[Samba] Problem with Samba 2.2.4

[Frank Fürst]

"Stefan Demarmels @ Digitag AG" <s.demarmels at digitag.ch> schrieb:

> My Problem is:
> I can't connect with a Win2kmachine to Sambaserver2 witch get the
> passwords on Sambaserver1. I can create the machine account, but I
> can't login with a user. Also i have to create a smbpasswd (with the
> machineaccount only) on Sambaserver2, otherwise the Sambaserver2 isn't
> able to check the W2kclients machineaccount on sambaserver1 and the
> message appears "Can't finde the Domain XXX".
>
> If I connect with a WinMe- oder a Win9x-client at the Sambaserver2 I
> don't have any problem and I don't have to create a smbpasswd or
> eather use the "encrypted password"-parameter on Sambaserver2. All is
> working just fine!
> When I connect with the same Win2k,9x,Me-client's to the Sambaserver1
> -> I don't have any problem.
> 
> About my configuration:
> 
> Sambaserver1 on Subnet 1 (192.168.1.0/24):
> - security = user
> - encrypt passwords = yes
> - smb passwd file = /etc/samba/smbpasswd
[...]
> - domain logons = yes
> 
> Sambaserver2 on Subnet2 (192.168.4.0/24):
> - security = server
[...]
> - domain logons = yes

It seems to as what you want to implement is a kind of trust
relationship: Sambaserver2 is a domain controller of its own, but trusts
users authenticated by Sambaserver1. I'm not sure about this, but as far
as I know this is impossible with Samba 2.2.4.

What you should do is set up Sambaserver2 as a member server in the
domain for which Sambaserver1 is domain controller. Give them identical
workgroup names and set domain logons to false for Sambaserver2.

> This two Subnets are connected via a IPSec-Tunnel and all things else
> works just fine.

Perhaps you can synchronize /etc/samba/smbpasswd and /etc/passwd every
day or the other, in order to be able to quickly switch Sambaserver2 to
an ordinary, standalone PDC in case the tunnel is unusable.

Bye, Frank
-- 
Frank Fürst, physikalische Biochemie, Universität Potsdam, Germany
Tel.: +49-331-977-5244		Fax: +49-331-977-5062