[Samba] Re: authentication against win2k3 server
Carissa Srugis
csrugis at gmail.com
Fri Nov 19 15:13:45 GMT 2004
DOMAIN.LOCAL is displayed in AD Users & Computers.
Pre-Windows 2000 Domain Name: DOMAIN
Carissa
On Fri, 19 Nov 2004 10:07:55 -0500, Christian Merrill
<cmerrill at redhat.com> wrote:
> Carissa Srugis wrote:
>
> >This is a fresh w2k3 installation - no NT4 backwards capabilities.
> >Domain Name = DOMAIN.LOCAL
> >FQDN of DC = WIN2K3.DOMAIN.LOCAL
> >
> >Users will NOT be logging into the FreeBSD machine at all. I need the
> >FreeBSD to authenticate via Samba against the W2K3 AD users, which
> >will then be passed through to squid for proxy authentication.
> >
> >Thanks!
> >Carissa
> >
> >On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
> ><cmerrill at redhat.com> wrote:
> >
> >
> >>Kevin Kobb wrote:
> >>
> >>>Carissa Srugis wrote:
> >>>
> >>>>I've been trying to setup Samba to authenticate users against accounts
> >>>>existing on a Windows 2003 Server without any backwards capability.
> >>>>Ideally, this needs to be done without any changes to the Windows 2003
> >>>>Server. Users will not be logging into the Samba shares at all. This
> >>>>is merely for authentication.
> >>>>
> >>>>I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
> >>>>
> >>>>This is my smb.conf file:
> >>>>[global]
> >>>> realm = WIN2K3.DOMAIN.LOCAL
> >>>> security = ads
> >>>> auth methods = winbind
> >>>> winbind separator = +
> >>>> encrypt passwords = yes
> >>>> workgroup = DOMAIN.LOCAL
> >>>> netbios name = FREEBSD_Machine
> >>>> winbind uid = 10000-20000
> >>>> winbind gid = 10000-20000
> >>>> winbind enum users = yes
> >>>> winbind enum groups = yes
> >>>> idmap uid = 10000-20000
> >>>> idmap gid = 10000-20000
> >>>> password server = WIN2K3.DOMAIN.LOCAL
> >>>>
> >>>>So once winbindd is running, I type the following and get these results:
> >>>>
> >>>>freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >>>>administrator's password: *password*
> >>>>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> >>>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> >>>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> >>>> ads_connect: Permission denied
> >>>>
> >>>>In the winbindd log I've also gotten the following error messages at
> >>>>one point or another:
> >>>>
> >>>>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >>>>Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >>>>get_trust_pw: could not fetch trust account password for my domain
> >>>>DOMAIN.LOCAL
> >>>>
> >>>>The odd part is when I try to use wbinfo to verify connections. If I
> >>>>type "wbinfo -g" it will display the correct group listing from the
> >>>>win2k3 server. But nothing else seems to work:
> >>>>
> >>>>freebsd_machine# wbinfo -t
> >>>>checking the trust secret via RPC calls failed
> >>>>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> >>>>Could not check secret
> >>>>
> >>>>freebsd_machine# wbinfo -u
> >>>>Error looking up domain users
> >>>>
> >>>>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >>>>Name : WIN2K3.DOMAIN.LOCAL
> >>>>Alt_Name : DOMAIN.LOCAL
> >>>>SID : S-0-0
> >>>>Active Directory : No
> >>>>Native : No
> >>>>Primary : Yes
> >>>>Sequence : -1
> >>>>
> >>>>I'm obviously missing something, but I am at a loss. Any help is
> >>>>greatly appreciated!
> >>>>
> >>>>Carissa Srugis
> >>>>
> >>>You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
> >>>working nsswitch which I think you will need if you want to login into
> >>>FreeBSD without a local account, but just a AD account.
> >>>
> >>>I have done this on our Windows domain and FreeBSD 5.3 and it works
> >>>OK. Join the machine to the domain, modify pam files, and
> >>>nsswitch.conf, and it worked.
> >>>
> >>Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
> >>that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
> >>your DC?
> >>
> >>Christian
> >>
> >>--
> >>To unsubscribe from this list go to the following URL and read the
> >>instructions: http://lists.samba.org/mailman/listinfo/samba
> >>
> >
> I just want to make sure the information is correct. On your 2k3 DC if
> you go START--Administrator Tools--Active Directory Users & Computers,
> your directory name should be displayed. Is it DOMAIN.LOCAL or
> WIN2K3.DOMAIN.LOCAL? Also, if you right click on it and select
> Properties, does a pre-Windows 2000 Domain Name exist? If so, what is that?
>
> Christian
>
--
*********************************************************
Carissa Srugis
csrugis at gmail.com
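The two values Christian is asking about (the directory name and the pre-Windows 2000 domain name) map directly onto the `realm` and `workgroup` settings that an `security = ads` member needs: `realm` is the AD DNS domain name in upper case (the Kerberos realm), and `workgroup` is the NetBIOS domain name. The following linter is an added example written for this thread, not Samba's own code and not something posted in the thread. It parses an smb.conf [global] section and flags the mix-ups visible in the quoted configuration (realm set to the DC's host name, workgroup set to the DNS name). The two sample configurations are constructed from the values quoted above, assuming, as Carissa's reply states, that the directory name is DOMAIN.LOCAL and the pre-Windows 2000 name is DOMAIN; the equality-with-`password server` test is a heuristic of this example, not a Samba rule.

```python
"""Lint a Samba 3.x smb.conf [global] section for realm/workgroup mix-ups
that commonly break 'security = ads' joins.

Added example for this thread; not part of Samba. The sample configs are
constructed from the values quoted in the thread (DOMAIN.LOCAL / DOMAIN)."""

import re


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {key: value}}.

    Keys are lower-cased with internal whitespace collapsed, which is
    close enough to how Samba treats parameter names for this purpose."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def lint_ads_global(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() != "ads":
        return findings  # the checks below only apply to ADS member servers

    realm = g.get("realm", "")
    workgroup = g.get("workgroup", "")
    pw_server = g.get("password server", "")

    if not realm:
        findings.append("realm: required for security = ads")
    else:
        if realm != realm.upper():
            findings.append("realm: Kerberos realms are case-sensitive; use upper case")
        if "." not in realm:
            findings.append("realm: expected the AD DNS domain name (e.g. EXAMPLE.LOCAL)")
        # Heuristic of this example: a realm identical to the host named in
        # 'password server' was almost certainly set to the DC's FQDN rather
        # than to the domain's DNS name.
        if pw_server and realm.lower() == pw_server.lower():
            findings.append("realm: equals 'password server'; realm is the domain, not the DC host")

    if not workgroup:
        findings.append("workgroup: required; use the pre-Windows 2000 (NetBIOS) domain name")
    else:
        if "." in workgroup:
            findings.append("workgroup: contains '.'; use the NetBIOS domain name, not the DNS name")
        if len(workgroup) > 15:
            findings.append("workgroup: NetBIOS names are at most 15 characters")
    return findings


# Constructed sample: the [global] values quoted in the thread.
BROKEN = """
[global]
 realm = WIN2K3.DOMAIN.LOCAL
 security = ads
 workgroup = DOMAIN.LOCAL
 netbios name = FREEBSD_Machine
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 password server = WIN2K3.DOMAIN.LOCAL
"""

# Constructed sample: same server, realm and workgroup set from the
# directory name (DOMAIN.LOCAL) and pre-Windows 2000 name (DOMAIN).
FIXED = """
[global]
 realm = DOMAIN.LOCAL
 security = ads
 workgroup = DOMAIN
 netbios name = FREEBSD_Machine
 idmap uid = 10000-20000
 idmap gid = 10000-20000
 password server = WIN2K3.DOMAIN.LOCAL
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint_ads_global(cfg) or "no findings")
```

Run it on a real file with `lint_ads_global(open("/usr/local/etc/smb.conf").read())`; after correcting the two values, `net ads join` and `wbinfo -t` are the checks that confirm the trust account actually exists on the DC side.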