Samba, NT4 and W2K trust/authentication problem.

m_marmaridis at email.com m_marmaridis at email.com
Mon Mar 5 22:24:22 GMT 2001 

Hi Jensen,

when switching a domain from mixed to native mode like you have, all the
Win2K clients will automatically start to use Kerberos authentication to the
DC(s) rather than NTLM, which will also remain in use so that any NT clients
can also log on to the native Win2K domain.

This is what I think causes the problem in your situation. The Win2K clients
have switched over to using Kerberos authentication. There should be a way
to revert the Win2K clients back to using NTLM instead and get your
passthrough authentication working again; - I have not tried that personally
though.

HTH,
Regards,
Makis.




> -----Original Message-----
> From: samba-admin at us5.samba.org [mailto:samba-admin at us5.samba.org]On
> Behalf Of Jensen, Rolf
> Sent: Tuesday, March 06, 2001 1:54 AM
> To: 'samba at lists.samba.org'
> Subject: Samba, NT4 and W2K trust/authentication problem.
>
>
> Hi all,
>
> Set-up:
> Local NT4-RESOURCE domain which the Samba server is a member off.
> One NT4-ADMIN domain with users accounts and one W2K domain
> with some other user accounts. A one way trust from NT4-ADMIN
> to NT4-RESOURCE and a one way trust from W2K to NT4-RESOURCE.
> Samba version 2.0.7 running on Solaris 2.6.
>
> According to the NT admins, the W2K domain is in native mode,
> but they still use Netbios.
>
> The problem is that passthrough authentication only works for
> users in the NT4-ADMIN domain and not for users in the W2K domain
> connecting with W2K workstations.
>
> The relevant section from smb.conf:
> workgroup = NT4-RESOURCE
> security = domain
> password server = NT4-RESOURCE-PDC
> encrypt passwords = yes
>
>
> The error message I get in the client log file:
> domain_client_validate: unable to validate password for user jensero
> in domain W2K to Domain controller NT4-RESOURCE-PDC .
> Error was code 0.
>
> More debug info is at the end of this mail.
>
> I've tried to use a W2K domain controller as the password server,
> but then I get the following error:
> connect_to_domain_password_server: unable to setup the PDC
> credentials
> to machine W2KDC1. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
>
>
> Any help is appreciated.
>
> Thanks
>
> Rolf Jensen
>
>
> PS: All Domains are fictitious.
>
>
> [2001/03/05 14:22:43, 0] smbd/password.c:domain_client_validate(1470)
>   domain_client_validate: unable to validate password for
> user jensero in
> domain W2K to Domain controller NT4-RESOURCE-PDC. Error was code 0.
> [2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
>   Couldn't find user 'jensero' in smb_passwd file.
> [2001/03/05 14:22:43, 2] smbd/reply.c:reply_sesssetup_and_X(914)
>   NT Password did not match for user 'jensero' ! Defaulting to Lanman
> [2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
>   Couldn't find user 'jensero' in smb_passwd file.
> [2001/03/05 14:22:43, 1] smbd/reply.c:reply_sesssetup_and_X(925)
>   Rejecting user 'jensero': authentication failed
> [2001/03/05 14:22:43, 3] smbd/error.c:error_packet(127)
>   32 bit error packet at line 639 cmd=115 (SMBsesssetupX)
> eclass=c000006d
> [Error: Unknown error (109,49152)]
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list