[Samba] Domain member server with local users

Daniel Frank Daniel.Frank at unilever.com
Thu Sep 30 13:41:27 GMT 2004


I'm trying to build a samba server that shall substitute one of our NT4
servers but I'm having some problems with setting up the local user account:
The NT4 server was a member of a resource domain (R1) and also had a local
user account named "bcd" which is needed for a boot-cd. Normal users
authenticated through the master domains M1 and M2, which have all the
necessary trusts set up and working.
For samba I'm using 3.0.7-Debian. I've set up winbindd and joined samba to
the domain (security = domain). Authentication is working for domain users
from M1 and M2 so this seems to be fine. Then I've added a linux user bcd
and a samba user bcd (smbpasswd -a bcd) to allow authentication from the
boot-cd. But this does not work, after a few seconds I always get the error
that no logon server is available.
To work around this, I tried to include /etc/samba/%Dauth.conf to let me
create one auth.conf (containing security = user) for the bcd user,
M1auth.conf and M2auth.conf (containing the settings needed for
authenticating against the domain) but according to the log samba always uses
the auth.conf which results in the domain users being unable to authenticate.
Google didn't show anything useful.

How can the non-domain user authenticate against the samba server while the
domain users are still able to access the server? I've attached my config
and a few lines from the log below.

Thanks for taking your time,

Daniel Frank

If it helps here's my config:
workgroup = R1 ; The resource domain. Users are in M1 and M2, all needed trusts are set up and working
server string = CDS Server
announce as = NT Workstation
log file = /var/log/samba/%m
max log size = 100
syslog = 0
security = DOMAIN
invalid users = root
load printers = no
unix charset = iso8859-15
display charset = iso8859-15
idmap uid = 15000-30000
idmap gid = 15000-30000
use sendfile = Yes
winbind separator = +
winbind use default domain = Yes ; Also tried with "no"
winbind enum users = no ; M1 and M2 have several thousand users
winbind enum groups = no
winbind cache time = 15
winbind trusted domains only = yes ; Also tried with "no"
log level = 5 ; I can provide more detailed logs if it's useful.
include = /etc/samba/services.conf ; Only shares in it, so I'm not adding it to the mail. If it's useful, just tell me to post it.

Here are a few lines of the log (I filtered a few lines to keep it smaller):
[2004/09/30 13:53:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/30 13:53:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804)
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info_map(225)
  make_user_info_map: Mapping user []\[BCD] from workstation [pc-525533]
[2004/09/30 13:53:12, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain R1 found.
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info(133)
  attempting to make a user_info for BCD (BCD)
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info(143)
  making strings for BCD's user_info struct
[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info(185)
  making blobs for BCD's user_info struct
[2004/09/30 13:53:12, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[]\[BCD]@[pc-525533] with the new password interface
[2004/09/30 13:53:12, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [R1]\[BCD]@[pc-525533]
[2004/09/30 13:53:43, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [BCD] FAILED with
[2004/09/30 13:53:43, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [BCD] -> [BCD] FAILED with
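
An added example, not part of the original post: a small Python parser for the log format quoted above that pairs the domain mapping with the auth-module failure and reports how long the attempt took. The sample input is constructed from lines in the post; the function name `trace_logons` and the record field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the log excerpt quoted in the post.
SAMPLE_LOG = r"""[2004/09/30 13:53:12, 5] auth/auth_util.c:make_user_info_map(225)
  make_user_info_map: Mapping user []\[BCD] from workstation [pc-525533]
[2004/09/30 13:53:12, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [R1]\[BCD]@[pc-525533]
[2004/09/30 13:53:43, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [BCD] FAILED with
[2004/09/30 13:53:43, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [BCD] -> [BCD] FAILED with
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +\d+\] ")
MAP_RE = re.compile(r"Mapping user \[(.*?)\]\\\[(.*?)\] from workstation \[(.*?)\]")
MAPPED_RE = re.compile(r"mapped user is: \[(.*?)\]\\\[(.*?)\]@")
FAIL_RE = re.compile(r"(\w+) authentication for user \[(.*?)\] FAILED")


def trace_logons(log):
    """Hypothetical helper: one record per auth-module failure."""
    results, pending, stamp = [], {}, None
    for line in log.splitlines():
        header = HEADER.match(line)
        if header:  # header line carries the timestamp for the message below it
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
        elif (m := MAP_RE.search(line)):
            pending[m.group(2).upper()] = {
                "user": m.group(2), "client_domain": m.group(1),
                "workstation": m.group(3), "mapped_domain": None, "start": stamp,
            }
        elif (m := MAPPED_RE.search(line)) and m.group(2).upper() in pending:
            pending[m.group(2).upper()]["mapped_domain"] = m.group(1)
        elif (m := FAIL_RE.search(line)) and m.group(2).upper() in pending:
            rec = pending.pop(m.group(2).upper())
            rec["method"] = m.group(1)
            rec["seconds"] = (stamp - rec.pop("start")).total_seconds()
            # Client sent no domain, yet the server filled one in before authenticating.
            rec["domain_filled_in"] = rec["client_domain"] == "" and bool(rec["mapped_domain"])
            results.append(rec)
    return results


if __name__ == "__main__":
    for r in trace_logons(SAMPLE_LOG):
        print(r)
```

On the quoted excerpt this reports that the client sent an empty domain, the server mapped it to R1, and the winbind attempt failed 31 seconds later.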
