[Samba] Linux Primary Domain Controller Authentication

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Wed Nov 9 13:49:47 GMT 2005


Cynthia Jeness wrote:
> Felipe Augusto van de Wiel wrote:
>> Cynthia Jeness wrote:
>>> I have set up my Linux server as a Primary Domain Controller using Samba
>>> 3. All other computers on the network run various versions of Windows
>>> from 95 to XP. All computers are able to join my Samba domain and the
>>> user computers can log onto the network. However, if they try to
>>> access a file resource on one of the Windows 2003 file servers, the
>>> authentication fails with System Error 1789.
>>
>>     By "they" do you mean "all computers"? Or some particular version?
>> AFAICT, Win95 does not have crypto passwords, which means that it is not
>> going to work properly.
>
> Windows user computers (all versions 98, 2000, XP Pro) can access all
> shared resources on the Linux server. However, if one of these Windows
> user computers attempts to share a resource on the Windows 2003 File
> Server (which did successfully join the domain), then error 1789 is
> returned. Encryption is turned on and the passwords are stored on
> smbpasswd.

	Samba is your PDC and W2k3 is a Member Server that has already
joined the domain. Is the W2k3 able to access the Samba3 shares? Did
you disable "Require Sign or Seal" (I'm not sure if it is needed on
w2k3)?

	What does MS TechNet say about error 1789? (Don't you love these
verbose errors? :D)


>>>> The Windows 2003 file
>>>> server did successfully join my domain. I am not running Winbindd
>>>> primarily because it was not part of the Samba packaging provided by
>>>> Suse. Is it necessary to run Winbindd in order to have the Windows
>>>> 2003 servers validate?
>>
>>     Looks more like a permission problem than a 2003 validation
>> problem. The idea behind winbindd is to share the user list between
>> servers and, from your description, it does not sound like you need it,
>> although there is not enough information to be sure. :-)
>>
>>     Did you map users? Which version of Samba are you running? In
>> which MS Windows versions does the problem occur?
>
> We added the users as regular users on the Linux computer and to the
> smbpasswd file. Except for Administrator which I did map to root, the
> user name on the Windows end user computer is the same as the user name
> on the Linux Samba Primary Domain Controller.

	But did you use net groupmap?


> We are using Samba version 3.0. The latest available from Suse.

	Which minor? 3.0.X where X is?


> If I make the Windows 2003 computer a member of a workgroup and add the
> users directly to the Windows 2003 computer, then the users can access
> resources on the Windows 2003 file server. The error (1789) indicates
> that the Windows 2003 Server cannot verify the user name and password
> against the primary domain controller; i.e., the Linux box. As part of
> one of my Google searches, some news group responder indicated that
> Winbind was necessary to make this work.

	Hmmmm... winbind goes in the other direction, it brings the user
list from another host (samba or windows) to samba. Still looks like a
permission problem. Even if the w2k3 has joined the domain, apparently
it didn't recognize the Samba as PDC or it couldn't bind to it
(permission again).

	As you said, turning it to workgroup works, so it should be a
domain join/bind related problem.

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)