[Samba] W2K3 Server + RAS + Samba 3.0 Domain

Beschorner Daniel Daniel.Beschorner at facton.de
Tue Mar 30 17:08:46 GMT 2004


> On Tue, 2004-03-30 at 00:32, Daniel Holtkamp wrote:
> > Hi !
> > 
> > I'm trying to figure out if it's possible to add a W2K3 Server into a
> > Samba 3.0 Domain and then have the RAS-Service on the W2K3 server
> > authenticate against the Samba Domain.
> > 
> > Bringing the 2K3 into the Domain was not much of a problem, working fine
> > so far, I can log on using Domain users etc.
> > 
> > But I've been trying for a week now and I can't get the RAS Service
> > working properly. It always complains that it can't authenticate the
> > user on the Domain, but from the logs it's not even trying to.
> > 
> > Of course I asked Google and searched this list, but the closest thing I
> > found was about Win2000 RAS ... and it was a post about that not working
> > either.
> We didn't have the 'dialin' privilege stored.  Samba HEAD is slowly
> gaining privileges now.
> > Question: Anyone ever gotten this to work ? With a 2K or 2K3 Server ?

Yes, it works for me at least with W2K.

Two things are necessary:

1. the "SambaMungedDial" attribute in the ldapsam backend (I believe since
3.0.1 in the schema); I don't know if there are any other backends supporting
it. This allows you to set the "RAS allowed" switch in user manager for

2. this evil patch to bypass the samba function access check

--- srv_samr_nt.c.orig  Tue Feb 10 10:44:51 2004
+++ srv_samr_nt.c       Tue Mar 30 18:13:48 2004
@@ -102,6 +102,7 @@

 NTSTATUS access_check_samr_function(uint32 acc_granted, uint32
acc_required, const char *debug)
+       return NT_STATUS_OK;
        DEBUG(5,("%s: access check ((granted: %#010x;  required: %#010x)\n",
                        debug, acc_granted, acc_required));
        if ((acc_granted & acc_required) != acc_required) {
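Review bot: the unconditional `return NT_STATUS_OK;` inserted at the top of access_check_samr_function disables the mask comparison for every SAMR call from every connected client, not only the lookup that RAS needs, and makes the `DEBUG(5, ...)` and the `if ((acc_granted & acc_required) != acc_required)` check below it unreachable. The log line quoted further down shows the denial originates in _samr_lookup_domain with granted 0x00000020, so the narrower change is to grant that specific caller the bits it requires (tied to the dial-in setting the message already mentions) instead of short-circuiting the whole function. The hunk header also counts six old context lines, but only five appear (the function's opening brace line seems to have been lost in mail wrapping, and the signature is folded across two lines), so the patch as pasted will need re-wrapping before `patch` accepts it.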

Without this patch you'll see the known message "cannot authenticate..." in
Windows and this

[2004/03/30 18:10:10, 2]
  _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020;  required:

in the logs.

It's dirty and for my own use, but maybe no problem for developers to work
out a clean solution?!?


> No, but I've got it working with 'Samba RAS' ;-)
> http://hawkerc.net/staff/abartlet/comp3700
> This applies just as well to modem dial-ins as to VPNs.  I hope to clean
> it up a bit more, and get it into the PPPd distribution.
> See also the updated patch in that directory.
> Andrew Bartlett
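To make the scope of the access-check bypass concrete, here is an added example in C. It is not Samba's code: it models the granted/required mask comparison that srv_samr_nt.c performs, the short-circuited variant produced by the patch above, and a small parser for the "ACCESS DENIED (granted: ...; required: ...)" line so the missing bits can be read straight off a log. The granted value 0x00000020 comes from the log line in the message; the required value 0x00000021 in the sample line, and all function names, are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t access_mask;

/* Constructed sample: the granted value is the one quoted in the message,
 * the required value is made up for the example (the real line is truncated). */
static const char SAMPLE_LOG[] =
    "[2004/03/30 18:10:10, 2]\n"
    "  _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020;  required: 0x00000021)\n";

/* Unpatched check: the call passes only if every required bit was granted. */
bool samr_access_ok(access_mask granted, access_mask required) {
    return (granted & required) == required;
}

/* What the "return NT_STATUS_OK;" patch turns the check into: the masks are
 * never compared, so any caller passes any SAMR access check. */
bool samr_access_ok_bypassed(access_mask granted, access_mask required) {
    (void)granted;
    (void)required;
    return true;
}

/* Required bits the caller did not hold (zero means the check would pass). */
access_mask samr_missing_bits(access_mask granted, access_mask required) {
    return required & ~granted;
}

/* Extract both masks from an ACCESS DENIED line. Returns 0 on success, -1 when
 * the text has no complete "(granted: ...; required: ...)" tuple, as is the
 * case for the truncated line quoted in the message. */
int parse_access_denied(const char *text, access_mask *granted, access_mask *required) {
    const char *p = strstr(text, "ACCESS DENIED (granted:");
    unsigned int g, r;
    if (p == NULL) return -1;
    /* a space in the format matches any run of whitespace, so the double
     * space before "required" in Samba's output is accepted */
    if (sscanf(p, "ACCESS DENIED (granted: %x; required: %x)", &g, &r) != 2) return -1;
    *granted = g;
    *required = r;
    return 0;
}

/* Missing bits for the constructed sample line (0 if it cannot be parsed). */
access_mask sample_missing_bits(void) {
    access_mask g, r;
    if (parse_access_denied(SAMPLE_LOG, &g, &r) != 0) return 0;
    return samr_missing_bits(g, r);
}

int main(void) {
    access_mask g, r;
    if (parse_access_denied(SAMPLE_LOG, &g, &r) != 0) {
        puts("no complete ACCESS DENIED line found");
        return 1;
    }
    printf("granted %#010x required %#010x missing %#010x\n",
           (unsigned)g, (unsigned)r, (unsigned)samr_missing_bits(g, r));
    printf("unpatched check: %s\n", samr_access_ok(g, r) ? "pass" : "deny");
    printf("patched check:   %s\n", samr_access_ok_bypassed(g, r) ? "pass" : "deny");
    return 0;
}
```

The point the two check functions make is that the patch does not grant the one missing bit to the one caller; it makes the comparison unreachable for every SAMR request, which is why it is only defensible for the private use the message describes.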
