[Samba] wbinfo -a works against other domains, but can't use other dom creds for a share

Smith, David desmith at wustl.edu
Fri Apr 20 13:22:08 MDT 2012


I've successfully joined my Samba server to a Windows domain (let's call it DOMAIN1). When I run wbinfo -m, I see a number of other domains listed, including DOMAIN2. I can even test credentials in those other domains (wbinfo -a DOMAIN2\\username says that both plaintext and challenge/response authentication were successful).

However, I can't get Samba to accept credentials from other domains.

I can log in with any (valid) credentials from DOMAIN1. What I'd really like to do, though, is to allow people to login with credentials from DOMAIN2 (that domain is our equivalent of a single-sign-on key, used for a lot of things). When I try to connect (from a Windows desktop client), though, I'm always told "Invalid user name or password". With the default logging, the only thing that shows up is a note in log.smbd about "Connection reset by peer," which I assume is related to Windows trying and failing to connect.

Upping the log level to 2 doesn't tell me much more:
auth/auth.c:314(check_ntlm_password) check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_NO_SUCH_USER

This makes sense, as I actually entered DOMAIN2\username when trying to map the drive from my Windows desktop.

I don't have access to the domain controllers, which I know limits my ability to provide debugging information. Any suggestions on things to look for, though? Below is a (slightly sanitized - changed the domain names but nothing else) copy of my smb.conf. This is all on a RHEL 6.2 server, running their current/supported version of Samba (3.5.10). I can provide other configuration files (the only other one that seems relevant would be /etc/krb5.conf) if needed.

Thanks!


[global]
workgroup = domain1
realm = DOMAIN1.DOM.WUSTL.EDU
security = ads
netbios name = TESTBOX
encrypt passwords = yes
idmap uid=30000-40000
idmap gid=30000-40000
winbind refresh tickets = yes
## These lines just suppress printer spam in the logs
printing = bsd
load printers = no
disable spoolss = yes

[site2]
guest ok = no
browseable = yes
force user  = site2
force group = site2
# these are both 'local' users, and it's here for a reason
hide dot files = no
path = /home/site2
read only = no



--
David E. Smith, Systems Engineer
Washington University in Saint Louis
desmith at wustl.edu / 314-935-5746
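A step-by-step check for a trusted-domain logon against a Samba 3.x member server, added here as an example and not part of the original post. It walks the layers the post touches in order (trust visible to winbindd, winbindd authentication, user-to-SID and user-to-unix-id resolution, then the actual smbd logon) so the first failing step shows where the break is; `wbinfo -a` succeeding only proves the second layer, while smbd also needs the third, and `force user` on the share does not remove that requirement, since the connecting user must still authenticate and map to an account before the forced identity is applied. The script assumes `wbinfo`, `getent` and `smbclient` are installed, winbindd is running with the default `\` winbind separator, and the principal is given NT-style as `DOMAIN\user`; the function names, the `//TESTBOX/site2` share path and the exit codes are my own. `nt_status_of` is a small helper that pulls the `NT_STATUS_*` code out of a smbd log line such as the level-2 line quoted above, so you can grep a larger log for the same failure.

```shell
#!/bin/sh
# Added example (not the original poster's code): locate where a trusted-domain
# logon to a Samba 3.x member server breaks.
# Assumes wbinfo, getent and smbclient are installed and winbindd is running.
# Usage: sh check_trusted_logon.sh 'DOMAIN2\user' 'password' //TESTBOX/site2
set -u

# Split an NT-style principal "DOMAIN\user" into its parts.
# Assumes the default winbind separator '\'.
principal_domain() { printf '%s\n' "${1%%\\*}"; }
principal_user()   { printf '%s\n' "${1#*\\}"; }

# Extract the NT_STATUS_* code from one smbd log line; prints nothing if the
# line carries none. Useful for grepping log.smbd for the failure seen above.
nt_status_of() {
    printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z0-9_]*\).*/\1/p'
}

# Run the checks in order. The first failing step names the broken layer:
#  1. winbindd knows the trust                       (wbinfo -m, wbinfo -t)
#  2. winbindd can authenticate the credentials      (wbinfo -a)
#  3. the user resolves to a SID and a unix account  (wbinfo -n, wbinfo -i, getent)
#  4. smbd itself accepts the logon                  (smbclient)
# Return codes 1-4 are this script's own convention for the failing step.
check_trusted_logon() {
    principal=$1 password=$2 share=$3
    dom=$(principal_domain "$principal")

    echo "== 1. trust visible to winbindd"
    wbinfo -m | grep -qx "$dom" || { echo "FAIL: $dom not listed by wbinfo -m"; return 1; }
    wbinfo -t || { echo "FAIL: trust secret check (wbinfo -t) failed"; return 1; }

    echo "== 2. winbind authentication"
    wbinfo -a "$principal%$password" || { echo "FAIL: wbinfo -a rejected $principal"; return 2; }

    echo "== 3. name -> SID -> unix account (what smbd needs after authentication)"
    wbinfo -n "$principal" || { echo "FAIL: wbinfo -n found no SID for $principal"; return 3; }
    wbinfo -i "$principal" || { echo "FAIL: wbinfo -i has no passwd entry for $principal"; return 3; }
    getent passwd "$principal" >/dev/null \
        || { echo "FAIL: getent passwd cannot resolve $principal (NSS/idmap)"; return 3; }

    echo "== 4. smbd logon"
    smbclient "$share" -U "$principal%$password" -c 'ls' >/dev/null \
        || { echo "FAIL: smbclient logon to $share failed; check log.smbd for the NT_STATUS code"; return 4; }
    echo "OK: $principal can reach $share"
}

# Only run the live checks when invoked with the three arguments.
if [ $# -eq 3 ]; then
    check_trusted_logon "$@"
fi
```

If step 2 passes but step 3 fails, winbindd is accepting the credentials and the problem sits in name or id mapping between winbindd and smbd rather than in the password; if everything through step 3 passes and only step 4 fails, the NT_STATUS code that `nt_status_of` pulls from log.smbd is the next thing to look at.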


