Interfacing to Samba


Simon Dean

So I just upgraded to Vista from XP. Had a few issues with security,
couldn't open Control Panel or Windows Explorer, was getting "Windows
Cannot Access the Specified Device, path, or file" etc.

That was until the Windows updates are installed.

Now, it's asking for authentication whenever I do anything.

I don't have a working domain server (I have Samba, but that doesn't
seem to be authenticating). I can't change the registry settings or use
secpol because I don't have an administrative account, despite my
domain account blargle\sjdean supposedly being in the local
Administrators group of the PC. I can't install any programs, drivers or
make changes to the network, or even, hell, reset passwords...

Any thoughts?

I'm desperate.

Cheers
Simon
 
Simon said:
So I just upgraded to Vista from XP. Had a few issues with security,
couldn't open Control Panel or Windows Explorer, was getting "Windows
Cannot Access the Specified Device, path, or file" etc.

That was until the Windows updates are installed.

Now, it's asking for authentication whenever I do anything.

I don't have a working domain server (I have Samba, but that doesn't
seem to be authenticating). I can't change the registry settings or use
secpol because I don't have an administrative account, despite my
domain account blargle\sjdean supposedly being in the local
Administrators group of the PC. I can't install any programs, drivers or
make changes to the network, or even, hell, reset passwords...

Networking Vista with a *nix or OS X box:

From Michael Bishop (MS) - Basically, the issue with Samba and Vista is
that Vista no longer permits LM or NTLM authentication by default; only
NTLMv2. Samba versions 1.x and 2.x only support LM and NTLM, so there's
an issue there.

Mr. Bishop's recommended solution: upgrade to Samba 3.x and enable
NTLMv2 by adding "client ntlmv2 auth = yes" to your smb.conf file.
Because of other issues with previous versions, I strongly recommend
upgrading to 3.0.22 or later regardless of your choice for this
particular instance.

An alternate solution: change Vista's security settings to permit
lower-security authentications. (as below)

To enable Windows Vista to connect to Mac OS X or other *nix with
Windows File Sharing enabled, you will need to change the following
policy in Windows Vista:

Start>Run>secpol.msc [enter]

Click on "Local Policies" --> "Security Options"

Navigate to the policy "Network Security: LAN Manager authentication
level" and double-click it to get its Properties. By default Windows
Vista sets the policy to "NTLMv2 responses only". Use the drop-down
arrow to change this to "LM and NTLM – use NTLMV2 session security if
negotiated".

In Vista Home Premium, you won't have this tool so per Steve Winograd, do:

1. Run the registry editor and open this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2. If it doesn't already exist, create a DWORD value named
LmCompatibilityLevel

3. Set the value to 1

4. Reboot


Malke
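
Added example (not part of the thread, and not Samba or Microsoft code): a small Python model of the mismatch described in the post above, comparing the response types a Windows client sends at a given LmCompatibilityLevel with those a Samba server accepts. The `server_has_ntlmv2` flag, the assumed defaults and the sample smb.conf are constructed for illustration.

```python
# Added example: which NTLM-family responses client and server have in common.
# Response types a Windows client sends at each LmCompatibilityLevel (0-5).
CLIENT_SENDS = {0: {"LM", "NTLM"}, 1: {"LM", "NTLM"}, 2: {"NTLM"},
                3: {"NTLMv2"}, 4: {"NTLMv2"}, 5: {"NTLMv2"}}

# Assumed defaults for this example only; `testparm -v` shows the real ones.
ASSUMED_DEFAULTS = {"lanman auth": "no", "ntlm auth": "yes"}

def parse_global(text):
    """Return the [global] parameters of smb.conf text, keys normalised."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params

def audit(smb_conf, lm_level, server_has_ntlmv2=True):
    """Compare what the client sends with what the server accepts.

    server_has_ntlmv2=False models the old Samba releases the post describes
    as supporting only LM and NTLM (an assumption of this example).
    """
    explicit = parse_global(smb_conf)
    params = {**ASSUMED_DEFAULTS, **explicit}
    accepted = {"NTLMv2"} if server_has_ntlmv2 else set()
    if params["ntlm auth"] in ("yes", "true", "1"):
        accepted.add("NTLM")
    if params["lanman auth"] in ("yes", "true", "1"):
        accepted.add("LM")
    notes = []
    if lm_level < 3:
        notes.append("client sends LM/NTLM responses (weaker than NTLMv2)")
    if "client ntlmv2 auth" in explicit:
        notes.append("'client ntlmv2 auth' configures Samba's client side only")
    return {"common": sorted(CLIENT_SENDS[lm_level] & accepted), "notes": notes}

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   client ntlmv2 auth = yes
   lanman auth = no
"""

if __name__ == "__main__":
    for level, v2 in ((3, True), (3, False), (1, False)):
        print(level, v2, audit(SAMPLE_CONF, level, server_has_ntlmv2=v2))
```

An empty `common` list means the two sides share no response type, which is the situation the post attributes to Vista's default against an LM/NTLM-only server.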
 
Thanks for the reply... I'll try and work through this...
Networking Vista with a *nix or OS X box:

From Michael Bishop (MS) - Basically, the issue with Samba and Vista
is that Vista no longer permits LM or NTLM authentication by default;
only NTLMv2. Samba versions 1.x and 2.x only support LM and NTLM, so
there's an issue there.

Mr. Bishop's recommended solution: upgrade to Samba 3.x and enable
NTLMv2 by adding "client ntlmv2 auth = yes" to your smb.conf file.
Because of other issues with previous versions, I strongly
recommend upgrading to 3.0.22 or later regardless of your choice for
this particular instance.

I have upgraded to version 3.0.24 from 3.0.23. I have enabled ntlmv2,
without joy. I have tested this works from another Linux box and ntlmv2
authentication with success. However Vista -> Samba = no go.

An alternate solution: change Vista's security settings to permit
lower-security authentications. (as below)

To enable Windows Vista to connect to Mac OS X or other *nix with
Windows File Sharing enabled, you will need to change the following
policy in Windows Vista:

Start>Run>secpol.msc [enter]

That won't work for me. I need to enter the domain administrator's
password to get into secpol, which then, doesn't authenticate!

In Vista Home Premium, you won't have this tool so per Steve
Winograd, do:

1. Run the registry editor and open this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2. If it doesn't already exist, create a DWORD value named
LmCompatibilityLevel

3. Set the value to 1

4. Reboot

I have Business, but that key is there. However Windows tells me that it
cannot save the changes. So, that doesn't work either.

Guess I'll try and fall back to basics and reconfigure my Samba a line
at a time. However at this moment, I am completely puzzled.


Cya
Simon
 
Haven't you got a local admin account?
Simon Dean said:
Thanks for the reply... I'll try and work through this...
Networking Vista with a *nix or OS X box:

From Michael Bishop (MS) - Basically, the issue with Samba and Vista
is that Vista no longer permits LM or NTLM authentication by default;
only NTLMv2. Samba versions 1.x and 2.x only support LM and NTLM, so
there's an issue there.

Mr. Bishop's recommended solution: upgrade to Samba 3.x and enable
NTLMv2 by adding "client ntlmv2 auth = yes" to your smb.conf file.
Because of other issues with previous versions, I strongly
recommend upgrading to 3.0.22 or later regardless of your choice for
this particular instance.

I have upgraded to version 3.0.24 from 3.0.23. I have enabled ntlmv2,
without joy. I have tested this works from another Linux box and ntlmv2
authentication with success. However Vista -> Samba = no go.

An alternate solution: change Vista's security settings to permit
lower-security authentications. (as below)

To enable Windows Vista to connect to Mac OS X or other *nix with Windows
File Sharing enabled, you will need to change the following policy in
Windows Vista:

Start>Run>secpol.msc [enter]

That won't work for me. I need to enter the domain administrator's
password to get into secpol, which then, doesn't authenticate!

In Vista Home Premium, you won't have this tool so per Steve
Winograd, do:

1. Run the registry editor and open this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

2. If it doesn't already exist, create a DWORD value named
LmCompatibilityLevel

3. Set the value to 1

4. Reboot

I have Business, but that key is there. However Windows tells me that it
cannot save the changes. So, that doesn't work either.

Guess I'll try and fall back to basics and reconfigure my Samba a line at
a time. However at this moment, I am completely puzzled.


Cya
Simon
 
Dyawlak said:
Haven't you got a local admin account?

I should do, but it doesn't like my password now. And there's no option
to create a password disk!

I have read about starting in Safe Mode because Vista disables your
local admin accounts? I'll give that a try...

Cya
Simon
 
Simon said:
I should do, but it doesn't like my password now. And there's no option
to create a password disk!

I have read about starting in Safe Mode because Vista disables your
local admin accounts? I'll give that a try...

Cya
Simon

Simon, having read your first thread and now this one, my guess (and of
course it's a guess since I can't see your computer!) is that the
upgrade did not go well. You shouldn't be having all those
authentication errors since you don't have a domain.

If I were you, I'd back up my data and do a clean install of Vista. Then
install drivers, programs (one at a time, testing after each and of
course having made sure they are Vista-compatible first), restore data
from backup. I know it's a lot of work, but my experience in cases like
yours is that it is the cleanest, most efficient solution.

You can do a "clean" install with an upgrade in an unofficial (but
effective) way:

1. Boot from the Windows Vista Upgrade DVD and start the setup program.
2. When prompted to enter your product key, DO NOT enter it. Click
"Next" and proceed with setup. This will install Windows Vista as a
30-day trial.
3. When prompted, select the edition of Vista which you have
purchased and continue with setup.
4. Once setup has been completed and you have been brought to the
desktop for the first time, run the install program from within Windows
Vista.
5. This time, type in your product key when prompted.
6. When asked whether to perform an Upgrade or Custom (advanced)
install, choose Custom (advanced) to perform a clean install of Vista.
Yes, this means that you will have to install Vista for a second time.
7. Once setup has completed for the second time, you should be able
to activate Windows Vista normally. You can also delete the Windows.old
directory which contains information from the first Vista install.


Malke
 
Avoided the dreaded re-install...

I managed to find a workaround.

Reboot using the CD, Rescue and Recovery, do a system restore to remove
all Microsoft Updates which gave me back administrative rights to my
domain user.

This allowed me to go into User Accounts and set up an extra local admin
user, enable the original administrator, and change all passwords just
in case.

From here I then managed to re-join my domain and everything's working
now as it should.

I just need to copy one local profile to another since I thought it
would be a good time to change the domain name. I tried editing the
registry and the ProfileImagePath, but I keep getting logged off
every time I try to log in. Looks like I'll just have to copy everything
by hand.

Cya
Simon
 
Simon said:
Avoided the dreaded re-install...

I managed to find a workaround.

Reboot using the CD, Rescue and Recovery, do a system restore to remove
all Microsoft Updates which gave me back administrative rights to my
domain user.

This allowed me to go into User Accounts and set up an extra local admin
user, enable the original administrator, and change all passwords just
in case.

From here I then managed to re-join my domain and everything's working
now as it should.

I just need to copy one local profile to another since I thought it
would be a good time to change the domain name. I tried editing the
registry and the ProfileImagePath, but I keep getting logged off
every time I try to log in. Looks like I'll just have to copy everything
by hand.

I'm glad that worked for you. I did not realize that you did have a
domain since in the first post in this thread you said "I don't have a
working domain server". So I guess you *did* have a domain server.
Whatever, I'm glad you got things sorted.


Malke
 
Malke said:
I'm glad that worked for you. I did not realize that you did have a
domain since in the first post in this thread you said "I don't have
a working domain server". So I guess you *did* have a domain server.
Whatever, I'm glad you got things sorted.

Sorry for the confusion. I mean, I don't have a Windows domain server, I
have Samba. But that's setup to be a domain server, but it's not
working. It should be, I can't authenticate to it. Still couldn't all
through that, though XP was fine, and somehow, I was able to see shares
on it, but I still couldn't authenticate to it despite setting up the
appropriate ntlmv2.

Remove the Windows Updates, and hey presto!

There has to be something more to it than that.

CYa
Simon
 
Hi,

Bear in mind also that if the Vista box is not seen as being joined to a
domain, the local accounts (who are members of the Administrators group)
can no longer be used to Admin the box. This is a potential disaster
recovery disaster!

On win2k and XP, if the secure channel broke, you could still remotely
fix all the boxes by connecting as a local Administrator, on Vista (by
default) you can't. Domain Admins are the exception, but you need to be
 
Gerry said:
Hi,

Bear in mind also that if the Vista box is not seen as being joined to a
domain, the local accounts (who are members of the Administrators group)
can no longer be used to Admin the box. This is a potential disaster
recovery disaster!

On win2k and XP, if the secure channel broke, you could still remotely
fix all the boxes by connecting as a local Administrator, on Vista (by
default) you can't. Domain Admins are the exception, but you need to be
on a domain, catch-22.

Then I somehow managed to break the trust relationship, and even
disconnecting Samba/Domain Controller from the network, Vista would not
allow me to login.

Yet that simple thing of rolling back the Windows updates, starting
again, then redownloading the updates, has, well, worked flawlessly.

I don't get it. I'm not getting any requests for Domain Administrators
passwords whenever I try and log into Control Panel or whatever.

Cya
Simon
 
Simon said:
Then I somehow managed to break the trust relationship, and even
disconnecting Samba/Domain Controller from the network, Vista would not
allow me to login.

That's exactly my point. I don't think anyone has realized this yet
except Jimmy Brush who used to post here.

Yet that simple thing of rolling back the Windows updates, starting
again, then redownloading the updates, has, well, worked flawlessly.

Yes, but not exactly a good disaster recovery strategy for a corporation
with thousands of desktop PCs?

Out of interest, is Samba now supporting "signed SMB" and Kerberos auth?
 