add machine script unter samba opensuse 11

G

gnoovy

Eroberer
hi leutz,

habe nun samba V. 3.2.3-0.1.128-1882 installiert und verwende unter add machine script /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ eingetragen. Ein Windows XP-Client Service Pack 3 habe ich über Computername - Netzwerkkennung in die Domäne eingefügt, um den Root-Account auch gleich als lokaler Administrator hinzuzufügen. Hat auch wunderbar geklappt, nur als ich den User root zur lokalen Administratorengruppe hinzugefügt habe bekam ich die Meldung, dass noch keine Vertrauensstellung zwischen Client und Server besteht. Als ich dann nach der Domänenintegration die Integration wiederholt hatte, kam keine Fehlermeldung. Ich denke, dass die Problematik in dem vorhin noch fehlenden Maschinenkonto auf dem Linux-Server bestand. Allerdings hatte ich früher solche Probleme noch nicht. Woran könnte dies noch liegen? Wenn ich die Domänenintegration nicht mit Netzwerkkennung, sondern mit Ändern durchführe, wird ja der Root-Account nicht automatisch zur lokalen Administratorengruppe hinzugefügt werden. Mache ich noch was falsch? Anbei mal meine smb.conf:

Code:
# Samba config file created using SWAT
# from UNKNOWN (i��z��z�P�b�Ⱥ迎/t��z�A���)
# Date: 2008/08/31 22:48:53

[global]
dos charset = CP850
unix charset = UTF-8
display charset = LOCALE
workgroup = LINUXNET.LOCAL
realm =
netbios name = LINUX-SERVER01
netbios aliases =
netbios scope =
server string = Samba 3.2.3-0.1.128-1882-SUSE-SL11.0
interfaces = eth0
bind interfaces only = Yes
config backend = file
security = USER
auth methods =
encrypt passwords = Yes
update encrypted = No
client schannel = Auto
server schannel = Auto
allow trusted domains = Yes
map to guest = Bad User
null passwords = No
obey pam restrictions = No
password server = *
smb passwd file = /etc/samba/smbpasswd
private dir = /etc/samba
passdb backend = smbpasswd
algorithmic rid base = 1000
root directory =
guest account = nobody
enable privileges = Yes
pam password change = No
passwd program =
passwd chat = *new*password* %n\n *new*password* %n\n *changed*
passwd chat debug = No
passwd chat timeout = 2
check password script =
username map = /etc/samba/smbusers
password level = 0
username level = 0
unix password sync = No
restrict anonymous = 0
lanman auth = No
ntlm auth = Yes
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
preload modules =
use kerberos keytab = No
log level = 0
syslog = 1
syslog only = No
log file =
max log size = 5000
debug timestamp = Yes
debug prefix timestamp = No
debug hires timestamp = No
debug pid = No
debug uid = No
debug class = No
enable core files = Yes
smb ports = 445 139
large readwrite = Yes
max protocol = NT1
min protocol = CORE
min receivefile size = 0
read raw = Yes
write raw = Yes
disable netbios = No
reset on zero vc = No
acl compatibility = auto
defer sharing violations = Yes
nt pipe support = Yes
nt status support = Yes
announce version = 4.9
announce as = NT
max mux = 50
max xmit = 16644
name resolve order = lmhosts wins host bcast
max ttl = 259200
max wins ttl = 518400
min wins ttl = 21600
time server = Yes
unix extensions = Yes
use spnego = Yes
client signing = auto
server signing = No
client use spnego = Yes
client ldap sasl wrapping = plain
enable asu support = No
svcctl list =
deadtime = 0
getwd cache = Yes
keepalive = 300
lpq cache time = 30
max smbd processes = 0
paranoid server security = Yes
max disk size = 0
max open files = 10000
socket options = TCP_NODELAY
use mmap = Yes
hostname lookups = No
name cache timeout = 660
ctdbd socket =
cluster addresses =
clustering = No
load printers = Yes
printcap cache time = 750
printcap name = cups
cups server =
iprint server =
disable spoolss = No
addport command =
enumports command =
addprinter command =
deleteprinter command =
show add printer wizard = Yes
os2 driver map =
mangling method = hash2
mangle prefix = 1
max stat cache size = 256
stat cache = Yes
machine password timeout = 604800
add user script =
rename user script =
delete user script =
add group script =
delete group script =
add user to group script =
delete user from group script =
set primary group script =
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
shutdown script =
abort shutdown script =
username map script =
logon script =
logon path =
logon drive =
logon home =
domain logons = Yes
os level = 20
lm announce = Auto
lm interval = 60
preferred master = No
local master = Yes
domain master = Auto
browse list = Yes
enhanced browsing = Yes
dns proxy = Yes
wins proxy = No
wins server =
wins support = No
wins hook =
kernel oplocks = Yes
lock spin time = 200
oplock break wait time = 0
ldap admin dn =
ldap delete dn = No
ldap group suffix =
ldap idmap suffix =
ldap machine suffix =
ldap passwd sync = no
ldap replication sleep = 1000
ldap suffix =
ldap ssl = no
ldap timeout = 15
ldap connection timeout = 2
ldap page size = 1024
ldap user suffix =
ldap debug level = 0
ldap debug threshold = 10
eventlog list =
add share command =
change share command =
delete share command =
config file =
preload =
lock directory = /var/lib/samba
pid directory = /var/run/samba
utmp directory =
wtmp directory =
utmp = No
default service =
message command =
get quota command =
set quota command =
remote announce =
remote browse sync =
socket address = 0.0.0.0
homedir map = auto.home
afs username map =
afs token lifetime = 604800
log nt token command =
time offset = 0
NIS homedir = No
registry shares = No
usershare allow guests = Yes
usershare max shares = 0
usershare owner only = Yes
usershare path = /var/lib/samba/usershares
usershare prefix allow list =
usershare prefix deny list =
usershare template share =
panic action =
host msdfs = Yes
passdb expand explicit = No
idmap domains =
idmap backend =
idmap alloc backend =
idmap cache time = 900
idmap negative cache time = 120
idmap uid =
idmap gid =
template homedir = /home/%D/%U
template shell = /bin/false
winbind separator = \
winbind cache time = 300
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
comment =
path =
username =
invalid users =
valid users =
admin users =
read list =
write list =
printer admin =
force user =
force group =
read only = Yes
acl check permissions = Yes
acl group control = No
acl map full control = Yes
create mask = 0744
force create mode = 00
security mask = 0777
force security mode = 00
directory mask = 0755
force directory mode = 00
directory security mask = 0777
force directory security mode = 00
force unknown acl user = No
inherit permissions = No
inherit acls = No
inherit owner = No
guest only = No
administrative share = No
guest ok = No
only user = No
hosts allow = 192.168.178.
hosts deny =
allocation roundup size = 1048576
aio read size = 0
aio write size = 0
aio write behind =
ea support = No
nt acl support = Yes
profile acls = No
map acl inherit = No
afs share = No
smb encrypt = auto
block size = 1024
change notify = Yes
directory name cache size = 100
kernel change notify = Yes
max connections = 0
min print space = 0
strict allocate = No
strict sync = No
sync always = No
use sendfile = No
write cache size = 0
max reported print jobs = 0
max print jobs = 1000
printable = No
printing = cups
cups options = raw
print command =
lpq command = %p
lprm command =
lppause command =
lpresume command =
queuepause command =
queueresume command =
printer name =
use client driver = No
default devmode = Yes
force printername = No
printjob username = %U
default case = lower
case sensitive = Auto
preserve case = Yes
short preserve case = Yes
mangling char = ~
hide dot files = Yes
hide special files = No
hide unreadable = No
hide unwriteable files = No
delete veto files = No
veto files =
hide files =
veto oplock files =
map archive = Yes
map hidden = No
map system = No
map readonly = yes
mangled names = Yes
store dos attributes = No
dmapi support = No
browseable = Yes
blocking locks = Yes
csc policy = manual
fake oplocks = No
locking = Yes
oplocks = Yes
level2 oplocks = Yes
oplock contention limit = 2
posix locking = Yes
strict locking = Auto
share modes = Yes
dfree cache time = 0
dfree command =
copy =
include = /etc/samba/dhcp.conf
preexec =
preexec close = No
postexec =
root preexec =
root preexec close = No
root postexec =
available = Yes
volume =
fstype = NTFS
set directory = No
wide links = Yes
follow symlinks = Yes
dont descend =
magic script =
magic output =
delete readonly = No
dos filemode = No
dos filetimes = Yes
dos filetime resolution = No
fake directory create times = No
vfs objects =
msdfs root = No
msdfs proxy =

[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775

[Daten]
path = /daten
read only = No

[test]
path = /etc
 
Zuletzt bearbeitet von einem Moderator:
hi leutz,

also habe, glaube ich, meine Probleme selbst gelöst. Konnte automatisch die Root-Administratorengruppe der lokalen Windows-Administratorengruppe zuordnen:

net groupmap add rid=512 ntgroup=“root“ unixgroup=“ntadmin“

Nach einem Clientneustart konnte ich in der lokalen Administratorengruppe die Gruppe linuxnet.local\root auffinden. Im Gerätemanager hat er mir keine Einschränkungsmeldung gebracht. Hier könnte ich nun auch Hardware hinzufügen / deinstallieren.

Durch obigen Befehl kann ich auch ganz normal über Computername - Ändern den Client zur Domäne integrieren und muss nicht über Netzwerkkennungen gehen. Habe testweise den Maschinenaccount aus smbpasswd und group entfernt und den Client neu in die Domäne integriert. Keine Fehlermeldungen.

Nun nur noch eine Frage: Wisst Ihr, ob die lokale Administratorengruppe von Windows XP immer die Rid 512 hat?
 

Ähnliche Themen

Samba 4.9.5-Debian - Kennwort von unix übernehmen

Zugriff Ubuntu 16.04. auf Freigabe 18.04. LTS nicht möglich

Samba Dateien und Ordner verschieben

Samba-Server mit Univention Corporate Server

Problem bei der Vergabe von Sciherheitsinformationen auf eine Freiagbe

Zurück
Oben