[Samba] Re: authentication against win2k3 server

Carissa Srugis csrugis at gmail.com
Fri Nov 19 15:13:45 GMT 2004


DOMAIN.LOCAL is displayed in AD Users & Computers.
Pre-Windows 2000 Domain Name: DOMAIN

Carissa

On Fri, 19 Nov 2004 10:07:55 -0500, Christian Merrill
<cmerrill at redhat.com> wrote:
> Carissa Srugis wrote:
> 
> 
> 
> >This is a fresh w2k3 installation - no NT4 backwards capabilities.
> >Domain Name = DOMAIN.LOCAL
> >FQDN of DC = WIN2K3.DOMAIN.LOCAL
> >
> >Users will NOT be logging into the FreeBSD machine at all.  I need the
> >FreeBSD to authenticate via Samba against the W2K3 AD users, which
> >will then be passed through to squid for proxy authentication.
> >
> >Thanks!
> >Carissa
> >
> >On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
> ><cmerrill at redhat.com> wrote:
> >
> >
> >>Kevin Kobb wrote:
> >>
> >>
> >>
> >>
> >>
> >>>Carissa Srugis wrote:
> >>>
> >>>
> >>>
> >>>>I've been trying to setup Samba to authenticate users against accounts
> >>>>existing on a Windows 2003 Server without any backwards capability.
> >>>>Ideally, this needs to be done without any changes to the Windows 2003
> >>>>Server.  Users will not be logging into the Samba shares at all.  This
> >>>>is merely for authentication.
> >>>>
> >>>>I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
> >>>>
> >>>>This is my smb.conf file:
> >>>>[global]
> >>>>      realm = WIN2K3.DOMAIN.LOCAL
> >>>>      security = ads
> >>>>      auth methods = winbind
> >>>>      winbind separator = +
> >>>>      encrypt passwords = yes
> >>>>      workgroup = DOMAIN.LOCAL
> >>>>      netbios name = FREEBSD_Machine
> >>>>      winbind uid = 10000-20000
> >>>>      winbind gid = 10000-20000
> >>>>      winbind enum users = yes
> >>>>      winbind enum groups = yes
> >>>>      idmap uid = 10000-20000
> >>>>      idmap gid = 10000-20000
> >>>>      password server = WIN2K3.DOMAIN.LOCAL
> >>>>
> >>>>So once winbindd is running, I type the following and get these results:
> >>>>
> >>>>freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >>>>administrator's password: *password*
> >>>>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> >>>>  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> >>>>  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> >>>>  ads_connect: Permission denied
> >>>>
> >>>>In the winbindd log I've also gotten the following error messages at
> >>>>one point or another:
> >>>>
> >>>>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >>>>Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >>>>get_trust_pw: could not fetch trust account password for my domain
> >>>>DOMAIN.LOCAL
> >>>>
> >>>>The odd part is when I try to use wbinfo to verify connections.  If I
> >>>>type "wbinfo -g" it will display the correct group listing from the
> >>>>win2k3 server.  But nothing else seems to work:
> >>>>
> >>>>freebsd_machine# wbinfo -t
> >>>>checking the trust secret via RPC calls failed
> >>>>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> >>>>Could not check secret
> >>>>
> >>>>freebsd_machine# wbinfo -u
> >>>>Error looking up domain users
> >>>>
> >>>>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >>>>Name              : WIN2K3.DOMAIN.LOCAL
> >>>>Alt_Name          : DOMAIN.LOCAL
> >>>>SID               : S-0-0
> >>>>Active Directory  : No
> >>>>Native            : No
> >>>>Primary           : Yes
> >>>>Sequence          : -1
> >>>>
> >>>>I'm obviously missing something, but I am at a loss.  Any help is
> >>>>greatly appreciated!
> >>>>
> >>>>Carissa Srugis
> >>>>
> >>>>
> >>>>
> >>>>
> >>>You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
> >>>working nsswitch, which I think you will need if you want to log in to
> >>>FreeBSD without a local account, but just an AD account.
> >>>
> >>>I have done this on our Windows domain and FreeBSD 5.3 and it works
> >>>OK. Join the machine to the domain, modify pam files and
> >>>nsswitch.conf, and it worked.
> >>>
> >>>
> >>>
> >>>
> >>Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
> >>that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
> >>your DC?
> >>
> >>Christian
> >>
> >>
> >>
> >>--
> >>To unsubscribe from this list go to the following URL and read the
> >>instructions:  http://lists.samba.org/mailman/listinfo/samba
> >>
> >>
> >>
> >
> >
> >
> >
> I just want to make sure the information is correct.  On your 2k3 DC if
> you go START--Administrator Tools--Active Directory Users & Computers,
> your directory name should be displayed.  Is it DOMAIN.LOCAL or
> WIN2K3.DOMAIN.LOCAL?  Also, if you right click on it and select
> Properties, does a pre-Windows 2000 Domain Name exist?  If so, what is that?
> 
> Christian
> 
> 


-- 
*********************************************************
Carissa Srugis
csrugis at gmail.com
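The exchange above turns on whether the names in smb.conf match what AD Users & Computers shows: with security = ads, Samba's realm is the AD DNS domain (the Kerberos realm, conventionally upper-case) and workgroup is the pre-Windows 2000 (NetBIOS) domain name, whereas the quoted config puts the DC's FQDN in realm and the DNS name in workgroup. The following is an added check, not code from the thread or from Samba, that parses a [global] section and the wbinfo --domain-info output and reports those mismatches; the sample config and output are constructed from the values quoted in the thread.

```python
import re

# Constructed sample: the [global] values quoted in the thread and the
# wbinfo --domain-info output they produced (SID S-0-0 = not really joined).
SMB_CONF = """[global]
      realm = WIN2K3.DOMAIN.LOCAL
      security = ads
      workgroup = DOMAIN.LOCAL
      password server = WIN2K3.DOMAIN.LOCAL
"""

WBINFO_DOMAIN_INFO = """Name              : WIN2K3.DOMAIN.LOCAL
Alt_Name          : DOMAIN.LOCAL
SID               : S-0-0
Active Directory  : No
"""

def parse_global(conf):
    """Return key/value pairs of the [global] section, keys lower-cased."""
    params, in_global = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line and not line.startswith(("#", ";")):
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip()
    return params

def check_ads_names(conf, dns_domain, netbios_domain):
    """Compare realm/workgroup against the names shown in AD Users & Computers.
    dns_domain is the directory name (e.g. DOMAIN.LOCAL), netbios_domain the
    pre-Windows 2000 name (e.g. DOMAIN). Returns a list of problems."""
    p, problems = parse_global(conf), []
    if p.get("security", "").lower() != "ads":
        problems.append("security is not 'ads'")
    if p.get("realm", "").upper() != dns_domain.upper():
        problems.append(f"realm {p.get('realm')!r} is not the AD DNS domain {dns_domain.upper()!r}")
    if p.get("workgroup", "").upper() != netbios_domain.upper():
        problems.append(f"workgroup {p.get('workgroup')!r} is not the NetBIOS name {netbios_domain.upper()!r}")
    return problems

def domain_info_looks_joined(wbinfo_out):
    """True when wbinfo --domain-info shows a real SID and Active Directory: Yes."""
    fields = dict(re.findall(r"^(\S[^:]*?)\s*:\s*(.*)$", wbinfo_out, re.M))
    return fields.get("SID", "S-0-0") != "S-0-0" and fields.get("Active Directory") == "Yes"

if __name__ == "__main__":
    for problem in check_ads_names(SMB_CONF, "DOMAIN.LOCAL", "DOMAIN"):
        print("smb.conf:", problem)
    print("domain info looks joined:", domain_info_looks_joined(WBINFO_DOMAIN_INFO))
```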

