security = domain

Ryan Koski Ryan at US.Distribution.com
Thu Aug 13 00:49:05 GMT 1998


Hello...

Forgive my naivete with the alpha development efforts of SAMBA, as I
must ask a newbie question.

I am running the bleeding edge code from CVS and the security = domain
option.  My understanding was that this setup should get its auth
info from our NT PDC.  However, it appears as if SAMBA is still trying
to look up users and groups via the passwd and group file on the Linux
box.

My goal:  My RH5.1 box with the latest CVS code (daily updates and
rebuilds) should join an existing domain controlled by an NT 4.0 Server.
Being on this domain, it should serve requests from other NTWS & NTS
boxes on its domain and the trusted domains without having to create
those user accounts anywhere on the Linux box.

What I have done so far:  As mentioned above, daily code updates and
rebuilds.  I have set the following global parameters in my smb.conf:

encrypt passwords = yes
local master = no
password server = SRV-DAIPDC SRV-DAIBDC
security = domain
workgroup = DAI
 
Per the NTDOM FAQ, I created the machine account, and used smbpasswd -j
DAI to join the domain, which smbpasswd reported as successful.  I have
the MACHINE.SID and the .mac file in the private directory.

However, when I try to test this by browsing the available shares on the
SAMBA server in Network Neighborhood from my NTWS, I get the Windows
dialog box prompting me for a Connect As: username and password.  These
are the log entries I receive (My domain user account is "Ryan"):

[1998/08/12 17:38:08, 3] smbd/reply.c:reply_sesssetup_and_X(594)
  Domain=[DAI]  NativeOS=[Windows NT 1381] NativeLanMan=[]
[1998/08/12 17:38:08, 3] smbd/reply.c:reply_sesssetup_and_X(598)
  sesssetupX:name=[Ryan]
[1998/08/12 17:38:08, 3] libsmb/namequery.c:resolve_name(506)
  resolve_name: Attempting wins lookup for name SRV-DAIPDC<0x20>
[1998/08/12 17:38:08, 3] lib/util.c:open_socket_in(3384)
  bind succeeded on port 0
[1998/08/12 17:38:08, 4] libsmb/nmblib.c:debug_nmb_packet(112)
  nmb packet from <ip masked>(137) header: id=8530 opcode=Query(0)
response=No
      header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=No
      header: rcode=0 qdcount=1 ancount=0 nscount=0 arcount=0
      question: q_name=SRV-DAIPDC<20> q_type=32 q_class=1
[1998/08/12 17:38:08, 4] libsmb/nmblib.c:debug_nmb_packet(112)
  nmb packet from <ip masked>(137) header: id=8530 opcode=Query(0)
response=Yes
      header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No
auth=Yes
      header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
      answers: nmb_name=SRV-DAIPDC<20> rr_type=32 rr_class=1 ttl=0
      answers   0 char `.....   hex 6000C0BC1496
[1998/08/12 17:38:08, 2] libsmb/namequery.c:name_query(291)
  Got a positive name query response from <ip masked> ( <ip masked> )
[1998/08/12 17:38:11, 3] lib/util.c:open_socket_out(3416)
  Connecting to <ip masked> at port 139
[1998/08/12 17:38:11, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(208)
  cli_net_req_chal: LSA Request Challenge from SRV-DAIPDC to SRV-SMG:
1399EA5BEADCFC34
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_session_key(64)
  cred_session_key
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_create(95)
  cred_create
[1998/08/12 17:38:11, 4] rpc_client/cli_netlogon.c:cli_net_auth2(127)
  cli_net_auth2: srv:\\SRV-DAIPDC acct:SRV-SMG$ sc:2 mc: SRV-SMG chal
445BB52E96FB2B3B neg: 1ff
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_create(95)
  cred_create
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_assert(126)
  cred_assert
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_create(95)
  cred_create
[1998/08/12 17:38:11, 4]
rpc_client/cli_netlogon.c:cli_net_sam_logon(337)
  cli_net_sam_logon: srv:\\SRV-DAIPDC mc:SRV-SMG clnt F9BD26B822EE960E
35d23573 ll: 2
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_create(95)
  cred_create
[1998/08/12 17:38:11, 4] libsmb/credentials.c:cred_assert(126)
  cred_assert
[1998/08/12 17:38:11, 3] smbd/password.c:setup_groups(187)
  ryan is in 4 groups
[1998/08/12 17:38:11, 3] smbd/password.c:setup_groups(189)
  500 0 4 501 
[1998/08/12 17:38:11, 3] smbd/password.c:register_vuid(264)
  uid 500 registered to name ryan
[1998/08/12 17:38:11, 3] smbd/password.c:register_vuid(266)
  Clearing default real name
[1998/08/12 17:38:11, 3] smbd/server.c:chain_reply(4872)
  Chained message
[1998/08/12 17:38:11, 3] smbd/server.c:switch_message(4687)
  switch message SMBtconX (pid 18860)
[1998/08/12 17:38:11, 4] smbd/reply.c:reply_tcon_and_X(318)
  Got device type IPC
[1998/08/12 17:38:11, 2] lib/access.c:check_access(232)
  Allowed connection from CANDIDATE.distribution.com (<ip masked>)
[1998/08/12 17:38:11, 3] smbd/password.c:authorise_login(700)
  ACCEPTED: validated uid ok as non-guest
[1998/08/12 17:38:11, 3] smbd/server.c:find_free_connection(3887)
  found free connection number 42
[1998/08/12 17:38:11, 3] smbd/server.c:make_connection(3659)
  Connect path is /tmp
[1998/08/12 17:38:11, 0] smbd/uid.c:become_gid(136)
  Couldn't set gid 500 currently set to (0,0)
[1998/08/12 17:38:11, 0] smbd/server.c:make_connection(3699)
  Can't become connected user!


Note that there is a user account named "ryan" on the RH5.1 box.  If I
remove that account, the log is slightly different but ends in the same
result: Can't become connected user!

Can someone please point me in the right direction to get this working?

Thanks much!

Ryan Koski
Management Information Systems
Distribution Architects International
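
An added example, not part of the original post: a small Python parser for the smbd debug-log layout quoted above (a `[timestamp, level] file.c:function(line)` header followed by message lines) that tolerates the mail client's line wrapping and extracts the name the client sent, the UNIX uid/name smbd registered, and the level-0 errors. The sample is a few lines excerpted from the log in the post; `parse_records` and `summarise` are hypothetical helper names.

```python
import re

# "[date time, level] file.c:function(line)"; the location may wrap to the next line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^\S+\.c:\w+\(\d+\)$")
# Excerpt of the log in the post, mail line-wrapping preserved.
SAMPLE = r"""[1998/08/12 17:38:08, 3] smbd/reply.c:reply_sesssetup_and_X(598)
  sesssetupX:name=[Ryan]
[1998/08/12 17:38:11, 4]
rpc_client/cli_netlogon.c:cli_net_sam_logon(337)
  cli_net_sam_logon: srv:\\SRV-DAIPDC mc:SRV-SMG clnt F9BD26B822EE960E
35d23573 ll: 2
[1998/08/12 17:38:11, 3] smbd/password.c:register_vuid(264)
  uid 500 registered to name ryan
[1998/08/12 17:38:11, 0] smbd/uid.c:become_gid(136)
  Couldn't set gid 500 currently set to (0,0)
[1998/08/12 17:38:11, 0] smbd/server.c:make_connection(3699)
  Can't become connected user!"""

def parse_records(text):
    """Group header + message lines into records, rejoining wrapped lines."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": []})
        elif records and not records[-1]["where"] and LOCATION.match(line):
            records[-1]["where"] = line        # header split by the mailer
        elif records and line:
            records[-1]["msg"].append(line)
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records

def summarise(records):
    """Client-supplied name, UNIX uid/name smbd registered, level-0 errors."""
    out = {"client_name": None, "unix_user": None, "unix_uid": None, "errors": []}
    for rec in records:
        func = rec["where"].split(":")[-1].split("(")[0]
        if func == "reply_sesssetup_and_X" and (
                m := re.search(r"sesssetupX:name=\[([^\]]*)\]", rec["msg"])):
            out["client_name"] = m.group(1)
        elif func == "register_vuid" and (
                m := re.match(r"uid (\d+) registered to name (\S+)", rec["msg"])):
            out["unix_uid"], out["unix_user"] = int(m.group(1)), m.group(2)
        if rec["level"] == 0:
            out["errors"].append((func, rec["msg"]))
    return out
```

Calling `summarise(parse_records(SAMPLE))` returns a dictionary that puts the client-supplied name, the registered UNIX uid and name, and the two level-0 failures side by side.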