Problems authenticating with 2.0.7 vs Windows 2000

Ray Frush ray_frush at agilent.com
Fri Apr 28 17:26:18 GMT 2000


I've posted this to the samba, and comp.protocols.smb forums, the only response
I got was to try posting here. The write up is kind of long, but I want to paint
a good picture! Here goes:


Our company currently uses a few "User Domains" running NT 4.0 that all the
Resource Domains have a one way trust with to provide logins.  Our Samba servers
are 'joined' to one of the Resource domains and use security=domain mode to
authenticate users.
This has been working very well.  On to the problem:

We're splitting out a significant chunk of users to form a new company and
moving their accounts to a NEW NT Account domain.  A design decision was made
to implement the new domain on WINDOWS 2000 servers.  The NT 4.0 "emulation
mode" is being used so that the existing Resource domains can create a one way
trust with the new Windows 2000 Account domain.  (Let me know if this isn't
making sense).

The accounts in the new (w2k) user domain are copied from the old accounts in
the old (NT4) domain.  The new account has a new SID for the new account domain,
plus a copy of the SID from the old domain (SID History).

So far, the resource domains (nt4) are all very happy with the situation.  They
recognize and authenticate to the new (w2k) user domain, and allow access to ACL
protected resources by using the SID history to match the old SIDs.

THE PROBLEM WITH SAMBA...
(Versions 2.0.3, 2.0.5, 2.0.7 have the same behaviour)

Samba servers in our resource domain continue to authenticate with the OLD (nt4)
User Domains, but cannot authenticate to the new (w2k) user domain.

As a repeatable example, I use a client ( NT4 sp5, or W2k Pro) to execute the
command:

     NET VIEW \\BOCK     #where BOCK is our samba server 2.0.7

The results of this are:
H:\>net view \\bock
System error 86 has occurred.

The specified network password is not correct.


The "Client" log file in \var\opt\samba\logs records the following:

[2000/04/28 11:24:54, 0] rpc_client/cli_pipe.c:rpc_read(89)
  rpc_read: Error 234 in cli_read
[2000/04/28 11:24:54, 0] smbd/password.c:domain_client_validate(1470)
  domain_client_validate: unable to validate password for user frush in domain
AGILENT to Domain controller *. Error was ERRDOS - ERRmoredata (There is more
data to be returned.).
[2000/04/28 11:24:54, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'frush' in smb_passwd file.
[2000/04/28 11:24:54, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'frush' in smb_passwd file.
[2000/04/28 11:24:54, 1] smbd/reply.c:reply_sesssetup_and_X(925)
  Rejecting user 'frush': authentication failed

Based on what I know, the first and second entry in the log are the key, and the
rest of the entries are what you'd expect since we're using Domain security to
avoid having to populate the local smb_passwd file.  It appears that the request
to the AGILENT domain receives a response that the Samba code is not equipped to
deal with, and Samba simply assumes that the password is invalid when there is
still more data to retrieve.

My request to this forum is this:
If this configuration has been tested, and is known to work,  then please let me
know what I am probably doing wrong. If it is known to _not_ work then I need
someone to confirm this.

If this configuration has not been tested, then I would like someone to help me
verify or solve this problem.  I just haven't got enough SMB protocol knowledge
to read a level 5 log of this transaction.  ( I do have a log saved when I did
this with Log Level = 5 if anyone would care to take a crack at this.)

Thanks, and I look forward to your insights into this problem.

; Configuration file for smbd.
; ============================================================================

[global]
; Networking Options
   server string = ICBD SAMBA %v
   socket options = TCP_NODELAY SO_KEEPALIVE
   dead time = 30

; Name Service and DOMAIN membership
   local master = no
   netbios name = bock
   wins server = 130.29.152.23
   encrypt passwords = yes
   oplocks = yes
   level2 oplocks = yes

   security = domain
   workgroup = FCS-SRV
   password server = *
   allow trusted domains = yes
   username map = /opt/samba/lib/username.map
   guest account = nobody

   log file = /var/opt/samba/logs/%m.log
   max log size = 50

   lock directory = /var/opt/samba/locks
   share modes = yes


;----------------------------------------------------------------
; service definitions

[homes]
   comment = Home Directories
   browseable = yes
   read only = no
   create mode = 0755


[temp]
    path = /tmp
    browseable = yes
    writable = yes



--
Ray Frush               "Either you are part of the solution,
T:898.6223               or part of the precipitate."
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
Agilent Technologies  Fort Collins Site IT
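As an added example (not part of the original post), the following script parses smbd log entries in the two-line layout quoted above and pulls out domain_client_validate failures, so the ERRmoredata response from the new domain controller can be spotted across many client logs instead of being read as a plain bad password. The sample log is constructed from the excerpt in the post; the regular expressions assume the Samba 2.0.x log format shown there.

```python
"""Find domain-authentication failures in Samba 2.0.x smbd client logs."""
import re

# A Samba log entry is a header "[timestamp, level] file:function(line)"
# followed by one or more message lines (long messages wrap unindented).
HEADER = re.compile(
    r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# The message smbd/password.c writes when the domain controller rejects a check.
VALIDATE_FAIL = re.compile(
    r"unable to validate password for user (?P<user>\S+) in domain\s+"
    r"(?P<domain>\S+) to Domain controller (?P<dc>\S+)\. Error was (?P<err>[^(]+)"
)

# Constructed sample, taken from the log excerpt quoted in the post above.
SAMPLE_LOG = """\
[2000/04/28 11:24:54, 0] rpc_client/cli_pipe.c:rpc_read(89)
  rpc_read: Error 234 in cli_read
[2000/04/28 11:24:54, 0] smbd/password.c:domain_client_validate(1470)
  domain_client_validate: unable to validate password for user frush in domain
AGILENT to Domain controller *. Error was ERRDOS - ERRmoredata (There is more
data to be returned.).
[2000/04/28 11:24:54, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'frush' in smb_passwd file.
[2000/04/28 11:24:54, 1] smbd/reply.c:reply_sesssetup_and_X(925)
  Rejecting user 'frush': authentication failed
"""


def parse_entries(text):
    """Group each header with its (possibly wrapped) message into one dict."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entry = m.groupdict()
            entry["msg"] = ""
            entries.append(entry)
        elif entries and raw.strip():
            # Continuation line: re-join the wrapped message with single spaces.
            entries[-1]["msg"] += (" " if entries[-1]["msg"] else "") + raw.strip()
    return entries


def domain_auth_failures(text):
    """Return user, domain, DC and DOS error for each domain_client_validate failure."""
    found = []
    for e in parse_entries(text):
        if e["func"] != "domain_client_validate":
            continue
        m = VALIDATE_FAIL.search(e["msg"])
        if m:
            hit = m.groupdict()
            hit["err"] = hit["err"].strip()  # e.g. "ERRDOS - ERRmoredata"
            hit["ts"] = e["ts"]
            found.append(hit)
    return found
```

Running `domain_auth_failures(SAMPLE_LOG)` on the constructed log yields one record for user frush in domain AGILENT with error "ERRDOS - ERRmoredata", which distinguishes this failure from a genuine wrong password.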



More information about the samba-technical mailing list