[Samba] RE: TOSHARG: Samba ADS domain membership notes

John H Terpstra samba at primastasys.com
Wed Oct 13 13:40:30 GMT 2004


Jeremy,

Thanks for this feedback. I will include this info as soon as I get a
moment. Good work.

- John T.
---
John H Terpstra
Samba-Team
email: jht at samba.org


> -------- Original Message --------
> Subject: TOSHARG: Samba ADS domain membership notes
> From: "Jeremy Naylor" <jnaylor at gmail.com>
> Date: Wed, October 13, 2004 5:27 am
> To: jht at samba.org
>
> Hi John,
>
> I ran into a few problems adding a Samba machine to my Win2k3 AD
> domain for Squid authentication.  I pinned it down to two specific
> settings in the Security Policy on the domain controller.  I googled
> for days and found a few other cases of the same problem but never any
> solutions.  I finally found them through trial and error.  I think
> these two would be good tips to add to the how-to, since the settings
> are recommended by Microsoft as a best practice for security.
>
> At first, I was always getting this message:
>
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
>   ads_connect: Strong(er) authentication required
>
> This directly correlated with this setting in the Security Policy:
>   Domain Controller: LDAP server signing requirements = Require Signing
> Changing this to "None" got it working as a workaround.  I'm still
> trying to get it to work with that enabled.
>
> The other issue I had was testing authentication with "wbinfo -a
> user%pass".  That would never succeed, even once I had joined the
> domain.  It would always come back with:
>
> plaintext password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user user with challenge/response
>
> It also failed when using the ntlm_auth helper (with basic or NTLM
> authentication).  I found out this is because neither wbinfo nor
> ntlm_auth supports NTLMv2, and I had this setting in my Security
> Policy:
>
>   Network security: LAN Manager authentication level = Send NTLMv2
> response only\refuse LM & NTLM
>
> I configured Squid for NTLMv2 (ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp) authentication and that worked
> fine.  I could have saved a lot of time had I realized the other tools
> would never work.
>
> Thanks!
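The two failure signatures in the message above map one-to-one onto domain controller policy settings, and the useful response in each case is to adjust the Samba side (or accept the limitation) rather than weaken the DC. The script below is an added triage helper written for this thread; it is not part of Samba or of the original post. It reads the output of `net ads join` / `wbinfo -a` / `ntlm_auth` on stdin, reports which policy is involved, and repeats the handling the post describes. The keyword names, the `RUN_LIVE` guard and the `net ads testjoin` wrapper are this script's own assumptions; the sample output lines are copied from the post for the self-test.

```shell
#!/bin/sh
# Added example (not Samba's code): map the two error signatures from the
# thread to the AD Security Policy setting behind them, so an admin can keep
# the hardened DC policy and fix the client side instead.

# diagnose_samba_ads_output: read Samba tool output on stdin and print one
# keyword per signature found (constructed keyword names, an assumption):
#   ldap_signing - "Strong(er) authentication required" from net ads
#   ntlmv2_only  - NT_STATUS_WRONG_PASSWORD from wbinfo -a / ntlm_auth
#   ok           - no known signature matched
diagnose_samba_ads_output() {
    out=$(cat)
    found=0
    if printf '%s\n' "$out" | grep -q 'Strong(er) authentication required'; then
        echo ldap_signing
        found=1
    fi
    if printf '%s\n' "$out" | grep -q 'NT_STATUS_WRONG_PASSWORD'; then
        echo ntlmv2_only
        found=1
    fi
    [ "$found" -eq 1 ] || echo ok
}

# explain_diagnosis: print the DC policy a keyword corresponds to and the
# client-side handling reported in the thread. Returns 1 on an unknown keyword.
explain_diagnosis() {
    case "$1" in
        ldap_signing)
            printf '%s\n' 'DC policy: Domain Controller: LDAP server signing requirements = Require Signing'
            printf '%s\n' 'Setting it to None only works around the join failure; it lowers LDAP integrity protection for every client of the DC, so treat it as temporary.'
            ;;
        ntlmv2_only)
            printf '%s\n' 'DC policy: Network security: LAN Manager authentication level = Send NTLMv2 response only\refuse LM & NTLM'
            printf '%s\n' 'wbinfo -a and the basic/NTLM ntlm_auth helpers cannot satisfy this policy; keep it and use the NTLMSSP helper: ntlm_auth --helper-protocol=squid-2.5-ntlmssp'
            ;;
        ok)
            printf '%s\n' 'No policy-related signature found in the output.'
            ;;
        *)
            printf 'unknown diagnosis: %s\n' "$1" >&2
            return 1
            ;;
    esac
}

# run_live_check: run the real membership test and explain each finding.
# Only executed when RUN_LIVE=1 so the script can be sourced for its
# functions without touching a domain controller.
run_live_check() {
    net ads testjoin 2>&1 | diagnose_samba_ads_output | while read -r key; do
        explain_diagnosis "$key"
    done
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_live_check
fi
```

Typical use is to pipe the failing command into the first function, for example `net ads join -U Administrator 2>&1 | diagnose_samba_ads_output`, then feed each keyword to `explain_diagnosis`. The point of the second function is the direction of the fix: the NTLMv2-only case is fully solvable on the Squid side with the NTLMSSP helper, while the LDAP signing case has only the workaround the post mentions.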