# Samba--connections work from Gentoo box, not from win

## fidel

Hi there!

I've got a Gentoo box running with dhcp, iptables, samba, apache, proftpd.

All services seem to work properly, still there is an issue with samba:

I can mount my shares from my gentoo box on my laptop with ease. No problem at all, got in my hosts file of the laptop the server mentioned:

```
192.168.1.1     hektor.nigel hektor
```

Therefore no problem to mount the shares with my fstab:

```
//hektor.nigel/musica   /mnt/smb/musica smbfs   username=user,password=pwd,auto,user,uid=me
```

But now my girlfriend came and brought her Windows XP Pro along....

I cannot get access to my (let's call it..) server. On the windows machine the server called hektor gets listed in the network neighbourhood, when I click on it, the expected box appears to enter username and password. Unfortunately though, none of the (on the server existing!) smbusers gets accepted. The box just pops up again and again....

I looked into the samba logs:

```
# cat /var/log/samba/log.nmbd
  *****
[2005/05/27 19:52:10, 0] nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(488)
  get_domain_master_name_node_status_fail:
  Doing a node status request to the domain master browser at IP 192.168.2.5 failed.
  Cannot get workgroup name.
[2005/05/27 20:07:13, 0] nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(488)
  get_domain_master_name_node_status_fail:
  Doing a node status request to the domain master browser at IP 192.168.2.5 failed.
  Cannot get workgroup name.
```

And here the real strange thing appears!

--> There is no IP 192.168.2.5 any more!! I used to have the box running in a 192.168.2.x network before! I changed my network to 192.168.1.x though... I just can't figure out where this comes from..

hmm, here some configs (of the server...):

```
# cat /etc/hosts
#
127.0.0.1       hektor.nigel localhost hektor
# IPV6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
```

```
# cat /etc/conf.d/net
iface_eth0="dhcp"
iface_eth1="192.168.1.1 broadcast 192.168.1.255 netmask 255.255.255.0"
```

```
# cat /etc/dhcp/dhcpd.conf
authoritative;
ddns-update-style none;
option domain-name "nigel";
option domain-name-servers 192.168.1.1;
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
#  range dynamic-bootp 192.168.1.20 192.168.1.29;
  range 192.168.1.2 192.168.1.255;
  option routers 192.168.1.1;
  option subnet-mask 255.255.255.0;
}
host medulis {
  hardware ethernet 02:54:CE:F8:54:48;
  fixed-address 192.168.1.60;
}
host vcr {
        hardware ethernet 45:8A:C4:D8:98:21;
        fixed-address 192.168.1.70;
}
host mirjams {
        hardware ethernet 00:01:67:E8:B5:65;
        fixed-address 192.168.1.61;
}
```

```
# cat /etc/samba/smb.conf
[global]
        workgroup = nigel
        server string = hektor
        netbios name = hektor
        guest account = nobody
        keep alive = 30
        allow hosts = 192.168.1. 127.
        strict locking = yes
        security = user
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        interfaces = lo eth1
        bind interfaces only = yes
        encrypt passwords = yes
        guest ok = yes
        smb passwd file = /etc/smbpasswd
        browsable = yes
        local master = yes
        os level = 65
        domain master = yes
        preferred master = yes
        null passwords = no
        hide unreadable = yes
        hide dot files = yes
        wins support = yes
        socket address = 192.168.1.1
        name resolve order = wins lmhosts hosts bcast
        dns proxy = no
#        unix charset = ISO8859-1
        public=yes
        Kernel oplocks = no
        default = global
[xulp]
        path = /mnt/xulp
        read only = no
        writable = yes
        guest ok = no
        browsable = yes
        public = no
        user = tarzan
        valid users = tarzan
[musica]
        path = /mnt/musica
        read only = no
        guest ok = yes
        browsable = yes
        public = yes
[fatty]
        path = /mnt/fatty
        read only = no
        guest ok = yes
        browsable = yes
        public = yes
[uru]
        path = /mnt/uru
        read only = no
        guest ok = yes
        browsable = yes
        public = yes
[tank]
        path = /mnt/tank
        read only = no
        guest ok = yes
        browsable = yes
        public = yes
```

```
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[xulp]"
Processing section "[musica]"
Processing section "[fatty]"
Processing section "[uru]"
Processing section "[tank]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
        workgroup = NIGEL
        server string = hektor
        interfaces = lo, eth1
        bind interfaces only = Yes
        smb passwd file = /etc/smbpasswd
        log file = /var/log/samba/log.%m
        max log size = 50
        name resolve order = wins lmhosts hosts bcast
        keepalive = 30
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        kernel oplocks = No
        default service = global
        socket address = 192.168.1.1
        guest ok = Yes
        hosts allow = 192.168.1., 127.
        hide unreadable = Yes
[xulp]
        path = /mnt/xulp
        username = tarzan
        valid users = tarzan
        read only = No
        guest ok = No
[musica]
        path = /mnt/musica
        read only = No
[fatty]
        path = /mnt/fatty
        read only = No
[uru]
        path = /mnt/uru
        read only = No
[tank]
        path = /mnt/tank
        read only = No
```

```
# smbclient -L //hektor
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
```

But from my notebook (with the same password):

```
$ smbclient -L //hektor
Password:
Domain=[HEKTOR] OS=[Unix] Server=[Samba 3.0.10]

        Sharename       Type      Comment
        ---------       ----      -------
        xulp            Disk
        musica          Disk
        fatty           Disk
        uru             Disk
        tank            Disk
        IPC$            IPC       IPC Service (hektor)
        ADMIN$          IPC       IPC Service (hektor)
Domain=[HEKTOR] OS=[Unix] Server=[Samba 3.0.10]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        NIGEL                HEKTOR
```

And still, from my Gentoo I can mount all shares with ease!... just from any windoze: no connection possible!..  :Sad: 

What is wrong with my configuration? Why can't I list my shares on the server?... Why can't I connect to the server from windows?...

----------

## dliefbroer

Check the Windows firewall; it can be a pain in the ****

When you have two firewalls on a Windows machine (one "normal", one from Windows) you won't see any warnings about connections being made and you won't get a question if you would like to allow this.

Another tip: Always try to eliminate all possible problems, so you should start by disabling ALL firewalls on your network. Then when you can connect start enabling the firewalls until you get your problem back...

----------

## fidel

Thanks for the tip! The firewall on the windows machine is not working, normally zone-alarm is on, but at all tries to connect it has been out.

Hmm!

I found out that when I look for the server by typing the IP address in win-explorer's address box, the server suddenly appears and accepts logins!...

weird!.. 

```
# cat /var/log/samba/log.nmbd
---------------------------
[2005/05/27 21:22:27, 0] nmbd/nmbd_browsesync.c:get_domain_master_name_node_status_fail(488)
  get_domain_master_name_node_status_fail:
  Doing a node status request to the domain master browser at IP 192.168.2.5 failed.
  Cannot get workgroup name.
```

What is there going on with checking any IP 192.168.2.5 ???

```
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:70:E7:76:18:F1
          inet addr:82.217.190.141  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:674390 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3001 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:42844605 (40.8 Mb)  TX bytes:454113 (443.4 Kb)
          Interrupt:12 Base address:0xa800

eth1      Link encap:Ethernet  HWaddr 00:50:48:D2:73:A2
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20631 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26943 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2767218 (2.6 Mb)  TX bytes:23436046 (22.3 Mb)
          Interrupt:10 Base address:0xa400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:102 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13062 (12.7 Kb)  TX bytes:13062 (12.7 Kb)
```

----------

## fidel

ok! The error about the nonexistent IP disappeared by stopping samba and

```
#rm -rf /var/cache/samba
```

```
#/etc/init.d/samba start
```

I now configured samba as a PDC using winbind, logins from both Gentoo and Windows work, still I can't browse the network though, neither with nautilus from Gnome, nor with the windows explorer. It only works using the IP address.

If someone knows how to make the samba server visible and browseable (yes, set in [global]!) I'd be happy to know!

Greets

fidel

----------

## fidel

Things get a lot more confusing now!..

I played around with my configuration until I could mount samba shares from my Gentoo box as well as from the Windoze. From windoze only tries with the IP address work, the Samba server pops up in the network neighbourhood, I cannot browse it though, the windoze asks for no username but a password (accepts only '\Computername\Guest' as user). 

The problem now:

I want to have my Samba server as a file server and a domain controller. File server works, unfortunately though I cannot join the domain, neither with Gentoo nor with windoze:

from my Gentoo box:

```
# net join nigel
Password:
[2005/06/02 22:03:30, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(279)
  error setting trust account password: NT_STATUS_ACCESS_DENIED
Unable to join domain NIGEL.
```

From the windoze box, when I try to join the domain, I use user "root" with the samba root's password and I get an access denied error message. In the logs I can't find any hint. I have tried all I could think of...

and keep asking myself: What am I doing wrong?....

Here my actual configs:

```
# cat /etc/samba/smb.conf
[global]
workgroup = NIGEL
netbios name = HEKTOR
server string = Hektor
passdb backend = tdbsam
printcap name = cups
load printers = no
printer admin = @admins, root
write list = @admins, root
admin users = @admins, root
log file = /var/log/samba/log.%m
max log size = 50
log level = 3
encrypt passwords = yes
socket address = 192.168.1.1
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 192.168.1.1/24 127.0.0.1
bind interfaces only = yes
remote announce = 192.168.1.255
wins support = yes
guest ok = yes
unix charset = ISO8859-1
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
passwd program = /usr/bin/passwd %u
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
null passwords = no
hide unreadable = yes
hide dot files = yes
logon script = %U.bat
logon path = \\%L\Profiles\%U
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
#idmap uid = 15000-20000
#idmap gid = 15000-20000
printing = cups

[homes]
        path = /mnt/xulp/home/%U
        comment = Home-Directories
        valid users = %S
        read only = No
        browseable = No
        guest ok = no
        inherit permissions = yes

[netlogon]
        comment = Network-Logon
        path = /var/lib/samba/netlogon
        browseable = no
        public = no
        writeable = no

[Profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        browseable = no
        writeable = yes
        default case = lower
        preserve case = no
        short preserve case = no
        case sensitive = no
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/
        write list = @smbusers @root @admins
        create mode = 0600
        directory mode = 0700

[printers]
   comment = Alle Drucker
   path = /var/spool/samba
   browseable = no
# to allow user 'guest account' to print.
   guest ok = yes
   printable = yes
   create mask = 0600

[print$]
   comment = Druckertreiber-Freigabe
   path = /var/lib/samba/drivers
   browseable = yes

#
# The Shares
#
[musica]
        path = /mnt/musica
        read only = no
        guest ok = yes
        browsable = yes
        public = yes

[fatty]
        path = /mnt/fatty
        read only = no
        guest ok = yes
        browsable = yes
        public = yes

[uru]
        path = /mnt/uru
        read only = no
        guest ok = yes
        browsable = yes
        public = yes

[tank]
        path = /mnt/tank
        read only = no
        guest ok = yes
        browsable = yes
        public = yes

[xulp]
        path = /mnt/xulp
        read only = no
        writable = yes
        guest ok = no
        browsable = yes
        public = no
        user = fita
        valid users = fita
```

```
# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[musica]"
Processing section "[fatty]"
Processing section "[uru]"
Processing section "[tank]"
Processing section "[xulp]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
        unix charset = ISO8859-1
        workgroup = NIGEL
        server string = Hektor
        interfaces = 192.168.1.1/24, 127.0.0.1
        bind interfaces only = Yes
        passdb backend = tdbsam
        passwd program = /usr/bin/passwd %u
        passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \ "*Password changed*"
        log level = 3
        log file = /var/log/samba/log.%m
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        load printers = No
        printcap name = cups
        add user script = /usr/sbin/useradd -m %u
        delete user script = /usr/sbin/userdel -r %u
        add group script = /usr/sbin/groupadd %g
        delete group script = /usr/sbin/groupdel %g
        add user to group script = /usr/sbin/usermod -G %g %u
        add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        logon drive = H:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        remote announce = 192.168.1.255
        socket address = 192.168.1.1
        admin users = @admins, root
        write list = @admins, root
        printer admin = @admins, root
        guest ok = Yes
        hide unreadable = Yes

[homes]
        comment = Home-Directories
        path = /mnt/xulp/home/%U
        valid users = %S
        read only = No
        inherit permissions = Yes
        guest ok = No
        browseable = No

[netlogon]
        comment = Network Logon
        path = /var/lib/samba/netlogon
        guest ok = No
        browseable = No

[Profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        write list = @smbusers, @root, @admins
        read only = No
        create mask = 0600
        directory mask = 0700
        case sensitive = No
        preserve case = No
        short preserve case = No
        hide files = /desktop.ini/ntuser.ini/NTUSER.*/
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0600
        printable = Yes
        browseable = No

[print$]
        comment = Printer Driver Share
        path = /var/lib/samba/drivers

[musica]
        path = /mnt/musica
        read only = No

[fatty]
        path = /mnt/fatty
        read only = No

[uru]
        path = /mnt/uru
        read only = No

[tank]
        path = /mnt/tank
        read only = No

[xulp]
        path = /mnt/xulp
        username = schlauch
        valid users = schlauch
        read only = No
        guest ok = No
```

```
# cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      compat files winbind
shadow:      compat files
group:       compat files winbind

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

```
# net groupmap list
System Operators (S-1-5-32-549) -> admins
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Users (S-1-5-21-519665242-431327600-2754619603-513) -> users
Power Users (S-1-5-32-547) -> -1
Domain Guests (S-1-5-21-519665242-431327600-2754619603-514) -> nobody
Print Operators (S-1-5-32-550) -> admins
Administrators (S-1-5-32-544) -> admins
Account Operators (S-1-5-32-548) -> -1
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1
Domain Admins (S-1-5-21-519665242-431327600-2754619603-512) -> admins
```

I created the machine accounts like this:

```
#useradd -d /dev/null -s /bin/false pcoffice$
```

And added the machine account to the samba:

```
#pdbedit -a -m -u pcoffice
```

And:

```
# cat /etc/pam.d/samba
#%PAM-1.0
# * pam_smbpass.so authenticates against the smbpasswd file
# * changed Redhat's 'pam_stack' with 'include' for *BSD compatibility
#    (Diego "Flameeyes" Petteno')

auth       required     pam_smbpass.so nodelay
account    required     pam_pwdb.so audit nodelay
session    required     pam_pwdb.so nodelay
password   required     pam_smbpass.so nodelay smbconf=/etc/samba.d/smb.conf
```

Winbind is running, I don't know anymore, if that is needed at all...  :Confused: 

Can anybody help, pleeeeaaase!??
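Both smb.conf versions posted in this thread set `guest ok = yes` in `[global]`, and the testparm dumps show how Samba folds synonyms (`public` into `guest ok`, `allow hosts` into `hosts allow`, `user` into `username`). The following is an added example, not code from the thread: a small parser that applies the same folding and `[global]` inheritance so you can see which shares end up reachable without an account. The synonym table is an assumption covering only the parameters that appear on this page.

```python
"""Audit a Samba 3 smb.conf for shares reachable as guest (added example,
not code from the thread). Folds the synonyms testparm resolves on this page
(public -> guest ok, allow hosts -> hosts allow, user -> username, writable ->
read only, browsable -> browseable) and applies [global] inheritance."""
import re

# Synonyms as resolved by testparm in the thread (assumed list, not exhaustive).
SYNONYMS = {
    "public": "guest ok",
    "allow hosts": "hosts allow",
    "browsable": "browseable",
    "user": "username",
}
# Inverted booleans: "writable = yes" is the same as "read only = no".
INVERTED = {"writable": "read only", "writeable": "read only", "write ok": "read only"}
TRUE_WORDS = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: {canonical key: value}} in file order."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank lines and comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                    # new section, e.g. [print$]
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower()
        if key in INVERTED:
            key = INVERTED[key]
            value = "no" if value.lower() in TRUE_WORDS else "yes"
        conf[section][SYNONYMS.get(key, key)] = value
    return conf


def effective(conf, share, key, default="no"):
    """Share-level value, falling back to [global] the way smbd inherits it."""
    return conf[share].get(key, conf.get("global", {}).get(key, default))


def guest_accessible_shares(conf):
    """[(share, writable)] for each share a client can open without an account."""
    found = []
    for share in conf:
        if share.lower() == "global":
            continue
        if effective(conf, share, "guest ok").lower() in TRUE_WORDS:
            read_only = effective(conf, share, "read only", "yes").lower() in TRUE_WORDS
            found.append((share, not read_only))
    return found


# Constructed sample modelled on the first smb.conf posted in the thread.
SAMPLE = """\
[global]
        allow hosts = 192.168.1. 127.
        guest ok = yes
        public=yes
[xulp]
        path = /mnt/xulp
        writable = yes
        guest ok = no
        user = tarzan
[musica]
        path = /mnt/musica
        read only = no
        public = yes
"""
```

Running `guest_accessible_shares(parse_smb_conf(SAMPLE))` reports `musica` as guest-writable while `xulp` stays account-only because its own `guest ok = no` overrides the global default.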

----------

## fidel

Ah, when I now run the following as root on the server (via ssh):

```
# smbclient -L //hektor
added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
Client started (version 3.0.14a).
resolve_lmhosts: Attempting lmhosts lookup for name hektor<0x20>
Connecting to 192.168.1.1 at port 445
Password:
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Domain=[NIGEL] OS=[Unix] Server=[Samba 3.0.14a]
dos_clean_name []

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Driver Share
        musica          Disk
        fatty           Disk
        uru             Disk
        tank            Disk
        xulp            Disk
        IPC$            IPC       IPC Service (Hektor)
        ADMIN$          IPC       IPC Service (Hektor)
        root            Disk      Home-Directories
Connecting to 192.168.1.1 at port 139
Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Domain=[NIGEL] OS=[Unix] Server=[Samba 3.0.14a]
dos_clean_name []

        Server               Comment
        ---------            -------
        HEKTOR               Hektor

        Workgroup            Master
        ---------            -------
        NIGEL                HEKTOR
```

When I run this from my Gentoo laptop:

```
$ smbclient -L //hektor
Password:
Domain=[NIGEL] OS=[Unix] Server=[Samba 3.0.14a]

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Driver Share
        musica          Disk
        fatty           Disk
        uru             Disk
        tank            Disk
        xulp            Disk
        IPC$            IPC       IPC Service (Hektor)
        ADMIN$          IPC       IPC Service (Hektor)
        fita            Disk      Home-Directories
Domain=[NIGEL] OS=[Unix] Server=[Samba 3.0.14a]

        Server               Comment
        ---------            -------
        HEKTOR               Hektor

        Workgroup            Master
        ---------            -------
        NIGEL                HEKTOR
```

-->??  :Confused:   :Confused: 

----------

## fidel

Really nobody???.. just a whatever kind of tip?... ok, I try it this way:

- What is required in order to join a samba domain with windows?..

I got the machine name added as a user, even though the windows box says the netbios name would be something like "PCOFFICE"; I cannot add a user with useradd -d /dev/null -s /bin/false -u PCOFFICE$, I get: invalid name...

Therefore I added the user with useradd -d /dev/null -s /bin/false -u pcoffice$

-> Is this a problem?.../ Wrong?..

- What do I have to pay attention to concerning users and rights they have?.. 

-> Thanks for any help!

greets

fidel

----------

## m4chine

Have you checked out this post? https://forums.gentoo.org/viewtopic.php?t=114837&highlight=samba+active+directory It has a bunch of useful tips, and multiple approaches for integrating your gentoo box on an Active Directory network.

However, I am having a problem close to yours; I can only browse shares via their IP Address, not via the netbios name set in smb.conf. I would really like to get this fixed if anyone has any suggestions.

----------

## m4chine

I found the solution so I thought I would share, and this is the weirdest problem I've seen, but hey, it does revolve around windows so nothing is too surprising.

The clock skew was too great between the client machines trying to connect to the samba share! I sync'd the time between the numerous machines and it worked.

Hope this helps someone, cheers!

----------

## arachno

*m4chine wrote:*

> I found the solution so I thought I would share, and this is the weirdest problem I've seen, but hey, it does revolve around windows so nothing is too surprising.

That is not so much a windows issue as it is a Kerberos issue. Active directory uses Kerberos for authentication, and the authentication mechanism involves sending the current time encrypted in some of the packets. If the difference between the client time and the server time gets to be too big, it is assumed someone is trying to re-play a captured authentication. (or something like that)

The default skew is 15 min in a windows domain (IIRC).

To avoid problems like these, in a windows domain all domain members automagically sync the time with the domain controllers.

Look here for some background on Kerberos

[edit] the default maximum allowed time skew between client and DC in a windows domain is 5 minutes

Last edited by arachno on Sun Jul 31, 2005 11:16 am; edited 1 time in total

----------

## beakerman

fidel ,

do you have a command in your smb.conf that says

```
client schannel = no
```

I had to add this line in my gentoo samba smb.conf

----------

