MY NOTES ON THE SAMBA SERVICE
+> Samba service: documentation and useful links <+
Converting Samba dates counted from 1.1.1970
*************************************************************
See http://dan.drydog.com/unixdatetime.html
HowTo
********
+> Netbios/Wins <+
nmbd is Samba's WINS service; it manages the NetBIOS names. WINS-type registrations are stored in the file "/var/lib/samba/wins.dat".
root@monserveur:~# nmblookup monserveur
querying monserveur on 192.168.10.255
192.168.10.247 monserveur<00>
root@monserveur:~#
smbfs module
******************
Problem 1
==========
smbmnt error when mounting:
root@mail:/data# mount -t smbfs -o username=l_utilisateur,password=le_mot_passe //stratus.lan.monentreprise.coop/common /data/csv_icaDB/
ERROR: smbfs filesystem not supported by the kernel
Please refer to the smbmnt(8) manual page
smbmnt failed: 255
root@mail:/data#
Solution 1
==========
Enable the smbfs module on the host machine.
Useful commands and tools
**********************************
- List the users Samba sees when it connects to LDAP
pdbedit -b ldapsam:"ldap://monserveur_ldap" -L
- Modify LDAP so that user passwords never expire.
pdbedit -b ldapsam:"ldap://monserveur_ldap" -P 'maximum password age' -C -1
Take the "ldapsam" value from /etc/samba/smb-ldap.conf
+> Mounting a Samba share on a VZ (OpenVZ) <+
– On the host machine, shut down the VZ, then:
root@fibratus:/# mount -t cifs -o username=administrator,password=mot_passe //stratus.lan.monentreprise.coop/common/csv_icaDB /mnt/
root@fibratus:/# mount --bind /mnt /data/vz/root/253/data/csv_icaDB/
The share is now accessible on the remote machine.
+> Checking connections to Samba <+
root@lilas:/usr/share/doc# smbstatus
Samba version 3.0.24
PID Username Group Machine
-------------------------------------------------------------------
13003 ptltest svg-info genepi (192.168.30.209)
12977 ndupond Users fh123 (192.168.40.194)
12852 amustufu Users fhp407 (192.168.40.195)
12972 psoins 5064 fh083 (192.168.40.165)
Service pid machine Connected at
-------------------------------------------------------
ndupond 12977 fh123 Tue Jul 17 15:40:16 2012
ptl-brod 12852 fhp407 Tue Jul 17 15:23:47 2012
psoins 12972 fh083 Tue Jul 17 15:39:46 2012
ptltest 13003 genepi Tue Jul 17 15:46:48 2012
Locked files:
Pid Uid DenyMode Access R/W Oplock SharePath Name Time
--------------------------------------------------------------
12852 4053 DENY_NONE 0x100001 RDONLY NONE /data/shares/ptl-brod Broderie local/Broderie/Quintessence/EMS clair Voiler Tue Jul 17 15:23:47 2012
root@lilas:/usr/share/doc#
+> Managing users in Samba <+
Adding a user
************************
– The UNIX user must be created first!
Replace "mon_nouvel_utilisateur" with the name of your user
utilisateur@serveur:/# useradd mon_nouvel_utilisateur
utilisateur@serveur:/# smbpasswd -a mon_nouvel_utilisateur
– You can then check in /etc/passwd:
mon_nouvel_utilisateur:x:1013:100::/home/mon_nouvel_utilisateur:/bin/false
Checking a user's ID
************************************
utilisateur@serveur:/# id mon_utilisateur
uid=10019(mon_utilisateur) gid=10002(Users) groups=10002(Users)
Changing a user's password:
*********************************************
To change only the Unix and Samba password:
#smbpasswd nom_utilisateur
To change the password in LDAP, Unix and Samba:
#smbldap-passwd nom_utilisateur
+> Samba domain <+
Joining a Linux machine to a Samba domain
********************************************************
root@stratus:/# net rpc join -S stratus -W MY_DO -U administrator
Password:
Joined domain MY_DO
root@stratus:
Finding a domain controller
**************************************
moi@estaque:~$ findsmb
*=DMB
+=LMB
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
--------------------------------------------------------------
192.168.3.168 HOMER *[MY_DO] [Unix] [Samba 3.4.7]
moi@estaque:~$
Useful Samba commands
***********************************
Test a mount:
# smbclient //LILAS/netlogon/mon_utilisateur -U mon_utilisateur
>password ; enter the user's password here in order to open the share
Look up the members of a group:
# smbldap-groupshow nom_du_group
Look up information about a user
root@monclient_2srv:/etc/samba# smbldap-usershow secretaire
dn: uid=secretaire,ou=People,dc=monclient_2,dc=ch
cn: secretaire
displayName: secretaire
gecos: secretaire
gidNumber: 2002
homeDirectory: /home/secretaire
loginShell: /bin/bash
sambaAcctFlags: [U ]
sambaPrimaryGroupSID: S-1-5-21-1576167295-1879984704-612134452-513
sambaSID: S-1-5-21-1576167295-1879984704-612134452-2410
shadowLastChange: 11778
uid: secretaire
uidNumber: 1155
userPassword: {CRYPT}6NI8b7bXXAjso
sambaLMPassword: 397EF85B82A1976317306D272A9441BB
sambaNTPassword: A59B8700B185739A0D000EB7B8856333
sambaPwdCanChange: 1227002765
sambaPwdLastSet: 1227002765
objectClass: top,account,posixAccount,shadowAccount,sambaSamAccount
root@monclient_2srv:/etc/samba#
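The epoch-based attributes in this output can be decoded as follows. This is an added example, not part of the original notes: it converts the sambaPwd* attributes (seconds since 1.1.1970) and shadowLastChange (days since 1.1.1970) to UTC dates. The function names are hypothetical, and the sample input is constructed from the two LDAP entries shown on this page.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the epoch-based
# attributes of sambaSamAccount / shadowAccount entries.

# epoch_to_utc SECONDS -> "YYYY-MM-DD HH:MM:SS UTC"
epoch_to_utc() {
    # GNU and BusyBox date accept "-d @N"; BSD date accepts "-r N".
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC' 2>/dev/null ||
        date -u -r "$1" '+%Y-%m-%d %H:%M:%S UTC'
}

# decode_samba_times: read "attr: value" lines (smbldap-usershow or
# ldapsearch output) on stdin and print the time attributes as dates.
decode_samba_times() {
    last=''
    while IFS= read -r line; do
        attr=${line%%:*}
        value=${line#*: }
        case $attr in
            dn) last=''; printf '%s\n' "$line"; continue ;;
            shadowLastChange|sambaPwdLastSet|sambaPwdCanChange|sambaPwdMustChange) ;;
            *) continue ;;
        esac
        # Skip anything that is not a plain non-negative integer.
        case $value in ''|*[!0-9]*) continue ;; esac
        case $attr in
            shadowLastChange)
                # Stored in DAYS since 1970-01-01, so only the date part is meaningful.
                stamp=$(epoch_to_utc $((value * 86400)))
                printf '  %s: %s\n' "$attr" "${stamp%% *}" ;;
            *)
                # Stored in SECONDS since 1970-01-01.
                printf '  %s: %s\n' "$attr" "$(epoch_to_utc "$value")" ;;
        esac
        if [ "$attr" = sambaPwdLastSet ]; then
            last=$value
        fi
        if [ "$attr" = sambaPwdMustChange ] && [ -n "$last" ]; then
            printf '  password validity window: %s days\n' $(( (value - last) / 86400 ))
        fi
    done
    return 0
}

# Constructed sample: a subset of the attributes of the "secretaire" and
# "adupont" entries shown on this page.
sample_entries() {
    cat <<'EOF'
dn: uid=secretaire,ou=People,dc=monclient_2,dc=ch
shadowLastChange: 11778
sambaPwdCanChange: 1227002765
sambaPwdLastSet: 1227002765

dn: uid=adupont,ou=People,dc=monentreprise,dc=fr
sambaPwdCanChange: 1195226587
sambaPwdLastSet: 1222244533
sambaPwdMustChange: 1230798133
EOF
}

# Usage: sample_entries | decode_samba_times
#        smbldap-usershow secretaire | decode_samba_times
```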
Sample share configuration
[svg_info_deploy]
comment = Déploiement de logiciels
path = /data/svg_info_deploy
public = no
writable = yes
browseable = no
valid users = @svg-info
force group = svg-info
directory mode = 0770
create mode = 0770
Restricting a group to read-only access
[voi-ergo]
comment = partage pour Ergothérapie
path = /data/shares/voi-ergo
public = no
valid users = @voi-soin, @voi-ergo
read list = @voi-soin
write list = @voi-ergo
admin users = @voi-ergo
writable = yes
create mode = 0750
directory mode = 0750
force group = +voi-ergo
Enabling the recycle bin
[redaction]
comment = Dossier pour la Redaction
path = /data/redaction
username = admin
valid users = @redac
write list = @redac
force group = +redac
read only = No
create mask = 0770
directory mask = 0770
# Recycle bin definition for "redaction"...
vfs object = recycle
recycle:repository = /data/redaction/.corbeille
recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1000000
recycle:exclude = *.tmp
recycle:exclude_dir = /tmp
Sample main Samba configuration file
[global]
# http://oreilly.com/catalog/samba/chapter/book/ch05_01.html
## Browsing/Identification ###
netbios name = mon_serveur
# Change this to the workgroup/NT-domain name your
# Samba server will part of
workgroup = MY_DOM
# server string is the equivalent of the NT Description field
server string = %h server
# cf. http://brneurosci.org/linuxsetup38.html
public = yes
browseable = yes
lm announce = yes
browse list = yes
auto services = yes
schannel client = no
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba
# to enable its WINS Server
# TESTING!!!
wins support = yes
# WINS Server - Tells the NMBD components of Samba
# to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS
# Client, but NOT both
# TESTING!!!
# wins server = 192.168.10.100
# This will prevent nmbd to search for NetBIOS names
# through DNS.
dns proxy = no
# What naming service and in what order should
# we use to resolve host names to IP addresses
name resolve order = host wins bcast
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP
# address/netmask;
# interface names are normally preferred
interfaces = 127.0.0.0/8 192.168.10.0/24 eth0
# Only bind to the named interfaces and/or networks;
# you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature
# if your Samba machine is not protected by a firewall
# or is a firewall itself. However, this option
# cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = true
remote announce = 192.168.0.252 192.168.30.209
remote browse sync = 192.168.0.252 192.168.30.209
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 10000
# PLEASE!!!
# If you change the log levels or amount of log files
# kept for debugging purposes, set them back to the way
# that you found them after you are done. Samba can
# generate incredible amounts of logs that can overflow
# the backup system and uselessly fill the disk
# if you are not careful!
# DO NOT FORGET!!!
# PLEASE!!!
debug level = 1
# If you want Samba to only log through syslog then set
# the following parameter to 'yes'.
; syslog only = no
# We want Samba to log a minimum amount of information
# to syslog. Everything should go to
# /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter
# to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail
# the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# "security = user" is always a good idea. This will
# require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user
# You may wish to use password encryption. See the
# section on 'encrypt passwords' in the smb.conf(5)
# manpage before enabling.
encrypt passwords = true
# If you are using encrypted passwords, Samba will
# need to know what password database type you are using.
; passdb backend = tdbsam
; obey pam restrictions = yes
; guest account = nobody
; invalid users = root
# This boolean parameter controls whether Samba attempts
# to sync the Unix password with the SMB password when
# the encrypted SMB password in the passdb is changed.
; unix password sync = no
# For Unix password sync to work on a Debian
# GNU/Linux system, the following parameters must be
# set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de>
# for sending the correct chat script for
# the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for
# password changes when requested by an SMB client
# instead of the program listed in 'passwd program'.
# The default is 'no'.
; pam password change = no
# Include standard LDAP config here (if LDAP is used).
# Note that it normally overrides the passdb setting.
include = /etc/samba/smb-ldap.conf
########## Domains ###########
# Is this machine able to authenticate users. Both PDC
# and BDC must have this setting enabled. If you are the
# BDC you must change the 'domain master' setting to
# no.
domain logons = yes
#
# The following setting only takes effect if 'domain
# logons' is set. It specifies the location of the
# user's profile directory (from the client point of view)
# The following required a [profiles] share to be setup
# on the samba server (see below).
logon path = \\%N\profiles\%U
# Another common choice is storing the profile in
# the user's home directory
; logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain
# logons' is set It specifies the location of a user's
# home directory (from the client point of view).
# THIS IS THE DRIVE LETTER THAT WILL BE ASSIGNED TO
# MOUNT THE USER'S "HOME".
# logon drive = U:
# LOCATION OF THE USER'S "HOME" ON THE SERVER
# (%N BEING THE SERVER'S ADDRESS)
# logon home = \\%N\%U
# The following setting only takes effect if 'domain
# logons' is set. It specifies the script to run
# during logon. The script must be stored in the [netlogon] share.
# NOTE: Must be store in 'DOS' file format convention.
# SPECIFIES THAT A SCRIPT NAMED
# "nom_utilisateur.bat" IN /var/lib/samba/netlogon WILL BE USED
# logon script = %U.bat
# This allows Unix users to be created on the
# domain controller via the SAMR RPC pipe. The example
# command creates a user account with a disabled Unix
# password; please adapt to your needs.
# add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes
# lpr(ng) printing. You may wish to override the location
# of the printcap file.
; printing = bsd
; printcap name = /etc/printcap
# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups
# When using [print$], root is implicitly a 'printer
# admin', but you can also give this right to other users
# to add drivers and set printer properties
; printer admin = @ntadmin
############ Misc ############
# Using the following line enables you to customise
# your configuration on a per machine basis. The %m
# gets replaced with the netbios name of the machine that
# is connecting
; include = /home/samba/etc/smb.conf.%m
# Most people will find that this option gives
# better performance.
# See smb.conf(5) and
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# For details you may want to add the following on a
# Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
# The following parameter is useful only if you have
# the linpopup package installed. The samba maintainer
# and the linpopup maintainer are working to
# ease installation and configuration of linpopup
# and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
# set local master to no if you don't want Samba to
# become a master browser on your network. Otherwise
# the normal election rules apply
# TESTING!!!
local master = yes
# OS Level determines the precedence of this server
# in master browser elections. The default value should
# be reasonable
os level = 127
# Domain Master specifies Samba to be the Domain
# Master Browser. If this machine will be configured as a
# BDC (a secondary logon server), you must set this to
# 'no'; otherwise, the default behavior is recommended.
domain master = yes
# Preferred Master causes Samba to force a local
# browser election on startup and gives it a slightly
# higher chance of winning the election
# TESTING!!!
preferred master = yes
# Some defaults for winbind (make sure you're not using
# the ranges for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
# The following was the default behaviour in sarge
# but samba upstream reverted the default because it
# might induce
# performance issues in large organizations. See #368251
# for some of the consequences of *not* having
# this setting and smb.conf(5) for all details
; winbind enum groups = yes
; winbind enum users = yes
# We should fix permanently one of these days
; dos charset = 850
; unix charset = ISO8859-1
# no oplocks for MS Office stuff
veto oplock files = /*.doc/*.xls/*.mdb/
# Is this REALLY necessary
; username map = /etc/samba/smbusers
# If "invalid users" is not emptied, root cannot login
invalid users =
#============ Share Definitions =========
[homes]
comment = Dossier Personnel
browseable = no
# By default, the home directories are exported
# read-only. Change next parameter to 'yes' if you want
# to be able to write to them.
writable = yes
# File creation mask is set to 0700 for security reasons. If
# you want to create files with group=rw permissions, set
# next parameter to 0775.
create mask = 0700
# Directory creation mask is set to 0700
# for security reasons. If you want to create dirs.
# with group=rw permissions, set next parameter to 0775.
directory mask = 0700
# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external
# authentication schemes
valid users = %S
# Un-comment the following and create the netlogon directory
# for Domain Logons (you need to configure Samba to act as a
# domain controller too.)
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/
# logon script = %U.bat
guest ok = no
writable = no
share modes = no
browseable=no
case sensitive = no
# Un-comment the following and create the netlogon
# directory for Domain Logons (you need to configure
# Samba to act as a domain controller too.)
[profiles]
browseable = no
create mode = 0600
directory mode = 0700
read only = no
default case = lower
preserve case = no
short preserve case = no
mangle case = yes
case sensitive = no
comment = Profils utilisateurs
path = /var/lib/samba/profiles
# note: profile acls will only have an effect if
# one turns on nt acl support!
nt acl support = yes
profile acls = yes
[printers]
comment = All Printers
browseable = yes
path = /var/spool/samba
printable = yes
public = no
writable = no
create mode = 0700
# Windows clients look for this share name as
# a source of downloadable printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration
# of Windows print drivers.
# Replace 'ntadmin' with the name of the group
# your admin users are members of.
; write list = root, @ntadmin
# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; writable = no
; locking = no
; path = /cdrom
; public = yes
# The next two parameters show how to auto-mount
# a CD-ROM when the cdrom share is accessed. For
# this to work /etc/fstab must contain an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the
# connection to the
#
# If you don't want to use auto-mounting/unmounting make sure
# the CD is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom
# keep the configuration for simple shares in a separate file
include = /etc/samba/shares.conf
Windows 7 integration with Samba
1) Get the patch here: http://wiki.samba.org/index.php/Windows7
2) Patch the registry
3) Run "gpedit.msc" and change the options below (seen at: http://www.linuxquestions.org/questions/linux-server-73/joining-a-windows-7-client-to-samba-pdc-v-3-4-3-a-815174/ ):
- Computer|Windows Settings|Security Settings|Local Policies|Security Options
– Network Security: LAN Manager Auth. Level: Send LM&NTLM use NTLMv2 session sec. if negotiated
– Network Security: Minimum session…both clients and server: NO Required 128b encryption
If you have a problem synchronizing roaming profiles, also try changing:
- Computer|Admin.Templates|System|User Profiles|
– Do not check for user ownership of roaming profile: Enabled
– Delete cache copies of roaming profile: Enabled
4) Exit the gpedit console and REBOOT THE WORKSTATION for the changes to take effect.
Possible further changes
******************************
May be needed if you still have an integration problem:
Run REGEDIT and change the following keys:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]
"QualifyingDestinationThreshold"=dword:00000003
"NV Domain"="type name of your Samba Workgroup in smb.conf"
"NameServer"="type name of your Samba Workgroup in smb.conf"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient]
"NV PrimaryDnsSuffix"="type name of your Samba Workgroup in smb.conf"
Other tips
******************
Source: http://blog.bigsmoke.us/2010/03/17/fixing-extremely-slow-domain-logon-windows-7
* Run gpedit.msc.
* Go to computer configuration.
* Go to Administrative templates.
* Go to System.
* Go to User profiles.
* Enable “Set maximum wait time for the network if a user has a roaming user profile or remote home directory” and set to 0 seconds
+> A few test commands <+
Preliminary checks and useful commands
*************************************************************
1) Check "/etc/network/interface"; Samba needs the "lo" interface in order to work!
2) Check that the "wins support =" parameter is set to "no" if the domain controller being contacted is not the main WINS server!
3) Checking the parameters in LDAP:
– Run the command:
# ldapsearch -x '(uid=nom_utilisateur)'
Here is a sample result
# ldapsearch -x '(uid=adupont)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=adupont)
# requesting: ALL
#
# adupont, People, monentreprise.fr
dn: uid=adupont,ou=People,dc=monentreprise,dc=fr
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: adupont
cn: Anita Dupont
sn: Dupont
gecos: Anita Dupont
givenName: Anita
homeDirectory: /home/adupont
loginShell: /bin/bash
gidNumber: 3000
uidNumber: 4157
telephoneNumber: 024 765 45 98
sambaSID: S-1-5-21-3877789738-361012426-522534083-9314
displayName: Anita Dupont
sambaPwdCanChange: 1195226587
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
mail: dupont@monentreprise.fr
sambaHomeDrive: U:
sambaLogonScript: \\HIBISCUS\netlogon\adupont
sambaProfilePath: \\HIBISCUS\profiles\adupont
title: technicien - electricien
departmentNumber:: WWFtYW5pIHLDqXNpZGVuY2U=
sambaAcctFlags: [U]
sambaPwdLastSet: 1222244533
sambaPwdMustChange: 1230798133
sambaHomePath: \\HIBISCUS\adupont
...
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
4) Checks relating to roaming profiles:
– Check the user profile setting in Windows:
(My Computer —> Properties —> User Profiles —> Advanced)
It must allow the profile to roam, and not have "local" as its only setting!
– Check in the file "/etc/samba/smb.conf":
in the [profiles] section, you must have "profile acls = yes" and "nt acl support = yes"
One does not work without the other! Either enable both, or neither!
5) If Samba runs on a VZ (OpenVZ), check the free space on "/" and check that the quotas in "user_beancounter" on the host machine are correct.
6) Check Samba's SID so that it matches the one entered in LDAP for all users:
idesia:/etc/samba# net getlocalsid CBL
SID for domain CBL is: S-1-5-21-1505892832-1682233522-2560333092
idesia:/etc/samba# net getlocalsid
SID for domain IDESIA is: S-1-5-21-1505892832-1682233522-2560333092
idesia:/etc/samba#
The Samba server's SID can be changed so that it matches the SID of the users and computers. Example for the SID "S-1-5-21-1505892832-1682233522-2560333092"
net setlocalsid S-1-5-21-1505892832-1682233522-2560333092
A few test commands from Linux
************************************************
root@platane:~# smbstatus
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
Processing section "[homes]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
Unknown parameter encountered: "mangle case"
Ignoring unknown parameter "mangle case"
Processing section "[data]"
WARNING: The "share modes" option is deprecated
Processing section "[Classe-Therapie]"
Processing section "[Direction]"
Processing section "[Secretariat]"
Processing section "[Dossiers-Residents]"
Processing section "[Educatif]"
Processing section "[Gestion-coordination]"
Processing section "[info]"
Processing section "[Services]"
Processing section "[Soins]"
Processing section "[Public]"
Can't find include file /etc/samba/conf.d/*.conf
Samba version 3.5.6
PID Username Group Machine
--------------------------------------------------------------
Service pid machine Connected at
--------------------------------------------------------------
No locked files
root@platane:~#
root@stratus:/var/log/samba# nmblookup -M MY_DOM -v
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter obey pam restrictions = no
doing parameter invalid users = root
doing parameter domain logons = yes
doing parameter logon drive = U:
doing parameter logon home = \\%N\%U
doing parameter logon script = %U.bat
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter os level = 127
doing parameter veto oplock files = /*.doc/*.xls/*.mdb/
doing parameter level2 oplocks = False
doing parameter domain master = yes
doing parameter local master = yes
doing parameter include = /etc/samba/smb-ldap.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
doing parameter ldap passwd sync = yes
doing parameter passdb backend = ldapsam:ldap://ldap
doing parameter ldap admin dn = "cn=config"
doing parameter ldap suffix = dc=ica,dc=coop
doing parameter ldap group suffix = ou=groups
doing parameter ldap user suffix = ou=people
doing parameter ldap machine suffix = ou=machines
doing parameter obey pam restrictions = no
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete group script = /usr/sbin/smbldap-groupdel "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter ldap delete dn = Yes
doing parameter ldap ssl = no
doing parameter passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
doing parameter passwd program = /usr/sbin/smbldap-passwd %u
pm_process() returned Yes
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Socket opened.
querying MY_DOM on 127.255.255.255
querying MY_DOM on 192.168.16.255
name_query failed to find name MY_DOM
root@stratus:/var/log/samba#
root@platane:~# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
Processing section "[homes]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
Unknown parameter encountered: "mangle case"
Ignoring unknown parameter "mangle case"
Processing section "[data]"
WARNING: The "share modes" option is deprecated
Processing section "[Classe-Therapie]"
Processing section "[Direction]"
Processing section "[Secretariat]"
Processing section "[Dossiers-Residents]"
Processing section "[Educatif]"
Processing section "[Gestion-coordination]"
Processing section "[info]"
Processing section "[Services]"
Processing section "[Soins]"
Processing section "[Public]"
Can't find include file /etc/samba/conf.d/*.conf
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[global]
dos charset = 850
unix charset = utf8
display charset = iso-8859-15
workgroup = CBM
server string = %h server (Samba %v)
interfaces = 127.0.0.0/8, 10.0.80.0/24, eth1
map to guest = Bad User
passdb backend = ldapsam:"ldap://ldap.monclient_1.ch"
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
log level = 3
log file = /var/log/samba/log.%m
max log size = 100000
smb ports = 139
name resolve order = host wins bcast
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
add machine script = /usr/sbin/smbldap-useradd -i -t 0 -w "%u"
logon script = netlogon.bat
logon path = \\%L\profiles\%U
logon drive = U:
logon home = \\%L\%U
domain logons = Yes
os level = 254
lm announce = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=cbm,dc=monclient_1,dc=ch
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=cbm,dc=monclient_1,dc=ch
ldap ssl = no
ldap user suffix = ou=People
preload = yes
create mask = 0640
directory mask = 0750
guest ok = Yes
nt acl support = No
map acl inherit = Yes
case sensitive = No
veto oplock files = /*.doc/*.xls/*.mdb/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[homes]
comment = Home Directories
path = /home/%u
valid users = %S
read only = No
create mask = 0770
directory mask = 0770
browseable = No
...
...
root@platane:~#
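A check that can be run over a dump like the one above. This is an added example, not part of the original notes: the hypothetical function audit_smb_dump reports two things visible in this page's dump, the LDAP backend used without encryption (ldap ssl = no with an ldap:// URL) and guest access that shares inherit from [global]. The sample input is constructed from values on this page; the content of [Public] is an assumption, since the page only shows its name.

```shell
#!/bin/sh
# Added example (not from the original notes): audit a "testparm -s" style dump.

# audit_smb_dump [FILE...]: read smb.conf syntax from the files or from stdin.
audit_smb_dump() {
    awk '
    function trim(s)   { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function is_yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }

    /^[ \t]*([#;]|$)/ { next }                  # comments and blank lines
    /^[ \t]*\[/ {                               # section header
        sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        if (tolower(sec) != "global" && !(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0 || sec == "") next          # not a parameter line
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "public") key = "guest ok"   # "public" is a synonym of "guest ok"
        if (tolower(sec) == "global") g[key] = val
        else s[sec, key] = val
    }
    END {
        # No StartTLS and a plain ldap:// URL: nothing encrypts the LDAP traffic.
        if (tolower(g["ldap ssl"]) ~ /^(no|off)$/ && g["passdb backend"] ~ /ldap:\/\//)
            print "WARN [global]: ldap ssl = " g["ldap ssl"] " with an ldap:// backend: binds and password sync are unencrypted"
        # A share-level parameter set in [global] is the default for every share.
        for (i = 1; i <= n; i++) {
            sh = order[i]
            own = ((sh, "guest ok") in s)
            if (!(own ? is_yes(s[sh, "guest ok"]) : is_yes(g["guest ok"]))) continue
            src = own ? "set on the share" : "inherited from [global]"
            if ((sh, "valid users") in s)
                print "INFO [" sh "]: guest ok " src ", limited by valid users = " s[sh, "valid users"]
            else {
                print "WARN [" sh "]: guest access " src
                nopen++
            }
        }
        if (nopen > 0 && tolower(g["map to guest"]) == "bad user")
            print "WARN [global]: map to guest = Bad User: unknown usernames get a guest session on " nopen " share(s)"
    }' "$@"
}

# Constructed sample built from settings shown on this page.
# The [Public] path is an assumption.
sample_dump() {
    cat <<'EOF'
[global]
workgroup = CBM
map to guest = Bad User
passdb backend = ldapsam:"ldap://ldap.monclient_1.ch"
ldap passwd sync = yes
ldap ssl = no
guest ok = Yes
[homes]
path = /home/%u
valid users = %S
[svg_info_deploy]
path = /data/svg_info_deploy
public = no
valid users = @svg-info
[Public]
path = /data/shares/Public
EOF
}

# Usage: sample_dump | audit_smb_dump
#        testparm -s 2>/dev/null | audit_smb_dump
```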
root@platane:~# smbtree -N -d 2
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: using netmask value 24 from config file on interface eth1
added interface eth1 ip=10.0.80.254 bcast=10.0.80.255 netmask=255.255.255.0
added interface eth1 ip=fe80::218:51ff:fe3a:4e50%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
Got a positive name query response from 127.0.0.1 ( 10.0.80.254 )
Got a positive name query response from 127.0.0.1 ( 10.0.80.254 )
WORKGROUP
Got a positive name query response from 10.0.80.188 ( 10.0.80.188 )
CBM
\\RNPF0F4D8
Got a positive name query response from 10.0.80.220 ( 10.0.80.220 )
\\RNPF0F4D8\IPC$
\\RNPF0F4D8\MPC2050
\\PLATANE platane server (Samba 3.5.6)
\\PLATANE\Aficio_SP_C222DN_Ex&Co Aficio SP C222DN_Ex&Co
\\PLATANE\Aficio_SP_C222DN_Ex&Co@10.0.80.3 Aficio SP C222DN_Ex&Co
\\PLATANE\CDJ CDJ
\\PLATANE\Ricoh-Aficio_MP_C2050_PXL Multi_fonction_photocopieur
\\PLATANE\Ricoh-Aficio_MP_C2050_PXL@10.0.80.3 Multi_fonction_photocopieur
\\PLATANE\Ricoh-Cuisine Cuisine
\\PLATANE\Ricoh-Grpe2 2eme etage
\\PLATANE\Ricoh-Grpe3 3eme etage
\\PLATANE\Ricoh-Grpe3@10.0.80.3 3eme etage
\\PLATANE\Ricoh-Grpe4 4eme etage
\\PLATANE\Ricoh-Grpe5 5eme etage
\\PLATANE\Ricoh-Infirmerie Infirmerie
\\PLATANE\RICOH_Aficio_SP_C232DN_PS_serv_techn Local Service Technique
\\PLATANE\Ricoh_Dir_adj_cbm 1er_etage_dir_adj
\\PLATANE\Ricoh_SP_C222SF_ergo_rez Ergoterapie_rez
\\PLATANE\Ricoh_SP_C222SF_ergo_rez@10.0.80.3 Ergoterapie_rez
\\PLATANE\RicohSecretariat 1eme etage
\\PLATANE\IPC$ IPC Service (platane server (Samba 3.5.6))
\\BUFFALO-CBM NAS-TeraStation
Got a positive name query response from 10.0.80.80 ( 10.0.80.80 )
\\BUFFALO-CBM\lp Network Printer for Windows
\\BUFFALO-CBM\info TeraStation Utilities
\\BUFFALO-CBM\multimedia TeraStation folder
\\BUFFALO-CBM\IPC$ IPC Service ("NAS-TeraStation")
root@platane:~#
root@stratus:/var/log/samba# smbclient -L localhost
Password:
Anonymous login successful
Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.0.24]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
common Disk Partage des donnees
MYDOdb Disk Path pour la generation des exports
IPC$ IPC IPC Service (stratus server (Samba 3.0.24))
Anonymous login successful
Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.0.24]
Server Comment
--------- -------
NBK004
NBK010
NBK012
STRATUS stratus server (Samba 3.0.24)
WKS002 Optiplex GX270 (Name, Firstname )
WKS005 Optiplex GX270 (Name. Firstname)
WKS009 Desktop de MCB
WKS010 Desktop de MEC
WKS012 Desktop de GM
Workgroup Master
--------- -------
MY_DOM STRATUS
ICAGE ICASRV01
WORKGROUP LG-XNOTE-PC
root@stratus:/var/log/samba#
root@platane:/var/run/samba# pdbedit -L -v
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CBM))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=cbm,dc=monclient_1,dc=ch], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-4264079089-3509617443-2495841085-500 does not belong to our domain
init_sam_from_ldap: Entry found for user: adupont
init_sam_from_ldap: Entry found for user: infcbm
init_sam_from_ldap: Entry found for user: bdbl
init_sam_from_ldap: Entry found for user: sfro
init_sam_from_ldap: Entry found for user: infcbmgr3
init_sam_from_ldap: Entry found for user: sec-2$
---------------
Unix username: adupont
NT username: adupont
Account Flags: [U ]
User SID: S-1-5-21-2638510728-3434069821-3757585111-31000
Primary Group SID: S-1-5-21-2638510728-3434069821-3757585111-513
Full Name: Anita Dupont<C3><A9>
Home Directory: \\platane\adupont
HomeDir Drive: U:
Logon Script: adupont.bat
Profile Path: \\platane\profiles\adupont
Domain: CBM
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Thu, 13 Aug 2009 17:54:20 CEST
Password can change: Thu, 13 Aug 2009 17:54:20 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username: infcbm
NT username: infcbm
...
...
Checks from a Windows workstation
***************************************
– Test joining the domain from the command line (the command is no longer valid under Windows 7! check whether there is an alternative):
Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrateur>powershell
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. Tous droits réservés.
PS C:\Documents and Settings\Administrateur> add-computer -domain CBM -cred CBM\cbmadmin
Add-Computer : Cette commande ne peut pas être exécutée sur l'ordinateur cible (« ROUGE ») en raison de l'erreur suivante : Un périphérique attaché au système ne fonctionne pas correctement.
Au niveau de ligne : 1 Caractère : 13
+ add-computer <<<< -domain CBM -cred CBM\cbmadmin
    + CategoryInfo : InvalidOperation: (ROUGE:String) [Add-Computer], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.AddComputerCommand
PS C:\Documents and Settings\Administrateur>
– NetBIOS verification test
C:\Documents and Settings\Administrateur>nbtstat
Affiche les statistiques du protocole et les connexions TCP/IP actuelles utilisant NBT (NetBIOS sur TCP/IP).
NBTSTAT [-a Nom Distant] [-A adresse IP] [-c] [-n] [-r] [-R] [-RR] [-s] [S] [intervalle]
  -a  (état carte)      Liste la table de noms de l'ordinateur distant (nom connu).
  -A  (état carte)      Liste la table de noms d'ordinateurs distants (adresse IP).
  -c  (cache)           Liste le cache de noms distant y compris les adresses IP.
  -n  (noms)            Liste les noms NetBIOS locaux.
  -r  (résolus)         Liste les noms résolus par diffusion et via WINS.
  -R  (Recharge)        Purge et recharge la table du cache de noms distante.
  -S  (Sessions)        Liste la table de sessions avec les adresses destination IP.
  -s  (sessions)        Liste la table de sessions convertissant les adresses de destination IP en noms d'hôtes NETBIOS.
  -RR (ReleaseRefresh)  Envoie des paquets de libération de nom à WINS puis actualise
  Nom Distant  Nom de l'ordinateur hôte distant.
  adresse IP   Représentation décimale pointée de l'adresse IP.
  intervalle   Réaffiche les statistiques sélectionnées, en marquant un temps d'arrêt égal à "intervalle" secondes entre chaque affichage. Appuyez sur Ctrl+C pour arrêter l'affichage des statistiques.
C:\Documents and Settings\Administrateur>nbtstat -c
Connexion au réseau local:
Adresse IP du noeud : [10.0.80.188] ID d'étendue : []
Table de nom de cache distant NetBIOS
Nom              Type     Adresse d'hôte   Vie [sec]
------------------------------------------------------------
CBM <1B>         UNIQUE   10.0.80.254      202
CBM <1C>         Groupe   10.0.80.254      202
PLATANE <20>     UNIQUE   10.0.80.254      202
C:\Documents and Settings\Administrateur>nbtstat -n
Connexion au réseau local:
Adresse IP du noeud : [10.0.80.188] ID d'étendue : []
Table nom local NetBIOS
Nom                   Type     Statut
---------------------------------------------
ROUGE <00>            UNIQUE   Inscrit
WORKGROUP <00>        Groupe   Inscrit
ROUGE <20>            UNIQUE   Inscrit
WORKGROUP <1E>        Groupe   Inscrit
WORKGROUP <1D>        UNIQUE   Inscrit
..__MSBROWSE__.<01>   Groupe   Inscrit
C:\Documents and Settings\Administrateur>nbtstat -A 10.0.80.254
Connexion au réseau local:
Adresse IP du noeud : [10.0.80.188] ID d'étendue : []
Table de noms NetBIOS des ordinateurs distants
Nom                   Type     État
---------------------------------------------
PLATANE <00>          UNIQUE   Inscrit
PLATANE <03>          UNIQUE   Inscrit
PLATANE <20>          UNIQUE   Inscrit
..__MSBROWSE__.<01>   Groupe   Inscrit
CBM <1D>              UNIQUE   Inscrit
CBM <1B>              UNIQUE   Inscrit
CBM <1C>              Groupe   Inscrit
CBM <1E>              Groupe   Inscrit
CBM <00>              Groupe   Inscrit
Adresse MAC = 00-00-00-00-00-00
C:\Documents and Settings\Administrateur>
Netlogon example
************************
Example "adupont.bat" file
echo off
start auth_ocs.exe
net use M: \\hibiscus\cre-empl
REM
REM Open Windows Explorer automatically on the
REM network share.
C:\windows\explorer.exe /e,M:
C:\windows\system32\cmd.exe /C
REM adupont netlogon
+> Potential errors <+
Unable to reach the Samba domain controller
***********************************************************
[ Error message 1 ]
Problem: Unable to join the domain because of the WINS cache! After changing the server's IP address, I had a problem with how WINS worked with nmbd. It kept trying to use the old address "192.0.0.209" when it should have been using the new one "10.2.2.2"! Because of this problem, I could no longer configure Win 2000 or Win NT workstations to rejoin the domain.
...
[2006/06/20 11:59:17, 0] nmbd/nmbd_browsesync.c:domain_master_node_status_fail(250)
Jun 20 11:59:17 cielinux1 nmbd[6223]: domain_master_node_status_fail:
Jun 20 11:59:17 cielinux1 nmbd[6223]: Doing a node status request to the domain master browser
Jun 20 11:59:17 cielinux1 nmbd[6223]: for workgroup ELOYES at IP 192.0.0.209 failed.
Jun 20 11:59:17 cielinux1 nmbd[6223]: Cannot sync browser lists.
Jun 20 12:03:43 cielinux1 nmbd[6223]: [2006/06/20 12:03:43, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
Jun 20 12:03:43 cielinux1 nmbd[6223]: become_domain_master_browser_wins:
Jun 20 12:03:43 cielinux1 nmbd[6223]: Attempting to become domain master browser on workgroup ELOYES, subnet UNICAST_SUBNET.
Jun 20 12:03:43 cielinux1 nmbd[6223]: [2006/06/20 12:03:43, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
Jun 20 12:03:43 cielinux1 nmbd[6223]: become_domain_master_browser_wins: querying WINS server from IP 10.2.2.2 for domain master browser name ELOYES<1b> on workgroup ELOYES
...
Solution(s):
To fix this problem, I deleted the file "/var/lib/samba/wins.dat", which held the old IP address in its cache.
[ Error messages 2 ]
Problem:
root@stratus:/var/log/samba# nmblookup -M -- -
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter obey pam restrictions = no
doing parameter invalid users = root
doing parameter domain logons = yes
doing parameter logon drive = U:
doing parameter logon home = \\%N\%U
doing parameter logon script = %U.bat
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter os level = 127
doing parameter veto oplock files = /*.doc/*.xls/*.mdb/
doing parameter level2 oplocks = False
doing parameter domain master = yes
doing parameter local master = yes
doing parameter include = /etc/samba/smb-ldap.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
doing parameter ldap passwd sync = yes
doing parameter passdb backend = ldapsam:ldap://ldap
doing parameter ldap admin dn = "cn=config"
doing parameter ldap suffix = dc=my_dom,dc=fr
doing parameter ldap group suffix = ou=groups
doing parameter ldap user suffix = ou=people
doing parameter ldap machine suffix = ou=machines
doing parameter obey pam restrictions = no
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete group script = /usr/sbin/smbldap-groupdel "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter ldap delete dn = Yes
doing parameter ldap ssl = no
doing parameter passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
doing parameter passwd program = /usr/sbin/smbldap-passwd %u
pm_process() returned Yes
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Socket opened.
querying __MSBROWSE__ on 127.255.255.255
querying __MSBROWSE__ on 192.168.16.255
name_query failed to find name __MSBROWSE__#01
root@stratus:/var/log/samba#
root@stratus:/var/log/samba# nmblookup -A 192.168.16.252
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Looking up status of 192.168.16.252
No reply from 192.168.16.252
root@stratus:/var/log/samba#
Solution(s):
The nmbd process dated from the previous week and so was not up to date. wins.dat did not exist. I killed the nmbd process with the "kill -9" command and restarted Samba. "nmblookup -M MY_DOM –" now returns the right information, and wins.dat is OK.
root@stratus:/var/log/samba# nmblookup -M MY_DOM -v
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Socket opened.
querying MY_DOM on 127.255.255.255
Got a positive name query response from 127.0.0.1 ( 192.168.16.252 )
192.168.16.252 MY_DOM
root@stratus:/var/log/samba#
[Error message 3]
Problem:
...
[2012/04/05 23:22:05.548991, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: failed to get machine password for account WINSRV$: NT_STATUS_NO_TRUST_SAM_ACCOUNT
...
Solution(s):
1) Check that the machine is present in LDAP and that it has the "sambaAcctFlags" attribute, as the note below says:
Machine named "YFILER": Please look into the sambaAcctFlags attribute of the object of YFILER$: If it contains a "U", it is wrong. If you make that "W", it might start to work. Alternatively, you might try:
smbpasswd -x yfiler$
smbpasswd -a -m yfiler$
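The check described in the note above, written as an added example (it is not part of the original notes): a POSIX shell function that reads LDIF and reports machine accounts (uid ending in "$") whose sambaAcctFlags attribute is missing or lacks the "W" flag. The sample entries are constructed, and the ldapsearch server and base DN in the comment are assumptions built from the suffixes shown in the smb-ldap.conf output on this page.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Reads LDIF on stdin and reports machine accounts (uid ending in "$")
# whose sambaAcctFlags attribute is missing or does not contain "W".
# The LDIF could come from a query such as (server and base DN are assumptions):
#   ldapsearch -x -LLL -H ldap://ldap -b "ou=machines,dc=my_dom,dc=fr" \
#       "(objectClass=sambaSamAccount)" uid sambaAcctFlags
# Limitation: folded or base64-encoded ("uid:: ") LDIF values are not decoded.

audit_machine_flags() {
    acct='' flags=''
    # Two extra newlines guarantee the last record ends with a blank line.
    { cat; printf '\n\n'; } | while IFS= read -r line; do
        case $line in
            "uid: "*)            acct=${line#uid: } ;;
            "sambaAcctFlags: "*) flags=${line#sambaAcctFlags: } ;;
            "")
                # End of one LDIF record: judge it, then reset the state.
                case $acct in
                    *\$)
                        case $flags in
                            "")  printf '%s: sambaAcctFlags missing\n' "$acct" ;;
                            *W*) : ;;   # workstation trust account, as expected
                            *)   printf '%s: flags %s lack W\n' "$acct" "$flags" ;;
                        esac ;;
                esac
                acct='' flags='' ;;
        esac
    done
}

# Constructed sample entries (account names reused from this page).
sample_ldif() {
cat <<'EOF'
dn: uid=yfiler$,ou=machines,dc=my_dom,dc=fr
uid: yfiler$
sambaAcctFlags: [U          ]

dn: uid=winsrv$,ou=machines,dc=my_dom,dc=fr
uid: winsrv$
sambaAcctFlags: [W          ]

dn: uid=adupont,ou=people,dc=my_dom,dc=fr
uid: adupont
sambaAcctFlags: [U          ]

dn: uid=fhp230$,ou=machines,dc=my_dom,dc=fr
uid: fhp230$
EOF
}

sample_ldif | audit_machine_flags
```

Only yfiler$ and fhp230$ are reported: winsrv$ already carries "W", and adupont is a user account, for which "U" is correct.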
[Error messages 4]
Problem: unable to open the Windows profile. Error in the Samba logs:
...
[2012/04/10 22:34:55.145765, 0] lib/fault.c:326(dump_core)
dumping core in /var/log/samba/cores/smbd
[2012/04/10 22:34:58.480673, 0] locking/locking.c:804(share_mode_lock_destructor)
store returned NT_STATUS_UNSUCCESSFUL
[2012/04/10 22:34:58.480792, 0] lib/util.c:1465(smb_panic)
PANIC (pid 20741): could not store share mode entry: NT_STATUS_UNSUCCESSFUL
...
Solution(s):
Samba runs in a VZ (OpenVZ): not enough free space on "/", and a check of the file "/proc/user_beancounter" on the host machine showed that the quotas for the VZ concerned had been exceeded!
[Error messages 5]
Problem: Unable to join the machine to the domain
Error in smbd.log:
...
May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.287433, 0] lib/util_sock.c:1441(get_peer_addr_internal)
May 10 09:56:01 platane smbd[10326]: getpeername failed. Error was Noeud final de transport n'est pas connecté
May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.288112, 0] lib/util_sock.c:680(write_data)
May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.288171, 0] lib/util_sock.c:1441(get_peer_addr_internal)
May 10 09:56:01 platane smbd[10326]: getpeername failed. Error was Noeud final de transport n'est pas connecté
May 10 09:56:01 platane smbd[10326]: write_data: write failure in writing to client 0.0.0.0. Error Connexion ré-initialisée par le correspondant
May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.288233, 0] smbd/process.c:79(srv_send_smb)
May 10 09:56:01 platane smbd[10326]: Error writing 4 bytes to client. -1. (Noeud final de transport n'est pas connecté)
...
...
May 7 13:23:15 platane smbd[28786]: _netr_ServerAuthenticate: no challenge sent to client DIRECTEUR-CBM
...
...
Error following the "testparm" verification command:
...
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
...
smbstatus error:
...
tdb(unnamed): tdb_open_ex: could not open file /var/run/samba/unexpected.tdb: Aucun fichier ou dossier de ce type
...
Solution(s):
1) I tried stopping the "nscd" daemon and deleting the cache:
rm /var/cache/nscd/*
then restarting the daemon: problem not solved 🙁
2) The "rlimit_max" problem reported when running the "testparm" and "pdbedit" commands appears to be recorded as a bug in Samba (https://bugzilla.samba.org/show_bug.cgi?id=7898, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608624)
3) To fix the address mapping problems in the WINS server, I stopped Samba and then deleted the WINS server file (/var/lib/samba/wins.dat).
4) To fix the problem "tdb(unnamed): tdb_open_ex: could not open file /var/run/samba/unexpected.tdb: Aucun fichier ou dossier de ce type" reported by the "smbstatus" command:
The machine's network mask was wrong! I fixed it in the file "/etc/network/interfaces"!
Unfortunately, the problem of joining the Win XP machine to the domain persists!!!
[Error message 6]
Problem:
Problem for the user "mtartu", who has just been added to the "deploy" group, when connecting to the associated share. The user does not even belong to the group, although the "getent group" command shows him in the group!
root@bluet:/data/shares\ NEW$ getent group | grep deploy
deploy:*:15076:01eleve,01formateur,02eleve,02formateur,03eleve,03formateur,04eleve,04formateur,05eleve,05formateur,06eleve, mtartu
root@bluet:/data/shares/svg-info-pldeploy/logs\ NEW$
root@bluet:/data/shares/svg-info-pldeploy/logs\ NEW$ id mtartu
uid=15669(mtartu) gid=3000(Users) groupes=15052(x-svg),15093(x-transfert),20000(help-fina),3000(Users)
root@bluet:/data/shares\ NEW$
root@bluet:/data/shares\ NEW$ smbclient //bluet/svg-info -U mtartu
Enter mtartu's password:
Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_ACCESS_DENIED
root@bluet:
Solutions:
Restart the nscd daemon!
root@bluet:/data/shares\ NEW$ id mtartu
uid=15669(mtartu) gid=3000(Users) groupes=15052(x-svg),15076(deploy),15093(x-transfert),20000(help-fina),3000(Users)
root@bluet:/data/shares\ NEW$
root@bluet:/data/shares\ NEW$ smbclient //bluet/svg-info -U mtartu
Enter mtartu's password:
Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.5.6]
smb: \> quit
root@bluet:
[Error message 7]
Problem:
Under Windows 7, the machine refuses to join the domain:
[2012/08/03 15:36:35.809426, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
stty: standard input: Inappropriate ioctl for device
Use of uninitialized value $pass in chomp at /usr/sbin/smbldap-useradd line 324.
stty: standard input: Inappropriate ioctl for device
stty: standard input: Inappropriate ioctl for device
Use of uninitialized value $pass2 in chomp at /usr/sbin/smbldap-useradd line 330.
stty: standard input: Inappropriate ioctl for device
Use of uninitialized value $pass in string ne at /usr/sbin/smbldap-useradd line 334.
Use of uninitialized value $pass2 in string ne at /usr/sbin/smbldap-useradd line 334.
[2012/08/03 15:36:36.326509, 3] passdb/pdb_interface.c:348(pdb_default_create_user)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -i -t 0 -w "fhp230$"' gave 0
[2012/08/03 15:36:36.326648, 3] passdb/pdb_interface.c:365(pdb_default_create_user)
pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
Solution(s):
I tried to add the machine manually with the command:
root@bluet:/var/log/samba\ NEW$ /usr/sbin/smbldap-useradd -i -t 0 -w "fhp230$"
New password :
Retype new password :
root@bluet:/var/log/samba\ NEW$
Then I checked the LDAP configuration with the "ldapvi" command to see whether the machine was properly registered:
root@lotus:~# export EDITOR=vim
root@lotus:~# cat /etc/ldap.secret
toto1234
root@lotus:~# ldapvi -D "cn=admin,dc=mon_entreprise,dc=fr" -b "ou=Computers,dc=mon_entreprise,dc=fr"
--- Login
Type M-h for help on key bindings.
Filter or DN: cn=admin,dc=mon_entreprise,dc=fr
Password: ********
197 entries read
No changes.
root@lotus:~#
I deleted the machine's account in LDAP and re-joined the machine to the domain (from Windows 7), and then… miracle, it worked. Make of that what you will!
[Error message 8]
Problem:
[2013/06/19 08:53:27, 1] auth/auth_sam.c:sam_account_ok(179)
sam_account_ok: Password expired at 'Tue, 18 Jun 2013 09:31:34 CEST' (1371540694) unix time.
Solution(s):
Change the timestamp of the Samba "sambaPwdMustChange" attribute for the user in LDAP.
The site http://www.onlineconversion.com/unix_time.htm can be used to generate the timestamp corresponding to a date and a time.
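The same conversion done locally, as an added example that is not part of the original notes: it extracts the epoch from the log line of error message 8, renders it in UTC to cross-check it against the logged date, and builds the LDIF that sets sambaPwdMustChange to a chosen date. The user DN and the new expiry date are constructed, and a date(1) that accepts -d (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Assumes a date(1) that accepts -d (GNU coreutils or BusyBox).

# Pull the epoch out of an auth_sam "Password expired at ... (N) unix time." line.
expired_epoch() {
    sed -n 's/.*Password expired at .*(\([0-9][0-9]*\)) unix time.*/\1/p'
}

# Epoch -> readable UTC time, to cross-check against the date in the log.
epoch_to_utc() {
    date -u -d "@$1" '+%Y-%m-%d %H:%M:%S UTC'
}

# "YYYY-MM-DD HH:MM:SS" (interpreted as UTC) -> epoch.
utc_to_epoch() {
    date -u -d "$1" '+%s'
}

# Build the LDIF that sets sambaPwdMustChange to the given UTC date.
# $1 = DN of the user entry, $2 = new expiry as "YYYY-MM-DD HH:MM:SS" (UTC).
must_change_ldif() {
    new_epoch=$(utc_to_epoch "$2") || return 1
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'replace: sambaPwdMustChange\n'
    printf 'sambaPwdMustChange: %s\n' "$new_epoch"
}

# Log line copied from error message 8 on this page.
LOG_LINE="[2013/06/19 08:53:27, 1] auth/auth_sam.c:sam_account_ok(179) sam_account_ok: Password expired at 'Tue, 18 Jun 2013 09:31:34 CEST' (1371540694) unix time."

old=$(printf '%s\n' "$LOG_LINE" | expired_epoch)
echo "expired at: $(epoch_to_utc "$old")"

# Constructed DN (hypothetical user entry under the "ou=people" suffix) and
# constructed new expiry date.
must_change_ldif "uid=adupont,ou=people,dc=my_dom,dc=fr" "2013-12-31 23:00:00"
```

The generated LDIF can be applied with ldapmodify, bound as an account that is allowed to write the attribute.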
“Knowledge has more value and grows quickly when it is shared and freely accessible…”
This document is published under a Creative Commons licence
Attribution, Share Alike, Non-Commercial 3.0: http://creativecommons.org/licenses/by-nc/3.0/