bug? Samba ADS member server does _not_ accept userid/pw but only kerberos

Stefan Beck becks at itereu.de
Mon Feb 9 06:46:52 GMT 2004

Andrew Bartlett wrote:
> On Sat, 2004-02-07 at 01:29, Gerald (Jerry) Carter wrote:
>>| Just to make sure: You DC is named IWS82328? It denies
>>| anonymous tconX to the IPC$ share, that's the symptom.
>>| No idea why it does it.
>>That's windows 2003 default policy.  RestrictAnonymous == 2 IIRC.

btw. we're using win2k

If this would the problem, why does 'smbclient -U user%pw -L //win2k' 
(or the net view command on win) works with other windows ads member 
servers? It _must_ be something specific to the samba server (?)

>>| As a workaround, could you try to run winbindd (not necessarily
>>| nss_winbind) and give it a valid user/password with
>>| 'wbinfo --set-auth-user=user%pass' to use to connect to the DC?
>>| This user does not have to have any rights in the DC's file system,
>>| it just needs a correct password.
>>Try tridge's schannel patch just for kicks :-)

winbindd is not an option since we're getting the unix users from nis. 
There share must be accessible via smb/nfs/appletalk.

If you'd like me to test something with winbindd that will help _here_, 
please tell me.

> That won't help for RA=2, but it is why we try a kerberos bind to the
> DC.  It sounds like the issue might simply be local kerberos
> configuration - does smbclient -k -Uuser%pass work?

This works flawlessly.


More information about the samba-technical mailing list