[Samba] Howto auth against an NT domain I don't control?

The Amigo theamigo at gmail.com
Sun Sep 21 11:20:56 GMT 2008


I did this a few years ago (RHEL 4.0 -- samba 3.0.10) and had a nice working
setup... until the drive developed bad sectors and wouldn't boot.  Now I'm
starting with a fresh OS (ArchLinux -- samba 3.0.31) and trying to recreate
what I had working before.

My previous setup (which worked nicely):
  RHEL 4.0 running samba 3.0.10
  security = server
  password server = <DC's IP>
I'm running in a corp environment where I don't have admin rights to the
domain.  Thus I can't run with security=domain because I can't get a domain
admin to add my samba server to the domain.  This appears to be a unique
situation as all the googling I've done on this topic hasn't turned up
anyone else doing this same thing.

But running with security=server allowed anyone I added to the valid users
line access to my samba server without even prompting them for a password.
That is, when they're already logged in to a WinXP box that's joined to the
domain against which I'm authenticating.  Despite the warnings about
security=server, it's the only way I can get seamless[1] authentication and
it's worked great for the past few years.

The problem is that now I'm running on a fresh install and I'm unable to get
that working again.  I have my original smb.conf and secrets.tdb from the
server that worked, but that was an older version of samba (3.0.10 vs
3.0.31).

The symptom I have is:  when I try to connect, samba logs the error:
  [2008/09/21 05:42:00, 1] auth/auth_server.c:check_smbserver_security(363)
    password server 10.102.212.249 rejected the password: NT_STATUS_LOGON_FAILURE

Suggestions and troubleshooting tips welcome.  I've stayed up too late
working on this and I'm probably not thinking clearly anymore.

1: Seamless in the sense of the end user's experience:  They log on to their
WinXP machine which is a domain member.  They can either click a shortcut or
type \\mysambaserver\sharename and see the share without being prompted for
a password.  Files they create are owned by them, they aren't mapped to
the guest user.
-- 
http://theamigo.blogspot.com

