Wednesday, July 05, 2006

XP (Home) Client + Linux Domain Controller + Samba Share = a whole world of fun

Just spent two hours getting a Windows XP (Home) laptop to access a Samba share on a Linux server.... FECK ME, that was fun! There was nothing wrong with the share itself, because we could access it fine from a Mac using the same username and password, but could we get Windows XP to authenticate? Could we hell.....

Here's the setup - the Linux box was the domain controller, and it exposed a Workgroup to the Windows Network (under My Network Places -> Entire Network -> Microsoft Windows Network -> ) but it just couldn't authenticate, no matter what we tried.

I'll cut a long, exasperating and expletive-ridden story short, missing out all the entertaining cursing of various rude bits of various animals to various circles of hell, and jump straight to the end. Turns out the problem was that WinXP Home couldn't resolve the domain properly without an LMHOSTS file.

Pretty much everyone who's worked with Windows and the web for any length of time knows about the HOSTS file. This lives in (Windows Root)/System32/drivers/etc and is an extensionless file, mapping host names to IP addresses. Handy for those occasions when you need multiple domain names mapping to your own PC, for instance when you have a system serving multiple sites from one codebase resolving via the hostname.

The LMHOSTS file is similar, and lives in the same place, but is not quite as straightforward. Its purpose is to tell Windows how to resolve NetBIOS names, and the format is... well... non-trivial. Full information is here: How to Write an LMHOSTS File for Domain Validation and Other Name Resolution Issues

The important entries you'll need are:

PDCNAME #PRE #DOM:DOMAIN_NAME
"DOMAIN_NAME    \0x1b" #PRE

Replace with the IP address of the Linux domain controller
Replace PDCNAME with the hostname of the Linux domain controller
Replace DOMAIN_NAME with the name of the WORKGROUP

Now for the fiddly bit: on the second line, you need EXACTLY 20 characters between the quotes. Between your domain name and the \0x1b there must be spaces, exactly the right number of spaces, and nothing but spaces. The MS reference above gives more detail.

But once I'd created an extensionless file called lmhosts in the right place, with the right entries, and the right number of spaces, suddenly I could authenticate.
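
The two entries and the 20-character rule above, as an added example (not code from the original post): a Python helper that builds both lines, each starting with the domain controller's IP address and with the name space-padded to 15 characters before \0x1b, and that checks an existing line for padding mistakes. The address 192.0.2.10 and the names LINUXPDC and HOMENET are constructed sample values.

```python
import re

SUFFIX = r"\0x1b"                       # literal text for the 16th NetBIOS name byte
NAME_WIDTH = 15                         # name is space-padded to 15 characters
QUOTED_LEN = NAME_WIDTH + len(SUFFIX)   # 20 characters between the quotes


def lmhosts_entries(ip, pdc_name, domain):
    """Build the two LMHOSTS lines for a domain controller."""
    if not 1 <= len(domain) <= NAME_WIDTH:
        raise ValueError("domain/workgroup name must be 1-15 characters")
    quoted = domain.ljust(NAME_WIDTH) + SUFFIX
    return [
        f"{ip}  {pdc_name}  #PRE  #DOM:{domain}",
        f'{ip}  "{quoted}"  #PRE',
    ]


def check_quoted_name(line):
    """Return a list of problems with the quoted name on one LMHOSTS line."""
    match = re.search(r'"([^"]*)"', line)
    if not match:
        return ["no quoted name on this line"]
    body = match.group(1)
    problems = []
    if len(body) != QUOTED_LEN:
        problems.append(f"{len(body)} characters between the quotes, need {QUOTED_LEN}")
    if not body.endswith(SUFFIX):
        problems.append(f"quoted name must end in {SUFFIX}")
    elif re.search(r"[^\S ]", body[: -len(SUFFIX)]):
        problems.append("padding contains a tab or other non-space whitespace")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    for entry in lmhosts_entries("192.0.2.10", "LINUXPDC", "HOMENET"):
        print(entry)
    print(check_quoted_name('192.0.2.10  "HOMENET \\0x1b"  #PRE'))
```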

As for the more fundamental question of which person at Microsoft decided on that format of the lmhosts file, where he/she lives, and how to gain access to their bedroom undetected while armed with a large fish, I'll leave that as an exercise for the reader.


Anonymous said...

Win XP home can't join a domain, which may be your problem.
I have Win XP clients connecting to a Samba server (not a PDC, just file shares) just fine, with per-share (or the [home] share) passwords fine, though.

Anonymous said...

I am trying to do the same as you describe and connect my Windows XP Home box with a Samba server without a PDC. Can you give me the details on how you were able to get it to work?


Alistair Davidson said...

It really was all about the LMHOSTS file, as in the main body of the post.

In (Windows Dir)/System32/drivers/etc you should see a file called lmhosts.sam. Copy this to lmhosts (no extension!) and replace the entries as I describe in the post and see if that works.

Anonymous said...

Fantastic. Thank you, sir. Worked like a charm. Either that or I finally remembered to do a smbpasswd -a on the Linux box. :( But I don't think it was that because I also tried mapping as a different user that I know worked on other XP boxes here. None of them seemed to work until I followed your notes here.

Thanks again.

Alistair Davidson said...

No problem - glad to save someone else the headbanging frustration that I went through!

Joost said...

Could you please explain what settings you have in your smb.conf file? I followed your instructions but I already have messed up/with smb.conf

Alistair Davidson said...

Joost: sure-

[global]
map to guest = bad user
workgroup = << workgroup name >>
netbios name = << machine name >>
server string = %h server (Samba %v)
wins support = yes
dns proxy = yes
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
guest account = nobody
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
socket options = TCP_NODELAY

[homes]
comment = Home Directories
browseable = yes
writable = yes
create mask = 0775
directory mask = 0775

# list of shares in the following format
[<< share name >>]
comment = << description >>
writable = yes
path = << path on the server >>
public = yes
guest ok = yes
browseable = yes

... and that's it. Everything else is commented-out.

Make sure you replace any values in double-arrows, like << VALUE >>, with the appropriate value for your config, and remove the double-arrows.

E.g. where my config says
path = << path on the server >>

your config should say something like

path = /home/shared
