Samba, NT4 and W2K trust/authentication problem.

Jensen, Rolf jensen at nettspes.no
Tue Mar 6 08:13:14 GMT 2001 

Hi Makis,

Thanks for you answer, but I'm not sure if this is true.
According to the NT admins, a native W2K client use NTLM
if you try to log in to a NT4 domain and there is a trust 
between the W2K domain and the NT4 domain. I've skimmed 
some TechNet articles and as far I can tell, this is correct.

So in a pure Windows world it works. If I use a W2K client 
in a native domain and map a drive to a NT4 server in 
another domain, I'm not prompted for a password.
But if I try to map a drive from the same W2K client 
to a Samba server in the same NT4 domain, it doesn't work.



Rolf


-----Original Message-----
From: m_marmaridis at email.com [mailto:m_marmaridis at email.com]
Sent: 5. mars 2001 23:24
To: Jensen, Rolf
Cc: samba at lists.samba.org
Subject: RE: Samba, NT4 and W2K trust/authentication problem.



Hi Jensen,

when switching a domain from mixed to native mode like you have, all the
Win2K clients will automatically start to use Kerberos authentication to the
DC(s) rather than NTLM, which will also remain in use so that any NT clients
can also log on to the native Win2K domain.

This is what I think causes the problem in your situation. The Win2K clients
have switched over to using Kerberos authentication. There should be a way
to revert the Win2K clients back to using NTLM instead and get your
passthrough authentication working again; - I have not tried that personally
though.

HTH,
Regards,
Makis.




> -----Original Message-----
> From: samba-admin at us5.samba.org [mailto:samba-admin at us5.samba.org]On
> Behalf Of Jensen, Rolf
> Sent: Tuesday, March 06, 2001 1:54 AM
> To: 'samba at lists.samba.org'
> Subject: Samba, NT4 and W2K trust/authentication problem.
>
>
> Hi all,
>
> Set-up:
> Local NT4-RESOURCE domain which the Samba server is a member off.
> One NT4-ADMIN domain with users accounts and one W2K domain
> with some other user accounts. A one way trust from NT4-ADMIN
> to NT4-RESOURCE and a one way trust from W2K to NT4-RESOURCE.
> Samba version 2.0.7 running on Solaris 2.6.
>
> According to the NT admins, the W2K domain is in native mode,
> but they still use Netbios.
>
> The problem is that passthrough authentication only works for
> users in the NT4-ADMIN domain and not for users in the W2K domain
> connecting with W2K workstations.
>
> The relevant section from smb.conf:
> workgroup = NT4-RESOURCE
> security = domain
> password server = NT4-RESOURCE-PDC
> encrypt passwords = yes
>
>
> The error message I get in the client log file:
> domain_client_validate: unable to validate password for user jensero
> in domain W2K to Domain controller NT4-RESOURCE-PDC .
> Error was code 0.
>
> More debug info is at the end of this mail.
>
> I've tried to use a W2K domain controller as the password server,
> but then I get the following error:
> connect_to_domain_password_server: unable to setup the PDC
> credentials
> to machine W2KDC1. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
>
>
> Any help is appreciated.
>
> Thanks
>
> Rolf Jensen
>
>
> PS: All Domains are fictitious.
>
>
> [2001/03/05 14:22:43, 0] smbd/password.c:domain_client_validate(1470)
>   domain_client_validate: unable to validate password for
> user jensero in
> domain W2K to Domain controller NT4-RESOURCE-PDC. Error was code 0.
> [2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
>   Couldn't find user 'jensero' in smb_passwd file.
> [2001/03/05 14:22:43, 2] smbd/reply.c:reply_sesssetup_and_X(914)
>   NT Password did not match for user 'jensero' ! Defaulting to Lanman
> [2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
>   Couldn't find user 'jensero' in smb_passwd file.
> [2001/03/05 14:22:43, 1] smbd/reply.c:reply_sesssetup_and_X(925)
>   Rejecting user 'jensero': authentication failed
> [2001/03/05 14:22:43, 3] smbd/error.c:error_packet(127)
>   32 bit error packet at line 639 cmd=115 (SMBsesssetupX)
> eclass=c000006d
> [Error: Unknown error (109,49152)]
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list