[Samba] Re: authentication against win2k3 server

Carissa Srugis csrugis at gmail.com
Fri Nov 19 14:54:56 GMT 2004


This is a fresh w2k3 installation - no NT4 backwards capabilities.
Domain Name = DOMAIN.LOCAL
FQDN of DC = WIN2K3.DOMAIN.LOCAL

Users will NOT be logging into the FreeBSD machine at all.  I need the
FreeBSD to authenticate via Samba against the W2K3 AD users, which
will then be passed through to squid for proxy authentication.

Thanks!
Carissa

On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
<cmerrill at redhat.com> wrote:
> Kevin Kobb wrote:
> 
> 
> 
> > Carissa Srugis wrote:
> >
> >> I've been trying to set up Samba to authenticate users against accounts
> >> existing on a Windows 2003 Server without any backwards capability.
> >> Ideally, this needs to be done without any changes to the Windows 2003
> >> Server.  Users will not be logging into the Samba shares at all.  This
> >> is merely for authentication.
> >>
> >> I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
> >>
> >> This is my smb.conf file:
> >> [global]
> >>       realm = WIN2K3.DOMAIN.LOCAL
> >>       security = ads
> >>       auth methods = winbind
> >>       winbind separator = +
> >>       encrypt passwords = yes
> >>       workgroup = DOMAIN.LOCAL
> >>       netbios name = FREEBSD_Machine
> >>       winbind uid = 10000-20000
> >>       winbind gid = 10000-20000
> >>       winbind enum users = yes
> >>       winbind enum groups = yes
> >>       idmap uid = 10000-20000
> >>       idmap gid = 10000-20000
> >>       password server = WIN2K3.DOMAIN.LOCAL
> >>
> >> So once winbindd is running, I type the following and get these results:
> >>
> >> freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >> administrator's password: *password*
> >> [2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> >>   Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >> [2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> >>   Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >> [2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> >>   ads_connect: Permission denied
> >>
> >> In the winbindd log I've also gotten the following error messages at
> >> one point or another:
> >>
> >> Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >> ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >> get_trust_pw: could not fetch trust account password for my domain
> >> DOMAIN.LOCAL
> >>
> >> The odd part is when I try to use wbinfo to verify connections.  If I
> >> type "wbinfo -g" it will display the correct group listing from the
> >> win2k3 server.  But nothing else seems to work:
> >>
> >> freebsd_machine# wbinfo -t
> >> checking the trust secret via RPC calls failed
> >> error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> >> Could not check secret
> >>
> >> freebsd_machine# wbinfo -u
> >> Error looking up domain users
> >>
> >> freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >> Name              : WIN2K3.DOMAIN.LOCAL
> >> Alt_Name          : DOMAIN.LOCAL
> >> SID               : S-0-0
> >> Active Directory  : No
> >> Native            : No
> >> Primary           : Yes
> >> Sequence          : -1
> >>
> >> I'm obviously missing something, but I am at a loss.  Any help is
> >> greatly appreciated!
> >>
> >> Carissa Srugis
> >>
> >>
> >
> > You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
> > working nsswitch, which I think you will need if you want to log in to
> > FreeBSD without a local account, but just an AD account.
> >
> > I have done this on our Windows domain and FreeBSD 5.3 and it works
> > OK. Join the machine to the domain, modify pam files and
> > nsswitch.conf, and it worked.
> >
> >
> Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
> that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
> your DC?
> 
> Christian
> 
> 
> 
> 


-- 
*********************************************************
Carissa Srugis
csrugis at gmail.com
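
Added example, not part of the thread and not Samba code: a small check of the `[global]` settings against the domain name and DC name given at the top of this message. It assumes that with `security = ads` the `realm` carries the AD DNS domain (the Kerberos realm) and `workgroup` the short pre-Windows 2000 domain name; the function names and finding labels are hypothetical.

```python
# SAMPLE is constructed from the names given in the thread; it is not a captured file.
SAMPLE = """\
[global]
    realm = WIN2K3.DOMAIN.LOCAL
    security = ads
    workgroup = DOMAIN.LOCAL
    netbios name = FREEBSD_Machine
    password server = WIN2K3.DOMAIN.LOCAL
"""

def parse_global(text):
    """Return the [global] parameters, keys lower-cased and space-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_ads_globals(text, ad_dns_domain, dc_fqdn):
    """Return (parameter, finding) pairs for an AD member-server config."""
    p, findings = parse_global(text), []
    if p.get("security", "").lower() != "ads":
        return findings  # the checks below only apply to security = ads
    realm = p.get("realm", "")
    if not realm:
        findings.append(("realm", "missing"))
    elif realm.lower() == dc_fqdn.lower():
        # Assumption stated in the lead-in: the realm names the domain, not a host.
        findings.append(("realm", "is-dc-hostname"))
    elif realm.lower() != ad_dns_domain.lower():
        findings.append(("realm", "not-ad-dns-domain"))
    workgroup = p.get("workgroup", "")
    if "." in workgroup or len(workgroup) > 15:
        findings.append(("workgroup", "not-short-netbios-name"))
    if len(p.get("netbios name", "")) > 15:
        findings.append(("netbios name", "longer-than-15"))
    return findings

if __name__ == "__main__":
    for param, finding in lint_ads_globals(SAMPLE, "DOMAIN.LOCAL", "WIN2K3.DOMAIN.LOCAL"):
        print(f"{param}: {finding}")
```

The expected domain and DC names are passed in by the caller because the config file alone cannot tell which of the two a value was meant to be.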

