[Samba] problem configuring smbd for domain authentication

rohitm at engr.uconn.edu rohitm at engr.uconn.edu
Tue Feb 25 14:28:42 GMT 2003


One other thing I noticed, if I set "security = server" it works fine (Windows clients can authenticate
off Windows DC and access samba resources), but I still cannot get it to work with "security = domain".

Has anyone had success with security = domain?  I would love to read your configuration files.

Thanks

Rohit

On Mon, Feb 24, 2003 at 04:46:45PM -0500, rohitm at engr.uconn.edu wrote:
> Hello everyone, I am trying to configure a Samba 2.2 server to allow users to mount their home
> directories (stored on a UNIX filesystem) from Windows after authenticating against a Windows 2000
> Domain Controller.  
> 
> The Samba server is 2.2.3a compiled with acl support on Solaris 8.  I think I am experiencing some (hopefully)
> basic configuration issues and can't seem to get it to work.  I really hope someone can help!
> 
> The name of our Windows 2000 Domain is ad.... The domain controller is (aptly named) dc.  I have placed a static
> record in WINS for the samba server, and added a record to the Active Directory Computers container for it as well.
> The domain controller is a mixed-mode controller (I read in the docs that doesn't make any difference but I thought
> I'd mention it) and it is the only domain controller for the AD domain.
> 
> With the command, "smbpasswd -r DC -j ad... -UAdministrator%mypassword", I get a successful response:
> 		Joined domain AD.
> 
> However, when I get on a Windows 2000 machine (which is also a member of the domain AD), and try
> to mount \\mysambaserver\acls as a user who is already authenticated in the AD domain, it fails
> (the Windows end seems to hang and *eventually* prompts me for another username and password) and
> I see the following in my samba logs:
> 
>  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
>   connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
> [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
>   domain_client_validate: Domain password server not available.
> [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
>   unable to open passdb database.
> [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
>   unable to open passdb database.
> [2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
>   connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
> [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
>   domain_client_validate: Domain password server not available.
> 
> Here is a listing of my smb.conf file:
> [global]
> # debug level = 2
>    # Stuff needed by nmdb first
>    interfaces = myip
>    domain master = no
>    local master = no
>    preferred master = no
>    os level = 0
>    log file = /tmp/slog
>    wins server = 192.168.28.13
>    guest account = nobody
>    encrypt passwords = Yes
> #   security = server
>    security = domain
>    workgroup = ad
>    password server = dc
>    username map=/usr/local/samba/lib/ntstaff.map
>    invalid users = root
> 
> [homes]
>    comment = Home Directories
>    locking = no
>    browseable = no
>    read only = no
>    force create mode = 0750
>    create mode = 0750
>    force directory mode = 0750
>    directory mode = 0750
>    preserve case = yes
> 
> [acls]
>    Comments = Account information
>    path = /export/home/acls
>    create mode = 660
>    force create mode = 660
>    directory mode = 770
>    force directory mode = 770
>    preserve case = yes
>    browseable = yes
> 
> 
> I am fairly certain the ntstaff.map file is correct as it works in other configurations. I'll post the line with the username
> I used:
> !rotest2 = rotest2
> 
> 
> If anyone would like any more information I'd be happy to provide it.  I am really stumped right now as I think everything I am
> trying to do should work, but I don't know what I am doing wrong.  I would be most grateful for any assistance.
> 
> Thanks,
> 
> 
> Rohit Kumar Mehta
> University of Connecticut
> School of Engineering
> Systems Manager
> rohitm at engr.uconn.edu
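
An added example, not part of the original post and not Samba code: a short Python triage script for smbd logs shaped like the excerpt quoted above. It pairs each `cli_net_auth2` error with the following "unable to setup the PDC credentials" entry, so the failing step and its NT status can be read off without scanning the repeats. The sample log is constructed from lines in the post, and the names `parse_entries` and `credential_setup_failures` are hypothetical.

```python
import re

# Samba 2.2 debug header: "[date time, level] source_file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+\] \S+:(\w+)\(\d+\)$")
STATUS = re.compile(r"NT_STATUS_\w+")

# Constructed sample: mail-quoted, and the first body line has lost its header.
SAMPLE_LOG = """\
>  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
>   connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
> [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
>   domain_client_validate: Domain password server not available.
"""

def parse_entries(text):
    """Return one dict per log entry; body lines with no header are dropped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()  # undo mail quoting
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "func": m.group(2), "msg": ""}
            entries.append(current)
        elif current is not None and line:
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries

def credential_setup_failures(entries):
    """Find cli_net_auth2 errors that smbd followed by giving up on the DC."""
    found = []
    for i, e in enumerate(entries):
        status = STATUS.search(e["msg"])
        if e["func"] != "cli_net_auth2" or not status:
            continue
        tail = [x["func"] for x in entries[i + 1:i + 4]]
        if "connect_to_domain_password_server" in tail:
            found.append((e["time"], status.group(0)))
    return found

if __name__ == "__main__":
    for when, status in credential_setup_failures(parse_entries(SAMPLE_LOG)):
        print(when, "credential setup with the DC failed:", status)
```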