Service Samba: quelques notes prises au fil du temps.

Temps de lecture approximatif : 29 minutes

MES NOTES SUR LE SERVICE SAMBA

+> Service Samba: documentations et liens intéressants <+

 

Conversion des dates pour samba depuis 1.1.1970
*************************************************************

Voir http://dan.drydog.com/unixdatetime.html

HowTo
********

Samba HOWTO

+> Netbios/Wins <+

nmbd est le service Wins de samba qui va gérer les noms Netbios. Les enregistrements de type Wins se font dans le fichier « /var/lib/samba/wins.dat »

root@monserveur:~# nmblookup monserveur
querying monserveur on 192.168.10.255
192.168.10.247 monserveur<00>
root@monserveur:~#

Module smbfs
******************

Problème 1
==========

Erreur smbmnt lors du montage:

root@mail:/data# mount -t smbfs -o username=l_utilisateur,password=le_mot_passe //stratus.lan.monentreprise.coop/common /data/csv_icaDB/

ERROR: smbfs filesystem not supported by the kernel
Please refer to the smbmnt(8) manual page
smbmnt failed: 255
root@mail:/data#

Solution 1
==========

Activer le module smbfs au niveau de la machine hôte.
Les commandes et outils utiles
**********************************

  •  Voir la liste des utilisateurs vu par Samba lors de sa connexion à LDAP
    pdbedit -b ldapsam:"ldap://monserveur_ldap" -L
  • Modifier LDAP pour faire en sorte que le mot de passe des utilisateurs n’expire jamais.
pdbedit -b ldapsam:"ldap://monserveur_ldap" -P 'maximum password age' -C -1

Récupérer la valeur de "ldapsam" dans /etc/samba/smb-ldap.conf

 

+> Monter un partage Samba sur une vz (OpenVZ) <+

 

– Sur la machine hôte, éteindre la VZ puis:

root@fibratus:/# mount -t cifs -o username=administrator,password=mot_passe //stratus.lan.monentreprise.coop/common/csv_icaDB /mnt/
root@fibratus:/# mount --bind /mnt /data/vz/root/253/data/csv_icaDB/

Le partage est maintenant accessible sur la machine distante.

 

+> Vérifier les connexions à Samba <+

 

root@lilas:/usr/share/doc# smbstatus
Samba version 3.0.24
 PID     Username      Group         Machine
 -------------------------------------------------------------------
 13003   ptltest       svg-info      genepi       (192.168.30.209)
 12977   ndupond       Users         fh123        (192.168.40.194)
 12852   amustufu      Users         fhp407       (192.168.40.195)
 12972   psoins        5064          fh083        (192.168.40.165)
Service      pid     machine       Connected at
 -------------------------------------------------------
 ndupond      12977   fh123         Tue Jul 17 15:40:16 2012
 ptl-brod     12852   fhp407        Tue Jul 17 15:23:47 2012
 psoins       12972   fh083         Tue Jul 17 15:39:46 2012
 ptltest      13003   genepi        Tue Jul 17 15:46:48 2012
Locked files:
 Pid          Uid        DenyMode   Access      R/W        Oplock           SharePath   Name   Time
 --------------------------------------------------------------
 12852        4053       DENY_NONE  0x100001    RDONLY     NONE             /data/shares/ptl-brod   Broderie local/Broderie/Quintessence/EMS clair Voiler   Tue Jul 17 15:23:47 2012
root@lilas:/usr/share/doc#

 

+> Gestion des utilisateurs dans Samba <+

Ajout d’un utilisateur
************************

–  L’utilisateur UNIX doit être d’abord créé !

Remplacer « mon_nouvel_utilisateur » par le nom de votre utilisateur

utilisateur@serveur:/# useradd mon_nouvel_utilisateur
utilisateur@serveur:/# smbpasswd -a mon_nouvel_utilisateur

– On peut vérifier ensuite dans /etc/passwd:

mon_nouvel_utilisateur:x:1013:100::/home/mon_nouvel_utilisateur:/bin/false

 

Contrôle de l’ID d’un utilisateur
************************************

utilisateur@serveur:/# id mon_utilisateur
uid=10019(mon_utilisateur) gid=10002(Users)groups=10002(Users)

 

Modifier le mot de passe d’un utilisateur:
*********************************************

Pour uniquement modifier le mot de passe Unix et Samba:

#smbpasswd nom_utilisateur

Pour modifier le mot de passe dans LDAP, Unix et Samba:

#smbldap-passwd  nom_utilisateur

 

+> Domaine Samba <+

 

Rentrer une machine linux dans un domaine Samba
********************************************************

root@stratus:/# net rpc join -S stratus -W MY_DO -U administrator
Password:
Joined domain MY_DO
root@stratus:

 

Trouver un contrôleur de domaine
**************************************

moi@estaque:~$ findsmb
*=DMB
+=LMB
IP ADDR         NETBIOS NAME     WORKGROUP/OS/VERSION
--------------------------------------------------------------
192.168.3.168   HOMER         *[MY_DO] [Unix] [Samba 3.4.7]
moi@estaque:~$

 

Commandes utiles pour Samba
***********************************

Tester un montage:

# smbclient //LILAS/netlogon/mon_utilisateur -U mon_utilisateur
 >password       ; mettre ici le mot de passe de l'utilisateur afin de pouvoir ouvrir le partage

 Chercher les membres d’un groupe :

# smbldap-groupshow nom_du_group

Chercher des infos sur un utilisateur

root@monclient_2srv:/etc/samba# smbldap-usershow secretaire
dn: uid=secretaire,ou=People,dc=monclient_2,dc=ch
cn: secretaire
displayName: secretaire
gecos: secretaire
gidNumber: 2002
homeDirectory: /home/secretaire
loginShell: /bin/bash
sambaAcctFlags: [U          ]
sambaPrimaryGroupSID: S-1-5-21-1576167295-1879984704-612134452-513
sambaSID: S-1-5-21-1576167295-1879984704-612134452-2410
shadowLastChange: 11778
uid: secretaire
uidNumber: 1155
userPassword: {CRYPT}6NI8b7bXXAjso
sambaLMPassword: 397EF85B82A1976317306D272A9441BB
sambaNTPassword: A59B8700B185739A0D000EB7B8856333
sambaPwdCanChange: 1227002765
sambaPwdLastSet: 1227002765
objectClass: top,account,posixAccount,shadowAccount,sambaSamAccount
root@monclient_2srv:/etc/samba#

 

Paramètrage du fichier de conf de Samba (/etc/samba/shares.conf)

 

 Exemple de configuration de partage

[svg_info_deploy]
 comment = Déploiement de logiciels
 path = /data/svg_info_deploy
 public = no
 writable = yes
 browseable = no
 valid users = @svg-info
 force group = svg-info
 directory mode = 0770
 create mode = 0770

Limitation de lecture pour un groupe

[voi-ergo]
comment = partage pour Ergothérapie
path = /data/shares/voi-ergo
public = no
valid users = @voi-soin, @voi-ergo
read list = @voi-soin
write list = @voi-ergo
admin users = @voi-ergo
writable = yes
create mode = 0750
directory mode = 0750
force group = +voi-ergo

 Activation de la corbeille

[redaction]
comment = Dossier pour la Redaction
path = /data/redaction
username = admin
valid users = @redac
write list = @redac
force group = +redac
read only = No
create mask = 0770
directory mask = 0770
# Definition de la corbeille pour "redaction"...
vfs object = recycle
recycle:repository = /data/redaction/.corbeille recycle:keeptree = yes
recycle:versions = yes
recycle:maxsize = 1000000
recycle:exclude = *.tmp
recycle:exclude_dir = /tmp

 Exemple de configuration du fichier principal de Samba

[global]
# http://oreilly.com/catalog/samba/chapter/book/ch05_01.html
## Browsing/Identification ###
netbios name = mon_serveur

# Change this to the workgroup/NT-domain name your 
# Samba server will part of
workgroup = MY_DOM

# server string is the equivalent of the NT Description field
server string = %h server

# cf. http://brneurosci.org/linuxsetup38.html
public = yes
browseable = yes
lm announce = yes
browse list = yes
auto services = yes
schannel client = no
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba 
# to enable its WINS Server
# TESTING!!!
wins support = yes

# WINS Server - Tells the NMBD components of Samba 
# to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS 
# Client, but NOT both
# TESTING!!!
# wins server = 192.168.10.100

# This will prevent nmbd to search for NetBIOS names 
# through DNS.
dns proxy = no

# What naming service and in what order should 
# we use to resolve host names to IP addresses
name resolve order = host wins bcast

#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP
# address/netmask;
# interface names are normally preferred
interfaces = 127.0.0.0/8 192.168.10.0/24 eth0

# Only bind to the named interfaces and/or networks; 
# you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature 
# if your Samba machine is not protected by a firewall 
# or is a firewall itself.  However, this option 
# cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = true
remote announce = 192.168.0.252 192.168.30.209
remote browse sync = 192.168.0.252 192.168.30.209

#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 10000
# PLEASE!!!
# If you change the log levels or amount of log files 
# kept for debugging purposes, set them back to the way 
# that you found them after you are done.  Samba can 
# generate incredible amounts of logs that can overflow
# the backup system and uselessly fill the disk 
# if you are not careful!
# DO NOT FORGET!!!
# PLEASE!!!
debug level = 1

# If you want Samba to only log through syslog then set 
# the following parameter to 'yes'.
; syslog only = no

# We want Samba to log a minimum amount of information 
# to syslog. Everything should go to /var/log
# /samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter 
# to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail 
# the admin a backtrace
panic action = /usr/share/samba/panic-action %d

####### Authentication #######
# "security = user" is always a good idea. This will 
# require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs
# /Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
security = user

# You may wish to use password encryption.  See the 
# section on 'encrypt passwords' in the smb.conf(5) 
# manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will 
# need to know what password database type you are using.
; passdb backend = tdbsam
; obey pam restrictions = yes
; guest account = nobody
; invalid users = root

# This boolean parameter controls whether Samba attempts 
# to sync the Unix password with the SMB password when 
# the encrypted SMB password in the passdb is changed.
; unix password sync = no

# For Unix password sync to work on a Debian 
# GNU/Linux system, the following parameters must be
# set (thanks to Ian Kahan <<kahan@informatik.tu-
# muenchen.de> for sending the correct chat script for 
# the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for 
# password changes when requested by an SMB client 
# instead of the program listed in 'passwd program'. 
# The default is 'no'.
; pam password change = no

# Include standard LDAP config here (if LDAP is used). 
# Note that it normally overrides the passdb setting.
include = /etc/samba/smb-ldap.conf

########## Domains ###########
# Is this machine able to authenticate users. Both PDC 
# and BDC must have this setting enabled. If you are the 
# BDC you must change the 'domain master' setting to 
# no.
domain logons = yes
#
# The following setting only takes effect if 'domain
# logons' is set. It specifies the location of the 
# user's profile directory from the client point of view)
# The following required a [profiles] share to be setup 
# on the samba server (see below).
logon path = \\%N\profiles\%U
# Another common choice is storing the profile in 
# the user's home directory
; logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain 
# logons' is set It specifies the location of a user's
# home directory (from the client point of view).

# ICI C'EST LE LECTEUR QUI SERA AFFECTER POUR 
# MONTER LE "HOME" DE L'UTILISATEUR.
#
logon drive = U:

# INDIQUE L'ENDROIT OU SE TROUVE LE "HOME" DE L'
# UTILISATEUR SUR LE SERVEUR (%N ETANT L'ADRESSE DU SRV)
#
logon home = \\%N\%U 

# The following setting only takes effect if 'domain 
# logons' is set. It specifies the script to run 
# during logon. The script must be stored in the [netlo
# gon] share.
# NOTE: Must be store in 'DOS' file format convention.
# INDIQUE ICI QUE L'ON UTILISERA UN SCRIPT DE
# TYPE "nom_utilisateur.bat" DANS /var/lib/samba/netlogon
#
logon script = %U.bat

# This allows Unix users to be created on the 
# domain controller via the SAMRRPC pipe. The example 
# command creates a user account with a disabled Unix
# password; please adapt to your needs.
# add user script = /usr/sbin/adduser --quiet 
# --disabled-password --gecos "" %u

########## Printing ##########
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes

# lpr(ng) printing. You may wish to override the location
# of the printcap file.
; printing = bsd
; printcap name = /etc/printcap

# CUPS printing.  See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups

# When using [print$], root is implicitly a 'printer 
# admin', but you can also give this right to other users 
# to add drivers and set printer properties
; printer admin = @ntadmin

############ Misc ############
# Using the following line enables you to customise 
# your configuration on a per machine basis. The %m 
# gets replaced with the netbios name of the machine that 
# is connecting
; include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives 
# better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc
# /htmldocs/Samba3-HOWTO/speed.html
# For details you may want to add the following on a 
# Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# The following parameter is useful only if you have 
# the linpopup package installed. The samba maintainer 
# and the linpopup maintainer are working to 
# ease installation and configuration of linpopup 
# and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# set local master to no if you don't want Samba to 
# become a master browser on your network. Otherwise 
# the normal election rules apply
# TESTING!!!
local master = yes

# OS Level determines the precedence of this server 
# in master browser elections. The default value should 
# be reasonable
os level = 127

# Domain Master specifies Samba to be the Domain 
# Master Browser. If this machine will be configured as a 
# BDC (a secondary logon server), you must set this to 
# 'no'; otherwise, the default behavior is recommended.
domain master = yes

# Preferred Master causes Samba to force a local 
# browser election on startup and gives it a slightly 
# higher chance of winning the election
# TESTING!!!
preferred master = yes

# Some defaults for winbind (make sure you're not using 
# the ranges for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

# The following was the default behaviour in sarge
# but samba upstream reverted the default because it 
# might induce
# performance issues in large organizations. See #368251 
# for some of the consequences of *not* having
# this setting and smb.conf(5) for all details

; winbind enum groups = yes
; winbind enum users = yes

# We should fix permanently one of these days
; dos charset = 850
; unix charset = ISO8859-1

# no oplocks for MS Office stuff
veto oplock files = /*.doc/*.xls/*.mdb/

# Is this REALLY necessary
; username map = /etc/samba/smbusers

# If "invalid users" is not emptied, root cannot login
invalid users =
#============ Share Definitions =========
[homes]
comment = Dossier Personnel
browseable = no

# By default, the home directories are exported 
# read-only. Change next parameter to 'yes' if you want 
# to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If # you want to create files with group=rw permissions, set
# next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 
# for security reasons. If you want to create dirs. 
# with group=rw permissions, set next parameter to 0775.
directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external 
# authentication schemes
valid users = %S

# Un-comment the following and create the netlogon directory # for Domain Logons (you need to configure Samba to act as a # domain controller too.)
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon/
# logon script = %U.bat
guest ok = no
writable = no
share modes = no
browseable=no
case sensitive = no

# Un-comment the following and create the netlogon 
# directory for Domain Logons (you need to configure 
# Samba to act as a domain controller too.)
[profiles]
browseable = no
create mode = 0600
directory mode = 0700
read only = no
default case = lower
preserve case = no
short preserve case = no
mangle case = yes
case sensitive = no
comment = Profils utilisateurs
path = /var/lib/samba/profiles
# note: profile acls will only have an effect if
# one turns on nt acl support!
nt acl support = yes
profile acls = yes

[printers]
 comment = All Printers
 browseable = yes
 path = /var/spool/samba
 printable = yes
 public = no
 writable = no
 create mode = 0700

# Windows clients look for this share name as 
# a source of downloadable printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration 
# of Windows print drivers.
# Replace 'ntadmin' with the name of the group 
# your admin users are members of.
;    write list = root, @ntadmin

# A sample share for sharing your CD-ROM with others.
;[cdrom]
;   comment = Samba server's CD-ROM
;   writable = no
;   locking = no
;   path = /cdrom
;   public = yes
# The next two parameters show how to auto-mount 
# a CD-ROM when the cdrom share is accesed. For 
# this to work /etc/fstab must contain an entry like this:
#
#   /dev/scd0   /cdrom  iso9660 defaults,noauto,ro,user    0 0
#
# The CD-ROM gets unmounted automatically after the         #  connection to the
#
# If you don't want to use auto-mounting/unmounting make sure # the CD is mounted on /cdrom
#
;   preexec = /bin/mount /cdrom
;   postexec = /bin/umount /cdrom

# keep the configuration for simple shares in a seperate file
include = /etc/samba/shares.conf

 

Intégration Windows 7 avec Samba

 

1) Récupérer le patch ici:  http://wiki.samba.org/index.php/Windows7

2) Patcher la base de registre

3) Exécuter « gpedit.msc » et modifier les options ci dessous ( vu sur le site: http://www.linuxquestions.org/questions/linux-server-73/joining-a-windows-7-client-to-samba-pdc-v-3-4-3-a-815174/ ) :

  • Computer|Windows Settings|Security Settings|Local Policies|Security Options

– Network Security: LAN Manager Auth. Level:  Send LM&NTLM use NTLMv2 session sec. if negociated

– Network Security: Minimum session…both clients and servr:  NO Required 128b encryption

 

Si vous avez un problème de synchronisation  des profiles itinérants essayer de modifier aussi:

  • Computer|Admin.Templates|System|User Profiles|

– Do not check for user ownership of roaming profile: Enabled

– Delete cache copies of roaming profile: Enabled

 

4)  Sortir de la console gpedit et REBOOTER LE POSTE pour que les changements prennent effet.

 

Eventuelles modifications
**********************
********

Eventuellement à faire si vous avez toujours un problème d’intégration:
Exécuter REGEDIT puis modifier les clés suivantes:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters]

« QualifyingDestinationThreshold »=dword:00000003
« NV Domain »=« type name of your Samba Workgroup in smb.conf »
« NameServer »=« type name of your Samba Workgroup in smb.conf »

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\System\DNSClient]

« NV PrimaryDnsSuffix »= »type name of your Samba Workgroup in smb.conf »

Autres astuces
******************

Source: http://blog.bigsmoke.us/2010/03/17/fixing-extremely-slow-domain-logon-windows-7
*  Run gpedit.msc.
* Go to computer configuration.
* Go to Administrative templates.
* Go to System.
* Go to User profiles.
* Enable “Set maximum wait time for the network if a user has a roaming user profile or remote home directory” and set to 0 seconds

 

+> Quelques commandes de tests <+

 

Vérification préalables à effectuer et commandes utiles
*************************************************************

1) Vérifier « /etc/network/interface » , Samba à besoin de l’interface « lo » pour fonctionner !

2) Vérifier que le paramètre « wins support =  » est bien sur « no » si le controleur de domaine contacter n’est pas le serveur
Wins principal !

3) Vérification des paramètres dans LDAP:

– Exécuter la commande:

# ldapsearch -x '(uid=nom_utilisateur)'

Voici un exemple de resultat

# ldapsearch -x '(uid=adupont)'
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: (uid=adupont)
# requesting: ALL
# # adupont, People, monentreprise.fr
dn: uid=adupont,ou=People,dc=monentreprise,dc=fr
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: adupont cn: Anita Dupont
sn: Dupont
gecos: Anita Dupont
givenName: Anita
homeDirectory: /home/adupont
loginShell: /bin/bash
gidNumber: 3000
uidNumber: 4157
telephoneNumber: 024 765 45 98
sambaSID: S-1-5-21-3877789738-361012426-522534083-9314
displayName: Anita Dupont
sambaPwdCanChange: 1195226587
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
00000000
mail: dupont@monentreprise.fr
sambaHomeDrive: U:
sambaLogonScript: \\HIBISCUS\netlogon\adupont
sambaProfilePath: \\HIBISCUS\profiles\adupont
title: technicien - electricien
departmentNumber:: WWFtYW5pIHLDqXNpZGVuY2U=
sambaAcctFlags: [U]
sambaPwdLastSet: 1222244533
sambaPwdMustChange: 1230798133
sambaHomePath: \\HIBISCUS\adupont ...
# search result
search: 2
result: 0 Success # numResponses: 2
# numEntries: 1

 

4) Vérification par rapport aux profiles itinérants:

– Vérifier le paramètre du profil utilisateur sous Windows:
( poste de travail—>propriété—>profil utilisateur—>avancées)
Il doit autoriser l’itinerance du profil et non avoir comme seul paramètre « local » !

– Vérifier dans le fichier « /etc/samba/smb.conf » :
dans la rubrique [profiles]: on doit avoir « profile acls = yes » et « nt acl support = yes »
L’un sans l’autre ne fonctionne pas ! soit on les actives, soit non !

5) Si Samba tourne sur une VZ (OpenVZ), vérifier la place disponible sur « / » et vérifier que les quotas dans « user_beancounter » de la
machine hôte sont correctes.

6) Vérification du SID de Samba pour que ça colle avec celui entré dans LDAP pour tous les users:

idesia:/etc/samba# net getlocalsid CBL
SID for domain CBL is: S-1-5-21-1505892832-1682233522-2560333092
idesia:/etc/samba# net getlocalsid
SID for domain IDESIA is: S-1-5-21-1505892832-1682233522-2560333092
idesia:/etc/samba#

Le numéro SID du serveur Samba peut être changé afin de faire correspondre le SID de Samba avec celui des users et computers. Exemple pour le SID « S-1-5-21-1505892832-1682233522-2560333092 »

net setlocalsid S-1-5-21-1505892832-1682233522-2560333092

 

Quelques commandes de test depuis linux
************************************************

root@platane:~# smbstatus
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
params.c:pm_process() - Processing configuration file "/etc/samba/shares.conf"
Processing section "[homes]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
Unknown parameter encountered: "mangle case"
Ignoring unknown parameter "mangle case"
Processing section "[data]"
WARNING: The "share modes" option is deprecated
Processing section "[Classe-Therapie]"
Processing section "[Direction]"
Processing section "[Secretariat]"
Processing section "[Dossiers-Residents]"
Processing section "[Educatif]"
Processing section "[Gestion-coordination]"
Processing section "[info]"
Processing section "[Services]"
Processing section "[Soins]"
Processing section "[Public]"
Can't find include file /etc/samba/conf.d/*.conf

Samba version 3.5.6
 PID     Username      Group         Machine
 --------------------------------------------------------------

Service      pid     machine       Connected at
--------------------------------------------------------------

No locked files

root@platane:~#

 

root@stratus:/var/log/samba# nmblookup -M MY_DOM -v
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter obey pam restrictions = no
doing parameter invalid users = root
doing parameter domain logons = yes
doing parameter logon drive = U:
doing parameter logon home = \\%N\%U
doing parameter logon script = %U.bat
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter os level = 127
doing parameter veto oplock files = /*.doc/*.xls/*.mdb/
doing parameter level2 oplocks = False
doing parameter domain master = yes
doing parameter local master = yes
doing parameter include = /etc/samba/smb-ldap.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
doing parameter ldap passwd sync = yes
doing parameter passdb backend = ldapsam:ldap://ldap
doing parameter ldap admin dn = "cn=config"
doing parameter ldap suffix = dc=ica,dc=coop
doing parameter ldap group suffix = ou=groups
doing parameter ldap user suffix = ou=people
doing parameter ldap machine suffix = ou=machines
doing parameter obey pam restrictions = no
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete group script = /usr/sbin/smbldap-groupdel "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter ldap delete dn = Yes
doing parameter ldap ssl = no
doing parameter passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
doing parameter passwd program = /usr/sbin/smbldap-passwd %u
pm_process() returned Yes
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Socket opened.
querying MY_DOM on 127.255.255.255
querying MY_DOM on 192.168.16.255
name_query failed to find name MY_DOM
root@stratus:/var/log/samba#

 

root@platane:~# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
Processing section "[homes]"
Processing section "[netlogon]"
WARNING: The "share modes" option is deprecated
Processing section "[profiles]"
Unknown parameter encountered: "mangle case"
Ignoring unknown parameter "mangle case"
Processing section "[data]"
WARNING: The "share modes" option is deprecated
Processing section "[Classe-Therapie]"
Processing section "[Direction]"
Processing section "[Secretariat]"
Processing section "[Dossiers-Residents]"
Processing section "[Educatif]"
Processing section "[Gestion-coordination]"
Processing section "[info]"
Processing section "[Services]"
Processing section "[Soins]"
Processing section "[Public]"
Can't find include file /etc/samba/conf.d/*.conf
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
dos charset = 850
unix charset = utf8
display charset = iso-8859-15
workgroup = CBM
server string = %h server (Samba %v)
interfaces = 127.0.0.0/8, 10.0.80.0/24, eth1
map to guest = Bad User
passdb backend = ldapsam:"ldap://ldap.monclient_1.ch"
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
log level = 3
log file = /var/log/samba/log.%m
max log size = 100000
smb ports = 139
name resolve order = host wins bcast
deadtime = 10
socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
add machine script = /usr/sbin/smbldap-useradd -i -t 0 -w "%u"
logon script = netlogon.bat
logon path = \\%L\profiles\%U
logon drive = U:
logon home = \\%L\%U
domain logons = Yes
os level = 254
lm announce = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=cbm,dc=monclient_1,dc=ch
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=cbm,dc=monclient_1,dc=ch
ldap ssl = no
ldap user suffix = ou=People
preload = yes
create mask = 0640
directory mask = 0750
guest ok = Yes
nt acl support = No
map acl inherit = Yes
case sensitive = No
veto oplock files = /*.doc/*.xls/*.mdb/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[homes]
comment = Home Directories
path = /home/%u
valid users = %S
read only = No
create mask = 0770
directory mask = 0770
browseable = No
...
...
root@platane:~#

 

root@platane:~# smbtree -N -d 2
interpret_interface: using netmask value 8 from config file on interface lo
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
interpret_interface: using netmask value 24 from config file on interface eth1
added interface eth1 ip=10.0.80.254 bcast=10.0.80.255 netmask=255.255.255.0
added interface eth1 ip=fe80::218:51ff:fe3a:4e50%eth1 bcast=fe80::ffff:ffff:ffff:ffff%eth1 netmask=ffff:ffff:ffff:ffff::
Got a positive name query response from 127.0.0.1 ( 10.0.80.254 )
Got a positive name query response from 127.0.0.1 ( 10.0.80.254 )
WORKGROUP
Got a positive name query response from 10.0.80.188 ( 10.0.80.188 )
CBM
\\RNPF0F4D8
Got a positive name query response from 10.0.80.220 ( 10.0.80.220 )
\\RNPF0F4D8\IPC$
\\RNPF0F4D8\MPC2050
\\PLATANE                platane server (Samba 3.5.6)
\\PLATANE\Aficio_SP_C222DN_Ex&Co    Aficio SP C222DN_Ex&Co
\\PLATANE\Aficio_SP_C222DN_Ex&Co@10.0.80.3    Aficio SP C222DN_Ex&Co
\\PLATANE\CDJ                CDJ
\\PLATANE\Ricoh-Aficio_MP_C2050_PXL   Multi_fonction_photocopieur
\\PLATANE\Ricoh-Aficio_MP_C2050_PXL@10.0.80.3   Multi_fonction_photocopieur
\\PLATANE\Ricoh-Cuisine      Cuisine
\\PLATANE\Ricoh-Grpe2        2eme etage
\\PLATANE\Ricoh-Grpe3        3eme etage
\\PLATANE\Ricoh-Grpe3@10.0.80.3    3eme etage
\\PLATANE\Ricoh-Grpe4        4eme etage
\\PLATANE\Ricoh-Grpe5        5eme etage
\\PLATANE\Ricoh-Infirmerie    Infirmerie
\\PLATANE\RICOH_Aficio_SP_C232DN_PS_serv_techn    Local Service Technique
\\PLATANE\Ricoh_Dir_adj_cbm    1er_etage_dir_adj
\\PLATANE\Ricoh_SP_C222SF_ergo_rez    Ergoterapie_rez
\\PLATANE\Ricoh_SP_C222SF_ergo_rez@10.0.80.3   
Ergoterapie_rez
\\PLATANE\RicohSecretariat    1eme etage
\\PLATANE\IPC$               IPC Service (platane server (Samba 3.5.6))
\\BUFFALO-CBM            NAS-TeraStation
Got a positive name query response from 10.0.80.80 ( 10.0.80.80 )
\\BUFFALO-CBM\lp                 Network Printer for Windows
\\BUFFALO-CBM\info               TeraStation Utilities
\\BUFFALO-CBM\multimedia         TeraStation folder
\\BUFFALO-CBM\IPC$               IPC Service ("NAS-TeraStation")
root@platane:~#

 

root@stratus:/var/log/samba# smbclient -L localhost
Password:
Anonymous login successful
Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.0.24]
Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
common          Disk      Partage des donnees
MYDOdb           Disk      Path pour la generation des exports
IPC$            IPC       IPC Service (stratus server (Samba 3.0.24))
Anonymous login successful
Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.0.24]
Server               Comment
---------            -------
NBK004
NBK010
NBK012
STRATUS              stratus server (Samba 3.0.24)
WKS002               Optiplex GX270 (Name, Firstname )
WKS005               Optiplex GX270 (Name. Firstname)
WKS009               Desktop de MCB
WKS010               Desktop de MEC
WKS012               Desktop de GM
Workgroup            Master
---------            -------
MY_DOM               STRATUS
ICAGE                ICASRV01
WORKGROUP            LG-XNOTE-PC
root@stratus:/var/log/samba#

 

root@platane:/var/run/samba# pdbedit -L -v
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CBM))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
smbldap_search_paged: base => [dc=cbm,dc=monclient_1,dc=ch], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_paged: search was successful
sid S-1-5-21-4264079089-3509617443-2495841085-500 does not belong to our domain
init_sam_from_ldap: Entry found for user: adupont
init_sam_from_ldap: Entry found for user: infcbm
init_sam_from_ldap: Entry found for user: bdbl
init_sam_from_ldap: Entry found for user: sfro
init_sam_from_ldap: Entry found for user: infcbmgr3
init_sam_from_ldap: Entry found for user: sec-2$
---------------
Unix username:        adupont
NT username:          adupont
Account Flags:        [U          ]
User SID:             S-1-5-21-2638510728-3434069821-3757585111-31000
Primary Group SID:    S-1-5-21-2638510728-3434069821-3757585111-513
Full Name:            Anita Dupont<C3><A9>
Home Directory:       \\platane\adupont
HomeDir Drive:        U:
Logon Script:         adupont.bat
Profile Path:         \\platane\profiles\adupont
Domain:               CBM
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Thu, 13 Aug 2009 17:54:20 CEST
Password can change:  Thu, 13 Aug 2009 17:54:20 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
---------------
Unix username:        infcbm
NT username:          infcbm
...
...

 

Contrôle depuis un poste Windows
***************************************

– Test d’une entrée dans le domaine en ligne de commande (commande plus valide sous Seven !, voir si alternative):

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrateur>powershell
 Windows PowerShell
 Copyright (C) 2009 Microsoft Corporation. Tous droits réservés.
PS C:\Documents and Settings\Administrateur> add-computer -domain CBM -cred CBM\cbmadmin
 Add-Computer : Cette commande ne peut pas être exécutée sur l'ordinateur cible
 (« ROUGE ») en raison de l'erreur suivante : Un périphérique attaché au système
 ne fonctionne pas correctement.
 Au niveau de ligne : 1 Caractère : 13
 + add-computer <<<<  -domain CBM -cred CBM\cbmadmin
 + CategoryInfo          : InvalidOperation: (ROUGE:String) [Add-Computer],
 InvalidOperationException
 + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.AddComputerCommand
PS C:\Documents and Settings\Administrateur>

 

– Test de verification Netbios

C:\Documents and Settings\Administrateur>nbtstat
Affiche les statistiques du protocole et les connexions TCP/IP actuelles
utilisant NBT (NetBIOS sur TCP/IP).
NBTSTAT [-a Nom Distant] [-A adresse IP] [-c] [-n]
 [-r] [-R] [-RR] [-s] [S] [intervalle]
-a (état carte) Liste la table de noms de l'ordinateur distant (nom connu).
 -A (état carte) Liste la table de noms d'ordinateurs distants (adresse IP).
 -c (cache)      Liste le cache de noms distant y compris les adresses IP.
 -n (noms)       Liste les noms NetBIOS locaux.
 -r (résolus)    Liste les noms résolus par diffusion et via WINS.
 -R (Recharge)   Purge et recharge la table du cache de noms distante.
 -S (Sessions)   Liste la table de sessions avec les adresses destination IP.
 -s (sessions)   Liste la table de sessions convertissant les adresses de destination IP en noms d'hôtes NETBIOS.
 -RR  (ReleaseRefresh) Envoie des paquets de libération de nom à WINS puis actualise
Nom Distant     Nom de l'ordinateur hôte distant.
adresse IP      Représentation décimale pointée de l'adresse IP.
intervalle      Réaffiche les statistiques sélectionnées, en marquant un
temps d'arrêt égal à "intervalle" secondes entre chaque
affichage. Appuyez sur Ctrl+C pour arrêter l'affichage des
statistiques.

C:\Documents and Settings\Administrateur>nbtstat -c
Connexion au réseau local:
Adresse IP du noeud : [10.0.80.188] ID d'étendue : []
Table de nom de cache distant NetBIOS
Nom               Type        Adresse d'hôte   Vie [sec]
------------------------------------------------------------
CBM            <1B>  UNIQUE          10.0.80.254         202
CBM            <1C>  Groupe          10.0.80.254         202
PLATANE        <20>  UNIQUE          10.0.80.254         202

C:\Documents and Settings\Administrateur>nbtstat -n
Connexion au réseau local:
Adresse IP du noeud : [10.0.80.188] ID d'étendue : []
Table nom local NetBIOS
Nom                Type         Statut
---------------------------------------------
ROUGE          <00>  UNIQUE      Inscrit
WORKGROUP      <00>  Groupe      Inscrit
ROUGE          <20>  UNIQUE      Inscrit
WORKGROUP      <1E>  Groupe      Inscrit
WORKGROUP      <1D>  UNIQUE      Inscrit
..__MSBROWSE__.<01>  Groupe      Inscrit

C:\Documents and Settings\Administrateur>nbtstat -A 10.0.80.254
Connexion au réseau local:
Adresse IP du noeud : [10.0.80.188] ID d'étendue : []
Table de noms NetBIOS des ordinateurs distants
Nom                Type         État
---------------------------------------------
PLATANE        <00>  UNIQUE      Inscrit
PLATANE        <03>  UNIQUE      Inscrit
PLATANE        <20>  UNIQUE      Inscrit
..__MSBROWSE__.<01>  Groupe      Inscrit
CBM            <1D>  UNIQUE      Inscrit
CBM            <1B>  UNIQUE      Inscrit
CBM            <1C>  Groupe      Inscrit
CBM            <1E>  Groupe      Inscrit
CBM            <00>  Groupe      Inscrit
Adresse MAC = 00-00-00-00-00-00
C:\Documents and Settings\Administrateur>

 

Exemple de Netlogon
************************

Exemple fichier « adupont.bat »

echo off
start auth_ocs.exe
net use M: \\hibiscus\cre-empl
REM
REM Ouvrir l'explorateur windows automatiquement sur le 
REM partage reseau.
C:\windows\explorer.exe /e,M:
C:\windows\system32\cmd.exe /C
REM netlogon de adupont

 

+> Potentielles erreurs <+

 

Impossible de joindre le controleur de domaine Samba
***********************************************************

[ Message d’erreur 1]

Problème:  Impossible de joindre le domaine à cause du cache Wins ! Après avoir changé l’adresse IP du serveur, j’ai eu un problème dans le fonctionnement de Wins avec NMBD. En effet, il continuait à vouloir utiliser l’ancienne adresse « 192.0.0.209 » alors qu’il fallait utiliser la nouvelle « 10.2.2.2 » ! A cause de ce problème,  je n’arrivais plus à configurer des postes sous Win 2000 ou Win NT pour qu’ils joignent à nouveau  le domaine.

...
[2006/06/20 11:59:17, 0] nmbd/nmbd_browsesync.c:domain_master_node_status_fail(250)
Jun 20 11:59:17 cielinux1 nmbd[6223]:   domain_master_node_status_fail:
 Jun 20 11:59:17 cielinux1 nmbd[6223]:   Doing a node status request to the domain master browser
 Jun 20 11:59:17 cielinux1 nmbd[6223]:   for workgroup ELOYES at IP 192.0.0.209 failed.
 Jun 20 11:59:17 cielinux1 nmbd[6223]:   Cannot sync browser lists.
 Jun 20 12:03:43 cielinux1 nmbd[6223]: [2006/06/20 12:03:43, 0]
 nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(327)
 Jun 20 12:03:43 cielinux1 nmbd[6223]:   become_domain_master_browser_wins:
 Jun 20 12:03:43 cielinux1 nmbd[6223]:   Attempting to become domain master browser on workgroup
 ELOYES, subnet UNICAST_SUBNET.
 Jun 20 12:03:43 cielinux1 nmbd[6223]: [2006/06/20 12:03:43, 0]
 nmbd/nmbd_become_dmb.c:become_domain_master_browser_wins(341)
 Jun 20 12:03:43 cielinux1 nmbd[6223]:   become_domain_master_browser_wins: querying WINS server
 from IP 10.2.2.2 for domain master browser name ELOYES<1b> on workgroup ELOYES
 ...

Solution(s):
Pour régler ce problème, j’ai supprimé le fichier « /var/lib/samba/wins.dat » qui contenait en cache l’ancienne adresse IP.

 

[ Messages d’erreur 2 ]

 Problème:

root@stratus:/var/log/samba# nmblookup -M -- -
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = user
doing parameter encrypt passwords = true
doing parameter obey pam restrictions = no
doing parameter invalid users = root
doing parameter domain logons = yes
doing parameter logon drive = U:
doing parameter logon home = \\%N\%U
doing parameter logon script = %U.bat
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter os level = 127
doing parameter veto oplock files = /*.doc/*.xls/*.mdb/
doing parameter level2 oplocks = False
doing parameter domain master = yes
doing parameter local master = yes
doing parameter include = /etc/samba/smb-ldap.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
doing parameter ldap passwd sync = yes
doing parameter passdb backend = ldapsam:ldap://ldap
doing parameter ldap admin dn = "cn=config"
doing parameter ldap suffix = dc=my_dom,dc=fr
doing parameter ldap group suffix = ou=groups
doing parameter ldap user suffix = ou=people
doing parameter ldap machine suffix = ou=machines
doing parameter obey pam restrictions = no
doing parameter add group script = /usr/sbin/smbldap-groupadd -p "%g"
doing parameter add machine script = /usr/sbin/smbldap-useradd -w "%u"
doing parameter add user script = /usr/sbin/smbldap-useradd -m "%u"
doing parameter add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
doing parameter delete group script = /usr/sbin/smbldap-groupdel "%g"
doing parameter delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
doing parameter delete user script = /usr/sbin/smbldap-userdel "%u"
doing parameter ldap delete dn = Yes
doing parameter ldap ssl = no
doing parameter passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
doing parameter passwd program = /usr/sbin/smbldap-passwd %u
pm_process() returned Yes
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Socket opened.
querying __MSBROWSE__ on 127.255.255.255
querying __MSBROWSE__ on 192.168.16.255
name_query failed to find name __MSBROWSE__#01
root@stratus:/var/log/samba#
root@stratus:/var/log/samba# nmblookup -A 192.168.16.252
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Looking up status of 192.168.16.252
No reply from 192.168.16.252
root@stratus:/var/log/samba#

Solution(s):
Le process nmbd daté de la semaine passée et donc pas à jour.. wins.dat n’existait pas.. J’ai killé avec  la commande « kill -9 » le processus nmbd et redémarré samba… « nmblookup -M MY_DOM – » donne maintenant les bonnes infos .. et wins.dat est OK..

root@stratus:/var/log/samba# nmblookup -M MY_DOM -v
params.c:pm_process() - Processing configuration file "/etc/samba/smb-ldap.conf"
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.16.252 bcast=192.168.16.255 nmask=255.255.255.0
Socket opened.
querying MY_DOM on 127.255.255.255
Got a positive name query response from 127.0.0.1 ( 192.168.16.252 )
192.168.16.252 MY_DOM
root@stratus:/var/log/samba#

 

[Message d’erreur 3]

Problème:

...
[2012/04/05 23:22:05.548991,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: failed to get machine password for account WINSRV$: NT_STATUS_NO_TRUST_SAM_ACCOUNT
...

Solution(s):

1) Vérifier que la machine soit bien présente dans LDAP et qu’elle possède l’attribut « sambaAcctFlags » comme le dit la note ci-dessous:

Machine au nom de "YFILER":
Please look into the sambaAcctFlags attribute of the object
of YFILER$: If it contains a "U", it is wrong. If you make
that "W", it might start to work. Alternatively, you might
try:
smbpasswd -x yfiler$
smbpasswd -a -m yfiler$

 

[Messages d’erreur 4]

Problème: impossible d’ouvrir le profile windows. Erreur dans les logs de Samba:

...
[2012/04/10 22:34:55.145765,  0] lib/fault.c:326(dump_core)
dumping core in /var/log/samba/cores/smbd
[2012/04/10 22:34:58.480673,  0] locking/locking.c:804(share_mode_lock_destructor)
store returned NT_STATUS_UNSUCCESSFUL
[2012/04/10 22:34:58.480792,  0] lib/util.c:1465(smb_panic)
PANIC (pid 20741): could not store share mode entry: NT_STATUS_UNSUCCESSFUL
...

Solution(s):
Samba tourne sur une VZ (OpenVZ), pas assez de place de dispo sur « / »  + vérification sur la machine hôte du fichier « /proc/user_beancounter »: dépassement de quotas pour la vz concernée !

 

[Messages d’erreur 5]

Problème: Impossible de joindre la machine dans le domaine

Erreur dans smbd.log:

...
May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.287433,  0] lib/util_sock.c:1441(get_peer_addr_internal)
 May 10 09:56:01 platane smbd[10326]:   getpeername failed. Error was Noeud final de transport n'est pas connecté
 May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.288112,  0] lib/util_sock.c:680(write_data)
 May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.288171,  0] lib/util_sock.c:1441(get_peer_addr_internal)
 May 10 09:56:01 platane smbd[10326]:   getpeername failed. Error was Noeud final de transport n'est pas connecté
 May 10 09:56:01 platane smbd[10326]:   write_data: write failure in writing to client 0.0.0.0. Error Connexion ré-initialisée par le correspondant
 May 10 09:56:01 platane smbd[10326]: [2012/05/10 09:56:01.288233,  0] smbd/process.c:79(srv_send_smb)
 May 10 09:56:01 platane smbd[10326]:   Error writing 4 bytes to client. -1. (Noeud final de transport n'est pas connecté)
 ...
 ...
 May 7 13:23:15 platane smbd[28786]: _netr_ServerAuthenticate: no challenge sent to client DIRECTEUR-CBM
 ...
 ...

Erreur suite à la commande de vérification « testparm »:

...
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
...

Erreur smbstatus:

...
tdb(unnamed): tdb_open_ex: could not open file /var/run/samba/unexpected.tdb: Aucun fichier ou dossier de ce type
...

 

 

Solution(s):

1) J’ai essayé d’ arrêter le daemon « nscd » et de supprimer le cache:

rm /var/cache/nscd/*

puis de redémarrer le daemon: problème non resolu 🙁

2) Le problème « rlimit_max » évoqué lors de l’éxécution de la commande « testparm » et « pdbedit » semble être défini comme un bug dans Samba (https://bugzilla.samba.org/show_bug.cgi?id=7898
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608624)

3) Pour résoudre les problème de correspondance d’adresse dans le serveur Wins, j’ai arrêté Samba puis j’ai supprimé le fichier du
serveur Wins (/var/lib/samba/wins.dat).

4) Pour résoudre le probleme: « tdb(unnamed): tdb_open_ex: could not open file /var/run/samba/unexpected.tdb: Aucun fichier ou dossier de ce type » donné par la commande « smbstatus »
Le masque du réseau de la machine était faut ! J’ai fixé celui-ci dans le fichier  » /etc/network/interfaces » !

Malheureusement, le problème d’entrée dans le domaine de la machine Win XP persiste !!!

 

[Message d’erreur 6]

Problème:
Problème pour l’utilisateur « mtartu » qui viens d’être ajouté au groupe « deploy » pour se connecter au partage associé. L’utilisateur ne fais même pas partie du groupe alors que la commande « getent group » l’affiche dans le groupe !

<code>
 root@bluet:/data/shares\ NEW$ getent group | grep deploy
deploy:*:15076:01eleve,01formateur,02eleve,02formateur,03eleve,03formateur,04eleve,04formateur,05eleve,05formateur,06eleve,
 mtartu
root@bluet:/data/shares/svg-info-pldeploy/logs\ NEW$
root@bluet:/data/shares/svg-info-pldeploy/logs\ NEW$ id mtartu
 uid=15669(mtartu) gid=3000(Users) groupes=15052(x-svg),15093(x-transfert),20000(help-fina),3000(Users)
 root@bluet:/data/shares\ NEW$
 root@bluet:/data/shares\ NEW$ smbclient //bluet/svg-info -U mtartu                                                           Enter mtartu's password:
 Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.5.6]
 tree connect failed: NT_STATUS_ACCESS_DENIED
 root@bluet:

Solutions:
Relancer le daemon nscd !

<code>
 root@bluet:/data/shares\ NEW$ id mtartu
 uid=15669(mtartu) gid=3000(Users) groupes=15052(x-svg),15076(deploy),15093(x-transfert),20000(help-fina),3000(Users)
 root@bluet:/data/shares\ NEW$
 root@bluet:/data/shares\ NEW$ smbclient //bluet/svg-info -U mtartu                                                          Enter mtartu's password:
 Domain=[MY_DOM] OS=[Unix] Server=[Samba 3.5.6]
 smb: \> quit
 root@bluet:

 

[Message d’erreur 7]

Problème:
Sous Windows7, la machine refuse d’entrer dans le domaine:

[2012/08/03 15:36:35.809426,  3] smbd/sec_ctx.c:310(set_sec_ctx)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 stty: standard input: Inappropriate ioctl for device
 Use of uninitialized value $pass in chomp at /usr/sbin/smbldap-useradd line 324.
 stty: standard input: Inappropriate ioctl for device
 stty: standard input: Inappropriate ioctl for device
 Use of uninitialized value $pass2 in chomp at /usr/sbin/smbldap-useradd line 330.
 stty: standard input: Inappropriate ioctl for device
 Use of uninitialized value $pass in string ne at /usr/sbin/smbldap-useradd line 334.
 Use of uninitialized value $pass2 in string ne at /usr/sbin/smbldap-useradd line 334.
 [2012/08/03 15:36:36.326509,  3] passdb/pdb_interface.c:348(pdb_default_create_user)
 _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -i -t 0 -w "fhp230$"' gave 0
 [2012/08/03 15:36:36.326648,  3] passdb/pdb_interface.c:365(pdb_default_create_user)
 pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER

Solution(s):

J’ai essayé de rentrer la machine manuellement avec la commande:

root@bluet:/var/log/samba\ NEW$ /usr/sbin/smbldap-useradd -i -t 0 -w "fhp230$"
New password :
Retype new password :
root@bluet:/var/log/samba\ NEW$

Puis ensuite j’ai vérifié la config LDAP avec  la commande « ldapvi » pour voir si elle était bien inscrite:

root@lotus:~# export EDITOR=vim
root@lotus:~# cat /etc/ldap.secret
toto1234
root@lotus:~# ldapvi -D "cn=admin,dc=mon_entreprise,dc=fr" -b "ou=Computers,dc=mon_entreprise,dc=fr"
--- Login
 Type M-h for help on key bindings.
Filter or DN: cn=admin,dc=mon_entreprise,dc=fr
Password: ********
197 entries read
No changes.
root@lotus:~#

J’ai supprimé le compte de la machine dans LDAP et effectué une ré-intégration de la machine dans le domaine (depuis Windows 7 ) et là …miracle ça à fonctionné. Comprend qui pourra !

 

[Message d’erreur 8]

Problème:

[2013/06/19 08:53:27, 1] 
auth/auth_sam.c:sam_account_ok(179)
sam_account_ok: Password expired at 'Tue, 18 Jun 2013 09:31:34 CEST' (1371540694) unix time.

Solution(s):
Modifier le timeStamp pour l’attribut « sambaPwdMustChange » de Samba concernant l’utilisateur dans LDAP

On peut utiliser le site http://www.onlineconversion.com/unix_time.htm pour générer le timeStamp correspondant à
une date et une heure.

 

 

 


“La connaissance a plus de valeur et s’accroît rapidement lorsqu’elle est partagée et accessible librement…”

Ce document est publié sous licence Creative Commons
Attribution, Partage à l’identique, Contexte non commercial 3.0 : http://creativecommons.org/licenses/by-nc/3.0/

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Le temps imparti est dépassé. Merci de saisir de nouveau le CAPTCHA.