[Samba] Question regarding Samba and security = share

[matthew.r.hamilton at convergys.com]

I am really new to configuring and maintaining samba, and have what I
belive should be a quick question.

I have recently installed Samba 2.2.2 on a Solaris 8 server.  I need to
make a directory on the samba server accessable by a small group of people
here at work.  The users who will be connecting to the samba share do not
have accounts on the samba server.  The are coming from Windows 2K boxes
that are part of a Windows Domain.  From reading both the smb.conf man
pages as well as the "Samba UNIX and NT Internetworking book", this is a
clear cut case for using the 'security = share' authentication option.  I
created a basic smb.conf file as well as a 'username map' file that is
supposed to map the windows ids to the unix id that has access to this
share.

Below is the sample smb.conf:
==========================
[global]
      server string = "Just a samba server"
      security = share
      netbios name = chicago
      workgroup = MYWRKGRP
      domain logins = no
      socket options = TCP_NODELAY
      username map = /usr/local/samba/lib/chicago.map
      preferred master = no
      local master = no
      os level = 0
      domain master = no
      dns proxy = no
      wins server = xxx.xxx.xxx.xxx

[sandbox]
      path = /opt/home/smbguest
      valid users = smbguest
      writeable = yes
      guest ok = no

============================

chicago.map:
============================
smbguest = mhamilto jdoe jsmith
============================


The problem that I am running into is that when I try to access the share
sandbox on the server I get a dialog window that pops up with the message:
"Incorrect password or unkown username for \\chicago\sandbox" and has a
"Connect As:" and "Password:" entry.

In the samba log for that connection I have the following:
====================================
[2002/02/22 14:11:37, 3] smbd/reply.c:reply_sesssetup_and_X(855)
  Domain=[MYWRKGRP]  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows
2000 5.0]
[2002/02/22 14:11:37, 3] smbd/reply.c:reply_sesssetup_and_X(866)
  sesssetupX:name=[MHAMILTO]
[2002/02/22 14:11:37, 6] param/loadparm.c:lp_file_list_changed(2203)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf  last
mod_time: Fri Feb 22 14:10
:43 2002

[2002/02/22 14:11:37, 4] lib/username.c:map_username(91)
  Scanning username map /usr/local/samba/lib/chicago.map
[2002/02/22 14:11:37, 10] lib/username.c:user_in_list(407)
  user_in_list: checking user MHAMILTO in list  mhamilto jdoe jsmith
[2002/02/22 14:11:37, 3] lib/username.c:map_username(124)
  Mapped user MHAMILTO to smbguest

[2002/02/22 14:11:37, 2] smbd/reply.c:reply_sesssetup_and_X(980)
  Defaulting to Lanman password for smbguest
[2002/02/22 14:11:37, 4] smbd/password.c:password_ok(592)
  Null passwords not allowed.
[2002/02/22 14:11:37, 3] smbd/reply.c:reply_sesssetup_and_X(1018)
  Registered username smbguest for guest access
[2002/02/22 14:11:37, 7] param/loadparm.c:lp_servicenumber(3440)
  lp_servicenumber: couldn't find smbguest

===========================================
It maps my windows id 'mhamilto' to the unix id on the server 'smbguest'
just like the documentaion says it would.  But then why does it seem to be
that it is then going somewhere else to lookup the unix id 'smbguest'??  I
have the user 'smbguest' in the smbpasswd file, and I thought that by
adding the user in this file that samba uses this file to authenticate the
'smbguest' user.

Is there a problem with the fact that the Win2k clients are logged into a
Windows Domain and have authenticated themselves against a domain
controller?

Any help would be quite appreciated.

Thanks in advance.


--

NOTICE:  The information contained in this electronic mail transmission is
intended by Convergys Corporation for the use of the named individual or
entity to which it is directed and may contain information that is
privileged or otherwise confidential.  If you have received this electronic
mail transmission in error, please delete it from your system without
copying or forwarding it, and notify the sender of the error by reply email
or by telephone (collect), so that the sender's address records can be
corrected.