Re: [Samba] Logins require local admin membership on Windows XP

2005-07-24 Thread Lee Ball

If anyone is interested I finally got to the bottom of this.

The problem? ntuser.dat. Why? The domain SID was different to the one 
listed in the ntuser.dat files.


Solved using the profiles command and a -c (change) and -n (new) switch.

For example, the ntuser.dat files inside each person's profile contained 
a reference to a domain SID, but not the correct one; must be the 
old one, I thought.


Running the command profiles -c {old domain ID} -n {new domain ID} 
ntuser.dat changes the ntuser.dat file to what it should be. However, if 
you just do this on the roaming profile and leave one locally on the 
client's machine, then when you log in it will just use the local one 
rather than the roaming one.


I know I could change the domain SID that is currently set to the old 
one (how it should have been done after the upgrade) but a) I don't 
quite know how and b) I'm sure it will break the new ntuser.dat files 
that have been created (new users) and will break some other things as I 
noticed that some people had the correct references in their .dat files.


Although this appears to work, there is one Windows XP machine and user 
account which has given me a headache. Even though I removed all traces 
of the user's profiles and account from the machine and updated the 
ntuser.dat file on the server, it still changed back once the user had 
logged in. Weird.


Only NT-based OSes use the SIDs in this, which is why the Windows 98 
clients didn't have a problem, as they are dumb when it comes to 
security. I guess adding local administrator rights allows any user on a 
domain to alter the HKey Local User registry settings.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
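
An added example, not part of the original thread or of Samba: the registry hive keeps SIDs in binary form inside its security descriptors, so a stale domain SID in ntuser.dat can be spotted by scanning the raw bytes for S-1-5-21-... account SIDs and grouping them by domain part. The function names and the sample SIDs and bytes are constructed for illustration; the scan matches byte patterns and does not parse the hive structure.

```python
import re
import struct
from collections import Counter

# Binary header shared by every S-1-5-21-... SID with 5 sub-authorities:
# revision 1, count 5, authority 5 (6 bytes, big-endian), first sub-authority 21.
HDR = b"\x01\x05\x00\x00\x00\x00\x00\x05\x15\x00\x00\x00"
# After the header: three domain sub-authorities plus the RID, 4 bytes each.
PATTERN = re.compile(re.escape(HDR) + b"(.{16})", re.DOTALL)


def pack_sid(sid: str) -> bytes:
    """Encode a textual SID (S-1-5-21-...) in its binary form."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError(f"not a SID: {sid!r}")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def domain_sids_in_blob(blob: bytes) -> Counter:
    """Count account SIDs found in blob, grouped by their domain SID."""
    found = Counter()
    for m in PATTERN.finditer(blob):
        d1, d2, d3, _rid = struct.unpack("<4I", m.group(1))
        found[f"S-1-5-21-{d1}-{d2}-{d3}"] += 1
    return found


def stale_domains(blob: bytes, current_domain_sid: str) -> dict:
    """Return domain SIDs present in blob that differ from the current one."""
    return {sid: n for sid, n in domain_sids_in_blob(blob).items()
            if sid != current_domain_sid}


# Constructed sample: not a real hive, just padding around three binary SIDs.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed value
NEW = "S-1-5-21-4000000001-500000002-600000003"    # constructed value
SAMPLE = (b"regf" + b"\x00" * 32 + pack_sid(OLD + "-1001") + b"\xff" * 8
          + pack_sid(OLD + "-513") + b"\x00" * 4 + pack_sid(NEW + "-1001"))

if __name__ == "__main__":
    for sid, n in stale_domains(SAMPLE, NEW).items():
        print(f"stale domain SID {sid}: {n} reference(s)")
```

Run against both the roaming copy on the server and the locally cached copy on the client, comparing with the domain SID the server currently reports (for example from `net getlocalsid` on the PDC), before and after using `profiles`.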


Re: [Samba] Logins require local admin membership on Windows XP

2005-07-07 Thread Lee Ball

I am still working through this problem and I think (take that lightly) 
that I am nearing a solution. I believe that the problem is related to 
the tdb files. I am currently going through these files using tdbdump. 
My question is, what is the process that creates these files?
I have seen articles (posts, mailing lists etc) that state that the 
/var/cache can be emptied as it gets recreated.
So if this dir gets recreated then there is something else that I need 
to modify otherwise my changes to the tdb files won't be permanent.


Thanks

Eric Hines wrote:

http://us1.samba.org/samba/docs/Samba3-HOWTO.pdf , newly updated.  
You'll likely want Chapt 34, in particular.


Eric Hines

Lee Ball wrote:

Is there a process that you should do when migrating from Samba 2 to 
Samba 3?


I have spoken to my colleague who did the migration and the way it 
was done was to copy the files that contain the user accounts over.


The symptom we seem to have is that a workstation won't allow access 
to certain files unless it recognises that you are either a member of 
the domain admins group or a member of the administrators group on 
the local machine. This is what causes the programs to not function. 
It appears to be only programs that require specific access to things 
stored on the local machine. I think one of these examples is the 
ODBC files used to communicate with access databases. Trackit for 
example.



I've googled for migration information but turned up with nothing 
specific at the moment. I'm going to re-read the Samba 3 docs now 
though in case there is something in there.





--
Lee Ball
08707 45 87 14
effective  it.



[Samba] Logins require local admin membership on Windows XP

2005-07-05 Thread Lee Ball

Hello,

This is my first post to this list so if I break any rules be gentle :)

I will try to put in as much detail into this as I can, here I go:

We have a domain at work with Samba (samba-3.0.10-1.fc2) as the PDC. The 
Linux box is running FC2 as the rpm suggests running on a 2.6.5-1.358smp 
kernel.


The problem that we exhibit is that you need to have your domain account 
made a member of the administrators group on the workstation for things 
to work correctly; if you're not, various things break:


- Desktop wallpaper displays when logging in, then is replaced with a blue 
  background default desktop
- Outlook won't run and reports "Outlook cannot start" when trying to run 
  it (although Thunderbird works)
- Track-it won't run; it just simply hangs and then ends with "Not responding"

This behaviour only happened once we moved our domain from being on 
Samba (samba-2.2.7-5.8.0) running on Red Hat Linux release 8.0 (Psyche) 
on a 2.4.20 kernel.
We imported the old smbpasswd file onto the new server (I didn't do this 
but could find out the process taken if required).


This behaviour has happened on a customer's site too, which is the same 
story except that their installation is samba-3.0.10-1.4E running on 
CentOS release 4.0 (Final) on a 2.6.11.12 kernel.


I've tried lots of things recently and I'm starting to get a little bit 
lost and would like some ideas from you learned lot.


If you require anything like samba configs and the like just request and 
I shall post a non-user specific list to retain anonymity.


One of the entries in my samba logs for logging into the machine I've 
been working on whilst the user is a non admin:

[2005/07/05 13:30:45, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(786)
 api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.

Cheers

--
Lee Ball
08707 45 87 14
effective  it.



Re: [Samba] Logins require local admin membership on Windows XP

2005-07-05 Thread Thomas M. Skeren III

Lee Ball wrote:


Hello,

This is my first post to this list so if I break any rules be gentle :)

I will try to put in as much detail into this as I can, here I go:

We have a domain at work with Samba (samba-3.0.10-1.fc2) as the PDC. 
The Linux box is running FC2 as the rpm suggests running on a 
2.6.5-1.358smp kernel.


The problem that we exhibit is that you need to have your domain 
account made a member of the administrators group on the workstation 
for things to work correctly; if you're not, various things break:


- Desktop wallpaper displays when logging in, then is replaced with a 
  blue background default desktop
- Outlook won't run and reports "Outlook cannot start" when trying to 
  run it (although Thunderbird works)
- Track-it won't run; it just simply hangs and then ends with "Not 
  responding"


I've only experienced this during some kind of upgrade.  It's typically 
the result of trying to load a profile that has a different SID.  Always 
the best way to do these things (if running XP Pro) is to use the files 
and settings transfer wizard on client machines, do upgrade and reimport 
the profile into the user account.  Of course on large networks this is 
not a good option. 

For larger situations, or if running nt4/w2k, you need to keep your SID, 
and your user SIDs.




This behaviour only happened once we moved our domain from being on 
Samba (samba-2.2.7-5.8.0) running on Red Hat Linux release 8.0 
(Psyche) on a 2.4.20 kernel.
We imported the old smbpasswd file onto the new server (I didn't do 
this but could find out the process taken if required).


This behaviour has happened on a customer's site too, which is the same 
story except that their installation is samba-3.0.10-1.4E running on 
CentOS release 4.0 (Final) on a 2.6.11.12 kernel.


I've tried lots of things recently and I'm starting to get a little 
bit lost and would like some ideas from you learned lot.


If you require anything like samba configs and the like just request 
and I shall post a non-user specific list to retain anonymity.


One of the entries in my samba logs for logging into the machine I've 
been working on whilst the user is a non admin:

[2005/07/05 13:30:45, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(786)
 api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.

Cheers






Re: [Samba] Logins require local admin membership on Windows XP

2005-07-05 Thread Lee Ball



Hello,

This is my first post to this list so if I break any rules be gentle :)

I will try to put in as much detail into this as I can, here I go:

We have a domain at work with Samba (samba-3.0.10-1.fc2) as the PDC. 
The Linux box is running FC2 as the rpm suggests running on a 
2.6.5-1.358smp kernel.


The problem that we exhibit is that you need to have your domain 
account made a member of the administrators group on the workstation 
for things to work correctly; if you're not, various things break:


- Desktop wallpaper displays when logging in, then is replaced with a 
  blue background default desktop
- Outlook won't run and reports "Outlook cannot start" when trying to 
  run it (although Thunderbird works)
- Track-it won't run; it just simply hangs and then ends with "Not 
  responding"



I've only experienced this during some kind of upgrade.  It's 
typically the result of trying to load a profile that has a different 
SID.  Always the best way to do these things (if running XP Pro) is to 
use the files and settings transfer wizard on client machines, do 
upgrade and reimport the profile into the user account.  Of course on 
large networks this is not a good option.
For larger situations, or if running nt4/w2k, you need to keep your 
SID, and your user SIDs.



How does making the user a local administrator cure this though?

Also, I thought this could have been something like that so what I did 
was remove all of the domain profiles from the workstation (by right 
clicking My Computer and going through Profiles and deleting them) and 
then I removed the machine from the domain and rejoined it again. This 
didn't solve anything though (as you will gather from me emailing the list).


It's almost as if a domain account doesn't have any rights on the 
machine. For example, the My Documents mapping doesn't get done (it 
should remap to H:\ although this isn't in the netlogon script), and I 
can't access the clock on the machine either; it complains saying "You 
do not have the proper privilege level to change the System Time".



Thanks for the swift reply,

--
Lee Ball
08707 45 87 14
effective  it.
