[Samba] Samba as Domain Member Server Authentication Problem

John Lawler lists.samba.org at tgice.com
Thu Apr 22 07:17:50 MDT 2010 

I've been working for hours with Samba on Ubuntu Server 9.10 (Samba 
version 3.4.0), trying to get it setup simply as a fileserver that 
performs authentication to an NT 4 server (yes, I know, old and out of 
date).

After much struggling, I finally realized that my configuration *was* 
working when the clients connecting (from XP, and Win2k clients, mostly) 
were actually joined to the domain (where the PDC is the NT 4 Server) 
and logged into the domain.

For various reasons, many of the Windows clients at this location don't 
actually log into the domain, even though they have login/passwords that 
are valid users on the domain and they'll typically have some drives 
mapped to the PDC.

By the way, I have this working on another Linux box running Samba 
3.0.28, so I'm sure it's possible, I'm just lost as to how to do it.

When I try to connect to a share on my new Samba box, I see entries like 
these in the logs:

===================================================================
[2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user []\[]@[client1] 
with
the new password interface
[2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [FILESRV]\[]@[client1]
[2010/04/20 15:24:29, 3] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: guest authentication for user [] succeeded
[2010/04/20 15:24:29, 0] param/loadparm.c:9783(widelinks_warning)
Share 'IPC$' has wide links and unix extensions enabled. These 
parameters are
incompatible. Wide links will be disabled for this share.
[2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user 
[client1]\[user1]@[ILLI
NI] with the new password interface
[2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [FILESRV]\[user1]@[client1]
[2010/04/20 15:24:29, 3] auth/auth_sam.c:282(check_sam_security)
check_sam_security: Couldn't find user 'user1' in passdb.
[2010/04/20 15:24:29, 3] auth/auth_winbind.c:54(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [FILESRV] 
was for this SAM.
[2010/04/20 15:24:29, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [user1] -> [user1] FAILED 
with error
NT_STATUS_NO_SUCH_USER
[2010/04/20 15:24:29, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
===================================================================

I think the critical part is where it says "Not using winbind, requested 
domain [FILESRV] was for this SAM" I *do* want it to use winbind and 
authenticate via the remote NT 4 Server, not locally only.

This is an example on the Samba 3.4.0 box where the login *works*, but I 
think only because the user is actually logged into the domain:

===================================================================
[2010/04/20 15:23:20, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user 
[DOMNAME]\[client2]@[M
AILMAN2] with the new password interface
[2010/04/20 15:23:20, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [DOMNAME]\[client2]@[client2]
[2010/04/20 15:23:20, 3] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: winbind authentication for user [client2] succeeded
[2010/04/20 15:23:20, 2] auth/auth.c:310(check_ntlm_password)
check_ntlm_password: authentication for user [client2] -> [client2] -> [MAI
N+user2] succeeded
[2010/04/20 15:23:20, 0] param/loadparm.c:9783(widelinks_warning)
Share 'Admin' has wide links and unix extensions enabled. These 
parameters are
incompatible. Wide links will be disabled for this share.
[2010/04/20 15:23:20, 1] smbd/service.c:1062(make_connection_snum)
user2 (::ffff:192.168.1.5) connect to service Admin initially as user 
DOMNAME+
user2 (uid=70030, gid=70005) (pid 4821)
[2010/04/20 15:23:20, 0] param/loadparm.c:9783(widelinks_warning)
Share 'Admin' has wide links and unix extensions enabled. These 
parameters are
incompatible. Wide links will be disabled for this share.
[2010/04/20 15:23:20, 1] smbd/service.c:1062(make_connection_snum)
user2 (::ffff:192.168.1.5) connect to service Admin initially as user 
DOMNAME+
user2 (uid=70030, gid=70005) (pid 4821)
[2010/04/20 15:23:39, 1] smbd/service.c:1241(close_cnum)
user2 (::ffff:192.168.1.5) closed connection to service Admin
===================================================================

This is an example of the same authentication (from user1, *not* logged 
into the domain) succeeding on Samba 3.0.x:

===================================================================
[2010/04/20 16:09:21, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all ol
resources.
[2010/04/20 16:09:21, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all ol
resources.
[2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user []\[]@[client1] wit
the new password interface
[2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [DOMNAME]\[]@[client1]
[2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: guest authentication for user [] succeeded
[2010/04/20 16:09:21, 2] lib/access.c:check_access(323)
Allowed connection from (10.9.0.62)
[2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user 
[client1]\[user1]@[IL
NI] with the new password interface
[2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [DOMNAME]\[user1]@[client1]
[2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: winbind authentication for user [user1] succeeded
[2010/04/20 16:09:21, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: authentication for user [user1] -> [user1] -> 
[DOMNAME\user1] suceeded
[2010/04/20 16:09:21, 2] lib/access.c:check_access(323)
Allowed connection from (10.9.0.62)
[2010/04/20 16:09:21, 1] smbd/service.c:make_connection_snum(1033)
client1 (10.9.0.62) connect to service DatabaseBackup initially as user 
backu
(uid=10049, gid=10049) (pid 21909)
===================================================================

I can provide plenty more information if it would help diagnose the 
situation. Does anyone have an idea of how I can get this to work? I'm 
sure it's possible, since the exact scenario worked in a recent version 
of Samba.

Thanks.

More information about the samba mailing list