[Samba] AD integration and machine account access to shares

Andersson Fredrik Fredrik.Andersson at tetrapak.com
Thu Sep 3 05:52:51 MDT 2009

Dear all,

I'm facing a weird problem that I can't seem to find any information about.
I have joined a machine running Samba 3.2 to an Active Directory environment (security = ads).
Even though user and group access works perfectly, when I try to access with a machine account, it fails to map it.
"libsmb/ntlmssp.c:ntlmssp_server_auth(745)  Got user=[] domain=[] workstation=[SERVERNAME] len1=1 len2=0"
is the only thing I get in the log, after which it falls back to anonymous log-on and maps to guest.

I find this odd, seeing as Winbind has no issues retrieving info about machine accounts and their group memberships.

I would greatly appreciate any pointers here, as I've not been able to find anything in the documentation or on various forums.

Thanks & Regards,

Relevant info from smb.conf:


workgroup = AD1
security = ADS
server string = LINUXBOX
encrypt passwords = Yes
username level = 0
map to guest = Bad User
null passwords = yes
max log size = 10
os level = 32
preferred master = Yes
dns proxy = No
config file = /etc/config/smb.conf
smb passwd file=/etc/config/smbpasswd
username map = /etc/config/smbusers
guest account = guest
directory mask = 0777
create mask = 0777
#enable asu support = no
force unknown acl user = yes

log level = 10
log file = /usr/local/samba/lib/log.%m
include = /usr/local/samba/lib/smb.conf.%m

oplocks = yes
locking = yes
disable spoolss = yes
load printers = no
dos charset = UTF8
force directory security mode = 0000
template shell = /bin/sh
veto files = /.AppleDB/.AppleDouble/.AppleDesktop/:2eDS_Store/Network Trash Folder/Temporary Items/TheVolumeSettingsFolder/.@__thumb/.@__desc/
delete veto files = yes
map archive = yes
map system = yes
map hidden = yes
map read only = yes
deadtime = 10
ldap suffix = dc=AD1,dc=DOMAIN,dc=COM
use sendfile = yes
case sensitive = auto
display charset = UTF8
unix extensions = no
wins support = no
realm = ad1.domain.com
password server = adserver.ad1.domain.com
pam password change = yes
winbind separator = +
idmap uid = 30001-300000
idmap gid = 30001-300000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 3600
winbind use default domain = Yes
winbind nested groups = Yes
obey pam restrictions = yes
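
Added example, not part of the original post: a small triage script that scans a Samba log for the ntlmssp_server_auth line quoted above, counts the logons that arrived with an empty user and domain per workstation, and reports them next to the "map to guest" value from smb.conf. The function names and the sample log and config are constructed for illustration; the default of "Never" for an unset "map to guest" is Samba's documented default.

```python
import re
from collections import Counter

# Debug line format as quoted in the post (libsmb/ntlmssp.c, Samba 3.2).
# \s+ also covers real log files, where the message sits on the line after
# the file:function(line) header. len1/len2 are the LM/NT response lengths.
AUTH_RE = re.compile(
    r"ntlmssp_server_auth\(\d+\)\s+Got user=\[(?P<user>[^\]]*)\] "
    r"domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\] "
    r"len1=(?P<len1>\d+) len2=(?P<len2>\d+)"
)

def anonymous_auths(log_text):
    """Count NTLMSSP logons with empty user and domain, per workstation."""
    hits = Counter()
    for m in AUTH_RE.finditer(log_text):
        if m["user"] == "" and m["domain"] == "":
            hits[m["ws"]] += 1
    return hits

def smb_option(conf_text, name):
    """Last value set for a parameter; names ignore case and whitespace."""
    want = "".join(name.split()).lower()
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if "".join(key.split()).lower() == want:
            value = val.strip()
    return value

def guest_fallback_report(log_text, conf_text):
    """(workstation, anonymous logon count, map-to-guest policy) tuples."""
    policy = smb_option(conf_text, "map to guest") or "Never"  # Samba default
    return [(ws, n, policy) for ws, n in sorted(anonymous_auths(log_text).items())]

# Constructed sample input: the first line is the one from the post,
# the second is a made-up named logon for contrast.
SAMPLE_LOG = """\
libsmb/ntlmssp.c:ntlmssp_server_auth(745)  Got user=[] domain=[] workstation=[SERVERNAME] len1=1 len2=0
libsmb/ntlmssp.c:ntlmssp_server_auth(745)  Got user=[alice] domain=[AD1] workstation=[PC42] len1=24 len2=24
"""
SAMPLE_CONF = "security = ADS\nmap to guest = Bad User\nguest account = guest\n"

if __name__ == "__main__":
    for ws, n, policy in guest_fallback_report(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{ws}: {n} anonymous NTLMSSP logon(s); map to guest = {policy}")
```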

