[Samba] Re: authentication against win2k3 server

Christian Merrill cmerrill at redhat.com
Fri Nov 19 15:07:55 GMT 2004


Carissa Srugis wrote:

>This is a fresh w2k3 installation - no NT4 backwards capabilities.
>Domain Name = DOMAIN.LOCAL
>FQDN of DC = WIN2K3.DOMAIN.LOCAL
>
>Users will NOT be logging into the FreeBSD machine at all.  I need the
>FreeBSD to authenticate via Samba against the W2K3 AD users, which
>will then be passed through to squid for proxy authentication.
>
>Thanks!
>Carissa
>
>On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
><cmerrill at redhat.com> wrote:
>
>>Kevin Kobb wrote:
>>
>>>Carissa Srugis wrote:
>>>
>>>>I've been trying to setup Samba to authenticate users against accounts
>>>>existing on a Windows 2003 Server without any backwards capability.
>>>>Ideally, this needs to be done without any changes to the Windows 2003
>>>>Server.  Users will not be logging into the Samba shares at all.  This
>>>>is merely for authentication.
>>>>
>>>>I'm running FreeBSD 4.10-RELEASE #4 with Samba 3.0.8.
>>>>
>>>>This is my smb.conf file:
>>>>[global]
>>>>      realm = WIN2K3.DOMAIN.LOCAL
>>>>      security = ads
>>>>      auth methods = winbind
>>>>      winbind separator = +
>>>>      encrypt passwords = yes
>>>>      workgroup = DOMAIN.LOCAL
>>>>      netbios name = FREEBSD_Machine
>>>>      winbind uid = 10000-20000
>>>>      winbind gid = 10000-20000
>>>>      winbind enum users = yes
>>>>      winbind enum groups = yes
>>>>      idmap uid = 10000-20000
>>>>      idmap gid = 10000-20000
>>>>      password server = WIN2K3.DOMAIN.LOCAL
>>>>
>>>>So once winbindd is running, I type the following and get these results:
>>>>
>>>>freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
>>>>administrator's password: *password*
>>>>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
>>>>  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>>>>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
>>>>  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>>>>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
>>>>  ads_connect: Permission denied
>>>>
>>>>In the winbindd log I've also gotten the following error messages at
>>>>one point or another:
>>>>
>>>>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
>>>>Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>>>>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
>>>>get_trust_pw: could not fetch trust account password for my domain
>>>>DOMAIN.LOCAL
>>>>
>>>>The odd part is when I try to use wbinfo to verify connections.  If I
>>>>type "wbinfo -g" it will display the correct group listing from the
>>>>win2k3 server.  But nothing else seems to work:
>>>>
>>>>freebsd_machine# wbinfo -t
>>>>checking the trust secret via RPC calls failed
>>>>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>>>>Could not check secret
>>>>
>>>>freebsd_machine# wbinfo -u
>>>>Error looking up domain users
>>>>
>>>>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
>>>>Name              : WIN2K3.DOMAIN.LOCAL
>>>>Alt_Name          : DOMAIN.LOCAL
>>>>SID               : S-0-0
>>>>Active Directory  : No
>>>>Native            : No
>>>>Primary           : Yes
>>>>Sequence          : -1
>>>>
>>>>I'm obviously missing something, but I am at a loss.  Any help is
>>>>greatly appreciated!
>>>>
>>>>Carissa Srugis
>>>>
>>>>
>>>You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
>>>working nsswitch, which I think you will need if you want to log in to
>>>FreeBSD without a local account, but just an AD account.
>>>
>>>I have done this on our Windows domain and FreeBSD 5.3 and it works
>>>OK. Join the machine to the domain, modify the pam files and
>>>nsswitch.conf, and it worked.
>>>
>>Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
>>that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
>>your DC?
>>
>>Christian
>>
>>
>
I just want to make sure the information is correct.  On your 2k3 DC if 
you go START--Administrator Tools--Active Directory Users & Computers, 
your directory name should be displayed.  Is it DOMAIN.LOCAL or 
WIN2K3.DOMAIN.LOCAL?  Also, if you right click on it and select 
Properties, does a pre-Windows 2000 Domain Name exist?  If so, what is that?

Christian
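An added example, not code from this thread or from the Samba project: a small shell script that writes the `security = ads` smb.conf and krb5.conf matching the names Carissa gave, with the realm set to the directory name (DOMAIN.LOCAL) rather than the DC's FQDN, and checks for exactly that mix-up before you run `net ads join`. Assumptions not stated in the thread: the pre-Windows 2000 domain name is DOMAIN, WIN2K3.DOMAIN.LOCAL is also the Kerberos KDC, and Samba from FreeBSD ports reads /usr/local/etc/smb.conf. Nothing in the script contacts the DC; the commands in `join_and_verify` are listed in the order to run them by hand, each one a prerequisite for the next.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: build a winbind-only
# "security = ads" configuration for the names in the thread and check the
# realm/workgroup split before attempting the join.
#
# Assumptions (not stated in the thread): the pre-Windows 2000 domain name
# is DOMAIN; WIN2K3.DOMAIN.LOCAL is also the Kerberos KDC; Samba from FreeBSD
# ports reads /usr/local/etc/smb.conf. Nothing below talks to the DC except
# the commands listed in join_and_verify, which are meant to be run by hand.

REALM=DOMAIN.LOCAL          # AD directory name == Kerberos realm (upper case)
WORKGROUP=DOMAIN            # pre-Windows 2000 (NetBIOS) name, assumed
DC=win2k3.domain.local      # the DC's FQDN: KDC and password server, not the realm

# smb.conf for a member that only authenticates (no shares, no local logins).
gen_smb_conf() {
    cat <<EOF
[global]
    realm = $1
    workgroup = $2
    security = ads
    password server = $3
    encrypt passwords = yes
    winbind separator = +
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
EOF
}

# krb5.conf pointing the realm at the DC; the [domain_realm] map lets
# kinit/net map DOMAIN.LOCAL hosts onto the realm.
gen_krb5_conf() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $1
    dns_lookup_kdc = yes
[realms]
    $1 = {
        kdc = $2
        admin_server = $2
    }
[domain_realm]
    .$lower = $1
    $lower = $1
EOF
}

conf_value() {   # conf_value FILE KEY -> value of the first "KEY = value" line
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Flag the mix-up from the thread: realm set to the DC's FQDN and workgroup
# set to the DNS name. Prints each problem; returns 0 only if none is found.
check_smb_conf() {
    realm=$(conf_value "$1" realm)
    wg=$(conf_value "$1" workgroup)
    pw=$(conf_value "$1" 'password server')
    status=0
    case "$realm" in
        '') echo "realm is missing"; status=1 ;;
        *[[:lower:]]*) echo "realm '$realm' must be upper case"; status=1 ;;
    esac
    if [ -n "$pw" ] && [ "$(upper "$realm")" = "$(upper "$pw")" ]; then
        echo "realm '$realm' is the DC's FQDN; use the directory name"; status=1
    fi
    case "$wg" in
        '') echo "workgroup is missing"; status=1 ;;
        *.*) echo "workgroup '$wg' is a DNS name; use the pre-Windows 2000 name"; status=1 ;;
    esac
    [ ${#wg} -le 15 ] || { echo "workgroup '$wg' exceeds 15 characters"; status=1; }
    return $status
}

# Commands to run on the FreeBSD box once the files are installed; each step
# must succeed before the next is worth trying.
join_and_verify() {
    ntpdate "$DC"                        # Kerberos rejects clocks more than 5 min off
    kinit "administrator@$REALM"         # proves krb5.conf and KDC reachability
    net ads join -U administrator        # creates the machine account on the DC
    net ads testjoin                     # confirms the stored machine password
    wbinfo -t                            # trust secret check over RPC
    wbinfo -u                            # user enumeration should now work too
    ntlm_auth --username=administrator   # what squid's helper will do per login
}

out=${TMPDIR:-/tmp}/samba-ads-example
mkdir -p "$out"
gen_smb_conf "$REALM" "$WORKGROUP" "$DC" > "$out/smb.conf"
gen_krb5_conf "$REALM" "$DC" > "$out/krb5.conf"
check_smb_conf "$out/smb.conf" && echo "configs written to $out; install them, then run join_and_verify"
```

Run against Carissa's values (realm = WIN2K3.DOMAIN.LOCAL, workgroup = DOMAIN.LOCAL) the check reports both the realm/password-server collision and the dotted workgroup, which is the same question Christian is asking above. Restart winbindd after the join so it picks up the new machine account; for squid with Samba 3.0 the helper line is `auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic` (path assumed for a ports install). The `127.255.255.255(137)` send errors in the logs are NetBIOS broadcasts over lo0 and are separate from the join failure; setting `interfaces` to the real NIC with `bind interfaces only = yes` is the usual way to stop them.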


