Quantum Snap Server and Samba NT Domain

Fri Dec 8 12:36:16 GMT 2000

-----Original Message-----
From:	Chris Wood [SMTP:cwood at wencor.com]
Sent:	Friday, December 08, 2000 7:36 AM
To:	David Atkinson
Cc:	samba-ntdom at us5.samba.org
Subject:	RE: Quantum Snap Server and Samba NT Domain

No luck. :(  I did already have the machine setup as a workstation (but I
did it as all uppercase, not lowercase) 
[David Atkinson]  Yes, the account name will be listed in uppercase (netbios names are up to 14 characters, case is ignored), it is just the password which is case sensitive.
without any luck.  I tried it the
lowercase way too, but smbpasswd seems to convert it back to
uppercase.  For some reason, my samba install doesn't seem to pay
attention as to whether machines are setup in the smbpasswd file or
not.  I can connect from machines that aren't setup in that file but the
users are.  (I've never understood why it doesn't enforce this.)
[David Atkinson]  It only requires NT servers to participate in the network, not Win9x boxes. Win9x boxes do not properly support the domain trust relationships required for participating in domain authentication. Basically a WinNT machine logs into the domain with its machine password and then whenever a user logs on on that NT box all the other machines in the domain "Trust" that the NT box has made sure the user has valid credentials. Win9x just sends the username and password to the PDC, if it works, it works, if it doesn't, Win9x baulks. Whenever a Win9x box tries to connect to another server it uses the username/password pair it checked against the PDC to try and log into the another server.

The Snap server requires a valid logon name (username), if I give it a bad
one it will tell me that the server rejects the login.  If I give it a
good one, it gives me an error that says "SMB: failed to connect to IPC$
on domain controller".

[David Atkinson]  Have you got encrypted password support ? I have just had a look at the Snap 1000 Admin Guide (I just downloaded the first user manual I could find). It says

When using Microsoft networking, local users are authenticated by Snap! Server with the same algorithms as a Windows NT 4.0 server (Service Pack 3 and above). 

That means encrypted passwords. This would account for the SMB IPC$ error. With invalid credentials it would logon as a guest user, with a vaild username, but invalid password, IPC$ connection would fail.

Also, this might be of use :
from the Managing Security section (Chapter 8 in the document I'm looking at)

Local Users
You can identify users who have access rights on your Snap! Server simply by entering them in the Snap! Server configuration. These users are referred to as Snap! Server local users. You use the Snap! Server Web-based Administration program to set up local users. 

When you set up a local user, you specify the following information. 

Item Description
User name
Identifies the user to the Snap! Server. In most cases, this name should be the same as the one with which the user logs in to other systems on your network. Password Used by the Snap! Server to authenticate the user. Connecting to the Snap! Server is simpler and faster if this password is the same as the one with which the user logs in to other systems on your network.

Group membership (optional)
Allows you to combine users into a single entity, and assign access rights to them all at once. For more information, see "Combining Users into Groups" on page 69.

NFS properties (optional)
Allows the Snap! Server to associate a local user with one or more user accounts on a UNIX computer, a multiuser UNIX system, or a Windows or DOS computer configured with PC/NFS. For more information, see "NFS Users" on page 77.

When users try to connect to a share that they don't have access to
(because I can't give them access), the snappy will show them as connected
and validated but with no files open.

On Thu, 7 Dec 2000, David Atkinson wrote:

> Hi,
> Sounds like you need the Snap Server to participate in the NT domain, which requires a machine account to be created for the Snap Server on the PDC (this is the machines netbios name with an appended $.). If you are using /etc/passwd security add a line like
> 
> 	snappy$::700:700::/tmp:/dev/null
> 
> where the sever is called snappy. The password should then be set to snappy (the server's netbios name, all lowercase).
> 
> 	# passwd snappy$
> 	New UNIX password : snappy
> 
> if you use encrypted passwords use
> 
> 	smbpasswd -a -m snappy
> 
> you need to add the above line to your /etc/passwd file first, but smbpasswd takes care of the rest.
> 
> hope this helps
> 
> -----Original Message-----
> From:	Chris Wood [SMTP:cwood at wencor.com]
> Sent:	Thursday, December 07, 2000 7:26 AM
> To:	samba-ntdom at us5.samba.org
> Subject:	Quantum Snap Server and Samba NT Domain
> 
> 
> I've been running our Samba as the PDC on it's own NT domain for over a
> year.  This has worked well for authenticating Win95 boxes and handling
> shares. We are now moving some of our shares to a Quantum Snap Server 4100
> which supports NT Domain Security, but I can't get it to work correctly.
> 
> It wants to use a regular username/password to list the users/groups
> available on the server.  It DOES seem to authenticate correctly against
> the Samba server, BUT in order to administer the access list to the Shares
> on the Snap server it requires that it downloads the list of usernames
> from the PDC.
> 
> I assume that if it let me type in the usernames myself, that it would
> work correctly, but it is written so that it will only use the list from
> the PDC.
> 
> 1. Does Samba have the ability to send this username/group
> list?  (I'm guessing not.)
> 
> 2. Anyone else out there doing this with any success?
> 
> Samba Server:
> Samba 2.0.7
> DG/UX 4.2mu05 (Data General)
> 
> 

-- 

-=-=-=-=-=-
Chris Wood                         Kitco, Inc.
801-489-2097                       Wencor West, Inc.
[cwood at wencor.com]                 Durham Aircraft Services
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-