[Samba] 3.5.5, ADS mode, user authentication syntax
nddugan at live.com
Tue Jul 19 15:57:41 MDT 2011
I'm in the process of migrating a samba server from Solaris 10 (running 3.0.37) to Solaris 11 Express (running 3.5.5).
The system is joined to a Win2k3 Active Directory. Migrating the configuration worked fine, the shares are available and everything mostly works as intended.
The problem we're having is with the syntax of authentication requests from Windows client machines. On the old server, users could provide credentials using either of two formats: "user at domain.com", or "DOMAIN\user". After migrating to the new system, only "DOMAIN\user" is accepted as valid. Using the other method results in the following:
check_ntlm_password: Authentication for user [user at domain.com] -> [user at domain.com] FAILED with error NT_STATUS_NO_SUCH_USER
I've experimented a bit with a username map script, but gather from the documentation that this won't have the desired effect in ADS mode as it is processed AFTER the initial authentication.
Of course, we have lots of documentation and a couple hundred users that are trained to use "user at domain.com" as their username.
My question is, has this behavior deliberately changed in more modern versions of Samba, or am I missing a piece of the configuration somewhere? Any pointers in the right direction would be most appreciated. smb.conf pasted below.
#======================= Global Settings =======================
## Browsing/Identification ###
workgroup = SUBDOM
security = ads
encrypt passwords = true
realm = SUBDOM.DOMAIN.COM
obey pam restrictions = yes
posix locking = no
unix extensions = no
nt acl support = no
####### Authentication #######
# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/ServerType.html in the samba-doc
# package for details.
# security = user
# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
# encrypt passwords = true
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
vfs objects = zfsacl
follow symlinks = yes
wide links = yes
map readonly = Permissions
map system = no
map archive = no
writable = yes
create mask = 0644
directory mask = 0755
valid users = %S
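To size how many users are hitting the failure quoted in the message above, the following added example (not part of the original post and not Samba code) scans smbd log text for the check_ntlm_password failure line and lists the distinct user@domain names rejected with NT_STATUS_NO_SUCH_USER. The sample log lines are constructed, and treating " at " as the list archive's rendering of "@" is an assumption.

```python
import re
from collections import Counter

# Failure line in the form quoted in the post (smbd log, check_ntlm_password).
FAIL_RE = re.compile(
    r"check_ntlm_password:\s+Authentication for user \[(?P<given>[^\]]*)\] -> "
    r"\[(?P<mapped>[^\]]*)\] FAILED with error (?P<status>NT_STATUS_\w+)"
)

def normalize(name):
    """Undo the archive's ' at ' rendering of '@' (assumption) and fold case."""
    return name.replace(" at ", "@").lower()

def name_format(name):
    """'upn' for user@domain.com style names, 'plain' for everything else."""
    return "upn" if "@" in normalize(name) else "plain"

def summarize(lines):
    """Return (Counter keyed by (format, status), sorted UPN names that got NO_SUCH_USER)."""
    counts, affected = Counter(), set()
    for line in lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # successes and unrelated log lines are ignored
        fmt = name_format(m["given"])
        counts[(fmt, m["status"])] += 1
        if fmt == "upn" and m["status"] == "NT_STATUS_NO_SUCH_USER":
            affected.add(normalize(m["given"]))
    return counts, sorted(affected)

# Constructed sample log lines (not taken from the poster's server).
SAMPLE = [
    "  check_ntlm_password:  Authentication for user [alice@domain.com] -> [alice@domain.com] FAILED with error NT_STATUS_NO_SUCH_USER",
    "  check_ntlm_password:  Authentication for user [Alice@domain.com] -> [Alice@domain.com] FAILED with error NT_STATUS_NO_SUCH_USER",
    "  check_ntlm_password:  Authentication for user [bob at domain.com] -> [bob at domain.com] FAILED with error NT_STATUS_NO_SUCH_USER",
    "  check_ntlm_password:  Authentication for user [carol] -> [carol] FAILED with error NT_STATUS_WRONG_PASSWORD",
    "  check_ntlm_password:  authentication for user [dave] -> [dave] -> [dave] succeeded",
]

if __name__ == "__main__":
    counts, affected = summarize(SAMPLE)
    for (fmt, status), n in sorted(counts.items()):
        print(f"{fmt:5} {status:28} {n}")
    print("UPN-style names rejected as unknown:", ", ".join(affected))
```
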