[Samba] problem configuring smbd for domain authentication

Esler, Joel Contractor EslerJ at RCERT-S.ARMY.MIL
Mon Feb 24 21:45:44 GMT 2003


With AD / Win2k you have to use encrypted passwords.  To create a password
file for Samba:

#  cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd

# chmod 600 /etc/samba/smbpasswd

# smbpasswd <username>

Encrypted passwords must be enabled in the smb.conf

in the [global] section

encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd






-----Original Message-----
From: rohitm at engr.uconn.edu [mailto:rohitm at engr.uconn.edu]
Sent: Monday, February 24, 2003 4:47 PM
To: samba at lists.samba.org
Subject: [Samba] problem configuring smbd for domain authentication


Hello everyone, I am trying to configure a Samba 2.2 server to allow users
to mount their home
directories (stored on a UNIX filesystem) from Windows after authenticating
against a Windows 2000
Domain Controller.  

The Samba server is 2.2.3a compiled with acl support on Solaris 8.  I think
I am experiencing some (hopefully)
basic configuration issues and can't seem to get it to work.  I really hope
someone can help!

The name of our Windows 2000 Domain is ad.... The domain controller is
(aptly named) dc.  I have placed a static
record in WINS for the samba server, and added a record to the Active
Directory Computers container for it as well.
The domain controller is a mixed-mode controller (I read in the docs that
doesn't make any difference but I thought
I'd mention it) and it is the only domain controller for the AD domain.

With the command, "smbpasswd -r DC -j ad... -UAdministrator%mypassword", I
get a successful response:
		Joined domain AD.

However, when I get on a Windows 2000 machine (which is also a member of the
domain AD), and try
to mount \\mysambaserver\acls as a user who is already authenticated in the
AD domain, it fails
(the windows end seems to hang and *eventually* prompts me for another
username password) and 
I see the following in my samba logs:

  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
[2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
  unable to open passdb database.
[2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
  unable to open passdb database.
[2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
[2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.

Here is a listing of my smb.conf file:
[global]
# debug level = 2
   # Stuff needed by nmdb first
   interfaces = myip
   domain master = no
   local master = no
   preferred master = no
   os level = 0
   log file = /tmp/slog
   wins server = 192.168.28.13
   guest account = nobody
   encrypt passwords = Yes
#   security = server
   security = domain
   workgroup = ad
   password server = dc
   username map=/usr/local/samba/lib/ntstaff.map
   invalid users = root

[homes]
   comment = Home Directories
   locking = no
   browseable = no
   read only = no
   force create mode = 0750
   create mode = 0750
   force directory mode = 0750
   directory mode = 0750
   preserve case = yes

[acls]
   Comments = Account information
   path = /export/home/acls
   create mode = 660
   force create mode = 660
   directory mode = 770
   force directory mode = 770
   preserve case = yes
   browseable = yes


I am fairly certain the ntstaff.map file is correct as it works in other
configurations. I'll post the line with the username
I used:
!rotest2 = rotest2


If anyone would like any more information I'd be happy to provide it.  I am
really stumped right now as I think everything I am
trying to do should work, but I don't know what I am doing wrong.  I would
be most grateful for any assistance.

Thanks,


Rohit Kumar Mehta
University of Connecticut
School of Engineering
Systems Manager
rohitm at engr.uconn.edu
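
The three settings named in the reply at the top of this thread (the `encrypt passwords` parameter, the `smb passwd file` path and its 600 mode) can be checked mechanically. The following is an added example, not part of the original thread or of Samba's own code; the function names and both sample configurations are constructed for illustration.

```python
import os, re, stat, tempfile

def parse_global(text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Match names ignoring case and spacing ("Encrypt  Passwords").
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit(conf_text):
    """Return a list of findings for the encrypted-password settings."""
    g, findings = parse_global(conf_text), []
    if "encryptpassword" in g:
        findings.append("'encrypt password' is not a parameter; use 'encrypt passwords'")
    if g.get("encryptpasswords", "").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords is not enabled in [global]")
    path = g.get("smbpasswdfile")
    if path is None:
        findings.append("smb passwd file is not set in [global]")
    elif not os.path.isfile(path):
        findings.append(f"{path} does not exist")
    elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append(f"{path} is accessible to group/other; chmod 600 it")
    return findings

def demo():
    """Audit two constructed configs against a throwaway smbpasswd file."""
    with tempfile.TemporaryDirectory() as d:
        pw = os.path.join(d, "smbpasswd")        # constructed sample file
        open(pw, "w").close()
        os.chmod(pw, 0o644)                      # too permissive on purpose
        bad = audit(f"[global]\n  encrypt password = yes\n  smb passwd file = {pw}\n")
        os.chmod(pw, 0o600)
        good = audit(f"[global]\n  Encrypt Passwords = Yes\n  smb passwd file = {pw}\n")
    return bad, good

if __name__ == "__main__":
    for finding in demo()[0]:
        print("FINDING:", finding)
```

Running `audit()` on the text of a real smb.conf reports a misspelled parameter name separately from a disabled one, since Samba ignores names it does not recognise and the setting then stays at its default.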