[Samba] Re: authentication against win2k3 server
Christian Merrill
cmerrill at redhat.com
Fri Nov 19 14:42:22 GMT 2004
Kevin Kobb wrote:
> Carissa Srugis wrote:
>
>> I've been trying to setup Samba to authenticate users against accounts
>> existing on a Windows 2003 Server without any backwards capability.
>> Ideally, this needs to be done without any changes to the Windows 2003
>> Server. Users will not be logging into the Samba shares at all. This
>> is merely for authentication.
>>
>> I'm running FreeBSD 4.10-RELEASE #4 with Samba 3.0.8.
>>
>> This is my smb.conf file:
>> [global]
>> realm = WIN2K3.DOMAIN.LOCAL
>> security = ads
>> auth methods = winbind
>> winbind separator = +
>> encrypt passwords = yes
>> workgroup = DOMAIN.LOCAL
>> netbios name = FREEBSD_Machine
>> winbind uid = 10000-20000
>> winbind gid = 10000-20000
>> winbind enum users = yes
>> winbind enum groups = yes
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> password server = WIN2K3.DOMAIN.LOCAL
>>
>> So once winbindd is running, I type the following and get these results:
>>
>> freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
>> administrator's password: *password*
>> [2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>> [2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>> [2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
>> ads_connect: Permission denied
>>
>> In the winbindd log I've also gotten the following error messages at
>> one point or another:
>>
>> Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>> ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
>> get_trust_pw: could not fetch trust account password for my domain
>> DOMAIN.LOCAL
>>
>> The odd part is when I try to use wbinfo to verify connections. If I
>> type "wbinfo -g" it will display the correct group listing from the
>> win2k3 server. But nothing else seems to work:
>>
>> freebsd_machine# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>> Could not check secret
>>
>> freebsd_machine# wbinfo -u
>> Error looking up domain users
>>
>> freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
>> Name : WIN2K3.DOMAIN.LOCAL
>> Alt_Name : DOMAIN.LOCAL
>> SID : S-0-0
>> Active Directory : No
>> Native : No
>> Primary : Yes
>> Sequence : -1
>>
>> I'm obviously missing something, but I am at a loss. Any help is
>> greatly appreciated!
>>
>> Carissa Srugis
>>
>>
>
> You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
> working nsswitch, which I think you will need if you want to log in to
> FreeBSD without a local account, but just an AD account.
>
> I have done this on our Windows domain and FreeBSD 5.3 and it works
> OK. Join the machine to the domain, modify pam files, and
> nsswitch.conf, and it worked.
>
>
Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
your DC?
Christian
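As an added illustration (this is not code from the thread, from Samba or from any of the posters), the following Python script lints an smb.conf [global] section of the kind posted above for the mix-up Christian is asking about. In a `security = ads` member configuration, `realm` holds the Kerberos realm of the AD domain (its DNS name, written in upper case), `workgroup` holds the domain's short NetBIOS name (no dots, at most 15 characters), and a DC's host name belongs, if anywhere, in `password server`; with `security = ads` it is normally left unset so that winbind locates DCs through DNS. The posted [global] section is embedded verbatim as sample input. The corrected variant is an assumption: it takes WIN2K3.DOMAIN.LOCAL to be the DC, DOMAIN.LOCAL to be the AD DNS domain and DOMAIN to be its NetBIOS name, none of which the thread confirms.

```python
"""Lint a Samba 3.x smb.conf [global] section for an AD member server.

Added example for the thread above; the checks encode the smb.conf(5) rules for
realm, workgroup, password server and the idmap/winbind uid synonyms.
"""
import re

# Sample input: the [global] section as posted in the thread (quote markers removed).
POSTED_SMB_CONF = """
[global]
realm = WIN2K3.DOMAIN.LOCAL
security = ads
auth methods = winbind
winbind separator = +
encrypt passwords = yes
workgroup = DOMAIN.LOCAL
netbios name = FREEBSD_Machine
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
password server = WIN2K3.DOMAIN.LOCAL
"""

# Corrected variant. ASSUMPTION (not confirmed by the thread): the AD DNS domain is
# DOMAIN.LOCAL, its NetBIOS name is DOMAIN, and WIN2K3.DOMAIN.LOCAL is a DC, which
# winbind can find on its own via DNS SRV records once the resolver points at AD DNS.
CORRECTED_SMB_CONF = """
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ads
encrypt passwords = yes
netbios name = FREEBSD_MACHINE
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/sh
template homedir = /home/%D/%U
"""


def parse_global(text):
    """Return {parameter: value} for the [global] section.

    Parameter names are lower-cased with whitespace collapsed, mirroring how smbd
    matches them. Comments (# or ;) are stripped, so values containing those
    characters are not supported by this simple parser.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def lint_ads_member(params):
    """Return a list of (parameter, problem) tuples; empty means nothing found."""
    findings = []
    realm = params.get("realm", "")
    workgroup = params.get("workgroup", "")
    if params.get("security", "user").lower() != "ads":
        findings.append(("security", "must be 'ads' for a Kerberos-based AD member"))
    if not realm:
        findings.append(("realm", "missing; set it to the AD DNS domain name"))
    elif realm != realm.upper():
        findings.append(("realm", "Kerberos realm names are written in upper case"))
    # The NetBIOS domain name is a single label of at most 15 characters.
    if "." in workgroup or len(workgroup) > 15:
        findings.append(("workgroup", "must be the short NetBIOS domain name, not a DNS name"))
    if len(params.get("netbios name", "")) > 15:
        findings.append(("netbios name", "NetBIOS names are limited to 15 characters"))
    # A realm is not a host: the same string cannot sensibly be both.
    password_server = params.get("password server")
    if password_server and realm and password_server.upper() == realm.upper():
        findings.append(("password server", "same value as realm; one of the two is wrong"))
    # 'winbind uid/gid' are obsolete synonyms of 'idmap uid/gid' in Samba 3.0.
    for old, new in (("winbind uid", "idmap uid"), ("winbind gid", "idmap gid")):
        if old in params and new in params:
            findings.append((old, "obsolete synonym of '%s'; set the range once" % new))
    for name in ("idmap uid", "idmap gid"):
        if name in params:
            m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", params[name])
            if not m or int(m.group(1)) >= int(m.group(2)):
                findings.append((name, "must be 'low-high' with low < high"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_SMB_CONF), ("corrected", CORRECTED_SMB_CONF)):
        print("%s config:" % label)
        for param, problem in lint_ads_member(parse_global(text)) or [("-", "no findings")]:
            print("  %-16s %s" % (param, problem))
```

Run it with `python3 lint_smb_conf.py`. Once the realm and workgroup are sorted out, the usual sequence on the member is to rejoin with `net ads join -U administrator`, confirm the machine account with `net ads testjoin`, and only then expect `wbinfo -t` and `wbinfo -u` to succeed; both Kerberos steps also require the FreeBSD box to resolve the AD domain through the domain's own DNS servers and to have its clock within the Kerberos skew tolerance of the DC.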