[Gloucs] samba - XP logon problems

Guy Edwards guy_j_edwards at HotPOP.com
Wed Feb 25 22:35:08 GMT 2004


On Tue, 2004-02-24 at 22:41, Dave Addison wrote:
> I was looking through the Samba release notes today and noticed that 
> 3.02 (released last week) fixed a bug with XP client logons. I wondered 
> if it might help with the problem you were mentioning on Sunday night

I'm actually using 3.02 (debian stable with samba\testing tacked on) but
thanks for the thought. I did check the samba site for something along
the lines of "new samba 3.0.2.1 fixes bug you're having" but that would
have been far too easy. Anyway I finally fixed it today. (whay)

The problem (if anyone's interested or gets stuck in the future and wants
some ideas) was that users on windows 2000 clients could login via the
samba domain controller fine but not from XP clients. The error was
along the lines of "the domain controller could not be contacted"
despite the fact that the same machine had joined the domain fine
earlier and could be seen communicating with the domain controller when
you ran a packet sniffer during the logon. The xp machine could also
login as a local user and then browse a share on the domain controller
after giving the right username/password for the share.

Just to dispel any passing thought anyone might have that I know what
I'm doing, here's how I fixed it with a bit of luck, some complete
fumbling and lots of googling.

I'd already made the "signorseal" registry change that you have to do to
XP clients but it still wasn't working.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
RequiresSignOrSeal - set it to zero

With a bit of googling I found I had a few possible problems:

* firstly the windows groups weren't mapped to the unix groups. You see
an error in /var/log/samba/log.clientcomputername like
"get_domain_user_groups: primary gid of user
[yourusernameyoutriedtologinas] is not a Domain group !"
"get_domain_user_groups: You should fix it, NT doesn't like that"

so I mapped Windows "Domain Users" to Linux "users" with something like 
$> net groupmap modify ntgroup="Domain Users" unixgroup=users

* then I used the windows group policy editor to set some value along
the lines of "don't check for logon directory ownership" or something
similar.

* then I deleted certain tdb files from /var/lib/samba that a page I
found when googling had said would recreate themselves when deleted, and
could be the cause of similar errors to mine. (Don't delete them all)

I had started making dns entries for various active directory name
queries but that was completely the wrong problem.

There might have been other things too but that's all I remember right
now. After all that it logged on fine but gave a message that it
couldn't find the profile. That one was fairly easy to fix. When trying
to fix the previous problem, I'd made the smb.conf quite small to help
troubleshoot and had accidentally deleted the logon path statement which
tells windows where the profile is:

logon path = \\%L\profiles\%U

where %L is the server's netbios name and %U the user's unix name.

Anyway, all fixed now. If anyone is doing samba and thinking of a good
book to buy, The O'Reilly "Using Samba" is really cool. I've got the
2000 1st edition which doesn't feature xp/samba 3 but it's got lots of
stuff on how to benchmark the system and tune it and good explanations
for different scenarios. 2d edition came out in 2003 and covers XP but
not samba3
http://www.oreilly.com/catalog/samba2/

hope it helps someone
Guy

-- 
Guy Edwards <guy_j_edwards at HotPOP.com>
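
An added example, not part of the original post: a shell script that scans the per-client logs under /var/log/samba for the "is not a Domain group" error quoted above and lists each affected user with their Unix primary group, so the group can be compared against the output of `net groupmap list`. The function names, the sample usernames and the log header lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list the users that trigger
# the "is not a Domain group" error in Samba's per-client logs.

# Constructed sample log. The two message texts come from the post; the
# header lines and the usernames are made up for illustration.
sample_log() {
cat <<'EOF'
[2004/02/25 21:10:03, 0] constructed-header-line
  get_domain_user_groups: primary gid of user [alice] is not a Domain group !
[2004/02/25 21:10:03, 0] constructed-header-line
  get_domain_user_groups: You should fix it, NT doesn't like that
[2004/02/25 21:12:40, 0] constructed-header-line
  get_domain_user_groups: primary gid of user [bob smith] is not a Domain group !
[2004/02/25 21:15:19, 0] constructed-header-line
  get_domain_user_groups: primary gid of user [alice] is not a Domain group !
EOF
}

# unmapped_users: read log text on stdin, print "user<TAB>count" per user.
# The name is taken from between the brackets, so names with spaces survive.
unmapped_users() {
    awk '
      /get_domain_user_groups: primary gid of user \[/ {
          s = $0
          sub(/.*primary gid of user \[/, "", s)
          sub(/\] is not a Domain group.*/, "", s)
          count[s]++
      }
      END { for (u in count) printf "%s\t%d\n", u, count[u] }
    ' | sort
}

# report_dir DIR: scan every log.* file in DIR and append each user's Unix
# primary group (the group that needs an entry in "net groupmap list").
report_dir() {
    cat "$1"/log.* 2>/dev/null | unmapped_users |
    while IFS="$(printf '\t')" read -r user n; do
        grp=$(id -gn "$user" 2>/dev/null || echo "unknown")
        printf '%s\t%s\t%s\n' "$user" "$n" "$grp"
    done
}

# Usage: sh thisscript.sh /var/log/samba
if [ -d "${1:-}" ]; then report_dir "$1"; fi
```
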