[Samba] Transparent authentication issues

Robert Settle robert.settle at platinumsolutions.com
Mon Mar 6 16:43:43 GMT 2006


I am having issues getting my Windows clients (all WinXP) in a 2003 AD
domain to transparently authenticate to my Samba (version 3.0.10-1.4E.2)
server.  I had this previously working before I changed the name of the
server.  After changing the name of the server in smb.conf, I ran the
same init commands such as kinit, net ads join, and so on.  I had also
deleted the previous computer object in AD, and a new object did appear
after the 'net ads join'.  In WINS, the samba server is showing up with
the correct name, IP, and record types (x00, x03, x20).

 

When clients try to hit the server via explorer (\\mysambaserver
<file:///\\mysambaserver> ), it pops up a dialog asking for the
user/pass.  The user is specified as SAMBASERVER\username instead of the
default domain.  Using Ethereal, I see the following sequence:

 

1)       Client requests DNS resolution and WINS resolution (x20 type
record) of sambaserver from domain controller (dns/wins server)

2)       Domain controller responds with correct IP for both requests


3)       Client establishes a successful TCP connection to TCP 445 on
the sambaserver

4)       Client sends a Session request to sambaserver<x20>

5)       Sambaserver sends back a Positive session response

6)       Client sends a Negotiate Protocol Request to sambaserver

7)       Sambaserver responds with a Negotiate Protocol Response.  I
noticed in the response 'Primary Domain: MYDOMAIN' which is correct.
(turned spnego off to see this)

8)       Client then sends a name query to the domain controller (wins
server) asking for the x1C (domain controller) record of sambaserver.

9)       Wins server responds back with failure (correct response)

 

If I change the login prompt to MYDOMAIN\username and enter my domain
password, the login is successful.  The problem is apparent in Item 8.
Why is my client requesting the x1C (domain controller) record of my
samba server?  What would cause it to think sambaserver is not a part of
the domain and thus not use the domain credentials?

 

Here is the config for the server:

 

-----------------------------------------------------------------------

 

[global]

workgroup = MYDOMAIN

netbios name = sambaserver

server string = File Server (sambaserver)

 

nt acl support = yes

map acl inherit = yes

obey pam restrictions = yes

winbind enum users = yes

winbind enum groups = yes

idmap uid = 16777216-33554431

idmap gid = 16777216-33554431

template shell = /bin/bash

template homedir = /home/%U

winbind use default domain = yes

 

wins server = 192.168.0.200

 

log file = /var/log/samba/%m.log

log level = 3

max log size = 100

security = ADS

realm = MYDOMAIN.COM

password server = dc.mydomain.com

 

encrypt passwords = yes

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

local master = no

domain master = no

preferred master = no

domain logons = no

name resolve order = wins host

dns proxy = no

-----------------------------------------------------------------------

 

 

Any help/insight would be appreciated.

 

Thanks,

- Rob



More information about the samba mailing list