Samba4 as a member server against an NT4 PDC

Andrew Bartlett abartlet at samba.org
Fri Apr 1 23:59:34 GMT 2005 

On Fri, 2005-04-01 at 15:40 -0800, Richard Sharpe wrote:
> On Fri, 1 Apr 2005, Richard Sharpe wrote:
> 
> > I am having some problems with a Samba 4 server as a member server against
> > an NT4 PDC ...
> >
> > I seem to be able to join the domain OK, and good stuff gets put in the
> > secrets.ldb, but when I connect from a workstation, the samr_LogonSamLogon
> > fails in the NetrServerAuthenticate2 RPC.
> >
> > We get back ACCESS_DENIED, and Samba tells me that it failed to setup the
> > credentials ...
> >
> > The only interesting thing I can see at this point is that the negotiate
> > flags on the ServerAuthenticate2 are 0x600FFFFF, while another more
> > successful capture I have for an NT4 PDC uses 0x000001FF.
> 
> OK, so I forced the negotiate_flags to 0x1FF at the appropriate point, and
> now we get past the ServerAuthenticate2 request, but things went to hell
> in a handbasket after that (SMB_PANIC ...)

This is the issue with being unable to map these SIDs to posix
identities?  We need idmap (no, not again!), but in the meantime we can
have as-root access by setting 'ntvfs handler = default' rather than the
default of 'ntvfs handler = unixuid default'. 

For my work with Samba4, I'm looking to develop a 'everybody is nobody'
solution (which is all the particular task I have requires).  But adding
a real idmap shouldn't be too hard however...

> Perhaps we need to fall back at appropriate points, or perhaps there is
> some way to tell Samba not to use NETLOGON_NEG_AUTH2_ADS_FLAGS or
> DCERPC_SCHANNEL_128.

We should be falling back - I'll work on that logic.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20050402/def4b149/attachment.bin

More information about the samba-technical mailing list