[Samba] SIDs do not get resolved in Domain Trust with Windows 2008r2
Harald Strack
harry at code.de
Mon Mar 22 13:49:44 MDT 2010
Hi,
I could work around the problem:
When I first connect to any share (e.g. the Netlogon share) on one
Domain Controller of the SAMBA Domain, I am able to search users in the
SAMBA Domain.
Now, the next problem is that after I set some permissions on a file
using SAMBA Domain users, log out and log in again, the SIDs do not get
resolved anymore. Instead of seeing some users like "SAMBA\jsmith" I see
only his SID in the permission dialog.
How can I force Windows to resolve the SIDs?
Any help is greatly appreciated
Best Regards
Harry
On Mon, 2010-03-22 at 14:25 +0100, Harald Strack wrote:
> Hi,
>
> our setup is
>
> Samba 3.3.12 as the Trusted Domain (Domain name: SAMBA)
> Windows 2008r2 as the Trusting Domain (Domain name: W2008)
>
> The trust itself works quite well, users of the SAMBA Domain are able to
> log into the workstations of the W2008 domain and even roaming profiles
> are working.
>
> However, when I try to configure permissions on a share of the W2008r2
> server to users from the SAMBA domain (e.g. SAMBA\jsmith), while I am
> logged in as a user from the W2008 domain (e.g. W2008\Administrator) I
> do not find any user from the SAMBA domain.
>
>
> Background:
>
> Whenever a user wants to access the SAMBA domain, even when he only
> wants to search users for granting permissions, he has to authenticate
> first. As far as I know, the user has to authenticate, not the machine.
>
> Now, when I am logged in as a user from another domain (e.g. W2008
> \Administrator) I cannot authenticate in the SAMBA domain with my actual
> credentials (desktop single sign-on). However, Windows 2008 R2 tries to
> authenticate at the SAMBA domain controller several times with the
> credentials (User: Administrator) of the W2008 domain.
>
> Samba Log of a SAMBA domain controller:
>
> [2010/03/22 12:07:51, 2] lib/access.c:check_access(406)
> Allowed connection from (10.10.20.167)
> [2010/03/22 12:07:51, 2] lib/smbldap.c:smbldap_open_connection(890)
> smbldap_open_connection: connection opened
> [2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
> check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
> check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
> check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
> check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
> check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
>
> However, earlier versions of Windows tried only once to connect with the
> wrong credentials, and then a prompt appeared where the user could enter
> their credentials in the other domain (SAMBA) to gain access to their
> resources.
>
> Does anyone know a registry setting or sth. similar that forces W2008R2
> to offer me a prompt for credentials if it gets a
> NT_STATUS_NO_SUCH_USER?
>
> Or any other solution? I greatly appreciate any comments!
>
> Best Regards
>
> Harry
>
> --
> Harald Strack, Dipl.Inf.(FH)
> IT Development
>
> ssystems
> c/o todo GmbH
> Alt-Moabit 60a
> 10555 Berlin
>
> http://www.ssystems.de
>
--
Harald Strack, Dipl.Inf.(FH)
IT Development
ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin
Tel: +49 30 805 78 - 101
http://www.ssystems.de
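
Added example, not part of the original post: a small parser for the smbd level-2 log layout quoted above that flags bursts of failed NTLM authentications for the same client, user and status, which is the pattern the W2008 server produces in the quoted log. The sample log is constructed (the 10.10.20.50/jsmith entry is invented for contrast), the function names, threshold and window are assumptions, and attributing a failure to the most recent "Allowed connection" line is a heuristic.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] \S+\(\d+\)\s*$")
ALLOWED = re.compile(r"Allowed connection from.*\(([^)]+)\)")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\S+)")

# Constructed sample in the two-line layout (header line, then message line) of the quoted log.
_FAIL = ("[2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)\n"
         "  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] "
         "FAILED with error NT_STATUS_NO_SUCH_USER\n")
SAMPLE_LOG = (
    "[2010/03/22 12:07:51, 2] lib/access.c:check_access(406)\n  Allowed connection from (10.10.20.167)\n"
    + _FAIL * 5
    + "[2010/03/22 12:09:02, 2] lib/access.c:check_access(406)\n  Allowed connection from (10.10.20.50)\n"
    + _FAIL.replace("Administrator", "jsmith").replace("NO_SUCH_USER", "WRONG_PASSWORD")
           .replace("12:07:51", "12:09:02"))

def parse_failures(text):
    """Yield (timestamp, client, mapped_user, status) for each failed authentication."""
    ts = client = None
    for line in text.splitlines():
        line = line.lstrip("> ").rstrip()  # tolerate indentation and mail-quoted excerpts
        if (m := HEADER.match(line)):
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif (m := ALLOWED.search(line)):
            client = m.group(1)  # heuristic: later failures belong to this client
        elif (m := FAILED.search(line)) and ts is not None:
            yield ts, client, m.group(2), m.group(3)

def repeated_failures(text, threshold=3, window_s=5):
    """Return {(client, user, status): n} where n >= threshold failures fall within window_s."""
    buckets = {}
    for ts, client, user, status in parse_failures(text):
        buckets.setdefault((client, user, status), []).append(ts)
    flagged = {}
    for key, stamps in buckets.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1  # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    print(repeated_failures(SAMPLE_LOG))
```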