[Samba] RE: TOSHARG: Samba ADS domain membership notes
John H Terpstra
samba at primastasys.com
Wed Oct 13 13:40:30 GMT 2004
Jeremy,
Thanks for this feedback. I will include this info as soon as I get a
moment. Good work.
- John T.
---
John H Terpstra
Samba-Team
email: jht at samba.org
> -------- Original Message --------
> Subject: TOSHARG: Samba ADS domain membership notes
> From: "Jeremy Naylor" <jnaylor at gmail.com>
> Date: Wed, October 13, 2004 5:27 am
> To: jht at samba.org
>
> Hi John,
>
> I ran into a few problems adding a samba machine to my Win2k3 AD
> domain for Squid authentication. I pinned it down to two specific
> settings in the Security Policy on the domain controller. I googled
> for days and found a few other cases of the same problem but never any
> solutions. I finally found them through trial and error. I think
> these two would be good tips to add to the how-to, since the settings
> are recommended by Microsoft as a best practice for security.
>
> At first, I was always getting this message:
>
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
> ads_connect: Strong(er) authentication required
>
> This directly correlated with this setting in the Security Policy:
> Domain Controller: LDAP server signing requirements = Require Signing
> Changing this to "None" got it working as a workaround. I'm still
> trying to get it to work with that enabled.
>
> The other issue I had was testing authentication with "wbinfo -a
> user%pass". That would never succeed, even once I had joined the
> domain. It would always come back with:
>
> plaintext password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user user with challenge/response
>
> It also failed when using the ntlm_auth helper (with basic or NTLM
> authentication). I found out this is because neither wbinfo nor
> ntlm_auth supports NTLMv2, and I had this setting in my Security
> Policy:
>
> Network security: LAN Manager authentication level = Send NTLMv2
> response only\refuse LM & NTLM
>
> I configured Squid for NTLMv2 (ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp) authentication and that worked
> fine. I could have saved a lot of time had I realized the other tools
> would never work.
>
> Thanks!
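Added example, not part of either mail in this thread and not Samba-Team code: the two hardened-DC cases Jeremy describes, written up as a small config generator plus an error classifier so that the "Strong(er) authentication required" and NT_STATUS_WRONG_PASSWORD symptoms map straight to the domain controller policy that produces them. The realm EXAMPLE.LOCAL, workgroup EXAMPLE and helper path /usr/bin/ntlm_auth are assumptions. The smb.conf option "client ldap sasl wrapping = sign" is the member-side counterpart of the DC policy "LDAP server signing requirements = Require signing"; it needs a working Kerberos configuration (security = ads) and is an addition here, not something the thread itself confirms as the fix.

```shell
#!/bin/sh
# Added example, not from the Samba thread. Assumptions (hypothetical):
# realm EXAMPLE.LOCAL, workgroup EXAMPLE, helper /usr/bin/ntlm_auth.

# Emit a minimal [global] section for an ADS member that signs its LDAP
# traffic, so a DC with "LDAP server signing requirements = Require
# signing" accepts the net ads join / ads_connect LDAP bind.
render_smb_conf() {
    realm=$1
    workgroup=$2
    cat <<EOF
[global]
    security = ads
    realm = $realm
    workgroup = $workgroup
    # Sign (or "seal" to also encrypt) the SASL/GSSAPI-wrapped LDAP channel.
    client ldap sasl wrapping = sign
    # Send NTLMv2 responses from Samba's own client code paths (net, smbclient),
    # for DCs set to "Send NTLMv2 response only\refuse LM & NTLM".
    client ntlmv2 auth = yes
    winbind use default domain = yes
    idmap config * : range = 10000-20000
EOF
}

# Emit the Squid auth_param lines for the NTLMSSP helper, which carries the
# browser's own NTLMv2 response through to the DC and so works under the
# NTLMv2-only policy; the basic helper stays as a fallback for clients that
# cannot do NTLM at all.
render_squid_auth() {
    helper=${1:-/usr/bin/ntlm_auth}
    cat <<EOF
auth_param ntlm program $helper --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program $helper --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
EOF
}

# Map one diagnostic line from "net ads join" or "wbinfo -a" to the DC
# policy most likely behind it. Prints exactly one token:
#   ldap-signing  -> "LDAP server signing requirements = Require signing"
#   lm-auth-level -> "LAN Manager authentication level" refuses LM/NTLM;
#                    a genuinely wrong password gives the same status, so
#                    confirm with the squid-2.5-ntlmssp helper before
#                    blaming the policy
#   unknown       -> not one of the two cases from the thread
classify_ads_error() {
    case "$1" in
        *"Strong(er) authentication required"*) echo ldap-signing ;;
        *NT_STATUS_WRONG_PASSWORD*)             echo lm-auth-level ;;
        *)                                      echo unknown ;;
    esac
}

# Read a whole log on stdin and report the distinct policies implicated,
# one per line, in first-seen order.
classify_ads_log() {
    while IFS= read -r line; do
        classify_ads_error "$line"
    done | grep -v '^unknown$' | awk '!seen[$0]++'
}

# Usage (constructed sample lines in the shape of the thread's output):
if [ "${1:-}" = "demo" ]; then
    render_smb_conf EXAMPLE.LOCAL EXAMPLE
    render_squid_auth
    printf '%s\n' \
        '[2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)' \
        'ads_connect: Strong(er) authentication required' \
        'error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)' \
        | classify_ads_log
fi
```

Run it as `sh script.sh demo` to print the two config fragments and the classification of the constructed sample lines; in practice you would pipe the real `net ads join -U admin` or `wbinfo -a user%pass` output into `classify_ads_log`.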