[Samba] SIDs are not resolved in Domain Trust with Windows 2008r2 - resolved

Harald Strack harry at code.de
Mon Apr 12 13:00:59 MDT 2010


Hi,

On Mon, 2010-03-22 at 20:49 +0100, Harald Strack wrote:
> Hi,
> 
> Now, the next problem is that after I set some permissions on a file
> using SAMBA Domain users, logout and login again the SIDs do not get
> resolved anymore. Instead of seeing some Users like "SAMBA\jsmith" I see
> only his SID in the permission dialog. 
> 
> How can I force Windows to resolve the SIDs? 

I checked the registry of W2008R2 and discovered the solution:

You have to disable the policy:

Network security: Allow Local System to use computer identity for NTLM

Details are described here:

http://wiki.ssystems.de/doku.php?id=samba_trust_w2008r2_harald_strack#resolving_sids

A documentation of the whole setup of a Windows 2008 R2 to Samba trust
may now be found here:

http://wiki.ssystems.de/doku.php?id=samba_trust_w2008r2_harald_strack

br

Harald Strack

> 
> Any help is greatly appreciated
> 
> Best Regards
> 
> Harry
> 
> On Mon, 2010-03-22 at 14:25 +0100, Harald Strack wrote:
> > Hi,
> > 
> > our setup is 
> > 
> > Samba 3.3.12 as the Trusted Domain (Domain name: SAMBA)
> > Windows 2008r2 as the Trusting Domain (Domain name: W2008)
> > 
> > The trust itself works quite well: users of the SAMBA Domain are able to
> > log into the workstations of the W2008 domain, and even roaming profiles
> > are working.
> > 
> > However, when I try to configure permissions on a share of the W2008r2
> > server to users from the SAMBA domain (e.g. SAMBA\jsmith), while I am
> > logged in as a user from the W2008 domain (e.g. W2008\Administrator) I
> > do not find any user from the SAMBA domain.
> > 
> > 
> > Background:
> > 
> > Whenever a user wants to access the SAMBA domain, even when he only
> > wants to search users for granting permissions, he has to authenticate
> > first. As far as I know, the user has to authenticate, not the machine.
> > 
> > Now, when I am logged in as a user from another domain (e.g. W2008
> > \Administrator) I cannot authenticate in the SAMBA domain with my actual
> > credentials (desktop single sign-on). However, Windows 2008 R2 tries to
> > authenticate at the SAMBA domain controller several times with the
> > credentials (User: Administrator) of the W2008 domain. 
> > 
> > Samba Log of a SAMBA domain controller:
> > 
> > [2010/03/22 12:07:51,  2] lib/access.c:check_access(406)
> >   Allowed connection from  (10.10.20.167)
> > [2010/03/22 12:07:51,  2] lib/smbldap.c:smbldap_open_connection(890)
> >   smbldap_open_connection: connection opened
> > [2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
> >   check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
> >   check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
> >   check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
> >   check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> > [2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
> >   check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> > 
> > However, earlier versions of Windows tried only once to connect with the
> > wrong credentials, and then a prompt appeared where the user could enter
> > their credentials for the other domain (SAMBA) to gain access to their
> > resources.
> > 
> > Does anyone know a registry setting or something similar that forces
> > W2008R2 to offer me a prompt for credentials if it gets
> > NT_STATUS_NO_SUCH_USER?
> > 
> > Or any other solution? I greatly appreciate any comments!
> > 
> > Best Regards
> > 
> > Harry
> > 


-- 
Harald Strack, Dipl.Inf.(FH)
IT Development

ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin

Tel:     +49 30 805 78 - 101
http://www.ssystems.de
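The fix described in the reply above is a Local Security Policy change on the Windows 2008 R2 side. The script below is an added example (not part of the original post or of Harald's wiki) that applies the same change from an elevated PowerShell prompt and then checks it. It assumes, as documented by Microsoft, that the policy "Network security: Allow Local System to use computer identity for NTLM" is backed by the REG_DWORD value UseMachineId under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = enabled, 0 = disabled, absent = not defined). The SID used in the final check is a constructed placeholder; replace it with one that shows up unresolved in the permissions dialog.

```powershell
# Added example, not code from the original post.
# Disables "Network security: Allow Local System to use computer identity for NTLM"
# by writing UseMachineId=0 under the Lsa key, then verifies the setting and
# tries to resolve a SID from the trusted (SAMBA) domain.
# Run elevated on the W2008 R2 server; LSA reads the value at boot, so reboot
# before testing the SID resolution.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'UseMachineId'   # assumption: registry backing of the policy above

function Get-UseMachineId {
    # Returns $null when the value is absent (policy "Not defined"), else the DWORD.
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

$before = Get-UseMachineId
$shown  = if ($null -eq $before) { 'not defined' } else { $before }
Write-Host "UseMachineId before: $shown"

if ($before -ne 0) {
    # 0 = policy disabled. New-ItemProperty/Set-ItemProperty both work; Set- is
    # used because the Lsa key always exists, but the value may not.
    if ($null -eq $before) {
        New-ItemProperty -Path $lsaKey -Name $valueName -Value 0 -PropertyType DWord | Out-Null
    } else {
        Set-ItemProperty -Path $lsaKey -Name $valueName -Value 0 -Type DWord
    }
}

$after = Get-UseMachineId
if ($after -ne 0) { throw "Failed to disable UseMachineId (current value: $after)" }
Write-Host "UseMachineId after: $after (policy disabled; reboot to apply)"

# Post-reboot check: a SID from the trusted domain should translate to DOMAIN\user.
# Constructed placeholder SID; substitute one taken from the ACL dialog.
$sid = New-Object System.Security.Principal.SecurityIdentifier(
    'S-1-5-21-1111111111-2222222222-3333333333-1105')
try {
    $account = $sid.Translate([System.Security.Principal.NTAccount])
    Write-Host "Resolved: $account"
} catch {
    Write-Host "Still unresolved: $($_.Exception.Message)"
}
```

The same change can be made interactively in secpol.msc under Local Policies, Security Options, or pushed by Group Policy to all member servers that hold shares for the trusted domain. One caveat worth checking before rolling it out: with this policy disabled, a service running as Local System that ends up on NTLM authenticates as a NULL session rather than as the computer account, so confirm that no other service on the server depends on the computer identity over NTLM.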


