[Samba] Suppressing the Windows password pop up when using bad user trap for user from trusted domains

Dedhi Sujatmiko dedhi.sujatmiko at gmail.com
Wed Oct 21 04:43:19 MDT 2009

Dear all,

I have a situation where the Samba file server is the ADS domain member 
of DomA, and the DomA is trusting another domain DomB.
Currently the Samba version I am using is 3.0.34 under Solaris 10 Update 
7 with Sun Cluster 3.2 HA solution. I understand that the "trusted 
domains" feature on this release is breaking, thus I cannot make it 
works, and the path to upgrade to 3.2.2 is also not possible since it is 
not supported by Sun Cluster agent.

Therefore I need to have a mechanism to trap the user from DomB, to be 
"bad user", and allowing it to access as "guest" user. The problem I 
have now, when the user from DomB is accessing the share, he/she is 
always presented with the Windows password pop up, which is difficult 
since we want it to be unattended or at least silently login behind the 
application. Only after the user entering bogus username/password, then 
he can access the share as guest user.

Basically if the authentication result is NT_STATUS_LOGON_FAILURE, the 
dekstop will keep asking with pop up screen. Only when the result is 
NT_STATUS_NO_SUCH_USER, it is directed to "guest" account.

What I want is that both authentication failure is mapped to "guest" 
account, and supressing Windows login pop up.

Many thanks in advance,


PS : some information

This is my excerpt of "smb.conf" :

log level = 3
syslog only = no
max log size = 50000
realm = DOMA.PVT
workgroup = DOMA
security = ADS
encrypt passwords = true
unix extensions = yes
password server = ESSBCST1.doma.pvt ESSBCST2.doma.pvt
server string = "SAMBA File Server"
wins server =
domain master = no
local master = no
client schannel = no
client use spnego = yes
interfaces =
bind interfaces only = yes
netbios name=SAM-FS-SAMBA
pid directory = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/var/locks
log file = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/logs/log.%m
smb passwd file = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/private/smbpasswd
private dir = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/private
lock dir = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/var/locks
kernel oplocks = true
oplocks = true

# winbind
winbind separator = /
idmap uid = 11000-19000
idmap gid = 11000-19000
idmap domains = DOMA
idmap config DOMA:backend = rid
idmap config DOMA:default = yes
idmap config DOMA:range = 11000-19000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
allow trusted domains = no
winbind use default domain = yes
template shell = /bin/bash
map to guest = bad password
guest account = nobody

        comment = "Media directory"
        path = /samfs1/omnibus_F/Media
        read only = No
        create mask = 0666
        directory mask = 0775
        writable = yes
        browseable = yes
        guest ok = yes
        case sensitive = true
        default case = lower
        preserve case = no
        short preserve case = no
        level2 oplocks = true

Output from the log :

 check_ntlm_password:  mapped user is: [DOMB]\[TengTM]@[DT06-016654]
[2009/10/21 17:26:26, 1] auth/auth.c:(172)
  check_domain_match: Attempt to connect as user TengTM from domain DOMB 
[2009/10/21 17:26:26, 3] smbd/error.c:(106)
  error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX) 
  check_ntlm_password:  Checking password for unmapped user 
[local]\[ttty]@[DT06-016654] with the new password interface
[2009/10/21 17:26:45, 3] auth/auth.c:(224)
  check_ntlm_password:  mapped user is: [DOMA]\[ttty]@[DT06-016654]
  check_ntlm_password:  Authentication for user [ttty] -> [ttty] FAILED 
[2009/10/21 17:26:45, 3] smbd/sesssetup.c:(45)
  No such user ttty [local] - using guest account

More information about the samba mailing list