Trust problem with Samba 2.0.5a domain security
Spock
spock at spk.hp.com
Wed Oct 27 15:34:42 GMT 1999
First, I must apologize for not being completely knowledgeable on
how NT domain controllers work with each other.
I am running samba 2.0.5a under HP-UX 10.20 on an HP9000 model C3000.
The NT users on our site belong, if I understand this correctly, to a user
domain called COL-SPRINGS. All NT servers on the site, and my samba server,
smbasvr, are members of a resource domain called SPK. There is a primary
domain controller for both the COL-SPRINGS domain (COL-SPRINGS-PDC.atl) and
the SPK domain (spkps1). There is a backup domain controller for the SPK
domain (CS-BDC-SP). There is some kind of trust relationship between the
primary and backup domain controllers which are used for user authentication.
I used the command "smbpasswd -j SPK -r spkps1" to join the SPK
domain. Set the parameters "workgroup = SPK", "security = domain",
"encrypt passwords = yes", and "password server = CS-BDC-SP COL-SPRINGS-PDC.atl"
in smb.conf and started smbd. (Previous to this, we had been operating with
security = server and having intermittent connection problems by NT clients.)
The problem I now see in the log file for an NT PC trying to connect
is the following:
"cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[1999/10/27 08:16:42, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
cli_nt_setup_creds: auth2 challenge failed
[1999/10/27 08:16:42, 0] smbd/password.c:domain_client_validate(1351)
domain_client_validate: unable to setup the PDC credentials to machine CS-BDC-SP. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT."
My questions are:
1. Is the problem that the backup domain controller
CS-BDC-SP does not trust my samba server? Or is it the other way around?
2. What can be done to establish the required trust?
3. Have I joined my samba server to the correct domain?
(In an earlier attempt at domain security, I had smbasvr made a member of the
COL-SPRINGS domain and joined it. However, in that mode, the samba logs
would indicate that the machines trying to connect were rejected because they
were not members of the COL-SPRINGS domain.)
If anyone can help me solve this problem, I will be very grateful.
Ken Laird
___________________________________________________________________________
| |
| Ken Laird unix: spock at vulcan.spk.hp.com |
| Hewlett Packard cc:Mail : none |
| Spokane Division AT&T: (509) 921-3656 |
| 24001 E. Mission, Liberty Lake, WA 99019 Telnet: 1-921-3656 |
|___________________________________________________________________________|