[Samba] Domain Authentication Problem
Johannes Michler
Michler at fzi.de
Thu Mar 16 15:16:35 GMT 2006
I've got similar problems:
When I try to connect to our samba server I get an "Die Anforderung wird
nicht unterstützt" error message.
From our other machines (even some Win2k3 servers) I can access the files,
what could be wrong?
The samba server has the following conf-file:
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
workgroup = FZI
# Name under which the server should be visible - preferably the same as the DNS name
netbios name = goedel
# server string is the equivalent of the NT Description field
server string = SWT Samba Server
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
; hosts allow = 192.168.1. 192.168.2. 127.
hosts allow = ############ 127.
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = yes
# you may wish to override the location of the printcap file
; printcap name = /etc/printcap
# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
; printcap name = lpstat
# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
; printing = bsd
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# this tells Samba to use a separate log file for each machine
# that connects
; log file = /usr/sfw/lib/smb.conf.%m
; log file =/var/samba/log/%m.log
log file =/var/samba/log/smbd.log
# Put a capping on the size of the log files (in Kb).
max log size = 100
security = server
password server = ad
encrypt passwords = yes
os level = 1
# strong encryption for incoming connections
; server NTLMv2 = auto
# strong encryption for outgoing connections
; client NTLMv2 = auto
# Guest access runs under this account
guest account = nobody
# Unknown users are treated as guests
map to guest = Bad User
# Samba does not try to become the master browser
local master = no
# Security mode. Most people will want user level security. See
# security_level.txt for details.
; security = user
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
; password server = <NT-Server-Name>
# Note: Do NOT use the now deprecated option of "domain controller"
# This option is no longer implemented.
# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
; encrypt passwords = yes
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /var/samba/log.%m
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY
# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24
# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
; domain logons = yes
# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat
# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
wins server = ############
# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = yes
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
preserve case = yes
short preserve case = yes
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
case sensitive = no
; mangle case = no
force create mode = 644
force directory mode = 755
map archive = no
#============================ Share Definitions ==============================
[homes]
comment = UNIX Home Directories
browseable = yes
writable = yes
invalid users = root
[fzi]
comment = FZI NFS-Wurzel
path = /fzi
writable = true
[public]
comment = Public Stuff
path = /export/home/samba
public = yes
browseable = yes
writable = yes
printable = no
write list = @swt @rud @dtp
-----Original Message-----
From: On Behalf Of Bradish, Jeff
Sent: Thursday, March 16, 2006 3:16 PM
To: samba at lists.samba.org
Subject: [Samba] Domain Authentication Problem
I have been running Samba 2.2.8 on a Solaris 8 server with a valid NetBIOS
server name on the AD domain. The Samba 2.2.8 configuration was configured
for security = domain. Everything was fine until the AD domain controllers
were "upgraded" to Windows Server 2003 SP1. User authentication would no
longer function with the following error message in the samba 2.2.8 log:
connect_to_domain_password_server: unable to open the domain client session to machine <name>. Error was : NT_STATUS_ACCESS_DENIED.
I was able to point the password server entry to another controller that has
not been upgraded to Server 2003 SP1 and all is fine. Authentication is
processed and granted as expected. Problem is that these controllers are
scheduled to be upgraded to 2003 SP1 in the next few weeks.
So I decided to upgrade Samba to 3.0.21c. Downloaded the pre-compiled version
for Solaris 9 and installed with no problems. I copied the smb.conf and
smbpasswd files from 2.2.8 to 3.0.21c. I did not copy the secrets.tdb file
over, although I did validate the SIDs for each Samba version.
At this point, I cannot get Samba 3.0.21c to be recognized by either Windows
Server 2003 or Windows Server 2003 SP1. I have tried rejoining the domain
with no success. I have verified the SIDs for both Samba
2.2.8 and 3.0.21c.
Some of the 3.0.21c log errors I am seeing are:
cli_nt_create failed on pipe \NETLOGON to machine <name>. Error was NT_STATUS_ACCESS_DENIED
failed to get schannel session key from server <name> for domain <domainname>.
domain_client_validate: Domain password server not available
check_ntlm_password: Authentication for user [id] -> [id] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
If anyone has seen this problem I would greatly appreciate any feedback on
possible work-around or fixes. At this point, I can not get domain security
to work for either Samba version when pointed to a Windows Server 2003 SP1
AD controller.
Thanks
Jeff Bradish
* mailto: jeff.bradish at eds.com