Topic: Can't access files in my ibay if logged into Windows domain

[rshiras]

I have a SME 7 server and now a new SBS2003 server to use for calendar and contact sharing (not for e-mail, SME does that).
When I look at my Microsoft Windows Network, the server "workgroup" is called PCMH, and the domain is Pcmh.local (I don't know why they appear to differ).
I have tried setting the workgroup on the SME to PCMH and also to Pcmh.local, (logging out and back in each time) but it still won't let me see the folders on the server machine.
I have searched the forums and I find hints but no answers.
I need to belong to the domain so my smartphone can synch with Exchange 2003.
What else can I tell you... 
I know this is not a Windows forum, but I really need the SME server to just act as a web and e-mail server, and act as a machine on my domain at the same time.

[zatnikatel]

can you get to the SME server this \\ipaddress\share name
like this say \\192.168.1.20\share name if that does work could be a problem with DNS
the other problem is the setting in SMB.CONF is the os level = 65 so the windows server and the SME server are trying to both to be master browsers you have to reduce the os level = 65 on SME to say os level = 30 so it wont be the master browser any more you need to use the template system in SME to change that then you should be able to see the SME server in the work group domain
or the DB command i myself have never done this so if one of the dev's see this post they could give you the command
you could put something up in the bug report the dev's read that more just ask how to change os level = 65 in sme.conf
http://bugs.contribs.org/

[mercyh]

Here is the DB command

config setprop smb OsLevel xxx
signal-event workgroup-update


as per CharlieBrady from here:
http://forums.contribs.org/index.php?topic=35724.msg157146#msg157146

[zatnikatel]

cool i will remember that as i don't do much with windows server i hate AD i work with Linux 99% of the time
it will also help rshiras
thanks again mercyh

[rshiras]

I have tried
config setprop smb OsLevel 30
signal-event workgroup-update

I still get a dialog prompting me for my sme username and password when I try to browse to iBays or user directories.  No username and password work.  My Windows username and password match those of my sme username and password, ditto the windows domain username and password.
I tried 030 instead of 30 as per the config setprop smb OsLevel xxx syntax given, but I still get the same result.

Perhaps this is a DNS issue as zatnktel suggests.  Please elaborate on this a bit...where would I look for a DNS problem, on the SME or the SBS or on the workstation?
Thanks

[zatnikatel]

files thing i would try is to try and get the the sme server via it IP Address in windows click start run then type \\sme ip address\share name
it would be more to do the the SBS as you are useing a something.local doamin it would say that DNS was not setup
try and get the the SME server via the ipaddres if that works it would be a DNS problem
also can you see the SME server in the workgroup on the windows server computer try that as well are you workstation vista or xp
can you ping the sme server via its ipaddress form the windows command prompt

[rshiras]

All good suggestons here are results -- same results from SBS and from workstation.
SBS is at 192.168.2.1
SME is at 192.168.2.2
SBS and SME each have their own external IP addresses.
Start->Run
\\192.168.2.2\our-directory\
Access is Denied.
start \\192.168.2.2\our-directory\
I get the login prompt from SME
So using the IP address gets the same result as using the SME server name:
\\MyServer\our-directory\
Access is Denied.
start \\MyServer\our-directory\
I get the login prompt from SME
So perhaps this is not a DNS problem after all.

[zatnikatel]

if you don't log in to the domain can you see the server on the network and lo on to it if you can then it looks like AD could be the problem i will have to check up on it but you may need to change some stuff on samba to make it play on a SBS server domain with AD active directory there can be odd problem with active directory and samba
but find out if you can see and login to sme if you logon local to a workstation and not the domain and get in to SME

[rshiras]

Yes I can log on no problem if I am logged into the workstation and not the domain.
Thanks

[zatnikatel]

this is what you have to do i Hate AD
here is the link to the whole page the part i put in is the quick and dirty fpr win2k3 server and SBS server
http://www.wlug.org.nz/ActiveDirectorySamba
i know this is a bit of work but to get samba working on AD this is what needs to be done
if some one else here has a faster way or a DEV know a faster way that would help
also remember with SME you have bto use the template system or the DB commands
------------------------------------------------------------------------------------------------------------------------

These are the absolute bare minimum steps to get your Samba server integrated as a member server in an AD controlled domain with Win2k3 as the DC.

1. ENSURE your samba box has an A record and associated PTR in DNS.

2. On your DC, disable signing: Run Domain Controller Policy tool and edit Account Policies -> Security Options -> Microsoft network client: Digitally sign communications (always) Set this to Disabled. Do the same in the Domain Policy tool. Note, you will need to reboot the server for this step, though it won't tell you to. Disable on your samba server as well with the following in smb.conf

Note (PvtJoker?): In my experience that wasn't needed, this tutorial concentrates on windows 2003, and works without disabling these options.

        client signing = no
        client use spnego = no

3. On your samba server, install kerberos5, and edit /etc/krb5.conf. It should contain:

[libdefaults]
        default_realm = YOUR.ADS.DOMAIN
        dns_lookup_kdc = false
        dns_lookup_realm = false

[domain_realm]
        .your.domain.name=YOUR.ADS.DOMAIN
        your.domain.name=YOUR.ADS.DOMAIN

[realms]
YOUR.ADS.DOMAIN = {
        default_domain = your.domain.name
        kdc = IP.OF.THE.DC
}

4. Ensure smb.conf contains

        realm = YOUR.ADS.DOMAIN
        workgroup = YOUR
        security = ADS

5. Get a ticket using kerberos: kinit administrator (enter the administrator password when prompted). The klist command should then list a ticket.

6. Join the domain using 'net ads join'. This should use the credentials in your kerberos ticket.

7. Set up winbind - ensure the following is in smb.conf

        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum groups = yes
        winbind enum users = yes

8. store your winbind credentials with wbinfo --set-auth-user=DOMAIN\\administrator%password

NOTE: This step may fail with one or more of the following errors:

        could not obtain winbind separator!
        could not obtain winbind domain name!

Should you receive either or both errors, it is because winbind is not currently running continue with the remaining steps and return to this step after winbind has been started.

9. modify /etc/pam.d/samba (on woody) or the appropriate pam file to add "sufficient" for auth and account using pam_winbind.so. These need to go BEFORE the pam_unix.so calls for samba. My /etc/pam.d/samba is as follows:

auth            sufficient      pam_winbind.so
auth            required        pam_unix.so nullok
account         sufficient      pam_winbind.so
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so

10. Modify /etc/nsswitch.conf with the following:

passwd:         winbind compat
group:          winbind compat
shadow:         winbind compat

11. Restart samba and winbind.

12. All should work. Browse your server and see...
Samba and software deployment

Software deployment is a useful feature of a domain controller, as it allows to distribute software to many clients - and thus, the administrator doesn't have to walk from one workstation to another (10, 20, ... 100 machines...) to install the same piece of software (and uninstall it or upgrade a couple of days later).

One common misconception when comparing Samba to Active Directory, is that with Samba you can't deploy software to your Windows workstations. Another misconception, this time about Active Directory, is that with AD you can deploy software to your workstations. So, what's this all about?

Active Directory can only deploy packages in MSI format. This isn't very widely used; mostly software is available in EXE format.

With Samba, as in whole *NIX philosophy, one tool does the job, but does it well.

To distribute software with Samba, one can use WPKG - with this tool, you just configure the software which should be installed / upgraded / uninstalled on a given machine or a group of machines - and next time these Windows workstations are booted, the software you specified is installed / upgraded / uninstalled automatically.
Footnotes

   1. %Systemroot% is a variable set by Windows NT and onward to mean "the location where Windows is installed", ie c:\winnt, c:\windows, etc.

[rshiras]

Thanks, this is all very useful information.  Now I need to know how to do this on my SMC 7.3 server.
Which templates to modify
Which services to restart afterwards
What to put in for the following:

My SMC domain is abcd.net but my server domain is PCCH.local
There is no workgroup name but the full computer name under properties on the SBS box is pcchserv.pcch.local
My external IP addrss is 216.231.xx.xx but my internal IP is 192.168.2.2 for the SMC and 192.186.1.1 for the SBS
Will you please help me to fill in the blanks?  I know if I get just one of these wrong, it will not work.
I have placed gusses in parentheses, will you please correct them for me?

[libdefaults]
default_realm = YOUR.ADS.DOMAIN  (pcchserv.pcch.local)?
.your.domain.name=YOUR.ADS.DOMAIN (pcchserv.pcch.local)?


[realms]
YOUR.ADS.DOMAIN = { (pcchserv.pcch.local)?
        default_domain = your.domain.name (pcch.local)?
        kdc = IP.OF.THE.DC (192.168.2.1)?
}

4. Ensure smb.conf contains

        realm = YOUR.ADS.DOMAIN (pcchserv.pcch.local)?
        workgroup = YOUR (pcchserv)?
        security = ADS (pcch)?

[zatnikatel]

that looks ok but i have not down a lot with AD one thing you don't need is the server name just pcch.local

were did you get that information from samba's web site

look at this site will help as well
http://lists.freebsd.org/pipermail/freebsd-ports/2004-May/012370.html

also your workgroup is the same name as the domain but take of the .local from the end

have a read in the wiki how to make custom templates to much to type here

[otis]

I am having a fairly similar problem... except I don't have any other servers to worry about. I can access the primary ibay when logged in to the domain, but can't make any changes to it from any user that I have tried. The personal file stores work fine.

The SME Server is working in Server Only mode, it is my PDC and all I have done is add the relevant ntlogon line to set up the Primary iBay as the S: drive because it didn't show up before (I didn't test write before, just read, so I don't know if this has made a difference). I get the same problem when I try \\ipaddress\primary or \\servername\primary - it will read but not write.

Does anyone know where I'm going wrong?

[rshiras]

I need more information on how to set up the templates to accomplish what zatnktel suggests above.

Otis, your situation is not related to this thread, but have you tried this:
Open a shell with rights to make changes to permissions.
Navigate to the folder you can't write to.
# chmod -R g+w *
Make sure you are logged into the workstation with the exact same username and password as assigned on the server.
If you have any other questions about this please find another thread to make your post.

This thread is regarding allowing permission to access files on the  e-smith server when a Windows server is the domain controller.
If anyone else has anything to contribute here, I'm sure there are many who will thank you for your post.