[Samba] ADS users authentication problem where win2k and pre-win2k names of user differ

Arvind Deshpande pilyad at gmail.com
Wed Jul 18 11:17:34 GMT 2007


Hello,

I am new to the list and this is my first posting to the list.

I have an ADS running on Win2k3 in Native Mode. I have a user created in
ADS. While creating the user I specified the "Win2K name of user" as
testbug and the "Pre-Win2k Name of user" as bugtest. Essentially they are
not the same and do differ.
I have Samba 3.0.25d running on Fedora Core 7, which has joined this ADS
domain.

I also have a share whose definition goes as

[myshare]
   comment = Mary's and Fred's stuff
   path = /music
   valid users = "DOMAIN\testbug" "DOMAIN\foobar"
   public = no
   writable = yes
   printable = no
   create mask = 0765

Security is set to ADS and the realm is specified correctly.

Now when I try to map this share through Samba as //10.52.10.20/myshare
using the username DOMAIN\testbug, authentication fails. The NTLMSSP
authentication mechanism is tried (I have seen the Wireshark logs) and ADS
returns the error NT_STATUS_USER_NOT_FOUND.
When I provide the user "DOMAIN\bugtest" (the pre-win2k user), I can see in
the logs that authentication is successful. Basically, in the winbindd logs
I see PAM returning 0. Furthermore, after authentication winbindd gets the
valid users list and tries to verify that "DOMAIN\bugtest" is indeed in the
valid users list. As you can see in the share definition, that user is not
there. Hence winbindd does not allow access to the share in spite of
successful authentication.

If I specify the user as "DOMAIN\foobar" for the authentication from Windows
everything is hunky dory and user foobar is able to mount the share.

So in essence: "When the win2k and pre-win2k names of a user differ, I am not
able to mount the share using the win2k name of the user."

Has anyone ever faced this issue? Or aware of any solution?

Thanks for the help.

Arvind Deshpande

