[Samba] Problems with password authentication on Samba as an AD-Member

Ulrich Schwenk Ulrich-schwenk at gmx.de
Tue Jan 23 10:14:55 GMT 2007


I've got some problems with a Samba server. The Samba server is a member
of an Active Directory domain (Win2000); it is NOT the domain controller.
Authentication is Kerberos-based (smb.conf: security=ADS, winbind). The
Samba server is accessed by Windows clients that are domain members and
by some Windows clients that are not. Originally, users who were logged
on to the domain could access the shares simply by typing
\\servername\sharename in the Windows Explorer. Users who were not
logged on to the domain could also access the shares, but were presented
with a password dialog where they had to type a domain user's name and password.

Everything went fine until the domain controller (Win2000) suffered a
severe hardware crash. I restored the installation using an
NT System State backup, following this nice procedure
(http://support.microsoft.com/kb/263532/de -- check out the listbox on
the left side for a translated version). After several days of disaster
recovery, I managed to promote a freshly installed Windows DC and
finally used dcpromo to downgrade the recovered version. Replmon,
dcdiag and netdiag show no errors on the domain controller.

After that, with the new domain controller, everything works fine except
the password-box thing (only with the Samba server; shares offered by
Windows computers can be accessed as before the crash).

Users are only able to use the Samba server when logged in to a
Windows box which is a member of the domain. Otherwise, instead of the
password dialog, a message box appears after a long wait,
saying "file \\servername\sharename not found".

There are no errors reported, neither on the DC nor on the
Samba server. On the Samba server, I found out that I can browse the
shares only by doing

kinit <username>
Password: <mypassword>
smbclient -k -L SERVERNAME

(which gives all the shares immediately)

and not by

smbclient -U<username> -L SERVERNAME
Password: <mypassword>

which leads to 20 seconds of inactivity and then to a timeout message,
saying "session setup failed: the Server did not respond after 20'000

Could anyone provide a hint for this problem? Can I somehow trace the
failure? What exactly happens when the Linux box needs to authenticate
a user from a non-domain-member client?

Thanks a lot for the help!


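The two commands compared in the message exercise different code paths: a client that holds a Kerberos ticket for the Samba server authenticates with that ticket, while a client that cannot get one (a machine that is not a domain member) falls back to a password-based NTLM session setup, which smbd hands to winbindd to validate against the domain controller. The following diagnostic script is an added example, not code from the original post or from the Samba project: it runs the poster's two checks plus a direct winbindd check (`wbinfo -a`) and the trust-secret check (`wbinfo -t`), with a timeout around the password path, and maps the results to the layer that most likely fails. Assumptions: it is run as root on the Samba member server itself, the first argument is the server name used in `\\servername\sharename`, the second is a domain user (in `DOMAIN\user` form if winbind does not use a default domain), coreutils `timeout` and MIT `kinit` (which reads the password from stdin when stdin is not a terminal) are installed, and `smbclient -k` is spelled as in the post (newer Samba releases prefer `--use-kerberos=required`).

```shell
#!/bin/sh
# Added diagnostic script (not from the original post). It exercises the two
# authentication paths compared in the message and names the layer that fails.
# Assumptions: run as root on the Samba member server so that wbinfo and
# smbclient talk to the local winbindd/smbd; $1 is the server name used in
# \\servername\share, $2 is a domain user; coreutils 'timeout' and MIT 'kinit'
# are installed. 'smbclient -k' is spelled as in the post.

set -u

# classify KRB NTLM WBAUTH: map the exit statuses (0 = success) of the three
# probes to a single diagnosis token.
#   KRB    - kinit followed by smbclient -k (ticket path, no password check at the DC)
#   NTLM   - smbclient -U user%pass (the path a non-domain client ends up on)
#   WBAUTH - wbinfo -a user%pass (winbindd -> DC, without smbd in the middle)
classify() {
    if [ "$1" -ne 0 ]; then
        echo kerberos-path          # the ticket path itself is broken
    elif [ "$2" -eq 0 ]; then
        echo both-ok                # server side is fine; look at the client/network
    elif [ "$3" -ne 0 ]; then
        echo winbind-dc-auth        # winbindd cannot validate passwords at the DC
    else
        echo smbd-winbind           # winbindd works, smbd's hand-off to it does not
    fi
}

# explain TOKEN: what to look at next for each diagnosis.
explain() {
    case $1 in
        kerberos-path)   echo "Kerberos path failed: check kinit errors, DNS/SPN of the server, clock skew to the DC." ;;
        both-ok)         echo "Both paths work from the server: look at the client (name resolution, firewall, workgroup/domain name)." ;;
        winbind-dc-auth) echo "winbindd cannot authenticate against the DC: check 'wbinfo -t', 'net ads testjoin' and the machine account on the rebuilt DC." ;;
        smbd-winbind)    echo "winbindd authenticates, but smbd's password session setup does not: raise 'log level' and read log.smbd / log.winbindd." ;;
        *)               echo "unknown diagnosis: $1" ;;
    esac
}

run_diagnostics() {
    server=$1
    user=$2
    printf 'Password for %s: ' "$user"
    stty -echo; read -r pass; stty echo; echo
    log=$(mktemp)

    # Probe 0: is the machine account / trust secret still valid after the DC rebuild?
    wbinfo -t >/dev/null 2>&1 && echo "trust secret: ok" || echo "trust secret: FAILED (wbinfo -t)"

    # Probe 1: winbindd alone, password check against the DC.
    # (user%pass is visible in 'ps' for the duration of the call.)
    wbinfo -a "${user}%${pass}" >/dev/null 2>&1; wbauth=$?

    # Probe 2: Kerberos path, exactly as in the post (kinit, then smbclient -k).
    printf '%s\n' "$pass" | kinit "$user" >/dev/null 2>&1 &&
        timeout 30 smbclient -k -L "$server" >/dev/null 2>&1; krb=$?

    # Probe 3: password path through smbd, debug output kept for tracing.
    # Exit status 124 from 'timeout' means it hung, as described in the post.
    timeout 30 smbclient -U "${user}%${pass}" -L "$server" -d 3 >/dev/null 2>"$log"; ntlm=$?

    echo "kerberos=$krb password=$ntlm wbinfo_auth=$wbauth"
    token=$(classify "$krb" "$ntlm" "$wbauth")
    echo "$token: $(explain "$token")"
    echo "smbclient debug output: $log"
}

if [ "$#" -ge 2 ]; then
    run_diagnostics "$1" "$2"
else
    echo "usage: $0 SERVERNAME DOMAINUSER" >&2
fi
```

For the symptom in the post (Kerberos path immediate, password path hanging until the timeout), the interesting split is between `winbind-dc-auth` and `smbd-winbind`: if `wbinfo -a` also fails after the DC rebuild, the member server's relationship with the new DC is the place to look; if `wbinfo -a` succeeds, the problem sits between smbd and winbindd on the Samba box and the captured `-d 3` output is where to start reading.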