[Samba] Re: Need to join domain for security=domain (was: somebody please help)
Andrew Bartlett
abartlet at pcug.org.au
Sat May 11 17:22:02 GMT 2002
Thamara Wanigatunga wrote:
>
> Dear all,
>
> I have a serious problem that I can't rectify. My smb.conf is as follows. I
> use Solaris 2.6 on SPARC
> The samba server is shown in the network neighborhood. When security is set
> to domain users are prompted for the password that does not happen if
> security is set to server.
>
> Log.winbind
>
> [2002/05/09 12:54:13, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2002/05/09 12:54:13, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
> cli_nt_setup_creds: auth2 challenge failed
You need to join the machine to the domain. Creating 'computer
accounts' on the local machine is of no use, unless you are the PDC.

Run 'smbpasswd -j -r PDC -Uadministrator%password' to join the NT
domain.

This will allow samba to connect to the PDC, and ask it to verify an
arbitrary challenge/response pair. Security=server does not require
this, but instead allows PDC spoofing and is much less reliable -
particularly under load. (It is a really gross hack that effectively
mounts a man-in-the-middle attack on the PDC to do its job).

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
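
An added example, not part of the original post or of Samba's own code: a small audit that reads the `[global]` section of an smb.conf and flags the two `security` modes discussed in the reply above. The sample configuration, the function names and the finding texts are constructed for illustration.

```python
# Added example: audit the [global] 'security' setting of an smb.conf.
# SAMPLE_CONF is constructed for illustration; it is not from the post.
SAMPLE_CONF = """\
; constructed sample
[global]
   workgroup = EXAMPLEDOM
   Security = SERVER
   password server = pdc1
[homes]
   read only = no
"""


def parse_global(text):
    """Collect [global] parameters from smb.conf text.

    smb.conf ignores case and whitespace in section and parameter names,
    treats lines starting with '#' or ';' as comments, and joins a line
    ending in a backslash with the next one.
    """
    params, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = "".join(line[1:-1].split()).lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip()
    return params


def audit_security_mode(text):
    """Return (mode, findings); mode is '' when 'security' is not set."""
    mode = parse_global(text).get("security", "").lower()
    findings = []
    if mode == "server":
        findings.append("security = server allows PDC spoofing; join the "
                        "domain and switch to security = domain")
    elif mode == "domain":
        findings.append("security = domain needs a machine account: join "
                        "with 'smbpasswd -j -r PDC -U<admin>' first")
    return mode, findings


if __name__ == "__main__":
    mode, findings = audit_security_mode(SAMPLE_CONF)
    print(mode or "(unset)", *findings, sep="\n")
```

Only the `[global]` section is inspected, so a stray `security` line inside a share definition is not reported.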