Changing Domains from NT4 / AD 2000
MCCALL,DON (HP-USA,ex1)
don_mccall at hp.com
Wed Apr 11 22:12:15 GMT 2001
Hi Kirk,
Don't know if this is your problem or not, but when working with 2.0.7 on HP-UX 11.0, we found this irregularity (only for NT users that had been moved from an NT 4.0 domain to a Win2k domain):
**********************************
When Windows users are migrated from Windows NT to Windows 2000 domains, to maintain backward access permissions, the migration tools add what is called SID history to the user accounts.
When a Samba server is used in domain authentication mode with migrated users, the authentication fails.
The problem is that, due to the addition of old security IDs (called SIDHistory) to the user accounts, when Samba authenticates a user against a Windows 2000 server and the user is authenticated properly, Win2k returns more information than Samba expects. Consequently Samba fails with a buffer overflow error.
You should be able to determine if this is happening to you by turning up your log level and reproducing the failure, then looking through the log file for a buffer overflow...
When a user is migrated from Windows NT to Windows 2000 running in native mode, Win2K preserves the user's old SID information in a Win2K native attribute called SID History.
When Samba authenticates such a user successfully against the Windows 2000 server (giving the right username and password), Windows 2K appends the SID history to the response. Samba isn't ready (not coded) to handle the extra SID information returned by Win2K servers, so it fails.
The workaround is to use Samba in server security mode.
*******************************************************
We (HP) have coded a fix for this for the 2.0.7 version we ship as part of the HP-UX 11.0 operating system.
Jeremy et al. - could this still be an issue with the 2.2 code? I can submit a patch for this as soon as I can find the lab guy who actually coded the fix, if you like.
Hope this helps,
Don
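The failure Don describes is a count/capacity mismatch: the domain controller reports how many group SIDs the user has, and a parser sized for the "normal" number overruns when SIDHistory pushes the count higher. The following is an added illustration, not Samba's code and not HP's fix: it uses a constructed wire format (32-bit count followed by 32-bit RIDs, standing in for real variable-length SIDs), a fixed-capacity parser that refuses a count larger than its array (an unchecked copy at that same point is the overflow described above), and a count-driven parser that sizes its result from the response. The RID lists, the format and the capacity constants are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed wire format for this illustration, NOT Samba's real NETLOGON
 * encoding: a 32-bit little-endian SID count, then that many 32-bit RIDs. */

#define LEGACY_MAX_SIDS 8     /* assumed fixed capacity of the old parser */
#define HARD_MAX_SIDS   1024  /* sanity cap for the count-driven parser */

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Encode a server response carrying n RIDs. Returns bytes written, or 0 if
 * the output buffer is too small. */
size_t build_response(uint8_t *out, size_t cap, const uint32_t *rids, uint32_t n)
{
    size_t need = 4 + (size_t)n * 4;
    if (need > cap) return 0;
    wr32(out, n);
    for (uint32_t j = 0; j < n; j++) wr32(out + 4 + j * 4, rids[j]);
    return need;
}

/* Fixed-capacity parser: the shape of the failure in the thread. The count
 * is chosen by the server, so a parser that copied `count` entries into a
 * LEGACY_MAX_SIDS array without the bounds check below would write past
 * the array as soon as SIDHistory pushed the count over the limit. Here the
 * oversize case is refused instead of overrun.
 * Returns the number of SIDs parsed, or -1 if the response does not fit. */
int parse_fixed(const uint8_t *buf, size_t len, uint32_t out[LEGACY_MAX_SIDS])
{
    if (len < 4) return -1;
    uint32_t n = rd32(buf);
    if (n > LEGACY_MAX_SIDS) return -1;        /* bounds check on server count */
    if (len < 4 + (size_t)n * 4) return -1;    /* truncated response */
    for (uint32_t j = 0; j < n; j++) out[j] = rd32(buf + 4 + j * 4);
    return (int)n;
}

/* Count-driven parser: allocate from the count in the response, capped so a
 * hostile or corrupt count cannot force a huge allocation. Caller frees *out.
 * Returns the number of SIDs parsed, or -1 on a malformed response. */
int parse_dynamic(const uint8_t *buf, size_t len, uint32_t **out)
{
    *out = NULL;
    if (len < 4) return -1;
    uint32_t n = rd32(buf);
    if (n > HARD_MAX_SIDS) return -1;
    if (len < 4 + (size_t)n * 4) return -1;
    uint32_t *v = calloc(n ? n : 1, sizeof *v);
    if (!v) return -1;
    for (uint32_t j = 0; j < n; j++) v[j] = rd32(buf + 4 + j * 4);
    *out = v;
    return (int)n;
}

/* Constructed sample group lists (RIDs only, values invented). The migrated
 * user's list is the plain user's groups plus nine entries standing in for
 * SIDHistory. */
static const uint32_t PLAIN_RIDS[] = { 513, 1105, 1120 };
static const uint32_t MIGRATED_RIDS[] = { 513, 1105, 1120,
    1001, 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009 };

/* Build a response for the given RIDs and run one of the two parsers over
 * it; returns that parser's result. */
int run_parser(int use_dynamic, const uint32_t *rids, uint32_t n)
{
    uint8_t buf[4 + 4 * HARD_MAX_SIDS];
    size_t len = build_response(buf, sizeof buf, rids, n);
    if (len == 0) return -1;
    if (!use_dynamic) {
        uint32_t fixed[LEGACY_MAX_SIDS];
        return parse_fixed(buf, len, fixed);
    }
    uint32_t *dyn;
    int r = parse_dynamic(buf, len, &dyn);
    free(dyn);
    return r;
}

int main(void)
{
    printf("fixed parser, plain user:    %d\n", run_parser(0, PLAIN_RIDS, 3));
    printf("fixed parser, migrated user: %d\n", run_parser(0, MIGRATED_RIDS, 12));
    printf("dynamic parser, migrated:    %d\n", run_parser(1, MIGRATED_RIDS, 12));
    return 0;
}
```

The point for a practitioner is the middle line: the same server, the same credentials, and a successful authentication still produce a parse failure for the migrated user, because the only thing that changed is the number of SIDs in the reply. Checking the server-supplied count against the buffer turns an overrun into a clean error; sizing from the count removes the failure altogether.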
-----Original Message-----
From: Kirk Shimek [mailto:Kirk.Shimek at trw.com]
Sent: Wednesday, April 11, 2001 4:46 PM
To: samba at lists.samba.org
Subject: Changing Domains from NT4 / AD 2000
Hello all.
AIX 4.3.3 / Samba 2.0.6 / Production NT4.0 domain
Security = DOMAIN
encrypt passwords = yes
update encrypted = yes
Action: Moving from the NT4.0 domain called nt40 to the AD 2000 domain called ad-domain
Problem: Users that have been migrated to ad-domain cannot authenticate to AIX SAMBA shares . . . the AIX SAMBA server is still part of the nt40 domain.
Explanation: I can, however, map / access the share if I use the "administrator" login of the ad-domain. We have a two-way trust between the nt40 domain and the 2000 ad-domain. This particular share configuration is:
guest account = guest
guest ok = yes
read only = no
create mask = 0777
force create mode = 0777
directory mask = 0777
force directory mode = 0777
browseable = yes
I don't want to move the AIX SAMBA server into the new 2000 ad-domain yet because I don't want to risk the production nt40 domain losing this share.
I'm still in testing mode with 2 live users logging into the 2000 ad-domain.
Everything else (printer and folder shares and even proxy) from the PC world works.
Please ask any further questions that you need answered to clarify the issue at hand. And of course any solutions.
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba