[Samba] Re: Need to join domain for security=domain (was: somebody please help)

Andrew Bartlett abartlet at pcug.org.au
Sat May 11 17:22:02 GMT 2002

Thamara Wanigatunga wrote:
> Dear all,
> I have a serious problem that I can't rectify. My smb.conf is as follows. I
> use Solaris 2.6 on SPARC

> The samba server is shown in the network neighborhood. When security is set
> to domain, users are prompted for the password, which does not happen if
> security is set to server.
> Log.winbind
> [2002/05/09 12:54:13, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2002/05/09 12:54:13, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed

You need to join the machine to the domain.  Creating 'computer
accounts' on the local machine is of no use, unless you are the PDC.

Run 'smbpasswd -j -r PDC -Uadministrator%password' to join the NT

This will allow samba to connect to the PDC, and ask it to verify an
arbitrary challenge/response pair.  Security=server does not require
this, but instead allows PDC spoofing and is much less reliable -
particularly under load.  (It is a really gross hack that effectively
mounts a man-in-the-middle attack on the PDC to do its job).

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
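
A defensive check for the setting discussed in this reply, as an added example that is not part of the original post and not Samba's own code: it reads the [global] section of an smb.conf and reports which authentication mode is configured, flagging security = server. The sample configuration and all function names are constructed for illustration.

```python
import re

# Constructed sample configuration, not the poster's smb.conf.
SAMPLE_CONF = """\
# constructed example
[global]
   workgroup = EXAMPLE
   Security = SERVER
   password server = PDC1, \\
      PDC2
[homes]
   security = domain
"""

def _key(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the parameters of the [global] section as a dict."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _key(line[1:-1])
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)   # only the first '=' is significant
            params[_key(name)] = value.strip()
    return params

def audit_security_mode(text):
    """Return (mode, findings) for the 'security' parameter in [global]."""
    mode = parse_global(text).get("security", "").lower()
    findings = []
    if mode == "server":
        findings.append("security = server relays logons to the password server "
                        "and allows PDC spoofing; join the domain and use "
                        "security = domain")
    elif mode == "domain":
        findings.append("security = domain needs the machine joined to the "
                        "domain, or netlogon setup fails with "
                        "NT_STATUS_ACCESS_DENIED")
    return mode, findings
```
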
