Hi,
I found out where the problem was:
The Domain Admin user "domadmin" must have the root policies in /etc/passwd, like this:
domadmin:x:0:0:
The user domadmin gets the same rights as root has, then it works properly. Then I am able to join a Windows 2000 workstation with the user "domadmin".
In my opinion this is not good, because it is a security hole, but it works.
Heinz Allerberger
System Administrator
Zentrum Neurologie
Universitätsklinikum Frankfurt am Main
Tel: 069/6301-4274
Fax: 069/6301-6842
Pager 18-0455

Heinz Allerberger wrote:
Dear Samba Friends,
I have a problem joining Windows 2000 clients to a Samba PDC.
When I join the Samba PDC with a WinNT 4.0 client there is no problem. First I create a machine account for the machine:
1. in /etc/group exists the group: machines:x:515:
2. useradd -g machines -d /dev/null -c nickname -s /bin/false neuch205$
3. pdbedit -a -m -u neuch205
In this way, it isn't a problem to join the PDC with WinNT 4.0 clients; I only log in as Administrator on the Windows machine and enter the domain name, then the client answers, without asking for a password, that I should reboot, and the client has joined successfully.
When I try to do the same, I am asked for a password. OK, for that I created the user "domadmin" on the Samba server as a member of the "Domain Administrators", but this user is not accepted by the W2K client. I cannot understand why not. Normally it should work.
Please have a look at my documentation about this:
------------------------------------------------------------------------
# Samba config file
# [EMAIL PROTECTED]
# Date: 2004/09/03

# Global parameters
[global]
   unix charset = ISO8859-1
   workgroup = NEUROCH
   server string = %h server (Samba %v)
   preferred master = Yes
   domain master = Yes
   local master = yes
   os level = 33 # corresponds to NT Server
   dns proxy = No
   ldap ssl = no

   security = user
   encrypt passwords = yes
   update encrypted = Yes
   obey pam restrictions = Yes
   passdb backend = tdbsam, guest
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
   invalid users = root
   domain logons = Yes
   logon path = \\%N\profiles\%U
   logon drive = H:
   logon home = \\neuch240\%U\.winprofile
   logon script = logon.cmd

   add machine script = /usr/sbin/useradd -g machines -d /dev/null -s /bin/false -M %u
   add user script = /usr/sbin/useradd "%u"
   delete user script = /usr/sbin/userdel "%u"
   add group script = /usr/local/bin/smbgrpadd.sh "%g"
   delete group script = /usr/sbin/groupdel "%g"
   add user to group script = /usr/bin/gpasswd -a "%u" "%g"
   delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
   set primary group script = /usr/sbin/usermod -g "%g" "%u"

   syslog = 0
   log file = /var/log/samba/log.%m
   max log size = 1000

   panic action = /usr/share/samba/panic-action %d

[netlogon]
   path = /var/lib/samba/netlogon
   read only = yes
   browseable = no

[profiles]
   path = /var/lib/samba/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = No

[homes]
   comment = Home Directories
   read only = No
   create mask = 0755
   browseable = No

[shared]
   comment = shared Directory
   path = /home/shared
   read only = No
   create mask = 0777
   browseable = no

[printers]
   comment = All Printers
   path = /tmp
   create mask = 0700
   printable = Yes
   browseable = No

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
------------------------------------------------------------------------
Unix username:        neuch205$
NT username:
Account Flags:        [W ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-4006
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-515
Full Name:            neuch205$
Home Directory:       \\neuch240\neuch205_\.winprofile
HomeDir Drive:        H:
Logon Script:         logon.cmd
Profile Path:         \\neuch240\profiles\neuch205_
Domain:               NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 21:45:51 GMT
Password last set:    Wed, 08 Sep 2004 10:26:17 GMT
Password can change:  Wed, 08 Sep 2004 10:26:17 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
------------------------------------------------------------------------
Unix username:        domadmin
NT username:
Account Flags:        [U ]
User SID:             S-1-5-21-1656000120-2433418590-619812953-2000
Primary Group SID:    S-1-5-21-1656000120-2433418590-619812953-512
Full Name:
Home Directory:       \\neuch240\domadmin\.winprofile
HomeDir Drive:        H:
Logon Script:         logon.cmd
Profile Path:         \\neuch240\profiles\domadmin
Domain:               NEUROCH
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Fri, 13 Dec 1901 21:45:51 GMT
Kickoff time:         Fri, 13 Dec 1901 21:45:51 GMT
Password last set:    Fri, 03 Sep 2004 11:18:37 GMT
Password can change:  Fri, 03 Sep 2004 11:18:37 GMT
Password must change: Fri, 13 Dec 1901 21:45:51 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
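
The workaround in this thread leaves a second UID 0 account in /etc/passwd. A check for that, and for machine accounts that lack the /bin/false shell and /dev/null home used in step 2, follows as an added example that is not part of the original post; the sample passwd lines, the neuch206$ account and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The passwd lines below are constructed for illustration
# (account names taken from the thread; UIDs and neuch206$ are invented).
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
domadmin:x:0:0::/home/domadmin:/bin/bash
heinz:x:1001:100::/home/heinz:/bin/bash
neuch205$:x:1505:515:nickname:/dev/null:/bin/false
neuch206$:x:1506:515:nickname:/home/neuch206:/bin/bash
EOF
}

# Names of all accounts other than "root" that carry UID 0.
uid0_aliases() {
    awk -F: '!/^#/ && NF >= 7 && $3 == 0 && $1 != "root" { print $1 }'
}

# Machine accounts (name ends in "$") that could log in to the host:
# shell is not /bin/false or */nologin, or home is not /dev/null.
risky_machine_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $1 ~ /\$$/ {
        shell_ok = ($7 == "/bin/false" || $7 ~ /\/nologin$/)
        if (!shell_ok || $6 != "/dev/null") print $1
    }'
}

# Read passwd-format text on stdin, print one finding per line,
# and return 1 if anything was found.
audit_passwd() {
    data=$(cat)
    rc=0
    for name in $(printf '%s\n' "$data" | uid0_aliases); do
        echo "UID0-ALIAS $name"; rc=1
    done
    for name in $(printf '%s\n' "$data" | risky_machine_accounts); do
        echo "MACHINE-LOGIN $name"; rc=1
    done
    return $rc
}

# Demo on the constructed sample; on a real host: audit_passwd < /etc/passwd
sample_passwd | audit_passwd || true
```

The non-zero exit status on any finding lets the check run from cron or a configuration-management job and fail loudly.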
