[Samba] Domain Authentication Problem

Johannes Michler Michler at fzi.de
Thu Mar 16 15:16:35 GMT 2006

I've got similar Problems:
When I try to connect to our samba server I get an "Die Anforderung wird
nicht unterstützt" Error Message. 
>From our other Machines (even some Win2k3 Servers) I can access the Files,
what could be wrong?

The samba server has the following conf-file:

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not many any basic syntactic errors.
#======================= Global Settings

# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
   workgroup = FZI

# Unter welchem Namen soll der Server sichtbar sein - vorzugsweise gleich
dem DNS-Namen
   netbios name = goedel

# server string is the equivalent of the NT Description field
   server string = SWT Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.
   hosts allow = ############  127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
;   log file = /usr/sfw/lib/smb.conf.%m
;   log file =/var/samba/log/%m.log
   log file =/var/samba/log/smbd.log

# Put a capping on the size of the log files (in Kb).
   max log size = 100

        security = server
        password server = ad
        encrypt passwords = yes
        os level = 1

# starke Verschluesselung fuer eingehende Verbindungen
;   server NTLMv2 = auto

# starke Verschluesselung fuer ausgehende Verbindungen
;  client NTLMv2 = auto

# Gastzugriffe laufen unter diesem Account
   guest account = nobody

# Unbekannte Benutzer werden als Gast behandelt
   map to guest = Bad User

# Samba versucht nicht, Masterbrowser zu werden
   local master = no

# Security mode. Most people will want user level security. See
# security_level.txt for details.
;   security = user

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Note: Do NOT use the now deprecated option of "domain controller"
# This option is no longer implemented.

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
;  encrypt passwords = yes

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;    include = /var/samba/log.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#         SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces =

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT
;   wins server = w.x.y.z
        wins server = ############

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = yes

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
   preserve case = yes
   short preserve case = yes
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
   case sensitive = no
;   mangle case = no

   force create mode = 644
   force directory mode = 755
   map archive = no

#============================ Share Definitions
   comment = UNIX Home Directories
   browseable = yes
   writable = yes
   invalid users = root

   comment = FZI NFS-Wurzel
   path = /fzi
   writable = true

   comment = Public Stuff
   path = /export/home/samba
   public = yes
   browseable = yes
   writable = yes
   printable = no
   write list = @swt @rud @dtp

-----Original Message-----
From: On Behalf Of Bradish, Jeff
Sent: Thursday, March 16, 2006 3:16 PM
To: samba at lists.samba.org
Subject: [Samba] Domain Authentication Problem

I have been running Samba 2.2.8 on a Solaris 8 server with a valid NetBIOS
server name on the AD domain. The Samba 2.2.8 configuration was configured
for security = domain. Everything was fine until the AD domain controllers
were "upgraded" to Windows Server 2003 SP1. User authentication would no
longer function with the following error message in the samba 2.2.8 log:

connect_to_domain_password_server: unable to open the domain client session
to machine <name>. Error was : NT_STATUS_ACCESS_DENIED.

I was able to point the password server entry to another controller that has
not been upgraded to Server 2003 SP1 and all is fine. Authentication is
processed and granted as expected. Problem is that these controllers are
scheduled to be upgraded to 2003 SP1 in the next few weeks.

So decided to upgrade Samba to 3.0.21c. Downloaded the pre-compiled version
for Solaris 9 and installed with no problems. I copied the smb.conf and
smbpasswd files from 2.2.8 to 3.0.21c. I did not copy the secrets.tdb file
over, although I did validate the SIDs for each Samba version.

At this point, I cannot get Samba 3.0.21c to be recognized by either Windows
Server 2003 or Windows Server 2003 SP1. I have tried rejoining the domain
with no success. I have verified the SIDs for both Samba
2.2.8 and 3.0.21c.

Some of the 3.0.21c log errors I am seeing are:
cli_nt_create failed on pipe \NETLOGON to machine <name>.  Error was
NT_STATUS_ACCESS_DENIED failed to get schannel session key from server
<name> for domain <domainname>.
domain_client_validate: Domain password server not available
check_ntlm_password:  Authentication for user [id] -> [id] FAILED with error

If anyone has seen this problem I would greatly appreciate any feedback on
possible work-around or fixes. At this point, I can not get domain security
to work for either Samba version when pointed to a Windows Server 2003 SP1
AD controller.


Jeff Bradish
* mailto: jeff.bradish at eds.com

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list