[Samba] Cannot access samba users from Windows Server 2008 r2 trust

Harald Strack harry at code.de
Mon Mar 22 07:25:41 MDT 2010


Hi,

Our setup is:

Samba 3.3.12 as the Trusted Domain (Domain name: SAMBA)
Windows 2008r2 as the Trusting Domain (Domain name: W2008)

The trust itself works quite well, users of the SAMBA Domain are able to
log into the workstations of the W2008 domain and even roaming profiles
are working.

However, when I try to configure permissions on a share of the W2008r2
server to users from the SAMBA domain (e.g. SAMBA\jsmith), while I am
logged in as a user from the W2008 domain (e.g. W2008\Administrator) I
do not find any user from the SAMBA domain.


Background:

Whenever a user wants to access the SAMBA domain, even when he only
wants to search users for granting permissions, he has to authenticate
first. As far as I know, the user has to authenticate, not the machine.

Now, when I am logged in as a user from another domain (e.g.
W2008\Administrator) I cannot authenticate in the SAMBA domain with my actual
credentials (desktop single sign-on). However, Windows 2008 R2 tries to
authenticate at the SAMBA domain controller several times with the
credentials (User: Administrator) of the W2008 domain.

Samba Log of a SAMBA domain controller:

[2010/03/22 12:07:51,  2] lib/access.c:check_access(406)
  Allowed connection from  (10.10.20.167)
[2010/03/22 12:07:51,  2] lib/smbldap.c:smbldap_open_connection(890)
  smbldap_open_connection: connection opened
[2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER

However, earlier versions of Windows tried only once to connect with the
wrong credentials, and then a prompt appeared where the user could enter
their credentials in the other domain (SAMBA) to gain access to their
resources.

Does anyone know a registry setting or something similar that forces W2008R2
to offer me a prompt for credentials if it gets an
NT_STATUS_NO_SUCH_USER?

Or any other solution? I greatly appreciate any comments!

Best Regards

Harry

-- 
Harald Strack, Dipl.Inf.(FH)
IT Development

ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin

http://www.ssystems.de
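
The repeated failures in the log above can be counted per client and user on the Samba side. The following is an added example, not part of the original post and not Samba code; it assumes the Samba 3.x two-line log layout shown in the post, attributes each failure to the most recently logged "Allowed connection" address, and its function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Samba 3.x log entries are a header line followed by an indented message line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] ")
CLIENT = re.compile(r"Allowed connection from .*\(([\d.]+)\)")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\w+)")

def parse_failures(log_text):
    """Yield (timestamp, client_ip, user, status) for each failed NTLM logon."""
    stamp, client = None, "unknown"
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        seen = CLIENT.search(line)
        if seen:
            # Assumption: failures belong to the most recently allowed client.
            client = seen.group(1)
        failed = FAILED.search(line)
        if failed and stamp is not None:
            yield stamp, client, failed.group(1), failed.group(3)

def retry_bursts(log_text, threshold=3, window=timedelta(seconds=5)):
    """Return {(client, user, status): count} for counts >= threshold within window."""
    times = defaultdict(list)
    for stamp, client, user, status in parse_failures(log_text):
        times[(client, user, status)].append(stamp)
    bursts = {}
    for key, stamps in times.items():
        stamps.sort()
        # Largest number of failures inside any window that starts at a failure.
        best = max(sum(1 for t in stamps[i:] if t - s <= window) for i, s in enumerate(stamps))
        if best >= threshold:
            bursts[key] = best
    return bursts

# Entries copied from the log in the post; the failure entry appears five times there.
FAILURE = ("[2010/03/22 12:07:51,  2] auth/auth.c:check_ntlm_password(318)\n"
           "  check_ntlm_password:  Authentication for user [Administrator] -> "
           "[Administrator] FAILED with error NT_STATUS_NO_SUCH_USER\n")
SAMPLE = ("[2010/03/22 12:07:51,  2] lib/access.c:check_access(406)\n"
          "  Allowed connection from  (10.10.20.167)\n" + FAILURE * 5)

if __name__ == "__main__":
    for (client, user, status), count in retry_bursts(SAMPLE).items():
        print(f"{client}: {count} x {status} for {user}")
```

A burst of NT_STATUS_NO_SUCH_USER for one account name from one address within the same second, as here, is the pattern of a client automatically retrying credentials from another domain.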


