Many, many problems. (Samba 2.2.0)

MCCALL,DON (HP-USA,ex1) don_mccall at hp.com
Wed Apr 25 19:58:10 GMT 2001


Hello Evan,
The first approach you tried to take I believe is the best.
There are a couple of things you might want to check on:
1. In the smb.conf line:  workgroup = [our workgroup]  is 'our workgroup'
   listed there the same as the Win2k Domain that you are trying to
   authenticate against?
2. When you did your smbpasswd command to join the domain, did it succeed?
3. Are your win2k servers set up to respond to an NTLMv1 authentication
   request? (This is default behavior unless the Win2k domain admins have
   explicitly specified ONLY ntlm2 and kerberos authentication methods.)
4. You mention that the pdc refused the authentication in the log files; can
   you verify (or post the log file so that we can) whether the negotiation
   actually occurred and the pdc refused the authentication, or whether the
   pdc was 'unavailable', so the authentication to the pdc failed...
5. You probably wouldn't want to continue in this mode, but as a test,
   change your smb.conf file so that instead of security = domain, you use
   security = server, and point your password server = pdc.  Then try to
   attach to your samba share with an nt/win2k user whose nt username is the
   same as the unix username on your samba server, and see if you succeed.
   Security = server uses an authentication method a bit more
   straightforward than security = domain, and if it works will answer the
   question as to whether your Win2k 'pdc' can handle the ntlmv1 method that
   samba is going to use.
6. You said that this failed both on an NT AND a Win2k client, right?  And
   the NT and/or the Win2k client ARE members of the Win2k domain that you
   want samba to authenticate against, right?


Let us know,
Don

-----Original Message-----
From: Leon, Evan [mailto:evan.leon at nickonline.com]
Sent: Wednesday, April 25, 2001 2:56 PM
To: 'samba at lists.samba.org'
Cc: Zegdi, Malik
Subject: Many, many problems. (Samba 2.2.0)



First off, I'll start out with the environment we're using:

Solaris 7 (Kernel patch 106541-15) running on an E3500
Samba 2.2.0 (we were using 2.0.6, but upgraded because we thought it would
help)
We recently migrated to a Win2K environment.

I should also preface this by mentioning that we have fully read through the
documentation, have searched the mailing list archives for two days
straight, and read all of the text and html documentation pertaining to
these problems (and run through all the tests in DIAGNOSTICS.txt at least
three times).

We are building this machine to try and replace an NT box, and these
problems are preventing us from doing so.
The box is not supposed to act as a PDC, we simply want it to share certain
directories on this machine, and preferably authenticate users from the
domain's PDC.

First problem:

The option "security = domain" does not seem to work properly.  Here is the
smb.conf file we were using to try this out: (omitted information replaced
by text in [])

[global]
        lock directory = /var/adm/sambalock
        server string = [hostname]
        password server = [our domain pdc and bdcs, we also tried using * here]
        encrypt passwords = yes
        security = domain
        preferred master = no
        wins support = no
        socket options = TCP_NODELAY
        workgroup = [our workgroup]
        log file = /usr/local/samba/var/log.%m
        max log size = 50
        domain master = no
        local master = no
        wins server = [xx.xx.xx.xx]
        wins proxy = no
        dns proxy = no
        hide dot files = no
        netbios name = [hostname]

[iwdefault]
        comment = archive directory
        path = [path]
        read only = No
        create mask = 0775
        locking = No
        share modes = No

We then added the machine to the domain from one of the Win2K boxes, and ran
smbpasswd -j [DOMAIN] -r [PDC].  From what our NT admin was trying to
explain to us, it sounds like Win2k has decentralized its environment, so
there is no single primary domain controller, and multiple machines have
access to the SAM.  Regardless, we were still pointing to the old PDC.  We
then put some users into the smbpasswd file, with the same password they use
for the NT domain.

Clicking on the machine in network neighborhood on a Win2k box and an NT4
box displays the message "\\[machine] is not accessible.  Access denied."
Looking at the logs, it says that the PDC refused the authentication.  All
three passwords (NT domain, smbpasswd, and UNIX password for that account)
are all identical.

After trying to fix this unsuccessfully for a long time, we decided that we
had a second option.  To spare all the details, it would rely on using unix
password sync to update the UNIX password after changing the smbpasswd
entry.  This also does not work.

Here is the smb.conf file we are trying out with the second option:

[global]
  lock directory = /var/adm/sambalock
  server string = [hostname]
  encrypt passwords = Yes
  preferred master = no
  wins support = no
  security = user
  socket options = TCP_NODELAY
  workgroup = [workgroup]
  log file = /usr/local/samba/var/log.%m
  log level = 5
  max log size = 50
  domain master = no
  local master = no
  wins server = [wins server]
  wins proxy = no
  wins support = no
  dns proxy = no
  hide dot files = no
  unix password sync = yes
  passwd chat = *word* %n\n *word* %n\n *changed*
  passwd chat debug = yes
  passwd program = /usr/bin/passwd %u

[iwserver]
  comment = test directory
  public = no
  create mode = 0775
  writable = yes
  locking = no
  share modes = no
  preserve case = yes
  short preserve case = yes
  path = [path]
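
Added example, not part of the original thread and not Samba project code: a static check of an smb.conf [global] section covering the configuration-side items from the reply (workgroup matches the domain, security mode, password server, encrypted passwords), plus duplicate parameters. The sample values CORP, PDC1 and BDC1 and both function names are assumptions made for illustration.

```python
import re
# Constructed sample modelled on the first smb.conf in the thread; made-up values.
SAMPLE = """\
[global]
    password server = PDC1 BDC1
    encrypt passwords = yes
    security = domain
    workgroup = CORP
    wins support = no
    wins support = no
[iwdefault]
    path = /export/archive
"""

def parse_global(text):
    """Return ({param: value}, [duplicates]) for [global]; names ignore case/spaces."""
    params, dupes, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        if key in params:
            dupes.append(key)
        params[key] = value.strip()
    return params, dupes

def check_domain_member(text, expected_domain):
    """Static version of checks 1 and 5 from the reply; returns a list of findings."""
    p, dupes = parse_global(text)
    out = [f"duplicate parameter: {d}" for d in dupes]
    mode = p.get("security", "user").lower()
    if mode == "server":
        out.append("security = server: test setting only, switch back to domain")
    if mode in ("domain", "server") and not p.get("passwordserver"):
        out.append("password server is not set")
    if mode == "domain":
        if p.get("encryptpasswords", "no").lower() not in ("yes", "true", "1"):
            out.append("security = domain expects encrypt passwords = yes")
        if p.get("workgroup", "").upper() != expected_domain.upper():
            out.append(f"workgroup {p.get('workgroup')!r} != domain {expected_domain!r}")
    return out
```

This only covers what can be read from the file; whether the domain join succeeded and what the PDC answered still have to come from the smbpasswd output and the log file.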


