[Samba] [found something] Problems making use of 2K PDC

John H Terpstra jht at samba.org
Thu Jan 30 22:14:47 GMT 2003


On Thu, 30 Jan 2003, Andreas Hasenack wrote:

> On Thu, Jan 30, 2003 at 04:29:04PM -0200, Andreas Hasenack wrote:
> > Immediately afterwards I run:
> > smbpasswd -t DISTRO -r TESTE011 -D 4
> >
> > and get:
> > (...)
> > cli_net_req_chal: LSA Request Challenge from TESTE011 to PANDORA: 934D0AA570E6938A
> > cred_session_key
> > cred_create
> > cli_net_auth2: srv:\\TESTE011 acct:PANDORA$ sc:6 mc: PANDORA chal C72569B51FC1D884 neg: 1ff
> > cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
>
> Ok, finally found something. It's in smb.conf.
>
> If I leave "domain logons = yes" in /etc/smb.conf, then the above smbpasswd command
> fails. If I comment "domain logons", then the above command works.
>
> Also, without domain logons, I can issue:
>
> smbclient -L PANDORA -U user%pass
>
> and it will happily authenticate "user" against my W2K server.
>
> Now I need a way to make my workstations (winxp) try to logon on the
> linux samba server but authenticate against my w2k server.

No way. Authenticate == logon!

If your Win2K DC is your authentication server for your domain, then DO
NOT set "domain logons = Yes" on samba - it can cripple your Win2K DC!

Instead, in your smb.conf [globals] you want:
	security = domain
	password server = *

Then join the domain by:
	smbpasswd -r 'PDC_name' -j 'Domain_Name'

This way your MS Windows clients should be domain members and will log
onto the Win2K DC and will be able to seamlessly access your samba server.

If you do not want to create separate users on the samba server, then
configure winbind and PAM to provide all account info and home directories
on the samba server automatically.

- John T.
-- 
John H Terpstra
Email: jht at samba.org
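
Added example, not part of the original message and not Samba's own tooling: a small Python check that reads the [global] section of an smb.conf and reports where it departs from the member-server setup recommended in the reply above (no "domain logons", "security = domain", a "password server" set). The function names, the EXAMPLEDOM workgroup and both sample configs are constructed for illustration.

```python
import re

# Boolean spellings treated as "enabled" (assumption made for this example).
TRUE_VALUES = {"yes", "true", "1", "on"}

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {normalised_name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or commented-out setting
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are matched ignoring case and embedded whitespace.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def check_member_config(text):
    """List the ways a config departs from the domain-member setup in the reply."""
    g = parse_global(text)
    findings = []
    if g.get("domainlogons", "no").lower() in TRUE_VALUES:
        findings.append("domain logons is enabled: Samba would act as a logon server")
    if g.get("security", "").lower() != "domain":
        findings.append("security is not 'domain'")
    if "passwordserver" not in g:
        findings.append("password server is not set")
    return findings

# Constructed sample: the failing state described in the quoted message.
BEFORE = """[global]
   workgroup = EXAMPLEDOM
   Domain Logons = Yes
   security = user
"""

# Constructed sample: "domain logons" commented out, member settings applied.
AFTER = """[global]
   workgroup = EXAMPLEDOM
;  domain logons = yes
   security = domain
   password server = *
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, check_member_config(conf) or "matches the member-server setup")
```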

