[Samba] Problem authenticating against a W2K server

Ingimar Robertsson iar at skyrr.is
Thu Nov 28 10:01:02 GMT 2002 

Hi there.

I'm having a problem letting a Samba server (MYSAMBA) authenticate users
(using "security = domain" and a "password server = MYPDC") against a
Windows 2000 PDC (MYPDC).  The Windows 2000 machine seems (I'm not 100%
sure about this) to be configured to restrict anonymous and it seems to
me that this is where the problem lies but don't know what to do.

I joined the MYDOMAIN domain by first confirming that MYSAMBA was not already
a member of the domain.  Then I issued the following command:

  smbpasswd -j MYDOMAIN -r MYPDC -U Administrator

And the Windows administrator typed in the password.  The command responded
that I had joined the domain and a secrets.tdb file got created in the
/etc/samba directory.  We confirmed on the Windows side that the machine
was now a member of the domain.

So.. anyone have some pointers for me?  Below are some more information
about my setup and the errors I get.  Hope it's not too much or too
irrelevant. :-)

This is what I get if I try to connect to a share on MYSAMBA from a Linux
client (MYCLIENT):

  [username at MYCLIENT]$ smbclient //MYSAMBA/tmp -U username -W MYDOMAIN
  added interface ip=10.10.20.42 bcast=10.10.20.255 nmask=255.255.255.0
  Password:        <- Here I typed in the password, not empty password
  session setup failed: NT_STATUS_LOGON_FAILURE
  [username at MYCLIENT]$ 

And I get this in the /var/log/samba/10.10.20.42.log file:

  [2002/11/28 09:39:53, 0] smbd/password.c:connect_to_domain_password_server(1335)
    connect_to_domain_password_server: machine MYPDC rejected the tconX on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
  [2002/11/28 09:39:53, 0] smbd/password.c:domain_client_validate(1599)
    domain_client_validate: Domain password server not available.
  [2002/11/28 09:39:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
    unable to open passdb database.
  [2002/11/28 09:39:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
    unable to open passdb database.

The Windows administrators can't see anything in the logs on MYPDC but I've
confirmed using tcpdump that there is a dialogue between MYSAMBA and MYPDC.

Here are also some commands I use to test connections from MYSAMBA to MYPDC:

  [root at MYSAMBA]# smbclient -L MYPDC       
  added interface ip=10.10.10.90 bcast=10.10.10.255 nmask=255.255.255.0
  added interface ip=10.10.10.91 bcast=10.10.10.255 nmask=255.255.255.0
  Password:       <-- Just type Enter (emtpy password)
  Anonymous login successful
  Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  tree connect failed: NT_STATUS_ACCESS_DENIED

  [root at MYSAMBA]# smbclient //MYPDC/ipc\$ 
  added interface ip=10.10.10.90 bcast=10.10.10.255 nmask=255.255.255.0
  added interface ip=10.10.10.91 bcast=10.10.10.255 nmask=255.255.255.0
  Password:        <-- Just type Enter (emtpy password)
  Anonymous login successful
  Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  tree connect failed: NT_STATUS_ACCESS_DENIED

  [root at MYSAMBA]# smbclient //MYPDC/ipc\$ -U username  
  added interface ip=10.10.10.90 bcast=10.10.10.255 nmask=255.255.255.0
  added interface ip=10.10.10.91 bcast=10.10.10.255 nmask=255.255.255.0
  Password:       <-- Type the password of the user "username"
  Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
  smb: \> ls
  NT_STATUS_ACCESS_DENIED listing \*
  
                  0 blocks of size 0. 0 blocks available
  smb: \> quit
  [root at mars samba]# 

Here are my globals from smb.conf:

 [global]
    workgroup = MYDOMAIN
    netbios name = MYSAMBA
    server string = Samba Print Server
    security = DOMAIN
    encrypt passwords = Yes
    password server = MYPDC
    syslog only = Yes
    log file = /var/log/samba/%I.log
    max log size = 0
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    dns proxy = No
    name resolve order = lmhosts wins bcast host
    local master = no
    remote announce = 10.10.10.255 10.10.20.255
    hosts allow = 127. 10.10.10. 10.10.20.
    printing = lprng



Best regards,

Ingimar

-- 
Ingimar Robertsson, Systems Administrator       EMAIL: iar at skyrr.is
Skyrr Ltd, Iceland Information Management       TEL:   +354-5695100
Armuli 2, 108 Reykjavik, ICELAND                FAX:   +354-5695128
            http://www.skyrr.is/legal/disclaimer.txt

More information about the samba mailing list