Koozali.org: home of the SME Server

How to get a second sme server to accept sme domain controller's passwords?

Offline joshAU

Hello.
I posted about this issue a while ago:

http://forums.contribs.org/index.php?topic=40205.msg185467#msg185467

Geez, February 25, that was a while ago, without much luck.
Despite the help of RayMitchell and girkers, I still haven't found a solution (although I haven't had much time to research it).

And yes, I have searched the forums, the web, etc.
If I missed a relevant page, I apologise.

My problem:
I have 2x sme 7.3 servers, both in the same domain, one in server-gateway mode as domain controller, the other in server only mode as a file server.
When a client tries to access network shares on the second sme server, they have to input the admin password to access these files.

Therefore, links to programs/files on the file server will fail unless the client first clicks on the mapped network share and enters the domain admin password, i.e. \\SME1\admin.

I have identical admin passwords on both sme servers.
I tried to duplicate the list of users on both sme boxes (hardly domain control, I know), but if I do this I then get an access denied error when I try to access shares, unless I use the admin password.

I thought that as a domain controller, it should authenticate any valid client and allow them access.

Both SME servers are standard installations; the only changes I have made have been to the squid cache, the smb.conf changes noted below, and minor changes via the web interface. I haven't even installed any updates... (I know I should have).
I have added a second drive to the second SME, which contains the shares I wish to access. I thought that maybe the way I installed the 2nd hard disk was causing some permissions issue, but as I cannot access any shares on either drive of SME2 without putting in my password, I don't think that's the issue.

What I have done
I have modified the smb.conf files on both servers, as follows.

SME1(dc)
domain logons = yes
domain master = yes
encrypt passwords = yes
security = domain
workgroup = (name of domain)
wins support = yes

SME2
domain logons = yes
domain master = no
encrypt passwords = yes
security = domain
workgroup = (name of domain)
wins support = yes
password server = name of domain controller

For the actual ibay, the smb.conf on SME2 has the following:
path = correct path
readonly = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660

Even if I try to access the SME file server using Start > Run and then put in \\fileservername, I get prompted for a password, and the only one it accepts is the admin password.

I guess I could put the login details in the netlogon.bat file to map the share and authenticate, but that would require the password to be in the bat file in clear text, which I'd prefer not to do with an admin password.

Anyone have any luck getting a second sme to accept authentication via the sme domain controller?... and if so, how.

I know I could just put the files on SME1, but I don't like having all my eggs in one basket.
And as for using a cleartext admin password in a netlogon.bat... I like that even less... :)

Any help greatly appreciated.
josh
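The two [global] sections posted above mix PDC settings and member-server settings on both boxes. The script below is an added example for this thread, not SME Server or Samba code: it parses an smb.conf the way Samba reads option names (case- and whitespace-insensitive), lints the PDC and the member server against the Samba 3 role requirements, and prints a member [global] that passes the checks. The sample configs are constructed from the posted settings; the domain name EXAMPLEDOM, the server name SME1, the address 192.0.2.1 and the idmap ranges are placeholders, and `idmap uid`/`idmap gid` are the Samba 3.0 winbind options that must exist before `wbinfo -u` or `getent passwd` can map domain users onto local UIDs.

```python
"""Lint a Samba 3 smb.conf for the PDC / domain-member split in this thread.

Added example, not SME Server or Samba code.  The two sample configs are
constructed from the [global] settings posted for SME1 and SME2 (domain,
server name and share path are placeholders).  Option names are standard
Samba 3.0 names; the `idmap uid`/`idmap gid` ranges are what winbind needs
before `wbinfo -u` or `getent passwd` can map domain users onto local UIDs.
"""
import configparser
from typing import Dict, List

YES = ("yes", "true", "1")

SME1_CONF = """
[global]
workgroup = EXAMPLEDOM
domain logons = yes
domain master = yes
encrypt passwords = yes
security = domain
wins support = yes
"""

SME2_CONF = """
[global]
workgroup = EXAMPLEDOM
domain logons = yes
domain master = no
encrypt passwords = yes
security = domain
wins support = yes
password server = SME1

[data]
comment = main file share
path = /home/e-smith/files/ibays/data/files
read only = no
writable = yes
create mode = 0660
"""

Conf = Dict[str, Dict[str, str]]


def parse_smb_conf(text: str) -> Conf:
    """{section: {option: value}}; Samba ignores case and whitespace in
    option names ("read only" == "readonly"), so keys are normalised."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return {s: {"".join(k.lower().split()): v.strip() for k, v in cp.items(s)}
            for s in cp.sections()}


def _yes(g: Dict[str, str], key: str, default: str = "no") -> bool:
    return g.get(key, default).lower() in YES


def lint_pdc(conf: Conf) -> List[str]:
    """Findings for the server meant to be the PDC (SME1)."""
    g, out = conf.get("global", {}), []
    if g.get("security", "user").lower() != "user":
        out.append("pdc: security must be 'user'; security = domain tells smbd to "
                   "validate logons via another DC rather than its own passdb")
    if not _yes(g, "domainlogons"):
        out.append("pdc: domain logons = yes is required to serve workstation logons")
    if not _yes(g, "domainmaster", "auto"):
        out.append("pdc: domain master = yes is required on the PDC")
    return out


def lint_member(conf: Conf) -> List[str]:
    """Findings for the server that should trust the PDC for passwords (SME2)."""
    g, out = conf.get("global", {}), []
    if g.get("security", "user").lower() != "domain":
        out.append("member: security = domain is required to pass logons to the DC")
    if _yes(g, "domainlogons"):
        out.append("member: domain logons = yes makes this a logon server too; set no")
    if _yes(g, "domainmaster", "auto"):
        out.append("member: domain master = yes claims the PDC role; set no")
    if not g.get("passwordserver"):
        out.append("member: password server is unset; name the DC (or '*')")
    if _yes(g, "winssupport"):
        out.append("member: wins support = yes gives the network a second WINS "
                   "server; use 'wins server = <DC address>' instead")
    if not (g.get("idmapuid") and g.get("idmapgid")):
        out.append("member: no idmap uid/gid ranges, so winbind cannot map domain "
                   "users to UIDs and 'wbinfo -u' / 'getent passwd' return nothing")
    return out


def fixed_member_global(workgroup: str, dc_name: str, dc_ip: str) -> str:
    """A member [global] that passes lint_member (idmap ranges are assumed)."""
    return "\n".join([
        "[global]", f"workgroup = {workgroup}", "security = domain",
        f"password server = {dc_name}", "domain logons = no",
        "domain master = no", "wins support = no", f"wins server = {dc_ip}",
        "encrypt passwords = yes", "winbind use default domain = yes",
        "idmap uid = 10000-20000", "idmap gid = 10000-20000", ""])


if __name__ == "__main__":
    for name, conf, lint in (("SME1", SME1_CONF, lint_pdc),
                             ("SME2", SME2_CONF, lint_member)):
        for finding in lint(parse_smb_conf(conf)) or [f"{name}: ok"]:
            print(finding)
    print(fixed_member_global("EXAMPLEDOM", "SME1", "192.0.2.1"))
```

On SME Server the output [global] would go into a templates-custom fragment rather than straight into /etc/samba/smb.conf, and the member still needs winbindd running, `net rpc join` done, and winbind added to /etc/nsswitch.conf before domain users resolve.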


Offline zatnikatel

A quick way you can try is to create a custom template and add or change this in smb.conf; I should say, add this line:
password server = <NT-Server-Name> (or the other SME server). I have never tried this myself with two Samba servers before; it works fine with a Win2k server, but this is something fast you could try. It is a cool thing in Samba: when a user logs in, Samba gets the passwords from another server.


Offline cactus

Quote
A quick way you can try is to create a custom template and add or change this in smb.conf; I should say, add this line:
password server = <NT-Server-Name> (or the other SME server). I have never tried this myself with two Samba servers before; it works fine with a Win2k server, but this is something fast you could try. It is a cool thing in Samba: when a user logs in, Samba gets the passwords from another server.


My guess is you will have to do a lot more, like configuring PAM for all necessary services to use winbind.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline joshAU

Thanks for your input zatnikatel and cactus.

Re; Password server = ....
I already have this line in the smb.conf on the second server:
password server = name of domain controller,
where the name is obviously the name of the SME domain controller, however it hasn't helped.

And yes, I didn't directly edit smb.conf; I created a custom template in the templates-custom directory, stopped Samba, expanded the template, restarted Samba and checked that /etc/samba/smb.conf reflected the changes correctly.

So, I think you are correct about having to do more, cactus.
Just wish there was 48 hours in the day so I had enough time to learn more about it.

Just reading up on winbind and PAM here:
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html

using that page.....
I can join the domain correctly by using the following command:
net rpc join -S PDC -U admin
(it returned "successfully joined domainname")

however if I try to get a list of domain users with
wbinfo -u

It returns "Error looking up domain users"

Guess I'll have to do some more reading.....

If anyone has any further info it would be greatly appreciated.

josh

Offline jester

Hi JoshAU,

I think work is being done in that direction (samba+ldap and smeserver-adv-samba packages),
but until then take a look at Bug 1355. There is a link to a howto that might do what you want.

HTH.

Offline janet

joshAU

I have the same setup, and access to shares on the second sme server works OK.

Your Windows workstation users must be members of the sme server (DC) domain, and must be logged on to Windows using a password (ie network login).

On the second sme server you must duplicate users and passwords, and groups, and group membership, and ibay ownership. Make sure both servers are in the same workgroup name.

eg if you have a group called workers on the main domain controller sme server, and you have ibays owned by that group, you would have added the users who need to access those ibays to the workers group.

You also need to add a workers group to the second sme server, and users to that group, and give ownership of ibays to the same workers group.

Undo any special changes you have made to smb.conf
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline joshAU

Thanks for the input people, I appreciate it.

Jester - wow... a link that has a how-to... that's just what I'm after... excellent.
I think the main things I don't already have in my smb.conf are the "Guest ok = yes" and the preferred master.
I also haven't created a wins server entry. I can however join the domain using "smbpasswd -j .....".
I guess my other changes to smb.conf may be causing issues; I'll reset the smb.conf to default and try
to set it up as in the how-to, if it doesn't work using Mary's method.

Mary - I'm pretty sure I tried it with the smb.conf with defaults originally without success,
however, as I'll have to reset the smb.conf to try jester's links method, I'll try it again.
The workstations all log into the domain OK, and are logged in with a domain password.
When I last tried it (again I think with a default smb.conf), if I duplicated the user accounts, passwords, groups and ibay ownership, I got an access denied message if I tried to log in with any account other than the admin account. Yes, they are both in the same workgroup.
However, I will retry it as you seem to have it working, and my memory re the smb.conf details when I first tried it has faded somewhat over the last 6 months...:)

If that fails, then I'll try jester's link, as it seems to be quite straight-forward.

Thanks again for both of your input.
JoshAU


Offline janet

joshAU

Give us an actual setting for the ibay ownership, from server manager panel.

Offline uniqsys

I am in the planning stage of setting up a similar network, i.e. SME1 as Gateway server and SME2 as Server only file server.  However, I was going to make the PDC the SME2 server.  I haven't done it yet but I was wondering what effect it might have on this authentication issue? Must the gateway server always be the PDC too?  I would think not, but I'm not sure. 
...

Offline joshAU

Hello, and sorry for the delayed reply.

I have deleted both smb.conf files on both servers from the templates-custom folder and restarted smb. I have opened both /etc/samba/smb.confs and confirmed they are back to defaults. The situation is the same - can only access it with the admin password, domain accounts are still not working.

Mary - the issue is with any Ibay on the second server, including the default primary.
The Ibay I want domain access to has (had) the following smb.conf details:

comment = main file share
path = /home/e-smith/files/ibays/data/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660

This ibay is on a secondary hard disk, and doesn't appear from within the server manager.
I installed it using the procedure outlined in:

http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs//mblotwijk/HowToGuides/AddExtraHardDisk.htm

However I don't think that the ibay permissions specific to this ibay are affecting this, as I cannot access any ibay, or log on full stop, without an admin password.

Another question Mary: on your second server, does your smb.conf specify "domain logins = no" and "security = user", which I believe are default? If so, how can your member server accept a domain password with the default configuration, or have you duplicated usernames/passwords on both servers? That's got me confused.

I'll try the ideas in Jester's link (unless someone has another idea) and report back in a few days.

Thanks again for your input
joshAU
« Last Edit: August 12, 2008, 07:04:10 AM by joshAU »

Offline janet

joshAU

Quote
the issue is with any Ibay on the second server, including the default primary.

The primary ibay is normally only accessible by admin


Quote
I don't think that the ibay permissions specific to this ibay are affecting this, as I cannot access any ibay, or log on full stop, without an admin password.

Please give us an actual setting for ownership re at least one of the problematic ibays, from server manager ibays panel.
Is that hard to do ?

If group ownership is not set correctly for any of the ibays, then of course you may only be able to access the ibay as admin.


Offline joshAU

Wow, that was fast Mary, thanks

Re: The primary ibay is normally only accessible by admin
Yes, I was aware of that.

Re: Please give us an actual setting for ownership re at least one of the problematic ibays, from server manager ibays panel.
Is that hard to do ?

No, it just doesn't seem relevant; if there were no ibays I should still be able to log into the 2nd SME server.
Correct me if I'm wrong. Here is the server manager panel info from the second sme, just in case.

Correction to my previous post - yes, it (the ibay) is in the server panel; the security settings for this are:

group = main group(main)
user access = write group read group
public access = no access

The group is duplicated on both sme servers, however the users are not.
the admin is a member of this group on both servers.
a test user - eg "counter", is only on the domain controller.

If I log in with counter, I can only access shares on the DC, I cannot log on to the second sme at all, let alone ibay authentication.

I just cannot see how you can have a user from one sme server accessing shares on the second sme in the default configuration. How does the 2nd sme server authenticate the user if it has no info in smb.conf re: domain controller, domain login rights, password server, etc?

The only way I can see it working is if you have done one of the following:

You are using a net use command in your netlogon.bat file to map a drive using a user that exists on the second SME (and I don't like cleartext passwords on systems),

or
you are duplicating all users and groups on both servers.
(Which I guess means no real domain authentication, just like a workgroup)

Neither way is very appealing.

I hope I have this wrong.

Thanks again for your input.
JoshAU

« Last Edit: August 12, 2008, 08:29:53 AM by joshAU »
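The netlogon.bat alternative raised in this post does not have to carry a password at all. The script below is an added example, not from the thread: `net use` without `/user:` and without a password makes the workstation present the credentials of the already logged-on domain user, so nothing secret is stored in the logon script. The caveat is the one this whole thread is about: the mapping only succeeds once the second server actually validates those domain credentials (security = domain with winbind, or a matching local account and password), otherwise the client is prompted exactly as described above. Server name SME2 and share name data are placeholders.

```batch
@echo off
rem Added example, not part of the original post. Maps the ibay share with the
rem workstation's existing domain logon; no username or password is embedded.
rem Assumes the member server SME2 validates domain logons; the share name
rem "data" and drive letter F: are placeholders.
net use F: /delete /yes >nul 2>&1
net use F: \\SME2\data /persistent:no
if errorlevel 1 (
    echo Could not map \\SME2\data as %USERDOMAIN%\%USERNAME%
    echo Check that SME2 accepts domain logons before falling back to stored credentials.
)
```

If this mapping still prompts for a password, the fix belongs on the server side (the member server's authentication path), not in the logon script; putting an admin password in netlogon.bat only hides the misconfiguration and exposes the credential to every workstation that runs the script.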

Offline janet

joshAU

Quote
Re: The primary ibay is normally only accessible by admin
I was aware of that.

So if you are aware of that, what is the issue then ? Why are you complaining that a user cannot access it when you know only the admin user can access it ?


Quote
group = main group(main)
user access = write group read group
public access = no access


That looks OK.

Quote
The group is duplicated on both sme servers, however the users are not.

I'm sure you were told earlier to duplicate the users also (on the second server), and to make them members of the same groups.


Quote
If I log in with counter, I can only access shares on the DC, I cannot log on to the second sme at all, let alone ibay authentication.

Well that would be right. The second sme server has no knowledge of that user. Windows login authentication (as the user counter) is passed to the server. If the server has no knowledge of that user then the credentials cannot be verified and therefore you will not be able to access shares.

To quote all of my first post to you again, which you seem to have not fully read.

"I have the same setup, and access to shares on the second sme server works OK.

Your Windows workstation users must be members of the sme server (DC) domain, and must be logged on to Windows using a password (ie network login).

On the second sme server you must duplicate users and passwords, and groups, and group membership, and ibay ownership. Make sure both servers are in the same workgroup name.

eg if you have a group called workers on the main domain controller sme server, and you have ibays owned by that group, you would have added the users who need to access those ibays to the workers group.

You also need to add a workers group to the second sme server, and users to that group, and give ownership of ibays to the same workers group.

Undo any special changes you have made to smb.conf "

Offline joshAU

Thanks again Mary.

Sorry Mary, I mustn't have read/remembered the full contents of your post - you're right.

So you are not using domain authentication, just standard workgroup authentication.
I was wanting domain authentication.

Its hardly a domain controller if you have to duplicate users, groups, group membership, passwords, ibay ownership, etc. What a nightmare.

RE: So if you are aware of that, what is the issue then ? Why are you complaining that a user cannot access it when you know only the admin user can access it ?

What I was saying that it was irrelevant what ibay we talked about, it is the login to the server, not the Ibay, that is the problem.

I guess I'm off to try the link in the link Jester provided, sigh.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/HowToGuides/SME_DomainClientHowto.htm

Thank you for your help once again, I do appreciate it.


Offline janet

joshAU

Quote
I guess I'm off to try the link in the link Jester provided, sigh.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/HowToGuides/SME_DomainClientHowto.htm

Do let us know if that Howto works (or not), and what you may have needed to do to get it working.