Domain Authorization

John Evans samba at kilnar.com
Tue Apr 4 22:28:20 GMT 2000


Greetings,
	Normally I lurk on a list before posting, but I don't have the
luxury to take the time to lurk this time around. I apologize ahead of
time for any breaches of etiquette that you have on the list.
	I have just setup a RedHat 6.0 system with Samba 2.0.6 (via RPM
packages, not source.) I've been adminning Linux for four years, but this
is my first attempt with Samba, so I'm having problems with it.
	I am on a network with an NT PDC (not sure of details on the PDC
since it's not my machine to work on) and I am trying to share out
directories on the Linux box so that people can use the PDC to
authenticate and get access to the directories. I have the directories
shared out and they are visible in Windows Explorer from an NT4/SP5
workstation, but I am not able to access the contents of the directories.
	Each time I try to open a share, I am prompted for a
username/password (U/P) and no matter what I type, I cannot get in. While
experimenting, I discovered that if I create a U/P set on the Linux system
that is identical to my network U/P, then I am able to enter the shares.
This solution is not good since there are over 1300 accounts on the
network and I surely don't want to duplicate them all on the Linux box.
	I've read all of the documentation that I can find on the 'net and
in O'Reilly's Samba book, but I'm missing something. Here is my smb.conf
with all of the comments and fluff removed:

[global]
   workgroup = COS
   netbios name = PRODMARK
   server string = Super-Duper Samba (%v)
   hosts allow = 10.112. 10.96. 127.
   log file = /var/log/samba/log.%m
   max log size = 50
   security = server
   password server = CPSRV1 ZIEGE GOAT CORBA
   encrypt passwords = yes
   smb passwd file = /etc/smbpasswd
   unix password sync = Yes
   passwd program = /usr/bin/passwd %u

## These two lines wrap in email, but in the .conf it's on one line
   passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* \
%n\n *passwd:*all*authentication*tokens*updated*successfully*

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   local master = no
   os level = 20
   domain master = no
   preferred master = no
   domain logons = no
   name resolve order = wins host lmhosts bcast
   wins support = no
   wins server = 10.112.2.2
   wins proxy = no
   dns proxy = no
### I have multiple shares, but they all look like the following
### with different users in the write list. I am trying to create
### a share that only listed people have access to and everyone
### else is rejected.
[STIWeb]
  comment = Sales Tools Intranet Web Site
  path = /export/www/STIWeb
  browseable = yes
  admin users = pcooke jevans
  write list = pcooke jhinz spalanuk lvigil lekdahl jkovalik jevans


	One last bit of information. According to DOMAIN_MEMBER.txt I
needed to run the following command: smbpasswd -j COS -r CPSRV1
That command returned the following:
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
cli_nt_setup_creds: auth2 challenge failed
modify_trust_password: unable to setup the PDC credentials to machine
CPSRV1. Error was : NT_STATUS_ACCESS_DENIED.
2000/04/04 16:15:48 : change_trust_account_password: Failed to change
password for domain COS.
Unable to join domain COS.

	Could this be the cause of my problems? The box used to be an NT
machine (until I "upgraded" it to Linux yesterday) and it already had a
machine account setup with the PDC. If this is the root of my pain, how do
I work around this?

	I would really appreciate any information that you could provide
on getting "prodmark" (my Linux box) to make the PDC handle
authentication.


Thanks,
John Evans



More information about the samba mailing list