Samba joining a Windows 2000 domain?
Olydus
08-12-2002, 05:47 PM
Hello, I'm having a problem with what I think is a problem with samba joining my windows 2000 domain. Bear with me, I've been beating my head on a couple of problems but this takes priority.
Setup: Using samba 2.2.5 on mandrake 8.2. I installed it by compiling the program since the rpm won't work.
Whenever I turn on the samba server(specifically module smbd) it starts hammering my PDC with logon requests...all which fail. Here's a sample of the error codes I get in the windows server security logs:
1) The logon to account: SAMBATESTLINUXBOX by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 failed. The error code was: 3221225578
2) Logon Failure:
Reason: Unknown user name or bad password
User Name: SAMBATESTLINUXBOX
<blah blah blah>
3) The logon to account: ROOT by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 failed. The error code was: 3221226036
and then it locks out root.
Okay first I have NO idea where it's getting the user SAMBATESTLINUXBOX from and I added ROOT hoping that would solve the problem but it keeps giving error #3 until the account locks out.
I used the "smbpasswd -j..." command to add my linuxbox to the domain to no effect even though it successfully joins. The security part of my smb.conf file looks like this:
# SECURITY
hosts allow = 10.10. 10.2.
security = server
password server = PDC, CF2, CF3, SMS1
password level = 4
encrypt passwords = yes
smb passwd file = /etc/samba/passwd
unix password sync = yes
If I change the order of the password servers the first one on the list gets the errors. I originally didn't have password level specified but put it in there to see if it helps..nope.
Anyone have any ideas where to go from here? Do you need anymore information that I didn't include? Thanks.
add on: Okay the error '3221225578' means that the password was bad or misspelled. My main 2 questions are: 1) Where in the world is SAMBATESTLINUXBOX coming from and 2) where would I specify the user password when it tries to log on as root?
cowanrl
08-13-2002, 12:25 PM
Since you actually joined your Win2k domain from your Samba server you need to set your security to "security = domain" instead of security = server. You also need to be sure that the workgroup designated in your smb.conf file matches the name of your Win2k domain.
You mention starting smbd. Are you also starting nmbd? That is a must.
If you execute:
smbclient -L localhost -N
from the Samba server, what do you see?
If you can't get it to work, post your entire smb.conf file here.
Olydus
08-13-2002, 02:08 PM
Well, I've had partial success. First off, thanks for replying cowanrl. To answer your questions, yes, I'm starting nmbd as well as winbind in my smb script. I was disabling each module to see which one was generating all the log in problems.
I found this this morning http://www.data-based-systems.com/downloadables/LinuxSambaWithWindows2000.htm and followed its directions and it sort of worked or at least I think it helped. I still got all those login errors until I set password level up pretty high. The problem I'm having now is it doesn't seem to authenticate users properly. If I reboot my client(win2K pro) and then try to access the linuxbox I get an "incorrect password or invalid user for \\linuxbox". It requests but will not accept any user/password combo (I have my password the same in 2K/linux/samba...is that necessary?) BUT if I restart samba it gives me access to the shares...until I reboot my machine again.
Here is my smb.conf file, a few names are changed to protect the innocent.
*******
[global]
# GENERAL
workgroup = CF
netbios name =
lm announce = yes
lm interval = 900
server string = %h Samba %v Server
local master = no
domain master = no
os level = 1
preferred master = no
dns proxy = no
wins server = 15.15.2.13
# WINBIND
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
# PRINTING
printcap name = lpstat
printing = cups
load printers = yes
; printer driver file = /etc/cups/printers.conf
printer admin = @GrpMis
# LOGGING
log file = /var/log/samba/log.%m
max log size = 50
# SECURITY
hosts allow = 15.15. 15.2.
security = domain
password server = PDC, CF2, CF3, SMS1
password level = 10
encrypt passwords = yes
update encrypted = yes
null passwords = yes
unix password sync = yes
smb passwd file = /etc/samba/passwd
passwd program = /usr/bin/passwd %u
passwd chat = *New*Unix*password* %n\n *Retype*new*UNIX*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
# BROWSER & NETWORK OPTIONS
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# ---------- Share Section -------------------
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
printable = yes
create mode = 0700
writable = no
print command = lp -d %p -o raw %s; rm -f %s
; print command = lpr-cups -P%p %s
[print$]
path = /etc/samba/drivers
browseable = yes
read only = yes
guest ok = no
create mask = 0644
directory mask = 0755
write list = @GrpMis
# Home Directories
[homes]
comment = Home Directories
browseable = no
writable = yes
create mode = 0660
directory mode = 0770
# Shared Directories
[public]
comment = Public Stuff
path = /public
public = yes
writable = yes
create mode = 0664
directory mode = 0770
force group = AllCOF
[GrpMis]
comment = Test MIS Stuff
path = /home/COFSHARES/GrpMis
browseable = yes
readonly = yes
create mode = 0660
directory mode = 0770
force group = GrpMis
write list = @GrpMis
**************
Any corrections for areas I'm not specifically talking about now are appreciated. Thanks.
cowanrl
08-13-2002, 06:24 PM
First, unless you have some OS/2 clients on your network you don't need:
lm announce = yes
lm interval = 900
They only apply to OS/2.
In your "host allow = " line, you should also add 127.0.0.1. Make it look like this:
host allow = 15.5. 15.2. 127.0.0.1
I've never used winbind but I do know there are a lot of steps you need to go through beside just putting the lines in your smb.conf file. Have you done that? I believe if it is successful, you should be able to telnet and/or ftp in to your Linux box using username/password combinations from your Win2k domain.
If winbind isn't working, you can always remove the winbind lines and create users on your Linux machine. They have to have the same username as the Windows domain users but not the same password. They don't even have to have login access to the server. You don't need to create Samba users when using domain security.
Since you are using domain security you can remove these lines:
unix password sync = yes
smb passwd file = /etc/samba/passwd
passwd program = /usr/bin/passwd %u
passwd chat = *New*Unix*password* %n\n *Retype*new*UNIX*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
They only apply when you are using security = user and are using a local smbpasswd file. You don't use that with security = domain.
The update encrypted option can be removed. It's of no use in your situation.
Try those and see if that helps any.
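The two replies above boil down to a checklist for a Samba member server: security = domain, workgroup equal to the domain name, 127.0.0.1 in hosts allow, and none of the smbpasswd-file or OS/2 options left over. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf, applies that checklist to [global], and reports each finding with a severity. It also flags null passwords = yes (which the thread's second config sets but nobody commented on) as a warning, since that lets accounts with an empty password connect. The two embedded configs are constructed from the posts above (the first one with a [global] header added so it parses); the option names are real Samba options, everything else is this example's own naming.

```python
"""Check an smb.conf [global] section for the domain-membership pitfalls from the thread.

Added example: the checklist comes from the forum replies, the code is not Samba's.
"""
import re
from collections import Counter

YES = ("yes", "true", "1")

# Only meaningful with a local smbpasswd file (security = user), per the replies.
USER_SECURITY_ONLY = ("unix password sync", "smb passwd file", "passwd program",
                      "passwd chat", "update encrypted")
# Only meaningful for OS/2 clients, per the replies.
OS2_ONLY = ("lm announce", "lm interval")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {option: value}}.

    Option names are lower-cased with internal whitespace collapsed, so
    'smb passwd file' and 'smb  passwd file' compare equal. Lines starting
    with '#' or ';' are comments, as in Samba.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def check_domain_member(text, domain):
    """Return (severity, message) findings for a server joined to `domain`."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    sec = g.get("security", "user").lower()
    if sec != "domain":
        findings.append(("error", f"security = {sec}: a server joined to the domain needs security = domain"))
    wg = g.get("workgroup", "")
    if wg.upper() != domain.upper():
        findings.append(("error", f"workgroup = {wg!r} does not match the domain name {domain!r}"))
    if g.get("encrypt passwords", "no").lower() not in YES:
        findings.append(("error", "encrypt passwords must be yes: Windows 2000 clients send encrypted passwords"))
    if "netbios name" in g and not g["netbios name"]:
        findings.append(("warn", "netbios name is set but empty; Samba falls back to the host name"))
    allowed = (g.get("hosts allow") or g.get("allow hosts") or "").split()
    if allowed and "127.0.0.1" not in allowed:
        findings.append(("warn", "hosts allow lacks 127.0.0.1; local checks such as 'smbclient -L localhost' are refused"))
    if g.get("null passwords", "no").lower() in YES:
        findings.append(("warn", "null passwords = yes lets accounts with an empty password connect; leave it at no"))
    for opt in USER_SECURITY_ONLY:
        if opt in g:
            findings.append(("info", f"{opt} only applies with a local smbpasswd file (security = user); drop it"))
    for opt in OS2_ONLY:
        if opt in g:
            findings.append(("info", f"{opt} only matters for OS/2 clients; drop it"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {'error': n, 'warn': n, 'info': n} (absent keys mean zero)."""
    return dict(Counter(sev for sev, _ in findings))


# Constructed from the first post's security block; [global] header added so it parses.
ORIGINAL_SECURITY = """\
[global]
hosts allow = 10.10. 10.2.
security = server
password server = PDC, CF2, CF3, SMS1
password level = 4
encrypt passwords = yes
smb passwd file = /etc/samba/passwd
unix password sync = yes
"""

# Constructed from the second post's [global] section (the relevant lines only).
REVISED_GLOBAL = r"""
[global]
workgroup = CF
netbios name =
lm announce = yes
lm interval = 900
wins server = 15.15.2.13
hosts allow = 15.15. 15.2.
security = domain
password server = PDC, CF2, CF3, SMS1
encrypt passwords = yes
update encrypted = yes
null passwords = yes
unix password sync = yes
smb passwd file = /etc/samba/passwd
passwd program = /usr/bin/passwd %u
passwd chat = *New*Unix*password* %n\n *Retype*new*UNIX*password* %n\n
[homes]
comment = Home Directories
"""

if __name__ == "__main__":
    for name, conf in (("first post", ORIGINAL_SECURITY), ("second post", REVISED_GLOBAL)):
        print(f"== {name}: {count_by_severity(check_domain_member(conf, 'CF'))}")
        for sev, msg in check_domain_member(conf, "CF"):
            print(f"  [{sev}] {msg}")
```

Run it against a real file with `check_domain_member(open("/etc/samba/smb.conf").read(), "CF")`; it complements rather than replaces Samba's own `testparm`, which validates syntax and unknown option names but does not know which options are pointless for a domain member.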
Olydus
08-14-2002, 04:09 PM
Thanks for the suggestions.
>In your "host allow = " line, you should also add 127.0.0.1.
Why would you have to tell it that it's allowed access to itself?
I made all the changes, then beat my head for a while about why I couldn't get PAM and SAMBA working. I finally came to the conclusion that you can't use them together if windows is sending encrypted passwords. What's the point in having SAMBA pam-enabled? It seems you'd only use it in a low security situation.
Anyway, I'm down to that one last annoying problem. I can get access to all my drives until I reboot my pc. Then it will not give me access to the drive asking repeatedly for a name and password until I restart smb(smbd, nmbd, winbindd) then it'll work perfectly. I've been scratching my head trying to figure out what my client is losing when I reboot. An ID number? If so, why doesn't it take restarting samba to reinitialize it?
cowanrl
08-14-2002, 04:30 PM
Originally posted by Olydus
>Thanks for the suggestions.
>>In your "host allow = " line, you should also add 127.0.0.1.
>Why would you have to tell it that it's allowed access to itself?
You're not allowing access to itself, you're allowing it to be accessed by itself. That loopback address is used by internal processes on the computer to communicate with each other via the TCP/IP stack. That's one reason why it's so important to have the 127.0.0.1 line in your /etc/hosts file.
I've never tried to use winbind or PAM. One of the reasons is that all of the documentation says that you can't use PAM with encrypted passwords. That's too much of a security risk for me.
>Anyway, I'm down to that one last annoying problem. I can get access to all my drives until I reboot my pc. Then it will not give me access to the drive asking repeatedly for a name and password until I restart smb(smbd, nmbd, winbindd) then it'll work perfectly. I've been scratching my head trying to figure out what my client is losing when I reboot. An ID number? If so, why doesn't it take restarting samba to reinitialize it?
When you say "reboot my pc", are you talking about the Samba server, the Win2k server or a client workstation?
You say it won't work until you restart smbd, nmbd and winbindd. Then you ask why doesn't it take restarting Samba to reinitialize it. Restarting smbd, nmbd and winbindd is restarting Samba.
I'm not real clear what your exact problem is now.
Olydus
08-14-2002, 04:52 PM
>That's too much of a security risk for me.
lol, I agree with you there.
>When you say "reboot my pc", are you talking about the Samba server, the Win2k server or a client workstation?
Sorry, I wasn't being clear. I'm talking about rebooting my client.
Assume my PDC(win2K server) and my linux server are both up and running. I boot my client(win2K pro) and log into the Win2K domain. If I try to access the shares on the linux server it won't give me access...just ask for a name and password over and over. Next I restart samba. Bingo, I can now access every share on my client computer. Everything looks beautiful. Until I reboot. Then I'm right back where I started.
cowanrl
08-14-2002, 05:14 PM
Do you still have winbind running? There might be some sort of a problem there if it's not configured properly. It would be interesting to disable winbind, create just the one user account on Linux to match the account you are logging in to the client PC with and see if that works.
Have you tried looking through any of the Samba log files? In /var/log there should be an smbd.log, nmbd.log and a log file with an extension of the Win2k clients name. There might be something in there that would give a clue.
Olydus
08-15-2002, 10:53 AM
Looking at the logs..duh, I feel stupid.
Well, to make a VERY long story short, I'm going to take a short break from this...I've found problems in the log but the problems shouldn't be happening. I've had some success when I start the samba modules manually rather than depending on the script. It will work, even when I reboot the client...for a limited while. I'm not getting any consistency that I can find so I'm going to take a short break, wipe the logs and start over and come back here with some data.
Thanks again for all the help and I'll get back here soon.
cowanrl
08-15-2002, 11:54 AM
Good Luck!!