Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: joshAU on August 04, 2008, 08:08:26 AM
-
Hello.
I posted about this issue a while ago:
http://forums.contribs.org/index.php?topic=40205.msg185467#msg185467
Geez, February 25, that was a while ago, without much luck.
Despite the help of RayMitchell and girkers, I still haven't found a solution (although I haven't had much time to research it).
And yes, I have searched the forums, the web, etc.
If I missed a relevant page, I apologise.
My problem:
I have 2x sme 7.3 servers, both in the same domain, one in server-gateway mode as domain controller, the other in server only mode as a file server.
When a client tries to access network shares on the second sme server, they have to input the admin password to access these files.
Therefore, links to programs/files on the file server will fail unless the client first clicks on the mapped network share and enters the domain admin password, i.e. \\SME1\admin.
I have identical admin passwords on both sme servers.
I tried to duplicate the list of users on both sme boxes (hardly domain control, I know), but if I do this I then get an access denied error when I try to access shares, unless I use the admin password.
I thought that as a domain controller, it should authenticate any valid client and allow them access.
Both SME servers are standard installations; the only changes I have made have been to the squid cache, the smb.conf changes noted below, and minor changes via the web interface. I haven't even installed any updates... (I know I should have).
The second SME I have added a second drive to, which contains the shares I wish to access. I thought that maybe the way I installed the 2nd hard disk was causing some permissions issue, but as I cannot access any shares on either drive of SME2 without putting in my password, I don't think that's the issue.
What I have done
I have modified the smb.conf files on both servers, as follows.
SME1(dc)
domain logons = yes
domain master = yes
encrypt passwords = yes
security = domain
workgroup = (name of domain)
wins support = yes
SME2
domain logons = yes
domain master = no
encrypt passwords = yes
security = domain
workgroup = (name of domain)
wins support = yes
password server = name of domain controller
For the actual ibay, the smb.conf on SME2 has the following:
path = correct path
readonly = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660
Even if I try to access the SME file server using Start > Run and then put in \\fileservername, I get prompted for a password, and the only one it accepts is the admin password.
I guess I could put the login details in the netlogon.bat file to map the share and authenticate, but that would require the password to be in the bat file in clear text, which I'd prefer not to do with an admin password.
Anyone have any luck getting a second SME to accept authentication via the SME domain controller? And if so, how?
I know I could just put the files on SME1, but I don't like having all my eggs in one basket.
And as for using a cleartext admin password in a netlogon.bat... I like that even less... :)
Any help greatly appreciated.
josh
-
A quick way you can try is to create a custom template and add or change this in the smb.conf; I should say, add this line:
password server = <NT-Server-Name> or the other SME server. I have never tried this myself with 2 Samba servers before; it works fine with a win2k server, but this is something fast you could try. It is a cool thing in Samba: when a user logs in, Samba gets the passwords from another server.
-
A quick way you can try is to create a custom template and add or change this in the smb.conf; I should say, add this line:
password server = <NT-Server-Name> or the other SME server. I have never tried this myself with 2 Samba servers before; it works fine with a win2k server, but this is something fast you could try. It is a cool thing in Samba: when a user logs in, Samba gets the passwords from another server.
My guess is you will have to do a lot more, like configuring PAM for all necessary services to use winbind.
-
Thanks for your input, zatnktel and cactus.
Re: password server = ...
I already have this line in the smb.conf on the second server:
password server = name of domain controller,
where the name is obviously the name of the SME domain controller, however it hasn't helped.
And yes, I didn't directly edit smb.conf; I created a custom template in the templates-custom directory, stopped Samba, expanded the template, restarted Samba and checked that /etc/samba/smb.conf reflected the changes correctly.
So, I think you are correct about having to do more, cactus.
Just wish there was 48 hours in the day so I had enough time to learn more about it.
Just reading up on winbind and PAM here...
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
Using that page...
I can join the domain correctly by using the following command:
net rpc join -S PDC -U admin
(it returned "successfully joined domainname")
However, if I try to get a list of domain users with
wbinfo -u
it returns "Error looking up domain users".
Guess I'll have to do some more reading...
If anyone has any further info it would be greatly appreciated.
josh
-
Hi JoshAU,
I think work is being done in that direction (samba+ldap and smeserver-adv-samba packages),
but until then take a look at Bug 1355 (http://bugs.contribs.org/show_bug.cgi?id=1355). There is a link to a howto that might do what you want.
HTH.
-
joshAU
I have the same setup, and access to shares on the second sme server works OK.
Your Windows workstation users must be members of the sme server (DC) domain, and must be logged on to Windows using a password (ie network login).
On the second sme server you must duplicate users and passwords, and groups, and group membership, and ibay ownership. Make sure both servers are in the same workgroup name.
e.g. if you have a group called workers on the main domain controller SME server, and you have ibays owned by that group, you would have added the users who need to access those ibays to the workers group.
You also need to add a workers group to the second sme server, and users to that group, and give ownership of ibays to the same workers group.
Undo any special changes you have made to smb.conf
-
Thanks for the input people, I appreciate it.
Jester - wow... a link that has a how-to... that's just what I'm after... excellent.
I think the main things I don't already have in my smb.conf are the "Guest ok = yes" and the preferred master.
I also haven't created a wins server entry. I can however join the domain using "smbpasswd -j .....".
I guess my other changes to smb.conf may be causing issues; I'll reset the smb.conf to default and try
to set it up as in the how-to, if it doesn't work using Mary's method.
Mary - I'm pretty sure I tried it with the smb.conf with defaults originally without success,
however, as I'll have to reset the smb.conf to try jester's links method, I'll try it again.
The workstations all log into the domain OK, and are logged in with a domain password.
When I last tried it (again, I think with a default smb.conf), if I duplicated the user accounts, passwords, groups and ibay ownership, I got an access denied message if I tried to log in with any account other than the admin account. Yes, they are both in the same workgroup.
However, I will retry it as you seem to have it working, and my memory re the smb.conf details when I first tried it has faded somewhat over the last 6 months... :)
If that fails, then I'll try jester's link, as it seems to be quite straight-forward.
Thanks again for both of your input.
JoshAU
-
joshAU
Give us an actual setting for the ibay ownership, from server manager panel.
-
I am in the planning stage of setting up a similar network, i.e. SME1 as Gateway server and SME2 as Server only file server. However, I was going to make the PDC the SME2 server. I haven't done it yet but I was wondering what effect it might have on this authentication issue? Must the gateway server always be the PDC too? I would think not, but I'm not sure.
-
Hello, and sorry for the delayed reply.
I have deleted both smb.conf files on both servers from the templates-custom folder and restarted smb. I have opened both /etc/samba/smb.confs and confirmed they are back to defaults. The situation is the same - can only access it with the admin password, domain accounts are still not working.
Mary - the issue is with any Ibay on the second server, including the default primary.
The Ibay I want domain access to has (had) the following smb.conf details:
comment = main file share
path = /home/e-smith/files/ibays/data/files
read only = no
writable = yes
printable = no
inherit permissions = yes
create mode = 0660
This ibay is on a secondary hard disk, and doesn't appear from within the server manager.
I installed it using the procedure outlined in:
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs//mblotwijk/HowToGuides/AddExtraHardDisk.htm
However, I don't think that the ibay permissions specific to this ibay are affecting this, as I cannot access any ibay, or log on full stop, without an admin password.
Another question Mary: on your second server, does your smb.conf specify "domain logins = no" and "security = user", which I believe are default? If so, how can your member server accept a domain password with the default configuration, or have you duplicated usernames/passwords on both servers? That's got me confused.
I'll try the ideas in Jester's link (unless someone has another idea) and report back in a few days.
Thanks again for your input
joshAU
-
joshAU
the issue is with any Ibay on the second server, including the default primary.
The primary ibay is normally only accessible by admin
I don't think that the ibay permissions specific to this ibay are affecting this, as I cannot access any ibay, or log on full stop, without an admin password.
Please give us an actual setting for ownership re at least one of the problematic ibays, from the server manager ibays panel.
Is that hard to do?
If group ownership is not set correctly for any of the ibays, then of course you may only be able to access the ibay as admin.
-
Wow, that was fast Mary, thanks.
Re: The primary ibay is normally only accessible by admin
Yes, I was aware of that.
Re: Please give us an actual setting for ownership re at least one of the problematic ibays, from the server manager ibays panel. Is that hard to do?
No, it just doesn't seem relevant; if there were no ibays I should still be able to log into the 2nd SME server.
Correct me if I'm wrong. Here is the server manager panel info from the second SME, just in case.
Correction to my previous post - yes, it (the ibay) is in the server panel. Security settings for this are:
group = main group(main)
user access = write group read group
public access = no access
The group is duplicated on both SME servers; however, the users are not.
The admin is a member of this group on both servers.
A test user, e.g. "counter", is only on the domain controller.
If I log in with counter, I can only access shares on the DC; I cannot log on to the second SME at all, let alone ibay authentication.
I just cannot see how you can have a user from one SME server accessing shares on the second SME in the default configuration. How does the 2nd SME server authenticate the user if it has no info in smb.conf re: domain controller, domain login rights, password server, etc.?
The only way I can see it working is if you have done one of the following:
You are using a net use command in your netlogin.bat file to map a drive using a user that exists on the second SME (and I don't like cleartext passwords on systems),
or
you are duplicating all users and groups on both servers.
(Which I guess means no real domain authentication, just like a workgroup)
Neither way is very appealing.
I hope I have this wrong.
Thanks again for your input.
JoshAU
-
joshAU
Re: The primary ibay is normally only accessible by admin
I was aware of that.
So if you are aware of that, what is the issue then? Why are you complaining that a user cannot access it when you know only the admin user can access it?
group = main group(main)
user access = write group read group
public access = no access
That looks OK.
The group is duplicated on both sme servers, however the users are not.
I'm sure you were told earlier to duplicate the users also (on the second server), and to make them members of the same groups.
If I log in with counter, I can only access shares on the DC, I cannot log on to the second sme at all, let alone ibay authentication.
Well that would be right. The second sme server has no knowledge of that user. Windows login authentication (as the user counter) is passed to the server. If the server has no knowledge of that user then the credentials cannot be verified and therefore you will not be able to access shares.
To quote all of my first post to you again, which you seem to have not fully read.
"I have the same setup, and access to shares on the second sme server works OK.
Your Windows workstation users must be members of the sme server (DC) domain, and must be logged on to Windows using a password (ie network login).
On the second sme server you must duplicate users and passwords, and groups, and group membership, and ibay ownership. Make sure both servers are in the same workgroup name.
eg if you have a group called workers on the main domain controller sme server, and you have ibays owned by that group, you would have added the users who need to access those ibays to the workers group.
You also need to add a workers group to the second sme server, and users to that group, and give ownership of ibays to the same workers group.
Undo any special changes you have made to smb.conf "
-
Thanks again Mary.
Sorry Mary, I mustn't have read/remembered the full contents of your post - you're right.
So you are not using domain authentication, just standard workgroup authentication.
I was wanting domain authentication.
It's hardly a domain controller if you have to duplicate users, groups, group membership, passwords, ibay ownership, etc. What a nightmare.
Re: So if you are aware of that, what is the issue then? Why are you complaining that a user cannot access it when you know only the admin user can access it?
What I was saying was that it was irrelevant what ibay we talked about; it is the login to the server, not the ibay, that is the problem.
I guess I'm off to try the link in the link Jester provided, sigh.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/HowToGuides/SME_DomainClientHowto.htm
Thank you for your help once again, I do appreciate it.
-
joshAU
I guess I'm off to try the link in the link Jester provided, sigh.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/HowToGuides/SME_DomainClientHowto.htm
Do let us know if that Howto works (or not), and what you may have needed to do to get it working.
-
Re: So if you are aware of that, what is the issue then? Why are you complaining that a user cannot access it when you know only the admin user can access it?
What I was saying was that it was irrelevant what ibay we talked about; it is the login to the server, not the ibay, that is the problem.
JoshAU, could you please use the standard quote code?
Thank you
Ciao
Stefano
-
Please follow my work over at the SME Bug Tracker:
http://bugs.contribs.org/show_bug.cgi?id=4172
I have developed patches against e-smith-samba to allow SME to function in server modes other than a Workgroup server or a Primary Domain Controller. In my situation, I wanted SME to perform as both a Domain Member and a Backup Domain Controller.
The patches contained in bug report 4172 and this bug report:
http://bugs.contribs.org/show_bug.cgi?id=4196
will allow SME to function in multiple server roles.
I will work with the SME Dev Team to incorporate this work in some fashion into the base SME packages. I am hopeful that we will get some support for additional server roles. From here, I'll further develop my smeserver-adv-samba package to allow SME to function in a variety of Windows Network configurations.
Greg
-
I guess I'm off to try the link in the link Jester provided, sigh.
http://distro.ibiblio.org/pub/linux/distributions/smeserver/contribs/gzartman/HowToGuides/SME_DomainClientHowto.htm
This Howto was created for SME 6.x. It WILL NOT WORK for SME 7.x. It will get you in the ball park, but there are many missing pieces.
Please see my previous post on this topic.
Greg
-
Please follow my work over at the SME Bug Tracker:
http://bugs.contribs.org/show_bug.cgi?id=4172
http://bugs.contribs.org/show_bug.cgi?id=4196
will allow SME to function in multiple server roles.
This is absolutely fantastic work Greg. Do we need to install both the RPM and the patch? Or do they both do the same thing? Can't wait to test it out. It will finally allow remote office SMEs to authenticate over VPN to the PDC, etc. etc.
regards,
brentonv
-
This is absolutely fantastic work Greg. Do we need to install both the RPM and the patch? Or do they both do the same thing? Can't wait to test it out. It will finally allow remote office SMEs to authenticate over VPN to the PDC, etc. etc.
Brent,
I am very happy you are excited about the work I've been doing with SME and Samba. Please participate in the bug report I started on this topic: http://bugs.contribs.org/show_bug.cgi?id=4172
Just to make things clear: the work I have done with SME and Samba has nothing to do with VPN.
In a nutshell, I am working with the SME Dev Team to advance SME's ability to participate in MS Windows networks. It is my desire to enable SME Server to function as if it were any MS network server. However, I also respect that the SME Dev Team proceeds with caution with respect to change so that SME will remain stable. In time, I am confident that SME Server will provide full support for Windows networks. Until this time occurs, smeserver-adv-samba will fill the gap.
Greg
-
First.
JoshAU, could you please use the standard quote code?
Done! :)
Sorry about that.
OK, as gzartman mentioned, my above link is a bit outdated... like 5 years plus...
However, gzartman has kindly provided info in his links on how to achieve this.
AND NOW... it's working! I can now log into the SME DC and access shares from the SME file server!
Oh, I'm so happy.
And a big thank you to gzartman for providing the means to do it (see his above links for info).
Let's hope this gets included as a standard feature.
Thank you for all your input.
JoshAU
-
I've got this setup working fine, having duplicated the user accounts on the second server:
security = domain
password server = *
Can't see anything else that needed changing apart from joining the domain.
Ibays need to be set up to allow the user group, or everyone, access.
-
Hello again Greg,
It is my desire to enable SME Server to function as if it were any MS Network Server.
I assume you will be posting a how-to when development is complete, but if you have time could you please elaborate on the following?
1: I am still unclear if I apply a series of patches (e-smith-samba-1.14.1-serverrole.patch, e-smith-pptpd-1.12.0-serverrole.patch, e-smith-lib-1.18.0-serverrole.path, e-smith-base-4.18.1-serverrole.patch from http://bugs.contribs.org/show_bug.cgi?id=4172) or do I use the smeserver-adv-samba-0.1.0-1.src.rpm from http://bugs.contribs.org/show_bug.cgi?id=4196?
2: ServerRole=PDC: SME will perform as a Windows Primary Domain Controller.
ServerRole=DM: SME will perform as a Windows Domain Member.
ServerRole=WG (or undefined): SME will function as a Windows Workgroup Member.
ServerRole=BDC: SME will function as a Windows Backup Domain Controller (preliminary support only).
ServerRole=ADS: SME will function as a Windows Active Domain Server (preliminary support only).
ServerRole=ADM: SME will function as a Windows Active Domain Member (preliminary support only).
I was hoping you could explain the operating functionality (or perhaps limitations) of these additional roles, such as ServerRole=ADS (because as far as I was aware AD functionality is still in development in Samba 4), and also possible examples of additional smb.conf parameters for *preliminary support.
Thanks again for your efforts. I believe that this additional functionality will advance SME to a new level.
regards,
brentonv
-
Hello again Greg, I assume you will be posting a how-to when development is complete, but if you have time could you please elaborate on the following?
I can certainly put together some documentation and post it up on the wiki or something.
1: I am still unclear if I apply a series of patches (e-smith-samba-1.14.1-serverrole.patch, e-smith-pptpd-1.12.0-serverrole.patch, e-smith-lib-1.18.0-serverrole.path, e-smith-base-4.18.1-serverrole.patch from http://bugs.contribs.org/show_bug.cgi?id=4172) or do I use the smeserver-adv-samba-0.1.0-1.src.rpm from http://bugs.contribs.org/show_bug.cgi?id=4196?
The serverrole patches represent updates of e-smith-samba. These updates fall into three categories:
1. Cleaning up some relic fragments that date back many years (house-cleaning);
2. Improvement to the way SME functions in a Windows network with respect to network browsing. The changes will definitely improve network browsing speed, especially when a workgroup/domain spans subnets.
3. Replaced the DomainMaster smb dbase property with ServerRole. The DomainMaster smb property dates back to days in SME dev when all we were worried about was making SME perform as a member of a workgroup or as a Primary Domain Controller.
Server Roles (via the ServerRole Property):
1: Workgroup Server: SME functions as a standalone file server and requires local user accounts for authentication (SME offers this now);
2. Primary Domain Controller: SME functions as a WinNT 4 type authentication server for Windows domains -- unified login (SME offers this now);
3. Domain Member: SME functions as a member of a WinNT 4 type domain. Authentication to shares it hosts is done via another authentication server such as an SME Primary Domain Controller or a Windows Domain Controller. Basically, SME configured as a Domain Member makes it act like any Windows machine that is a member of the Windows domain. (SME does not offer this functionality now, but the patches I provided and my smeserver-adv-samba package provide this functionality.)
4. Backup Domain Controller: Very similar to a Primary Domain Controller except the BDC will yield authentication authority to the PDC if the PDC is present and able to respond to authentication requests. The patches to the base rpms and my smeserver-adv-samba package provide this functionality with one exception: replication of the user accounts. Like the PDC, the BDC must have copies of all user and machine accounts. Once we get full LDAP support for SME, then we can reliably replicate user and machine accounts and thus fully implement SME as a BDC. Until then, the only way to replicate these accounts is for the PDC to push the txt dbase files to the BDC, which can be a bit tricky and does not provide a means to replicate changes made on the BDC back to the PDC. In other words, this server mode is highly experimental and you really need to know what you are doing to use it. I've successfully deployed it, but I had to really keep an eye on it.
5. Active Directory Server: Almost identical to SME as a PDC, except it allows SME to manage Active Directory queries. This functionality is still very much in the beginning phase of being implemented, but it is possible with Samba 3 to provide these functions. Frankly, I don't use ADS, so I have little incentive to spend a bunch of time working on it. If someone would like to jump in and help, that would be wonderful.
6. Active Directory Member: Almost identical to SME as a Domain Member except it has the ability to query Active Directory services. Once again: I don't use ADS, so I have little incentive to spend a bunch of time working on it. If someone would like to jump in and help, that would be wonderful.
Preliminary Support simply means that additional configuration is necessary to fully deploy these server modes. It is not possible to completely separate all configuration to support these functions for inclusion in another package (e.g., smeserver-adv-samba) as many of the configuration parameters are integral to Samba.
I hope this helps
-
Thank you Greg. That explains everything for me. I also read through your scripts; a lot of work has gone into this! I noticed many changes and, as you mentioned, it brings a lot of things up to date. This will also solve a lot of trivial issues which still get posted regularly by people new to SME.
regards,
brentonv
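The role list Greg gives above, and the smb.conf fragments posted earlier in the thread, can be checked mechanically. The following is an added example, not SME/e-smith code or anything from the bug reports: it parses an smb.conf, classifies the role Samba will take using the thread's ServerRole names, and lists what a Domain Member still lacks before the PDC (rather than duplicated local accounts) can authenticate share access. The sample configs are constructed, and the idmap check assumes winbind is the intended way to give domain users local uids.

```python
# Added example, not SME/e-smith code: parse an smb.conf [global] section,
# classify the role Samba will take (thread's ServerRole names) and list what a
# Domain Member still lacks. Assumes winbind is how domain users get local uids.
import re

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, '#'/';' comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def samba_bool(value):
    """Samba booleans: yes/true/1 are true; an unset parameter counts as false here."""
    return (value or "").lower() in ("yes", "true", "1")

def server_role(g):
    """WG / PDC / BDC / DM / ADM from [global]; the ADS role is not modelled."""
    security = g.get("security", "user").lower()
    if security == "ads":
        return "ADM"
    if security == "domain":
        return "DM"
    if samba_bool(g.get("domain logons")):
        return "BDC" if g.get("domain master", "auto").lower() == "no" else "PDC"
    return "WG"

def domain_member_gaps(g):
    """Settings a member needs so the PDC, not local accounts, authenticates users."""
    gaps = []
    if g.get("security", "user").lower() != "domain":
        gaps.append("security = domain (otherwise only local accounts are checked)")
    if samba_bool(g.get("domain logons")):
        gaps.append("domain logons = no (a member must not act as a logon server)")
    if not g.get("password server"):
        gaps.append("password server = * (or the DC name) so Samba can find the PDC")
    if not g.get("workgroup"):
        gaps.append("workgroup = <domain name> matching the PDC")
    # No idmap range: winbind cannot map domain users to a local uid/gid, so
    # share access still fails unless every account is duplicated locally.
    if not (g.get("idmap uid") or g.get("idmap config * : range")):
        gaps.append("idmap uid/gid range for winbind")
    return gaps

# Constructed sample modelled on the SME2 fragment posted in the thread.
SME2_AS_POSTED = """
[global]
    workgroup = EXAMPLEDOM
    domain logons = yes
    security = domain
    password server = SME1
"""

# Constructed sample of a member server with winbind identity mapping added.
MEMBER_FIXED = """
[global]
    workgroup = EXAMPLEDOM
    security = domain
    password server = *
    idmap uid = 10000-20000
    idmap gid = 10000-20000
"""

if __name__ == "__main__":
    for name, conf in (("as posted", SME2_AS_POSTED), ("fixed", MEMBER_FIXED)):
        g = parse_smb_conf(conf)["global"]
        print(name, server_role(g), domain_member_gaps(g))
```

Run it against /etc/samba/smb.conf after expanding the template to see which of the member-server prerequisites are still missing before reaching for wbinfo.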