[Samba] FW: Samba and Windows 2000 Password Authentication - Here is the Answer.

David Neilson DNeilson at westfam.com
Tue Dec 10 01:10:10 GMT 2002

To Samba Users Group:

I posted the message below, and a member of the group called me and talked
me through the problem.  The solution is at the bottom of the page.   

>  -----Original Message-----
> From: 	David Neilson  
> Sent:	Monday, December 09, 2002 3:40 PM
> To:	'samba at lists.samba.org'
> Subject:	Samba and Windows 2000 Password Authentication
> Is there a way to configure Samba so that all password authentication is
> done through the Windows domain controllers?  
> As I understand it, the variable "encrypt passwords" must be set to yes if
> "security" is set to "domain".  This causes Samba to reference the
> smbpasswd file, so if the W2K user's password on the domain controller is
> not the same as that in the smbpasswd file, Samba will prompt the user for
> the password in smbpasswd.  
> I have tried various options, like setting "security" equal to the server,
> and "password server" equal to domain controller, but it all works the
> same:  the user has to enter the smbpasswd password to get authenticated.
> If this is not possible, is there a way to sync up the passwords between
> the domain controllers and the smbpasswd file?  
> David Neilson
> Western Family Foods, Inc.
> System Administrator
> 503 639 6300 x370
The Answer:

When the Windows Administrator had created the machine account in the
domain, I assumed I did not have to use the "smbpasswd" command to create
the trust relationship between the Samba Server and the domain.  I was
wrong, and once I followed the steps below, I could log onto the domain and
then access Samba shares without getting asked for a password:

Update the global section of the smb.conf file to include the following:
security = domain
password server = *
encrypt passwords = yes
smbpasswd file = THE_FILE_PATH_AND_NAME
os level = 0 ### This server will never become a domain controller

Stop the smbd and nmbd daemons.

Run the smbpasswd command to establish a trust relationship:
smbpasswd -j MY_COMPANY_DOMAIN -r DOMAIN_CONTROLLER -Uadministrator%password

Start up the Samba daemons.

More information about the samba mailing list