[Samba] Windows 2000 Authentication

Fri Oct 13 19:13:17 GMT 2006

Hi community.
Let me tell you what happed to me.
I configure samba to authenticate to an LDAP server, everything wokrs
perfect, I got rid of the /etc/passwd file, now all
my users reside in the LDAP database, I can connect via ssh for example
without any problem, getent passwd returns the
information as expected, till here just like a sharm.

No, I connect from a windows 2000 client as root/administrator, no problem
with that, now I try to connect as a regular user
and a pop up displays saying that I have not have access to logon to this
session.
This is my smb.conf
Any help will be apreciated..

[global]

workgroup = NETWARRIOR
netbios name = PDC Server
server string = Net Warrior PDC Server
smb ports = 139
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
;printer admin = decoder
username map = /etc/samba/smbusers
map to guest = Never
logon path = \\%L\profiles\%U
logon home = \\%L\%U
logon drive = P:
logon script = netlogon\logon.bat
interfaces = eth0, lo

bind interfaces only = Yes

;passdb backend = tdbsam

passdb backend = ldapsam:ldap://127.0.0.1

pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .

unix password sync = no
log file = /var/log/samba/%m
log level = 2
syslog = 0
time server = Yes
domain logons = Yes
preferred master = Yes
wins support = yes
;invalid users = root

;utmp = Yes
map acl inherit = Yes
;veto files = /*.eml/*.nws/*.{*}/
;veto oplock files = /*.doc/*.xls/*.mdb/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
# Inactividad ?
;deadtime = 10

# Virus Scanning Definition
;vfs object = vscan-clamav
;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# Por si quiero LDAP
ldap suffix = dc=netwarrior,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap admin dn = cn=Manager,dc=netwarrior,dc=com
ldap ssl = no
ldap passwd sync = Yes
idmap uid = 15000-20000
idmap gid = 15000-20000

# Path to IDEALX scripts
add user script = /usr/local/sbin//smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -t 0 -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /usr/local/sbin/sbin/smbldap-usermod -g '%g' '%u'
#add machine script = /usr/bin/smbpasswd -a -m %u

[homes]
comment = Home Directories
valid users = @"Domain Users" @"Domain Admins"
browseable = no
read only = No
inherit permissions = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
browsable = No

[profiles]
comment = Network Profiles Service
path = %H
browsable = No
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
valid users = @"Domain Users" @"Domain Admins"

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[Data]
comment = Shared
path = /opt/data
valid users = @"Domain Users" @"Domain Admins"

This is what the log shows, nothing else, no errors.

check_ntlm_password: authentication for user [netwarrior] -> [netwarrior] ->
[netwarrior] succeeded
[2006/10/12 23:21:48, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2670)
Returning domain sid for domain NETWARRIOR ->
S-1-5-21-2088455510-1489263592-2722087797
[2006/10/12 23:21:48, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: netwarrior

When I log as administrator I can see connecting to share resource, profile
resource and so on.

Thanks guys for your time.