[Samba] Problem with "Security=ADS" and domain users after upgrading to 3.0.23c

Svinopas Evgnatyevich svinopas at gmail.com
Tue Sep 5 09:29:11 GMT 2006


Hello all,

I am not sure if this is a bug or a feature of the newly released Samba 3.0.23c.
I had this samba.conf working fully ok for smbd 3.0.23b :

[global]
        map to guest = Bad User
        guest account = nobody
        disable netbios = Yes
        lanman auth = No
        unix charset = ISO8859-15
        display charset = ISO8859-15
        printing = bsd
        workgroup = OAAD
        realm = OA.PNRAD.NET
        security = ADS

[public]
        path = /srv/www/htdocs/public
        valid users = nazaand, orloale
        write list = nazaand, orloale
        force group = public
        create mask = 0660
        directory mask = 0770
        browseable = No

As soon as I upgraded to 3.0.23c I encountered the following problem.
If I try to map the [public] share from a simple standalone PC, which
does not belong to a domain, everything works fine (I am being asked
for a username and password and I enter "nazaand" as the username and
the corresponding password).
However, if I try to map the same share from the PC which belongs to
the domain "OA.PNRAD.NET" the authentication fails, unless I enter
"localhost\nazaand" as the username. With 3.0.23b I did not need to
enter any username/password when mapping the share from the domain PC,
because I was already logged in with the right account in the domain.

I have studied the level 3 log file, and see that the authentication is
performed differently now when the domain PC is used. For the PC that
is not in the domain I have this in the log:

Got user=[nazaand] domain=[PC35355] workstation=[PC35355] len1=24 len2=24
check_ntlm_password:  mapped user is: [OAAD]\[nazaand]@[PC35355]
check_ntlm_password: winbind authentication for user [nazaand] succeeded

For the domain PC nothing like that is present. Instead I get this:

Ticket name is [PC35355$@OA.PNRAD.NET]
Username OAAD\PC35355$ is invalid on this system
error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
...
Ticket name is [NAZAAND@OA.PNRAD.NET]
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
error packet at smbd/sesssetup.c(339) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE

Finally, if on the domain PC I enter "localhost\nazaand" as my
username, then the share does get mapped and the following is in the
log:

Got user=[nazaand] domain=[localhost] workstation=[PC3535] len1=24 len2=24
check_ntlm_password:  Checking password for unmapped user
[localhost]\[nazaand]@[PC3535] with the new password interface
check_ntlm_password:  mapped user is: [OAAD]\[nazaand]@[PC3535]
check_ntlm_password: winbind authentication for user [nazaand] succeeded

It is obvious that the authentication breaks at the "Ticket name is
[NAZAAND@OA.PNRAD.NET] - NO SUCH USER" part (in the domain). So my
question is basically, is this the intended behaviour? If so, how can
I make it work again the same way 3.0.23b did?

Regards,

Andrei Nazarenko
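
The following is an added example, not part of the original post and not Samba project code: a small triage script that groups level 3 smbd log lines like the ones quoted above into session setup attempts, labelling each as NTLM or Kerberos and recording its outcome. The function name `classify`, the regular expressions and the record fields are assumptions made for this illustration; the sample log is constructed from the lines in the post.

```python
import re

# Constructed sample: the level 3 log lines quoted in the post, with the
# list archive's " at " obfuscation written back as "@".
SAMPLE_LOG = r"""Got user=[nazaand] domain=[PC35355] workstation=[PC35355] len1=24 len2=24
check_ntlm_password:  mapped user is: [OAAD]\[nazaand]@[PC35355]
check_ntlm_password: winbind authentication for user [nazaand] succeeded
Ticket name is [PC35355$@OA.PNRAD.NET]
Username OAAD\PC35355$ is invalid on this system
error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
Ticket name is [NAZAAND@OA.PNRAD.NET]
make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER!
error packet at smbd/sesssetup.c(339) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

NTLM_START = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")
KRB_START = re.compile(r"Ticket name is \[([^\]]+)\]")
NTLM_OK = re.compile(r"winbind authentication for user \[[^\]]*\] succeeded")
FAIL_REASON = re.compile(r"Username .+ is invalid on this system"
                         r"|make_server_info_info3 failed: \w+")

def classify(log_text):
    """Group log lines into session setup attempts, one dict per attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        ntlm, krb = NTLM_START.search(line), KRB_START.search(line)
        if ntlm or krb:
            # A new attempt starts at an NTLM "Got user" or a Kerberos ticket line.
            ident = f"{ntlm.group(2)}\\{ntlm.group(1)}" if ntlm else krb.group(1)
            cur = {"mech": "ntlm" if ntlm else "kerberos", "identity": ident,
                   # Principal names ending in "$" are computer accounts.
                   "machine_account": ident.split("@")[0].endswith("$"),
                   "outcome": "unknown", "reason": None}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore lines seen before any attempt has started
        elif NTLM_OK.search(line):
            cur["outcome"] = "success"
        elif (why := FAIL_REASON.search(line)):
            cur["reason"] = why.group(0)
        elif "NT_STATUS_LOGON_FAILURE" in line:
            cur["outcome"] = "failure"
    return attempts

if __name__ == "__main__":
    for attempt in classify(SAMPLE_LOG):
        print(attempt)
```

Run over the sample, it separates the failed Kerberos attempt for the workstation's computer account from the failed attempt for the user principal, next to the NTLM attempt that succeeded.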