[Samba] Is Samba PDC + NT4 DOM Trust using NTLMv2 possible?

Aaron J. Zirbes ajz at umn.edu
Mon Dec 10 17:21:36 GMT 2007


I haven't found a solution yet.  I think I may post a bug to the
bugtrack database.
--
Aaron

Hans-Wilhelm Heisinger wrote:
> Did you come across a solution to this problem?  I have the same issue.
>
> With kind regards
> Hans
>
> Aaron J. Zirbes wrote:
>> My Question:
>> ------------
>>
>> Is it possible to get 2-way Interdomain Trust relationships working
>> between a Samba domain and an NT4 SP6a domain, while restricting all
>> password hashes to NTLMv2 only?
>>
>> Everything works except the inter-domain trust
>>
>> I'm able to get the NT4 domain to trust the Samba domain, but not the
>> other way around.
>>
>> My System:
>> ----------
>>
>> I have a perfectly running Samba domain w/ ~60 client WinXP
>> workstations, and Win 2003 member servers.  All machines are set to
>> use NTLMv2 only.
>>
>> My Config:
>> ----------
>>
>> I'm running Samba Version 3.0.27a, compiled with
>>     --with-ldap --with-winbind --with-utmp --with-acl-support
>>
>> LDAP backend with the new:
>>    ldapsam:trusted=yes
>>    ldapsam:editposix=yes
>>
>> Key NTLMv2 security settings are:
>>    ntlm auth = no
>>    lanman auth = no
>>    client plaintext auth = no
>>    client lanman auth = no
>>    client ntlmv2 auth = yes
>>    client schannel = yes
>>    server schannel = yes
>>    client signing = auto
>>    server signing = auto
>>
>> I added an idmap config section for the trusted domain
>>
>> I created the "Machine" account entry in LDAP for the trusted
>> domain.  I set up the domain trust using the net command, I added
>> access to one of my shares by adding TESTDOM\azirbes to the "valid
>> users" parameter as I usually do, but the trusted domain still
>> prompts for a user name and password, and the samba log dumps the
>> following:
>>
>> [2007/11/09 12:55:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
>>   make_user_info_map: Mapping user [TESTDOM]\[azirbes] from workstation [nt4test]
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
>>   is_trusted_domain: Checking for domain trust with [TESTDOM]
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(75)
>>   attempting to make a user_info for azirbes (azirbes)
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(85)
>>   making strings for azirbes's user_info struct
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(117)
>>   making blobs for azirbes's user_info struct
>> [2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
>>   check_ntlm_password:  Checking password for unmapped user [TESTDOM]\[azirbes]@[nt4test] with the new password interface
>> [2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(224)
>>   check_ntlm_password:  mapped user is: [TESTDOM]\[azirbes]@[nt4test]
>> [2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
>>   check_samstrict_security: TESTDOM is not one of my local names or domain name (DC)
>> [2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
>>   check_ntlm_password: winbind authentication for user [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
>> [2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
>>   check_ntlm_password:  Authentication for user [azirbes] -> [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:free_user_info(2045)
>>   attempting to free (and zero) a user_info structure
>>
>>
>> -- 
>> Aaron
>>   
>
>
>

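The smbd debug excerpt quoted in this thread shows the shape of a failed logon that went through the trusted-domain path: a "Mapping user [DOM]\[user] from workstation [ws]" line, then check_samstrict_security reporting that the domain "is not one of my local names", then winbind and the final check_ntlm_password both reporting NT_STATUS_ACCESS_DENIED. The following is an added example (not code from the thread or from the Samba project) that parses that log format and flags logon failures whose domain was routed to winbind, so an administrator can separate trust-path failures like the one above from ordinary wrong-password failures. It assumes the Samba 3.0.x debug header layout exactly as quoted; the sample log reuses the thread's message text for the first attempt and adds a constructed second attempt (MYDOM\bob, NT_STATUS_WRONG_PASSWORD) for contrast.

```python
"""Parse Samba 3.x smbd debug output and flag failed logons that came in
through the trusted-domain (winbind) path.  Constructed example; not part
of the original mailing-list thread or of Samba itself."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Debug header as quoted in the thread: "[YYYY/MM/DD HH:MM:SS, level] file:func(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<src>[^:]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Message patterns, taken from the messages quoted in the thread.
MAP_RE = re.compile(
    r"Mapping user \[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\] from workstation \[(?P<ws>[^\]]*)\]"
)
NONLOCAL_RE = re.compile(r"check_samstrict_security: (?P<dom>\S+) is not one of my local names")
WINBIND_RE = re.compile(
    r"winbind authentication for user \[(?P<user>[^\]]*)\] FAILED with error (?P<status>NT_STATUS_\w+)"
)
FINAL_RE = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)"
)


@dataclass
class LogEntry:
    ts: str
    level: int
    src: str
    func: str
    message: str  # continuation lines joined with single spaces


@dataclass
class AuthAttempt:
    domain: str
    user: str
    workstation: str
    ts: str
    domain_is_foreign: bool = False      # check_samstrict_security said "not one of my local names"
    winbind_status: Optional[str] = None  # status reported by the winbind pass, if any
    final_status: Optional[str] = None    # status reported by check_ntlm_password, if it failed


def parse_samba_log(text: str) -> List[LogEntry]:
    """Split debug output into entries; any non-header, non-blank line continues
    the message of the preceding header (smbd messages may span lines)."""
    entries: List[LogEntry] = []
    current: Optional[LogEntry] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            if current is not None:
                entries.append(current)
            current = LogEntry(m["ts"], int(m["level"]), m["src"], m["func"], "")
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    if current is not None:
        entries.append(current)
    return entries


def extract_auth_attempts(entries: List[LogEntry]) -> List[AuthAttempt]:
    """Group entries into logon attempts, starting a new one at each 'Mapping user' line."""
    attempts: List[AuthAttempt] = []
    current: Optional[AuthAttempt] = None
    for e in entries:
        m = MAP_RE.search(e.message)
        if m:
            current = AuthAttempt(m["dom"], m["user"], m["ws"], e.ts)
            attempts.append(current)
            continue
        if current is None:
            continue
        if NONLOCAL_RE.search(e.message):
            current.domain_is_foreign = True
        m = WINBIND_RE.search(e.message)
        if m:
            current.winbind_status = m["status"]
        m = FINAL_RE.search(e.message)
        if m:
            current.final_status = m["status"]
    return attempts


def trusted_domain_failures(attempts: List[AuthAttempt]) -> List[AuthAttempt]:
    """Failures whose domain was not local, i.e. the trust/winbind path was taken."""
    return [a for a in attempts if a.domain_is_foreign and a.final_status is not None]


def analyze(text: str) -> List[AuthAttempt]:
    return trusted_domain_failures(extract_auth_attempts(parse_samba_log(text)))


# Constructed sample.  First attempt: the message text quoted in the thread
# (kept mail-wrapped to exercise continuation handling).  Second attempt: an
# invented local-domain failure that must NOT be flagged as a trust problem.
SAMPLE_LOG = r"""[2007/11/09 12:55:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [TESTDOM]\[azirbes] from workstation [nt4test]
[2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
  is_trusted_domain: Checking for domain trust with [TESTDOM]
[2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [TESTDOM]\[azirbes]@[nt4test] with the
new password interface
[2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
  check_samstrict_security: TESTDOM is not one of my local names or domain name (DC)
[2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [azirbes] FAILED with error
NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [azirbes] -> [azirbes] FAILED with error
NT_STATUS_ACCESS_DENIED
[2007/11/09 12:57:00, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [MYDOM]\[bob] from workstation [ws1]
[2007/11/09 12:57:00, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts} trust-path failure: {a.domain}\\{a.user} from {a.workstation} "
              f"winbind={a.winbind_status} final={a.final_status}")
```

Run against a real log at debug level 5 or higher (the quoted lines come from level 5 and 6 entries), the trust-path failures it lists are the ones worth checking against the trust account and the idmap config for that domain, while the local-domain failures it leaves out are ordinary credential problems.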