bug? Samba ADS member server does _not_ accept userid/pw but only kerberos
Stefan Beck
becks at itereu.de
Mon Feb 9 06:46:52 GMT 2004
Andrew Bartlett wrote:
> On Sat, 2004-02-07 at 01:29, Gerald (Jerry) Carter wrote:
>>| Just to make sure: Your DC is named IWS82328? It denies
>>| anonymous tconX to the IPC$ share, that's the symptom.
>>| No idea why it does it.
>>
>>That's windows 2003 default policy. RestrictAnonymous == 2 IIRC.
btw. we're using win2k
If this were the problem, why does 'smbclient -U user%pw -L //win2k'
(or the net view command on win) work with other windows ads member
servers? It _must_ be something specific to the samba server (?)
>>
>>| As a workaround, could you try to run winbindd (not necessarily
>>| nss_winbind) and give it a valid user/password with
>>| 'wbinfo --set-auth-user=user%pass' to use to connect to the DC?
>>| This user does not have to have any rights in the DC's file system,
>>| it just needs a correct password.
>>
>>Try tridge's schannel patch just for kicks :-)
winbindd is not an option since we're getting the unix users from nis.
The share must be accessible via smb/nfs/appletalk.
If you'd like me to test something with winbindd that will help _here_,
please tell me.
>
>
> That won't help for RA=2, but it is why we try a kerberos bind to the
> DC. It sounds like the issue might simply be local kerberos
> configuration - does smbclient -k -Uuser%pass work?
>
This works flawlessly.
regards
Stefan