Samba causes XP machine to reboot during login

It took me a while…
But I finally got samba to be a pdc.
I was able to join a test xp machine to the new domain samba made.
That part worked well.

In my SWAT I added a new Samba user and password.
Restarted Samba etc… Then tried to log in from the XP with the new user name as the password. As I hit enter I'm waiting for it to log in… the XP machine reboots. It seems to do that every time I try.

I'm sure there's something not quite right in samba.conf or is it something else. :(

On Tue May 18 2010 02:46 pm, ventiman wrote:

>
> It took me a while…
> But I finally got samba to be a pdc.
> I was able to join a test xp machine to the new domain samba made.
> That part worked well.
>
> In my Swat I added a samba new user and password.
> Restarted Samba etc… Then tried to log in from the XP with the new
> user name as the password. As I hit enter I'm waiting for it to log
> in… the XP machine reboots. It seems to do that every time I try.
>
> I'm sure there's something not quite right in samba.conf or is it
> something else. :(
>
>
ventiman;

It might help if you posted the contents of /etc/samba/smb.conf. Conceal any
sensitive information (public IPs etc.) with substitute values. Make sure
the firewall is open for both the Samba server and Netbios server and while
testing disable any third-party firewall on XP. Without seeing your smb.conf
it’s kind of hard to say, but I suspect the problem may be on the XP side.
Normally if Samba is poorly configured you just get a login failure on
Windows.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

# Samba config file created using SWAT
# from UNKNOWN (�0.0.��ҿ)
# Date: 2010/05/18 19:38:16

[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = GAGING
realm =
netbios name = GAGONE
netbios aliases =
netbios scope =
server string = Samba OPEN-SUSE-SL11.2
interfaces =
bind interfaces only = No
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Never
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = smbpasswd
algorithmic rid base = 1000
root directory =
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program =
passwd chat = newpassword* %n
newpassword* %n
changed
passwd chat debug = No
passwd chat timeout = 2
check password script =
username map =
password level = 6
username level = 2
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
preload modules =
dedicated keytab file =
kerberos method = default
map untrusted to domain = No
log level = 0
syslog = 1
syslog only = No
log file =
max log size = 5000
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = No
debug pid = No
debug uid = No
debug class = No
enable core files = Yes
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = No
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
client ldap sasl wrapping = plain
enable asu support = No
svcctl list =
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 1024
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
ctdbd socket =
cluster addresses =
clustering = No
load printers = Yes
printcap cache time = 750
printcap name = cups
cups server =
cups connection timeout = 30
iprint server =
disable spoolss = No
addport command =
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
max stat cache size = 256
stat cache = Yes
machine password timeout = 604800
add user script =
rename user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script = /usr/sbin/usermod -g '%g' '%u'
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
shutdown script =
abort shutdown script =
username map script =
logon script = scripts%U.bat
logon path = \\%N\%U\profile
logon drive = logon drive = z:
logon home = \\%N\%U
domain logons = Yes
init logon delayed hosts =
init logon delay = 100
os level = 65
lm announce = Auto
lm interval = 60
preferred master = Yes
local master = Yes
domain master = Yes
browse list = Yes
enhanced browsing = Yes
dns proxy = Yes
wins proxy = No
wins server =
wins support = No
wins hook =
kernel oplocks = Yes
lock spin time = 200
oplock break wait time = 0
ldap admin dn =
ldap delete dn = No
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap passwd sync = no
ldap replication sleep = 1000
ldap suffix = frames
ldap ssl = start tls
ldap ssl ads = No
ldap timeout = 15
ldap connection timeout = 2
ldap page size = 1024
ldap user suffix =
ldap debug level = 0
ldap debug threshold = 10
eventlog list =
add share command =
change share command =
delete share command =
preload =
lock directory = /var/lib/samba
state directory = /var/lib/samba
cache directory = /var/lib/samba
pid directory = /var/run/samba
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
afs username map =
afs token lifetime = 604800
log nt token command =
time offset = 0
NIS homedir = No
registry shares = No
usershare allow guests = No
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
panic action =
perfcount module =
host msdfs = Yes
passdb expand explicit = No
idmap backend = tdb
idmap alloc backend =
idmap cache time = 604800
idmap negative cache time = 120
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator =
winbind cache time = 300
winbind reconnect delay = 30
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
comment =
path =
username =
invalid users =
valid users =
admin users = ventiman
read list =
write list =
printer admin =
force user =
force group =
read only = Yes
acl check permissions = Yes
acl group control = No
acl map full control = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
guest only = No
administrative share = No
guest ok = No
only user = No
hosts allow =
hosts deny =
allocation roundup size = 1048576
aio read size = 0
aio write size = 0
aio write behind =
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
smb encrypt = auto
block size = 1024
change notify = Yes
directory name cache size = 100
kernel change notify = Yes
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options =
print command =
lpq command = %p
lprm command =
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = Yes
force printername = No
printjob username = %U
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map archive = Yes
map hidden = No
map system = No
map readonly = yes
mangled names = Yes
store dos attributes = No
dmapi support = No
browseable = Yes
access based share enum = No
browsable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
share modes = Yes
dfree cache time = 0
dfree command =
copy =
preexec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = No
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
vfs objects =
msdfs root = No
msdfs proxy =

[music]
comment = For Music
path = /home/ventiman/Music
read only = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root


My XP firewall is off, I don't use it…
and the one on SUSE is off as well.
I use a pfSense firewall box instead.

Now on XP if I log into the computer, it logs in fine of course.
But if I go to My Network Places I see my Samba server and click on it and it opens up a window asking for user name and pass.
And I type one of the Samba users and the password I chose for the user. And poof, logs in fine, I can see the Samba folders.

\netlogon \music \printers and faxes

PS
I should add that on the XP box if I try and log in under domain, reboot was an understatement. It does a hard reboot, not a normal reboot procedure.
That's why I wasn't sure if I had some kind of Samba script doing that.

On Tue May 18 2010 06:46 pm, ventiman wrote:

>
> # Samba config file created using SWAT
> # from UNKNOWN (�0.0.��ҿ)
> # Date: 2010/05/18 19:38:16
>
> [global]
<snip>
> name resolve order = lmhosts wins host bcast
<snip>
> logon path = \\%N\%U\profile
<snip>
>
> [music]
> comment = For Music
> path = /home/ventiman/Music
> read only = No
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root
>
> ----------------
>
> My XP firewall is off, I don't use it…
> and the one on SUSE is off as well.
> I use a pfSense firewall box instead.
>
ventiman;

What jumped out was the lack of a profiles share and a logon path pointing to
a NIS server (this happens to be the default). Unless you have good reasons
for this, I would suggest that you use something like:


logon path = \\%L\profiles\%U

Then add a profiles share like:



[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
profile acls = Yes

There are other variations of this, but the above will place profiles in the
user’s home directory on the PDC. You can set the path in [profiles] to any
directory you want as long as the Windows user has write permission to the
directory, say path = /var/lib/samba/profiles.

Without knowing your domain topology, I’m guessing you do not have a NIS
server and %N is replaced by the name of your NIS home directory.

Although I’ve never checked this, I believe you can set “logon path =” with no
path and it will force the clients to use local profiles. But IMHO that kind
of defeats the reason for configuring a domain in the first place.

I’ve not had time to read through all of your smb.conf and will post later if
anything else jumps out.

It might help you understand the use of the variables and parameters in your
smb.conf if you read through man smb.conf.

See: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Although not directly related, your name resolve order parameter is unlikely
to allow the PDC to resolve domain names. It will expect the names to be in
the lmhosts file, and unless you want to do a lot of maintenance keeping that
up, you might do better with:


name resolve order = bcast lmhosts wins host

This means Samba will first try to resolve names by broadcast.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

On Tue May 18 2010 07:16 pm, ventiman wrote:

>
> Now on XP if I log into the computer, it logs in fine of course.
> But if I go to My Network Places I see my Samba server and click on it
> and it opens up a window asking for user name and pass.
> And I type one of the Samba users and the password I chose for the
> user. And poof, logs in fine, I can see the Samba folders.
>
> \netlogon \music \printers and faxes
>
> PS
> I should add that on the XP box if I try and log in under domain,
> reboot was an understatement. It does a hard reboot, not a normal reboot
> procedure.
> That's why I wasn't sure if I had some kind of Samba script doing that.
>
>
ventiman;

I’m willing to bet that this user is a local user and is authenticated as
guest. You should be able to use the username/password of the user you
created with smbpasswd. Do you mind also posting the results of:


sudo pdbedit -L


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

sudo pdbedit -L

root:0:root
ventiman:1000:scott frank
videomaker$:1001:Machine
testing:1002:testing

> It might help you understand the use of the variables and parameters in your
> smb.conf if you read through man smb.conf.

I have been looking at it a lot. Well, at least through SWAT I have.
I'm used to using SUSE/Linux a lot as a standalone workstation and/or as a member of a workgroup. This is the first time trying it as a PDC. A few at work like the idea of using SUSE as a low-cost alternative as a PDC and file/print server, to the Win2008.

So I'm trying to succeed in testing one to work :)

On Tue May 18 2010 10:46 pm, ventiman wrote:

>
> sudo pdbedit -L
>
> root:0:root
> ventiman:1000:scott frank
> videomaker$:1001:Machine
> testing:1002:testing
>
>
For your second question the name/password you would enter would be ventiman
or testing and their passwords from smbpasswd. However check your Linux
permissions on the directories. Samba must obey these, so if a user does not
have permission to access the directory /home/ventiman/Music he/she will not
be allowed.

It’s hard to say just how far XP got when it crashed. Once you have patched up
the logon path it may be necessary to do a regedit. If XP entered the user
in the registry you may need to delete the key in :
HKEY_Local_Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Profilelist
which points to that user. Be careful not to delete a key that belongs to a
local user or system resource. If you look inside the keys, listed by SID,
the centralprofile points to the location of the profile on the server. See
if there is a SID with a bad entry there and delete the entire key for that
SID. (note: local users will not have a centralprofile entry)

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

On Tue May 18 2010 10:56 pm, ventiman wrote:

> I have been looking at it a lot. Well, at least through SWAT I have.
ventiman;

Reading the first few chapters of “Samba3 By Example” may help you get
started: See: http://www.samba.org/samba/docs/man/Samba3-ByExample/

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Webmin and SWAT seem decent GUI setups for Samba.
YaST seems to lack a lot. I was showing my head tech one day. He's a 100 percent Windows server tech. And the lack of a solid Samba GUI for configuration and maintenance just seemed to him a lack of a solid Windows server killer. I told him if you grasp the solid basics of the Samba conf, one can set a Windows Samba network up fairly fast.

But GUIs sure are nice though :)

Any issues with this?
I did a testparm and it came out OK,
server role PDC.
Yet the XP client sees the server but does not see the domain when I try to join it.


[global]
workgroup = FRAMES
netbios name = OPEN_SUSE_SAMBA_SERVER
passdb backend = smbpasswd
security = user
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit
logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
writable = Yes

[public]
comment = Data
path = /home/samba
force user = docsbot
force group = users
guest ok = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/scripts
admin users = ventiman, scott,
guest ok = No
browseable = No
writable = No

On Sun May 23 2010 10:36 pm, ventiman wrote:

>
> Any issues with this?
> I did a testparm and it came out ok
> server role PDC.
> Yet the xp client sees the server. but does not see the domain when I
> try to join it
>
> ---------------------------
>
> [global]
> workgroup = FRAMES
> netbios name = OPEN_SUSE_SAMBA_SERVER
> passdb backend = smbpasswd
> security = user
> add user script = /usr/sbin/useradd -m %u
> delete user script = /usr/sbin/userdel -r %u
> add group script = /usr/sbin/groupadd %g
> delete group script = /usr/sbin/groupdel %g
> add user to group script = /usr/sbin/usermod -G %g %u
> add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null -g machines %u
> # The following specifies the default logon script
> # Per user logon scripts can be specified in the user
> # account using pdbedit
> logon script = logon.bat
> # This sets the default profile path.
> # Set per user paths with pdbedit
> logon path = \\%L\Profiles\%U
> logon drive = H:
> logon home = \\%L\%U
> domain logons = Yes
> os level = 35
> preferred master = Yes
> domain master = Yes
> idmap uid = 15000-20000
> idmap gid = 15000-20000
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
> writable = Yes

Try this:


[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

Setting “read only = No” means exactly the same as “writable = Yes”. No need
for both. Notice also that in the above the valid users adds a domain
qualifier.

[public]
comment = Data
path = /home/samba
force user = docsbot
force group = users
guest ok = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/scripts
admin users = ventiman, scott,
guest ok = No
browseable = No
writable = No

ventiman;

You need to add the [profiles] share. See my earlier post for an example.

Have you checked that the samba server and netbios server are both allowed
through the firewall? (YaST -> Security and Users -> Firewall -> Allowed
Services). While you’re testing, try disabling the firewalls on both the
server and clients. Many (most) 3rd-party Windows firewalls block Windows
networking by default. Enable the firewalls after you have Samba working. If
it breaks when one of the firewalls is enabled you know where to look.

Have you checked that nmbd and smbd services are running?


ps -A | grep '[sn]mb'

If these services are not started, go to YaST -> System -> System Services and
enable both nmb and smb.

Is XP still crashing when you try to login? Probably yes, since you still do
not have the [profiles] share.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

No, it no longer crashes.
Though if I try to join domain… XP says it can't see domain or the domain frames is not found.

ps -A|grep [s,n]mb
11948 ? 00:00:00 smbd
11952 ? 00:00:00 smbd
11958 ? 00:00:00 nmbd
12792 ? 00:00:00 gvfsd-smb-brows
12797 ? 00:00:00 smbd
12838 ? 00:00:00 smbd
12853 ? 00:00:00 smbd

Profiles put in.

[global]
workgroup = FRAMES
netbios name = OPEN_SUSE_SAMBA_SERVER
passdb backend = tdbsam
security = user
printcap name = cups
admin users = root, admin
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
# The following specifies the default logon script
# Per user logon scripts can be specified in the user
# account using pdbedit
#logon script = logon.bat
# This sets the default profile path.
# Set per user paths with pdbedit
#logon path = \%L\profiles%U%a
logon drive = H:
logon home = \%L %U
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000
map archive = No
map readonly = no
store dos attributes = Yes

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
admin users = root, ventiman
guest ok = No
browseable = No

[Profiles]
profile acls = Yes
browseable = no
comment = Roaming Profile Share
writable = yes
path = /var/lib/samba/profiles

[pdfdocuments]
comment = pdf-documents
writeable = yes
path = /home/pdf-documents
browseable = yes

On Mon May 24 2010 02:46 pm, ventiman wrote:

>
> Profiles put in.
> ------------------------
>
> [global]
> workgroup = FRAMES
> netbios name = OPEN_SUSE_SAMBA_SERVER
<snip>
>
ventiman;

For one thing netbios names can only be 15 characters long. Try a much
shorter netbios name. You can use the parameter “server string” to display
a longer name when browsing the Samba shares. For an example:


netbios name = SUSE
server string = Open SuSE Samba Server

The default name resolve order does not normally work real well. I don’t think
this is involved in your immediate problem but it will interfere with
accessing Windows machines by name. Try adding this to the [global] section
of smb.conf:


name resolve order = bcast host lmhosts wins

Are all the machines in your domain on the same subnet? If not you will need
to configure a Wins Server.

Have you disabled firewalls for testing purpose?

P. V.
“We’re all in this together, I’m pulling for you.” Red Green
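
The three problems P. V. points out in this thread (a logon path left at the %N default, a logon path whose share is not defined, and a NetBIOS name longer than 15 characters) can be checked in smb.conf before a client tries to log on. This is an added example, not part of any post and not Samba's own code; `parse_smb_conf`, `lint_pdc` and both sample configurations are constructed here, and the default logon path is assumed to be the Samba 3 default discussed above.

```python
import re

# Samba 3 default when "logon path" is unset; %N is the NIS home server.
DEFAULT_LOGON_PATH = r"\\%N\%U\profile"

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lowercased; a trailing
    backslash continues the parameter on the next line."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def lint_pdc(text):
    """Return findings for the three problems raised in this thread."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    name = glob.get("netbios name", "")
    if len(name) > 15:
        findings.append(f"netbios name '{name}' has {len(name)} characters; the limit is 15")
    if glob.get("domain logons", "no").lower() in ("yes", "true", "1"):
        path = glob.get("logon path", DEFAULT_LOGON_PATH)
        if "%N" in path:
            findings.append(f"logon path '{path}' uses %N (NIS home server)")
        unc = re.match(r"\\\\[^\\]+\\([^\\]+)", path)
        if unc:
            share = unc.group(1).lower()
            # \\server\%U resolves to the user's own share, served by [homes].
            wanted = "homes" if share == "%u" else share
            if "%" not in wanted and wanted not in conf:
                findings.append(f"logon path needs share [{wanted}], which is not defined")
    return findings

# Constructed samples, condensed from the configurations posted in this thread.
BEFORE = r"""
[global]
netbios name = OPEN_SUSE_SAMBA_SERVER
add machine script = \
    /usr/sbin/useradd -s /bin/false -d /dev/null \
    -g machines %u
logon path = \\%L\Profiles\%U
domain logons = Yes
[homes]
read only = No
[netlogon]
path = /var/lib/samba/netlogon/scripts
"""
AFTER = r"""
[global]
netbios name = SUSE
logon path = \\%L\profiles\%U
domain logons = Yes
[netlogon]
path = /var/lib/samba/netlogon
[profiles]
path = /var/lib/samba/profiles
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_pdc(sample) or "no findings")
```

testparm accepts all of these configurations as syntactically valid, which is why it "came out ok" earlier in the thread; the lint only adds the cross-checks between parameters and shares.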

On Mon May 24 2010 06:11 pm, PV wrote:

> On Mon May 24 2010 02:46 pm, ventiman wrote:
>
>>
>> Profiles put in.
>> ------------------------
>>
>> [global]
>> workgroup = FRAMES
>> netbios name = OPEN_SUSE_SAMBA_SERVER
> <snip>
>>
> ventiman;
>
> For one thing netbios names can only be 15 characters long. Try a much
> shorter netbios name. You can use the parameter “server string” to display
> a longer name when browsing the Samba shares. For an example:
>
> netbios name = SUSE
> server string = Open SuSE Samba Server
>
> The default name resolve order does not normally work real well. I don’t
> think this is involved in your immediate problem but it will interfere with
> accessing Windows machines by name. Try adding this to the [global] section
> of smb.conf:
>
> name resolve order = bcast host lmhosts wins
>
> Are all the machines in your domain on the same subnet? If not you will
> need to configure a Wins Server.
>
> Have you disabled firewalls for testing purpose?

Addenda:

Have you joined the PDC to its own domain? If not, in a terminal Window
enter:


su
net rpc JOIN PDC -U root%<root'sPassword>


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

No, I've not joined the PDC to its own domain.

net rpc testjoin -S FRAMES
get_schannel_session_key: could not fetch trust account password for domain ‘FRAMES’
net_rpc_join_ok: failed to get schannel session key from server FRAMES for domain FRAMES. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain ‘FRAMES’ is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO