[Samba] samba domain member can't validate users against 3.0 DC
Dariush Forouher
dariush at forouher.de
Wed Jan 8 21:05:00 GMT 2003
Hello,
I've a samba 3.0 (today's cvs) server running as a PDC.
The Win2K/NT Clients can log in without any visible problems, but a samba
2.2.7a domain member can't validate users in security=domain mode.
I've followed the howto in the docs and joining the domain with
'smbpasswd -j BRGS -r ALDEBARAN -Uroot%pw' works just fine,
the samba 3.0 DC even creates the machine$ account in LDAP.
To be sure I've also set up a samba 2.2.7a PDC (in another WG) with the
same LDAP backend: It works!
It seems that a domain member can authenticate users against a samba 2.2
DC but not against a 3.0 one.
This is the log from the domain member (I can post a debug log if
needed):
[2003/01/08 20:01:51, 0] smbd/server.c:main(707)
smbd version 2.2.7a started.
Copyright Andrew Tridgell and the Samba Team 1992-2002
[2003/01/08 20:02:08, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/08 20:02:08, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
cli_nt_setup_creds: auth2 challenge failed
[2003/01/08 20:02:08, 0] smbd/password.c:connect_to_domain_password_server(1367)
connect_to_domain_password_server: unable to setup the PDC credentials to machine ALDEBARAN. Error was : NT_STATUS_OK.
[2003/01/08 20:02:08, 0] smbd/password.c:domain_client_validate(1599)
domain_client_validate: Domain password server not available.
With log level 2 the PDC doesn't show any unusual messages. Again, I'll
post a much bigger debug log if it can help.
smb.conf of member server:
[global]
security = domain
password server = 172.16.0.1
workgroup = BRGS
server string = Gateway (samba %v)
wins server = wins1
log level = 2
encrypt passwords = yes
os level = 2
smb.conf of PDC:
[global]
workgroup = BRGS
netbios name = ALDEBARAN
server string = PDC (samba %v)
encrypt passwords = Yes
security = user
log level = 5
log file = /var/log/samba/log.%m
max log size = 50000
unix charset = CP850
logon path = \\einstein\profiles\%U
logon script = sonstige.bat
logon drive = h:
logon home = \\sirius\%U
domain logons = Yes
os level = 32
preferred master = yes
domain master = yes
local master = yes
wins support = yes
#wins partners = wins2.brgs.org
passdb backend = ldapsam_nua:ldap://ldap1.brgs.org
ldap ssl = no
ldap admin dn = "cn=root,dc=brgs,dc=org"
ldap suffix = dc=brgs,dc=org
ldap user suffix = ou=People
ldap machine suffix = ou=Machines
non unix account range = 8000-8999
ldap trust ids = yes
ldap passwd sync = yes
unix password sync = yes
passwd chat = *enter*password* %n\n %n*ok*
passwd program = /usr/local/bin/cracklib_check %u
ciao
Dariush
--
PGP Fingerprint: 0x886C99A1