Jonathan,
You are a genius!
That fixed it. Using root = Administrator never seemed to make much sense to me when I was setting up my Samba domain, and now I know why. I simply didn't set it up correctly. I set the root password and made root user ID 0, but when I mapped root = Administrator, I didn't make the connection that the Administrator account on the local Windows machine should have the Samba/LDAP root password also. I commented out the line root = Administrator from the smbusers file and all works excellently now. The reason I never noticed it before was that I didn't have a bad password limit set. About a week or so ago I set the bad password attempt limit to 8; that's when I started having this problem. When I would browse the Samba domain shares under the Administrator account in Windows, it was passing the local account credentials for Administrator to the server, and the server was complaining because, really, root = Administrator and Administrator = root, but the passwords didn't match.
Thanks again for the quick reply.

*Jason Baker*
/IT Coordinator/


*Glastender Inc.*
5400 North Michigan Road
Saginaw, Michigan 48604 USA
800.748.0423
Phone: 989.752.4275 ext. 228
Fax: 989.752.4444
www.glastender.com <http://www.glastender.com>

-----BEGIN GEEK CODE BLOCK----- Version: 3.1
GIT$ d- s: a C++$ LU+++$ P+ L++>L++++ !E--- W+++ N o? K?
w !O M !V PS PE++ Y? PGP- t 5? X+ R+ tv+ b- DI-- D++ G e+ h--- r+++ y+++
------END GEEK CODE BLOCK------



Jonathan Johnson wrote:
This sounds like you have 'root = Administrator' in your /etc/samba/smbusers file. Is the password you are using for Administrator *different* from what is set for root in Samba ("smbpasswd root" to change)? That could be the issue. Note that typically, Linux and Samba use different password databases, so even though they map the same user name, the passwords may be different.

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com
------------------------------------------------------------------------
*From:* Jason Baker [mailto:[EMAIL PROTECTED]
*Sent:* Wed 8/8/2007 1:51 PM
*To:* Jonathan Johnson
*Cc:* [email protected]
*Subject:* Re: [Samba] SERIOUS PROBLEM - Root Account Locked

Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?
No actually, this is what seems to be happening:
I log into a Windows XP Pro workstation as Administrator and browse the network. I double-click on a network share, in this case a Samba computer called HENBANE. If I view pdbedit -Lv -u root from another computer while I'm doing this, I can watch the bad login count rise from 0 to 8. I then get a message that pops up on the Windows workstation that says something to the effect of "account locked". I added guest account = nobody to my smb.conf file and now I can browse the HENBANE share after being prompted for a username and password, but the bad password count for root now shows 2, and it rises higher each time I access a share that requires a username and password.


Jonathan Johnson wrote:
Do you have a process (like a service or scheduled task) running on a client machine as user 'root' with an incorrect cached password?

Jon Johnson
Sutinen Consulting, Inc.
www.sutinen.com

Jason Baker wrote:
My root account keeps getting locked out automatically. I am running Samba 3.0.25b on a CentOS server, as PDC with LDAP backend. I have accounts set to lock after 8 unsuccessful login attempts. I zeroed out the bad password count, and then in less than a few seconds the account gets locked again and a pdbedit -Lv -u root yields the following:
Unix username:        root
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 01 Jan 1969 03:00:00 EST
Password can change:  Wed, 08 Jan 1969 03:00:00 EST
Password must change: never
Last bad password   : Wed, 08 Aug 2007 13:51:14 EDT
Bad password count  : 8

If I enter w on the command line, it only shows that two (authorized) users are logged into the server. So I'm confident that no one from the outside is attempting to log in as root. Below is my conf file. If I go into LDAP Account Manager and unlock the account, it will stay unlocked for a few minutes (or seconds), then it is locked out again. With the account lock I cannot join machines to the domain, nor change domain permissions for users and groups. Any suggestions would be helpful.

[global]
       unix charset = LOCALE
       workgroup = glastendernet
       netbios name = aster
       server string = Glastender Domain Controller running %v
       interfaces = eth1, lo, tun+
       bind interfaces only = yes
       os level = 255
       preferred master = yes
       local master = yes
       domain master = yes
       security = user
       time server = yes
       username map = /etc/samba/smbusers
       wins support = yes
       encrypt passwords = yes
       pam password change = yes
       name resolve order = wins bcast hosts
       winbind nested groups = no
       passdb backend = ldapsam:ldap://aster.glastender.com
       ldap passwd sync = Yes
       ldap suffix = dc=glastender,dc=com
       ldap admin dn = cn=Manager,dc=glastender,dc=com
       ldap ssl = no
       ldap group suffix = ou=Groups
       ldap user suffix = ou=People
       ldap machine suffix = ou=People
       ldap idmap suffix = ou=Idmap
       idmap backend = ldap:ldap://aster.glastender.com
       idmap uid = 10000-20000
       idmap gid = 10000-20000
       map acl inherit = yes
       add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
       #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
       add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
       add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
       #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
       add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
       delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
       set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
       domain logons = yes
       log file = /var/log/samba/log.%m
       log level = 0
       syslog = 0
       max log size = 50
       #smb ports = 139 445
       smb ports = 139
       hosts allow = 127.0.0.1 172.16.0.0/255.255.0.0 192.168.100.0/255.255.255.0
       # User profiles and home directories
       logon drive = U:
       logon path = \\%L\profiles\%U
       logon script = %U.bat
       large readwrite = no
       read raw = no
       write raw = no
       printcap name = /etc/printcap
       load printers = no
       printing =
      template shell = /bin/false
      winbind use default domain = yes
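
Added example, not part of the original thread or of Samba itself: a shell audit for the condition diagnosed above, listing which client names a username map folds onto root and reading the lockout counter from pdbedit -Lv output. The function names are hypothetical and the sample map and pdbedit text are constructed; the map syntax handled is the one documented in smb.conf(5).

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed.

# privileged_mappings FILE [UNIX_USER]: print "client -> unix" for every
# client name the username map folds onto UNIX_USER (default: root).
# Map syntax per smb.conf(5): "unixname = name1 name2 ...", lines starting
# with '#' or ';' are comments, a leading '!' stops further map processing.
privileged_mappings() {
    awk -v target="${2:-root}" '
        /^[ \t]*[#;]/ || !/=/ { next }
        {
            line = $0
            sub(/^[ \t]*!?[ \t]*/, "", line)      # drop indent and "!"
            eq = index(line, "=")
            unix = substr(line, 1, eq - 1)
            names = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", unix)
            if (unix != target) next
            # client names containing spaces are double-quoted
            while (match(names, /"[^"]*"|[^ \t"]+/)) {
                n = substr(names, RSTART, RLENGTH)
                gsub(/"/, "", n)
                print n " -> " unix
                names = substr(names, RSTART + RLENGTH)
            }
        }' "$1"
}

# bad_password_count: read `pdbedit -Lv -u USER` output on stdin and print
# the "Bad password count" value.
bad_password_count() {
    awk -F: '/^Bad password count/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# attempts_left LIMIT: failed logons remaining before lockout (stdin as above).
attempts_left() {
    echo $(( $1 - $(bad_password_count) ))
}

# Constructed sample input, modelled on the files discussed in the thread.
map=$(mktemp)
printf '%s\n' '# /etc/samba/smbusers (sample)' 'root = Administrator admin' \
    'nobody = guest pcguest' > "$map"
privileged_mappings "$map"
printf 'Unix username:        root\nBad password count  : 8\n' | attempts_left 8
rm -f "$map"
```

Any name the first function reports is authenticated against the Samba password of root, so every Windows session that presents that name with a different password counts toward the lockout limit on root.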

