Samba4 as a member server against an NT4 PDC
Andrew Bartlett
abartlet at samba.org
Fri Apr 1 23:59:34 GMT 2005

On Fri, 2005-04-01 at 15:40 -0800, Richard Sharpe wrote:
> On Fri, 1 Apr 2005, Richard Sharpe wrote:
>
> > I am having some problems with a Samba 4 server as a member server against
> > an NT4 PDC ...
> >
> > I seem to be able to join the domain OK, and good stuff gets put in the
> > secrets.ldb, but when I connect from a workstation, the samr_LogonSamLogon
> > fails in the NetrServerAuthenticate2 RPC.
> >
> > We get back ACCESS_DENIED, and Samba tells me that it failed to set up the
> > credentials ...
> >
> > The only interesting thing I can see at this point is that the negotiate
> > flags on the ServerAuthenticate2 are 0x600FFFFF, while another more
> > successful capture I have for an NT4 PDC uses 0x000001FF.
>
> OK, so I forced the negotiate_flags to 0x1FF at the appropriate point, and
> now we get past the ServerAuthenticate2 request, but things went to hell
> in a handbasket after that (SMB_PANIC ...)

This is the issue with being unable to map these SIDs to POSIX
identities? We need idmap (no, not again!), but in the meantime we can
have as-root access by setting 'ntvfs handler = default' rather than the
default of 'ntvfs handler = unixuid default'.

For my work with Samba4, I'm looking to develop an 'everybody is nobody'
solution (which is all the particular task I have requires). But adding
a real idmap shouldn't be too hard however...

> Perhaps we need to fall back at appropriate points, or perhaps there is
> some way to tell Samba not to use NETLOGON_NEG_AUTH2_ADS_FLAGS or
> DCERPC_SCHANNEL_128.

We should be falling back - I'll work on that logic.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
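
The fallback discussed in this thread, sketched as an added example (not code from the thread or from Samba). Only the two negotiate-flag values come from the messages above; the server model (refusing unknown bits with ACCESS_DENIED, matching what was observed against the NT4 PDC), the function names and the `required` policy floor are assumptions made for illustration.

```python
# Added illustration: a toy model of negotiate-flag fallback, not Samba source.
ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"
OK = "NT_STATUS_OK"

FLAGS_FULL = 0x600FFFFF  # sent by the Samba4 member server (from the thread)
FLAGS_NT4 = 0x000001FF   # seen in the working NT4 capture (from the thread)


def dropped_bits(strong=FLAGS_FULL, weak=FLAGS_NT4):
    """Bits that are lost when the client falls back from strong to weak."""
    return strong & ~weak


def make_server(supported):
    """Hypothetical DC model: rejects any proposal carrying bits it does not know."""
    def server_authenticate2(proposed):
        if proposed & ~supported:
            return ACCESS_DENIED, 0
        return OK, proposed & supported
    return server_authenticate2


def negotiate(server, proposals=(FLAGS_FULL, FLAGS_NT4), required=0):
    """Offer each flag set in order, strongest first.

    Returns (agreed_flags, attempts). `required` is a hypothetical local
    policy mask: if the accepted set lacks any of those bits, the fallback
    is refused instead of being accepted silently.
    """
    attempts = []
    for proposed in proposals:
        status, agreed = server(proposed)
        attempts.append((proposed, status))
        if status != OK:
            continue  # try the next, weaker proposal
        missing = required & ~agreed
        if missing:
            raise PermissionError(
                f"fallback to {agreed:#010x} drops required bits {missing:#010x}")
        return agreed, attempts
    raise ConnectionError("no proposal accepted by the server")


if __name__ == "__main__":
    flags, tried = negotiate(make_server(FLAGS_NT4))
    print(f"agreed {flags:#010x} after {len(tried)} attempt(s)")
    print(f"bits given up by the fallback: {dropped_bits():#010x}")
```

Logging the `attempts` list on every join makes a weaker-than-expected negotiation visible to whoever reviews the member server's logs.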