[Samba] Re: authentication against win2k3 server

Christian Merrill cmerrill at redhat.com
Fri Nov 19 15:16:11 GMT 2004


Carissa Srugis wrote:

>DOMAIN.LOCAL is displayed in AD Users & Computers.
>Pre-Windows 2000 Domain Name: DOMAIN
>
>Carissa
>
>On Fri, 19 Nov 2004 10:07:55 -0500, Christian Merrill
><cmerrill at redhat.com> wrote:
>
>>Carissa Srugis wrote:
>>
>>>This is a fresh w2k3 installation - no NT4 backwards capabilities.
>>>Domain Name = DOMAIN.LOCAL
>>>FQDN of DC = WIN2K3.DOMAIN.LOCAL
>>>
>>>Users will NOT be logging into the FreeBSD machine at all.  I need the
>>>FreeBSD to authenticate via Samba against the W2K3 AD users, which
>>>will then be passed through to squid for proxy authentication.
>>>
>>>Thanks!
>>>Carissa
>>>
>>>On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
>>><cmerrill at redhat.com> wrote:
>>>
>>>>Kevin Kobb wrote:
>>>>
>>>>>Carissa Srugis wrote:
>>>>>
>>>>>>I've been trying to set up Samba to authenticate users against accounts
>>>>>>existing on a Windows 2003 Server without any backwards capability.
>>>>>>Ideally, this needs to be done without any changes to the Windows 2003
>>>>>>Server.  Users will not be logging into the Samba shares at all.  This
>>>>>>is merely for authentication.
>>>>>>
>>>>>>I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
>>>>>>
>>>>>>This is my smb.conf file:
>>>>>>[global]
>>>>>>     realm = WIN2K3.DOMAIN.LOCAL
>>>>>>     security = ads
>>>>>>     auth methods = winbind
>>>>>>     winbind separator = +
>>>>>>     encrypt passwords = yes
>>>>>>     workgroup = DOMAIN.LOCAL
>>>>>>     netbios name = FREEBSD_Machine
>>>>>>     winbind uid = 10000-20000
>>>>>>     winbind gid = 10000-20000
>>>>>>     winbind enum users = yes
>>>>>>     winbind enum groups = yes
>>>>>>     idmap uid = 10000-20000
>>>>>>     idmap gid = 10000-20000
>>>>>>     password server = WIN2K3.DOMAIN.LOCAL
>>>>>>
>>>>>>So once winbindd is running, I type the following and get these results:
>>>>>>
>>>>>>freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
>>>>>>administrator's password: *password*
>>>>>>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
>>>>>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>>>>>>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
>>>>>> Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>>>>>>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
>>>>>> ads_connect: Permission denied
>>>>>>
>>>>>>In the winbindd log I've also gotten the following error messages at
>>>>>>one point or another:
>>>>>>
>>>>>>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
>>>>>>Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
>>>>>>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
>>>>>>get_trust_pw: could not fetch trust account password for my domain
>>>>>>DOMAIN.LOCAL
>>>>>>
>>>>>>The odd part is when I try to use wbinfo to verify connections.  If I
>>>>>>type "wbinfo -g" it will display the correct group listing from the
>>>>>>win2k3 server.  But nothing else seems to work:
>>>>>>
>>>>>>freebsd_machine# wbinfo -t
>>>>>>checking the trust secret via RPC calls failed
>>>>>>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
>>>>>>Could not check secret
>>>>>>
>>>>>>freebsd_machine# wbinfo -u
>>>>>>Error looking up domain users
>>>>>>
>>>>>>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
>>>>>>Name              : WIN2K3.DOMAIN.LOCAL
>>>>>>Alt_Name          : DOMAIN.LOCAL
>>>>>>SID               : S-0-0
>>>>>>Active Directory  : No
>>>>>>Native            : No
>>>>>>Primary           : Yes
>>>>>>Sequence          : -1
>>>>>>
>>>>>>I'm obviously missing something, but I am at a loss.  Any help is
>>>>>>greatly appreciated!
>>>>>>
>>>>>>Carissa Srugis
>>>>>>
>>>>>You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
>>>>>working nsswitch which I think you will need if you want to log into
>>>>>FreeBSD without a local account, but just an AD account.
>>>>>
>>>>>I have done this on our Windows domain and FreeBSD 5.3 and it works
>>>>>OK. Join the machine to the domain, modify pam files, and
>>>>>nsswitch.conf, and it worked.
>>>>>
>>>>Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
>>>>that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
>>>>your DC?
>>>>
>>>>Christian
>>>>
>>>>--
>>>>To unsubscribe from this list go to the following URL and read the
>>>>instructions:  http://lists.samba.org/mailman/listinfo/samba
>>>>
>>>
>>I just want to make sure the information is correct.  On your 2k3 DC if
>>you go START--Administrator Tools--Active Directory Users & Computers,
>>your directory name should be displayed.  Is it DOMAIN.LOCAL or
>>WIN2K3.DOMAIN.LOCAL?  Also, if you right click on it and select
>>Properties, does a pre-Windows 2000 Domain Name exist?  If so, what is that?
>>
>>Christian
>>
>
Ok, so then:

workgroup=DOMAIN
realm=DOMAIN.LOCAL

Christian
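As an added example (my own shell script, not code from anyone in this thread), here is a small linter that applies the rule in the reply above: `workgroup` is the pre-Windows 2000 (NetBIOS) domain name, `realm` is the AD DNS domain in upper case, and neither of them is the DC's host name. The function and variable names are my own, the two sample configurations are constructed from the values quoted in the thread, and the 15-character NetBIOS name limit is a general fact, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: lint the [global] section of an
# smb.conf for the realm/workgroup confusion discussed above.
# Function and variable names are my own; sample values come from the thread.

# Constructed sample: the configuration from the original post, with the
# realm set to the DC's host name and the workgroup set to the DNS domain.
BAD_CONF='[global]
    realm = WIN2K3.DOMAIN.LOCAL
    security = ads
    workgroup = DOMAIN.LOCAL
    password server = WIN2K3.DOMAIN.LOCAL'

# Constructed sample: the same section with the values from the final reply.
GOOD_CONF='[global]
    realm = DOMAIN.LOCAL
    security = ads
    workgroup = DOMAIN
    password server = WIN2K3.DOMAIN.LOCAL'

# smbconf_get CONF KEY: print the value of KEY from the [global] section
# (key match is case-insensitive; leading/trailing blanks are trimmed).
smbconf_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*\[/ { inglobal = ($0 ~ /^[[:space:]]*\[global\]/); next }
        inglobal && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }'
}

# check_smbconf CONF: print one finding per line; exit status 0 means clean.
check_smbconf() {
    conf=$1; rc=0
    security=$(smbconf_get "$conf" security)
    realm=$(smbconf_get "$conf" realm)
    workgroup=$(smbconf_get "$conf" workgroup)
    pwsrv=$(smbconf_get "$conf" "password server")

    # workgroup is the NetBIOS (pre-Windows 2000) domain name: no dots, 15 chars max.
    case $workgroup in
        *.*) echo "workgroup '$workgroup' contains a dot: use the pre-Windows 2000 name, not the DNS domain"; rc=1 ;;
    esac
    if [ "${#workgroup}" -gt 15 ]; then
        echo "workgroup '$workgroup' exceeds the 15-character NetBIOS limit"; rc=1
    fi

    if [ "$security" = ads ]; then
        # realm is the Kerberos realm: the AD DNS domain name, written in upper case.
        if [ -z "$realm" ]; then
            echo "security = ads but no realm is set"; rc=1
        fi
        case $realm in
            *[[:lower:]]*) echo "realm '$realm' should be upper case"; rc=1 ;;
        esac
        # The original post's mistake: realm set to the DC's FQDN. A realm that
        # equals the password server name is the host, not the domain.
        if [ -n "$pwsrv" ] && [ "$realm" = "$pwsrv" ]; then
            echo "realm '$realm' is the password server's name, i.e. the DC's FQDN, not the domain"; rc=1
        fi
    fi
    return $rc
}

# Run both samples and show the findings.
for name in BAD_CONF GOOD_CONF; do
    eval "conf=\$$name"
    printf '== %s ==\n' "$name"
    if check_smbconf "$conf"; then echo "no findings"; fi
done
```

Running it reports two findings for the original post's section (dotted workgroup, realm equal to the DC's name) and none for the corrected one. After fixing the values, `net ads join` and `wbinfo -t` as used in the thread are the confirmation that the machine account and trust secret are now in order.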
