[Samba] Re: authentication against win2k3 server

Christian Merrill cmerrill at redhat.com
Fri Nov 19 14:42:22 GMT 2004


Kevin Kobb wrote:

> Carissa Srugis wrote:
>
>> I've been trying to set up Samba to authenticate users against accounts
>> existing on a Windows 2003 Server without any backwards capability. 
>> Ideally, this needs to be done without any changes to the Windows 2003
>> Server.  Users will not be logging into the Samba shares at all.  This
>> is merely for authentication.
>>
>> I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
>>
>> This is my smb.conf file:
>> [global]
>>       realm = WIN2K3.DOMAIN.LOCAL
>>       security = ads
>>       auth methods = winbind
>>       winbind separator = +
>>       encrypt passwords = yes
>>       workgroup = DOMAIN.LOCAL
>>       netbios name = FREEBSD_Machine
>>       winbind uid = 10000-20000
>>       winbind gid = 10000-20000
>>       winbind enum users = yes
>>       winbind enum groups = yes
>>       idmap uid = 10000-20000
>>       idmap gid = 10000-20000
>>       password server = WIN2K3.DOMAIN.LOCAL
>>
>> So once winbindd is running, I type the following and get these results:
>>
>> freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
>> administrator's password: *password*
>> [2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
>>   Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>> [2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
>>   Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>> [2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
>>   ads_connect: Permission denied
>>
>> In the winbindd log I've also gotten the following error messages at
>> one point or another:
>>
>> Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>> ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
>> get_trust_pw: could not fetch trust account password for my domain 
>> DOMAIN.LOCAL
>>
>> The odd part is when I try to use wbinfo to verify connections.  If I
>> type "wbinfo -g" it will display the correct group listing from the
>> win2k3 server.  But nothing else seems to work:
>>
>> freebsd_machine# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>> Could not check secret
>>
>> freebsd_machine# wbinfo -u
>> Error looking up domain users
>>
>> freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
>> Name              : WIN2K3.DOMAIN.LOCAL
>> Alt_Name          : DOMAIN.LOCAL
>> SID               : S-0-0
>> Active Directory  : No
>> Native            : No
>> Primary           : Yes
>> Sequence          : -1
>>
>> I'm obviously missing something, but I am at a loss.  Any help is
>> greatly appreciated!
>>
>> Carissa Srugis
>>
>>
>
> You might try looking at FreeBSD 5.3. I don't believe 4.10 has a 
> working nsswitch which I think you will need if you want to log in to 
> FreeBSD without a local account, but just an AD account.
>
> I have done this on our Windows domain and FreeBSD 5.3 and it works 
> OK. Join the machine to the domain, modify pam files, and 
> nsswitch.conf, and it worked.
>
>
Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and 
that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of 
your DC?

Christian


