers]"
Global parameter guest account found in service section!
Global parameter null passwords found in service section!
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
guest account = nobody
Does this mean it is already mapped to nobody, if it is then do I
still need to create a new account and replace nobody with that?
If you can help me a little more I think I will have it working :)
Thanks,
~A
On Thu, Jun 9, 2011 at 9:45 AM, Gaiseric Vandal
<[email protected]> wrote:
I am not sure about printers but I ran into a similar issue with a guest
share. I had security=user, and set up a guest share. But users in
different domain could not connect, and the samba logs showed that the
user
was unknown. (in this case domain trusts were not being user.)
Finally last week found the solution which was to set
map to guest= bad user
i.e. if the user is valid but the password is bad, the user can't
connect.
But if the user is just unknown then treat them as a guest. You may
also
need to explicitly create unix "guest" user account that is specified in
smb.conf (at least with samba 3.4. and higher.)
e.g.
guest account = smb_nobody
Why are users using non-domain accounts?
On 06/09/2011 10:31 AM, upen wrote:
Alright, let's not assume.
Load smb config files from /etc/samba/smb.conf
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[netlogon]"
Global parameter logon script found in service section!
Processing section "[Profiles]"
Processing section "[printers]"
Global parameter guest account found in service section!
Global parameter null passwords found in service section!
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
security = USER
paranoid server security = Yes
security mask = 0777
force security mode = 00
directory security mask = 0777
force directory security mode = 00
I did those printer settings already but due to security=user it won't
let the localuser on XP machine to print. Is there anyway to let
everyone print with security=user enabled.
On Thu, Jun 9, 2011 at 9:22 AM, Gaiseric Vandal
<[email protected]> wrote:
You know what they say about ASS-U-ME ....
"testparm -v" will show you the current settings (whether explicitly
set
or
default)
man smb.conf (3.5.) shows a possible samba printer share as :
[aprinter]
path = /usr/spool/public
read only = yes
printable = yes
guest ok = yes
On 06/09/2011 10:05 AM, upen wrote:
Hello,
I have configured samba as a PDC for Windows XP machines. It is
running as domain. I haven't configured security = paramter but I
assume it defaults to value 'user' . In this case if I have to share
ALL printers on this system for anonymous printing, can I use security
= share inside [printer] section and guest = ok then will it allow
printing from local accounts on windows XP machines which are in
domain? I don't want to set security=share in Global section.
I believe there must be a way to get this to work. Any advise is
appreciated.
Thanks,
~A
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
