[Samba] problem configuring smbd for domain authentication
Esler, Joel Contractor
EslerJ at RCERT-S.ARMY.MIL
Mon Feb 24 21:45:44 GMT 2003
with AD / Win2k you have to use encrypted passwords. to Create a password
file for Samba:
# cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
# chmod 600 /etc/samba/smbpasswd
# smbpasswd <username>
Encrypted passwords must be enabled in the smb.conf
in the [global] section
encrypt password = yes
smb passwd file = /etc/samba/smbpasswd
-----Original Message-----
From: rohitm at engr.uconn.edu [mailto:rohitm at engr.uconn.edu]
Sent: Monday, February 24, 2003 4:47 PM
To: samba at lists.samba.org
Subject: [Samba] problem configuring smbd for domain authentication
Hello everyone, I am trying to configure a Samba 2.2 server to allow users
to mount their home
directories (stored on a UNIX filesystem) from Windows after authenticating
against a Windows 2000
Domain Controller.
The Samba server is 2.2.3a compiled with acl support on Solaris 8. I think
I am experiencing some (hopefully)
basic configuration issues and can't seem to get it to work. I really hope
some can help!
The name of our Windows 2000 Domain is ad.... The domain controller is
(aptly named) dc. I have placed a static
record in WINs for the samba server, and added a record to the Active
Directory Computers container for it as well.
The domain controller is a mixed-mode controller (I read in the docs that
doesn't make any difference but I thought
I'd mention it) and it the only domain controller for the AD domain.
With the command, "smbpasswd -r DC -j ad... -UAdministrator%mypassword", I
get a successful response:
Joined domain AD.
However, when I get on a Windows 2000 machine (which is also a member of the
domain AD), and try
to mount \\mysambaserver\acls as a user who is already authenticated in the
AD domain, it fails
(the windows end seems to hang and *eventually* prompts me for another
username password) and
I see the following in my samba logs:
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
cli_nt_setup_creds: auth2 challenge failed
[2003/02/24 16:35:19, 0]
smbd/password.c:connect_to_domain_password_server(1336)
connect_to_domain_password_server: unable to setup the PDC credentials to
machine DC. Error was : NT_STATUS_OK.
[2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
domain_client_validate: Domain password server not available.
[2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
unable to open passdb database.
[2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
unable to open passdb database.
[2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
cli_nt_setup_creds: auth2 challenge failed
[2003/02/24 16:35:19, 0]
smbd/password.c:connect_to_domain_password_server(1336)
connect_to_domain_password_server: unable to setup the PDC credentials to
machine DC. Error was : NT_STATUS_OK.
[2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
domain_client_validate: Domain password server not available.
Here is a listing of my smb.conf file:
[global]
# debug level = 2
# Stuff needed by nmdb first
interfaces = myip
domain master = no
local master = no
preferred master = no
os level = 0
log file = /tmp/slog
wins server = 192.168.28.13
guest account = nobody
encrypt passwords = Yes
# security = server
security = domain
workgroup = ad
password server = dc
username map=/usr/local/samba/lib/ntstaff.map
invalid users = root
[homes]
comment = Home Directories
locking = no
browseable = no
read only = no
force create mode = 0750
create mode = 0750
force directory mode = 0750
directory mode = 0750
preserve case = yes
[acls]
Comments = Account information
path = /export/home/acls
create mode = 660
force create mode = 660
directory mode = 770
force directory mode = 770
preserve case = yes
browseable = yes
I am fairly certain the ntstaff.map file is correct as it works in other
configurations. I'll post the line with the username
I used:
!rotest2 = rotest2
If anyone would like any more information I'd be happy to provide it. I am
really stumped right now as I think everything I am
trying to do should work, but I don't know what I am doing wrong. I would
be most grateful for any assistance.
Thanks,
Rohit Kumar Mehta
University of Connecticut
School of Engineering
Systems Manager
rohitm at engr.uconn.edu
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list