[Samba] samba domain member can't validate users against 3.0 DC

Dariush Forouher dariush at forouher.de
Wed Jan 8 21:05:00 GMT 2003


I've a samba 3.0 (today's cvs) server running as a PDC.
The Win2K/NT clients can log in without any visible problems, but a samba
2.2.7a domain member can't validate users in security=domain mode.

I've followed the howto in the docs and joining the domain with
'smbpasswd -j BRGS -r ALDEBARAN -Uroot%pw' works just fine,
the samba 3.0 DC even creates the machine$ account in LDAP.

To be sure I've also set up a samba 2.2.7a PDC (in another WG) with the
same LDAP backend: It works!

It seems that a domain member can authenticate users against a samba 2.2
DC but not against a 3.0 one.

This is the log from the domain member (I can post a debug log if

[2003/01/08 20:01:51, 0] smbd/server.c:main(707)
  smbd version 2.2.7a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002
[2003/01/08 20:02:08, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/08 20:02:08, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/08 20:02:08, 0] smbd/password.c:connect_to_domain_password_server(1367)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine ALDEBARAN. Error was : NT_STATUS_OK.
[2003/01/08 20:02:08, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.

With log level 2 the PDC doesn't show any unusual messages. Again, I'll
post a much bigger debug log if it can help.

smb.conf of member server:
    security = domain
    password server =
    workgroup = BRGS
    server string = Gateway (samba %v)
    wins server = wins1
    log level = 2
    encrypt passwords = yes
    os level = 2

smb.conf of PDC:
	workgroup = BRGS
	netbios name = ALDEBARAN
	server string = PDC (samba %v)
	encrypt passwords = Yes
	security = user
	log level = 5
	log file = /var/log/samba/log.%m
	max log size = 50000
	unix charset = CP850
	logon path = \\einstein\profiles\%U
	logon script = sonstige.bat
	logon drive = h:
	logon home = \\sirius\%U
	domain logons = Yes
	os level = 32
	preferred master = yes
	domain master = yes
	local master = yes
	wins support = yes
	#wins partners = wins2.brgs.org
	passdb backend = ldapsam_nua:ldap://ldap1.brgs.org
	ldap ssl = no
	ldap admin dn = "cn=root,dc=brgs,dc=org"
	ldap suffix = dc=brgs,dc=org
	ldap user suffix = ou=People
	ldap machine suffix = ou=Machines
	non unix account range = 8000-8999
	ldap trust ids = yes
	ldap passwd sync = yes
	unix password sync = yes
	passwd chat = *enter*password* %n\n %n*ok*
	passwd program = /usr/local/bin/cracklib_check %u

PGP Fingerprint: 0x886C99A1
