Re: [Samba] Problems connecting win7 client to new Samba PDC
The Domain Users group should have automatically been added to the local users group when you joined the domain. When I upgraded from Samba 3.0.x to 3.5.x I had an error in the group mappings on one of the DCs that caused problems for a while. I also had to explicitly add a mapping for the nobody user and group.

I think I may have explicitly granted the domain administrator the privilege to add machines to the domain

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#rp-privs

But I think I only had to do that because the administrator was not recognized as being a domain admin (or local admin) because the group mapping was broken.

If you add a network user to the local admin group, and login works, then there is definitely a local security issue. My guess is that the OS creates the new user local profile directory but then has problems assigning file permissions/ownership for the network user.

On XP, if you right click My Computer and look at profiles, you could see if the profile for a user was local, roaming or temporary. Win 7 should have the same option.

On 08/09/12 18:03, Brandon wrote:
>> Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?
>
> An update to this: I was able to add domain users after a reboot. So I've added MYWORKGROUP\myadmin to my Users group on the local machine. I was also able to search my domain for users, and came up with a list of my users, a nobody user, and a Domain Admins group. I've added MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to the User group on the local machine. I am still getting the same errors when logging on though.
>
> It seems to me like it's trying to pull a roaming profile when I have roaming profiles disabled (or I thought I did), and/or Windows doesn't actually know the NetBIOS name, based on the series of these events:
>
> Windows cannot copy file \\?\C:\Users\Default\Documents to location \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by network problems or insufficient security rights.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problems connecting win7 client to new Samba PDC
Here's some more information on my problem:

smb.conf:

--- begin smb.conf ---
[global]
    workgroup = MYWORKGROUP
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
    logon script = logon.cmd
    logon path =
    logon home =
    domain logons = Yes
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    create mask = 0700
    directory mask = 0700
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /srv/samba/netlogon
    guest ok = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    print ok = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
--- end smb.conf ---

Here's the pdbedit -Lv spitout for my user:

--- begin output---
Unix username:        myadmin
NT username:
Account Flags:        [U ]
User SID:             S-1-5-21-2762049607-2166809996-183419993-1000
Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
Full Name:
Home Directory:
HomeDir Drive:
Logon Script:         logon.cmd
Profile Path:
Domain:               MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
--- end output ---
Re: [Samba] Problems connecting win7 client to new Samba PDC
Did you make the appropriate registry changes on Win 7 as per

http://wiki.samba.org/index.php/Windows7

On 08/09/12 09:28, Brandon wrote:
> Here's some more information on my problem:
>
> smb.conf:
>
> --- begin smb.conf ---
> [global]
>     workgroup = MYWORKGROUP
>     server string = %h server (Samba, Ubuntu)
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
>     logon script = logon.cmd
>     logon path =
>     logon home =
>     domain logons = Yes
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     idmap config * : backend = tdb
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>     browseable = No
>
> [netlogon]
>     comment = Network Logon Service
>     path = /srv/samba/netlogon
>     guest ok = Yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     printable = Yes
>     print ok = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
> --- end smb.conf ---
>
> Here's the pdbedit -Lv spitout for my user:
>
> --- begin output---
> Unix username:        myadmin
> NT username:
> Account Flags:        [U ]
> User SID:             S-1-5-21-2762049607-2166809996-183419993-1000
> Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
> Full Name:
> Home Directory:
> HomeDir Drive:
> Logon Script:         logon.cmd
> Profile Path:
> Domain:               MYWORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
> Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
> Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
> Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
> --- end output ---
Re: [Samba] Problems connecting win7 client to new Samba PDC
Have you tried adding a machine account for your CLIENTPC i.e.

# pdbedit -a -m -u CLIENTPC

This will create the CLIENTPC$ account it was squawking about. In my experience, the machine needs a Samba account too.

Cheers,

Andrew Mark | Development Analyst | www.aimsystems.ca
local: 519-837-1072 | fax: 519-837-4063 | int'l 800-465-2961
12-350 Speedvale Ave. W. | Guelph, ON | N1H 7M7 | Canada

On 12-08-09 09:28 AM, Brandon wrote:
> Here's some more information on my problem:
>
> smb.conf:
>
> --- begin smb.conf ---
> [global]
>     workgroup = MYWORKGROUP
>     server string = %h server (Samba, Ubuntu)
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     pam password change = Yes
>     passwd program = /usr/bin/passwd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     unix password sync = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
>     logon script = logon.cmd
>     logon path =
>     logon home =
>     domain logons = Yes
>     dns proxy = No
>     usershare allow guests = Yes
>     panic action = /usr/share/samba/panic-action %d
>     idmap config * : backend = tdb
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     read only = No
>     create mask = 0700
>     directory mask = 0700
>     browseable = No
>
> [netlogon]
>     comment = Network Logon Service
>     path = /srv/samba/netlogon
>     guest ok = Yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     printable = Yes
>     print ok = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/printers
> --- end smb.conf ---
>
> Here's the pdbedit -Lv spitout for my user:
>
> --- begin output---
> Unix username:        myadmin
> NT username:
> Account Flags:        [U ]
> User SID:             S-1-5-21-2762049607-2166809996-183419993-1000
> Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
> Full Name:
> Home Directory:
> HomeDir Drive:
> Logon Script:         logon.cmd
> Profile Path:
> Domain:               MYWORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
> Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
> Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
> Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
> --- end output ---
Re: [Samba] Problems connecting win7 client to new Samba PDC
> did you make the appropriate registry changes on Win 7 as per
> http://wiki.samba.org/index.php/Windows7

Yes, I've downloaded the 3.6.3 script and ran it on the client, as well as manually checked that the settings were only the two described in the wiki article.

> Have you tried adding a machine account for your CLIENTPC i.e.
> # pdbedit -a -m -u CLIENTPC

Yes, I let the account be auto-generated when connecting to the domain. I should have specified that there are other users I didn't include in the print out. Here is the machine account from pdbedit (note that I changed the logon script in smb.conf from .cmd to .bat a few minutes ago, and the update can be seen here):

---
Unix username:        CLIENTPC$
NT username:
Account Flags:        [W ]
User SID:             S-1-5-21-2762049607-2166809996-183419993-1001
Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
Full Name:            CLIENTPC$
Home Directory:
HomeDir Drive:
Logon Script:         logon.bat
Profile Path:
Domain:               MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Wed, 08 Aug 2012 13:44:36 EDT
Password can change:  Wed, 08 Aug 2012 13:44:36 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
---

Also, I've got a bit more information from the log.CLIENTPC:

[2012/08/09 10:14:56.686577, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2012/08/09 10:14:56.794994, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$

There are also a number of Windows events:

--- begin windows events paste ---
The winlogon notification subscriber Profiles failed a critical notification event.

Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\myadmin\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.

Windows cannot copy file \\?\C:\Users\Default\Videos to location \\?\C:\Users\myadmin\Videos. This error may be caused by network problems or insufficient security rights.

Windows cannot copy file \\?\C:\Users\Default\Saved Games to location \\?\C:\Users\myadmin\Saved Games. This error may be caused by network problems or insufficient security rights.

Note: To keep e-mail shorter I won't paste them all, but the last events repeat with a bunch of similar directories

There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.

Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.

Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.

Note: This last event again repeats with a number of similar directories

There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.

Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.

The winlogon notification subscriber Sens failed a notification event.
--- end windows events paste ---
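
Added example (not part of the original thread or of Samba itself): a Python sketch that parses a per-client `log.%m` file in the entry format quoted above and counts the secure-channel failures per machine account. The function names and the sample log are assumptions made for illustration; the sample reuses the three entries quoted in this thread plus one constructed unrelated entry.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry header in a Samba 3.x log: "[date time, level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# The two failure messages quoted in the thread
REJECT = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client (?P<client>\S+) machine account (?P<account>\S+)"
)
SCHANNEL = "Attempt to bind using schannel without successful serverauth2"

# Sample input: entries 1, 3 and 4 are the ones quoted in the thread,
# entry 2 is constructed to show that unrelated entries are ignored.
SAMPLE_LOG = """\
[2012/08/08 17:08:39.747592, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$
[2012/08/09 10:00:00.000000, 1] example/file.c:1(example_function)
  constructed unrelated entry
[2012/08/09 10:14:56.686577, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2012/08/09 10:14:56.794994, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$
"""


def parse_entries(text):
    """Split log text into entries; message lines follow each header line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {
                "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m["level"]),
                "func": m["func"],
                "msg": "",
            }
            entries.append(current)
        elif current is not None and line:
            # Continuation lines are joined into one message string
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries


def summarize(text):
    """Count rejected machine-account authentications and schannel binds
    attempted without a completed ServerAuthenticate handshake."""
    rejected, schannel, first, last = defaultdict(int), 0, None, None
    for entry in parse_entries(text):
        m = REJECT.search(entry["msg"])
        if m:
            rejected[m["account"]] += 1
        elif SCHANNEL in entry["msg"]:
            schannel += 1
        else:
            continue
        first = first or entry["time"]
        last = entry["time"]
    return {"rejected": dict(rejected), "schannel_without_auth": schannel,
            "first": first, "last": last}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
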
Re: [Samba] Problems connecting win7 client to new Samba PDC
That looks OK. You should not need a login script defined for a computer account.

Are you able to login as the Domain Administrator?

Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

On 08/09/12 10:37, Brandon wrote:
>> did you make the appropriate registry changes on Win 7 as per
>> http://wiki.samba.org/index.php/Windows7
>
> Yes, I've downloaded the 3.6.3 script and ran it on the client, as well as manually checked that the settings were only the two described in the wiki article
>
>> Have you tried adding a machine account for your CLIENTPC i.e.
>> # pdbedit -a -m -u CLIENTPC
>
> Yes, I let the account be auto-generated when connecting to the domain. I should have specified that there are other users I didn't include in the print out. Here is the machine account from pdbedit (note that I changed the logon script in smb.conf from .cmd to .bat a few minutes ago, and the update can be seen here):
>
> ---
> Unix username:        CLIENTPC$
> NT username:
> Account Flags:        [W ]
> User SID:             S-1-5-21-2762049607-2166809996-183419993-1001
> Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
> Full Name:            CLIENTPC$
> Home Directory:
> HomeDir Drive:
> Logon Script:         logon.bat
> Profile Path:
> Domain:               MYWORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
> Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
> Password last set:    Wed, 08 Aug 2012 13:44:36 EDT
> Password can change:  Wed, 08 Aug 2012 13:44:36 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
> ---
>
> Also, I've got a bit more information from the log.CLIENTPC:
>
> [2012/08/09 10:14:56.686577, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
>   pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
> [2012/08/09 10:14:56.794994, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$
>
> There are also a number of windows events:
>
> --- begin windows events paste ---
> The winlogon notification subscriber Profiles failed a critical notification event.
>
> Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\myadmin\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.
>
> Windows cannot copy file \\?\C:\Users\Default\Videos to location \\?\C:\Users\myadmin\Videos. This error may be caused by network problems or insufficient security rights.
>
> Windows cannot copy file \\?\C:\Users\Default\Saved Games to location \\?\C:\Users\myadmin\Saved Games. This error may be caused by network problems or insufficient security rights.
>
> Note: To keep e-mail shorter I won't paste them all, but the last events repeat with a bunch of similar directories
>
> There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.
>
> Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
>
> Windows cannot copy file C:\Users\Default\NTUSER.DAT to location C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by network problems or insufficient security rights.
>
> Note: This last event again repeats with a number of similar directories
>
> There are too many profile copy errors. Refer to the previous events for details. Windows will not log any additional copy errors for this copy process.
>
> Windows cannot log you on because your profile cannot be loaded. Check that you are connected to the network, and that your network is functioning correctly.
>
> The winlogon notification subscriber Sens failed a notification event.
> --- end windows events paste ---
Re: [Samba] Problems connecting win7 client to new Samba PDC
On 8/9/2012 10:58 AM, Gaiseric Vandal wrote:
> that looks OK. You should not need a login script defined for a computer account.

This must have been generated from smb.conf, I didn't actually change anything.

> Are you able to login as the Domain Administrator?

No. myadmin is supposed to be the domain administrator. I followed this guide for setting up domain admins (even though I'm running 12.04):

https://help.ubuntu.com/11.04/serverguide/samba-dc.html

# net rpc rights list -U myadmin
Enter myadmin's password:
    SeMachineAccountPrivilege  Add machines to domain
    SeTakeOwnershipPrivilege   Take ownership of files or other objects
    SeBackupPrivilege          Back up files and directories
    SeRestorePrivilege         Restore files and directories
    SeRemoteShutdownPrivilege  Force shutdown from a remote system
    SePrintOperatorPrivilege   Manage printers
    SeAddUsersPrivilege        Add users and groups to the domain
    SeDiskOperatorPrivilege    Manage disk shares
    SeSecurityPrivilege        System security

Is this correct?

> Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

When I try to add MYWORKGROUP\myadmin to Users group from the local admin I get this:

The following error occurred while using the user name and password you entered:
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.

As far as I know, I don't have any other connections going with the server (except SSH).
Re: [Samba] Problems connecting win7 client to new Samba PDC
> Are your group mappings correct? I ask because it may be that the Domain Users is not properly recognized as a member of the Users group on the PC. Can you login as the domain (or local) admins and explicitly add domain users and domain groups to a local group?

An update to this: I was able to add domain users after a reboot. So I've added MYWORKGROUP\myadmin to my Users group on the local machine. I was also able to search my domain for users, and came up with a list of my users, a nobody user, and a Domain Admins group. I've added MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to the User group on the local machine. I am still getting the same errors when logging on though.

It seems to me like it's trying to pull a roaming profile when I have roaming profiles disabled (or I thought I did), and/or Windows doesn't actually know the NetBIOS name, based on the series of these events:

Windows cannot copy file \\?\C:\Users\Default\Documents to location \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by network problems or insufficient security rights.
[Samba] Problems connecting win7 client to new Samba PDC
Hey,

I'm running the latest Ubuntu 12.04 Samba 3.6.3, I just want a simple PDC for authentication. Client is Win7 32 bit with latest updates. The client can join the domain, but I can't log in with any users, it gives me

The User Profile Service service failed the logon.
User profile cannot be loaded.

Looking at the log, I've found this:

[2012/08/08 17:08:39.747592, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENTPC machine account CLIENTPC$

Any ideas on what the problem is?