[Samba] Samba as Domain Member Server Authentication Problem

Dale Schroeder dale at BriannasSaladDressing.com
Thu Apr 22 11:40:01 MDT 2010


John,

See
http://www.samba.org/samba/history/samba-3.4.0.html
for the authentication changes made in that version.
There is a new parameter to revert to the old behavior.

Dale


On 04/22/2010 8:17 AM, John Lawler wrote:
> I've been working for hours with Samba on Ubuntu Server 9.10 (Samba 
> version 3.4.0), trying to get it set up simply as a fileserver that 
> performs authentication to an NT 4 server (yes, I know, old and out of 
> date).
>
> After much struggling, I finally realized that my configuration *was* 
> working when the clients connecting (from XP, and Win2k clients, 
> mostly) were actually joined to the domain (where the PDC is the NT 4 
> Server) and logged into the domain.
>
> For various reasons, many of the Windows clients at this location 
> don't actually log into the domain, even though they have 
> login/passwords that are valid users on the domain and they'll 
> typically have some drives mapped to the PDC.
>
> By the way, I have this working on another Linux box running Samba 
> 3.0.28, so I'm sure it's possible, I'm just lost as to how to do it.
>
> When I try to connect to a share on my new Samba box, I see entries 
> like these in the logs:
>
> ===================================================================
> [2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user 
> []\[]@[client1] with
> the new password interface
> [2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [FILESRV]\[]@[client1]
> [2010/04/20 15:24:29, 3] auth/auth.c:271(check_ntlm_password)
> check_ntlm_password: guest authentication for user [] succeeded
> [2010/04/20 15:24:29, 0] param/loadparm.c:9783(widelinks_warning)
> Share 'IPC$' has wide links and unix extensions enabled. These 
> parameters are
> incompatible. Wide links will be disabled for this share.
> [2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user 
> [client1]\[user1]@[ILLI
> NI] with the new password interface
> [2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [FILESRV]\[user1]@[client1]
> [2010/04/20 15:24:29, 3] auth/auth_sam.c:282(check_sam_security)
> check_sam_security: Couldn't find user 'user1' in passdb.
> [2010/04/20 15:24:29, 3] auth/auth_winbind.c:54(check_winbind_security)
> check_winbind_security: Not using winbind, requested domain [FILESRV] 
> was for this SAM.
> [2010/04/20 15:24:29, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [user1] -> [user1] FAILED 
> with error
> NT_STATUS_NO_SUCH_USER
> [2010/04/20 15:24:29, 1] smbd/service.c:676(make_connection_snum)
> create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
> ===================================================================
>
> I think the critical part is where it says "Not using winbind, 
> requested domain [FILESRV] was for this SAM". I *do* want it to use 
> winbind and authenticate via the remote NT 4 Server, not locally only.
>
> This is an example on the Samba 3.4.0 box where the login *works*, but 
> I think only because the user is actually logged into the domain:
>
> ===================================================================
> [2010/04/20 15:23:20, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user 
> [DOMNAME]\[client2]@[M
> AILMAN2] with the new password interface
> [2010/04/20 15:23:20, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [DOMNAME]\[client2]@[client2]
> [2010/04/20 15:23:20, 3] auth/auth.c:271(check_ntlm_password)
> check_ntlm_password: winbind authentication for user [client2] succeeded
> [2010/04/20 15:23:20, 2] auth/auth.c:310(check_ntlm_password)
> check_ntlm_password: authentication for user [client2] -> [client2] -> 
> [MAI
> N+user2] succeeded
> [2010/04/20 15:23:20, 0] param/loadparm.c:9783(widelinks_warning)
> Share 'Admin' has wide links and unix extensions enabled. These 
> parameters are
> incompatible. Wide links will be disabled for this share.
> [2010/04/20 15:23:20, 1] smbd/service.c:1062(make_connection_snum)
> user2 (::ffff:192.168.1.5) connect to service Admin initially as user 
> DOMNAME+
> user2 (uid=70030, gid=70005) (pid 4821)
> [2010/04/20 15:23:20, 0] param/loadparm.c:9783(widelinks_warning)
> Share 'Admin' has wide links and unix extensions enabled. These 
> parameters are
> incompatible. Wide links will be disabled for this share.
> [2010/04/20 15:23:20, 1] smbd/service.c:1062(make_connection_snum)
> user2 (::ffff:192.168.1.5) connect to service Admin initially as user 
> DOMNAME+
> user2 (uid=70030, gid=70005) (pid 4821)
> [2010/04/20 15:23:39, 1] smbd/service.c:1241(close_cnum)
> user2 (::ffff:192.168.1.5) closed connection to service Admin
> ===================================================================
>
> This is an example of the same authentication (from user1, *not* 
> logged into the domain) succeeding on Samba 3.0.x:
>
> ===================================================================
> [2010/04/20 16:09:21, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
> all ol
> resources.
> [2010/04/20 16:09:21, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
> all ol
> resources.
> [2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(221)
> check_ntlm_password: Checking password for unmapped user 
> []\[]@[client1] wit
> the new password interface
> [2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(224)
> check_ntlm_password: mapped user is: [DOMNAME]\[]@[client1]
> [2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(270)
> check_ntlm_password: guest authentication for user [] succeeded
> [2010/04/20 16:09:21, 2] lib/access.c:check_access(323)
> Allowed connection from (10.9.0.62)
> [2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(221)
> check_ntlm_password: Checking password for unmapped user 
> [client1]\[user1]@[IL
> NI] with the new password interface
> [2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(224)
> check_ntlm_password: mapped user is: [DOMNAME]\[user1]@[client1]
> [2010/04/20 16:09:21, 3] auth/auth.c:check_ntlm_password(270)
> check_ntlm_password: winbind authentication for user [user1] succeeded
> [2010/04/20 16:09:21, 2] auth/auth.c:check_ntlm_password(309)
> check_ntlm_password: authentication for user [user1] -> [user1] -> 
> [DOMNAME\user1] suceeded
> [2010/04/20 16:09:21, 2] lib/access.c:check_access(323)
> Allowed connection from (10.9.0.62)
> [2010/04/20 16:09:21, 1] smbd/service.c:make_connection_snum(1033)
> client1 (10.9.0.62) connect to service DatabaseBackup initially as 
> user backu
> (uid=10049, gid=10049) (pid 21909)
> ===================================================================
>
> I can provide plenty more information if it would help diagnose the 
> situation. Does anyone have an idea of how I can get this to work? I'm 
> sure it's possible, since the exact scenario worked in a recent 
> version of Samba.
>
> Thanks.
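
An added example, not part of either message: a small parser that pairs each `check_ntlm_password` attempt in a level-3 smbd log with the domain it was mapped to, and flags attempts that were rewritten to a name other than the joined domain and never reached winbind. The sample log is constructed from the layout quoted above, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the Samba 3.4 level-3 layout quoted above (wrapped lines rejoined).
SAMPLE_LOG = r"""
[2010/04/20 15:24:29, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [client1]\[user1]@[client1] with the new password interface
[2010/04/20 15:24:29, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [FILESRV]\[user1]@[client1]
[2010/04/20 15:24:29, 3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [FILESRV] was for this SAM.
[2010/04/20 15:24:29, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/04/20 15:23:20, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMNAME]\[user2]@[client2] with the new password interface
[2010/04/20 15:23:20, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMNAME]\[user2]@[client2]
[2010/04/20 15:23:20, 3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user2] succeeded
"""

ACCOUNT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[[^\]]*\]"   # [DOMAIN]\[user]@[workstation]
EVENTS = re.compile(
    r"unmapped user " + ACCOUNT + r"|mapped user is: " + ACCOUNT
    + r"|(Not using winbind), requested domain"
    + r"|(\w+) authentication for user \[[^\]]*\] succeeded"
    + r"|FAILED with error (\w+)")

def trace_auth(log_text):
    """Return one record per authentication attempt, in log order."""
    text = " ".join(log_text.split())          # rejoin wrapped message lines
    attempts, cur = [], None
    for m in EVENTS.finditer(text):
        sent_dom, sent_user, map_dom, _, skipped, backend, error = m.groups()
        if sent_user is not None:              # "unmapped user" opens a new attempt
            cur = {"user": sent_user, "sent_domain": sent_dom,
                   "mapped_domain": None, "winbind_skipped": False, "result": None}
            attempts.append(cur)
        elif cur is None:                      # event seen before any attempt header
            continue
        elif map_dom is not None:
            cur["mapped_domain"] = map_dom
        elif skipped:
            cur["winbind_skipped"] = True
        elif backend or error:
            cur["result"] = error or backend + " ok"
    return attempts

def local_sam_fallbacks(attempts, member_domain):
    """Attempts mapped away from the joined domain that never reached winbind."""
    return [a for a in attempts
            if a["winbind_skipped"] and a["mapped_domain"] != member_domain]
```

With DOMNAME as the joined domain, only the user1 attempt is flagged: its domain was rewritten to the server's own SAM name, which is the 3.4.0 authentication change the release notes describe, and the parameter they name for restoring the earlier mapping is `map untrusted to domain`.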

