bug? Samba ADS member server does _not_ accept userid/pw but only kerberos
Gerald (Jerry) Carter
jerry at samba.org
Fri Feb 6 14:29:26 GMT 2004
Volker.Lendecke at SerNet.DE wrote:
| On Thu, Feb 05, 2004 at 08:08:49PM +0100, Stefan Beck wrote:
|
|>I created two attachments with logs/dumps there.
|>Please let me know if you need more data.
|
|
| Just to make sure: Your DC is named IWS82328? It denies
| anonymous tconX to the IPC$ share, that's the symptom.
| No idea why it does it.
That's windows 2003 default policy. RestrictAnonymous == 2 IIRC.
| As a workaround, could you try to run winbindd (not necessarily
| nss_winbind) and give it a valid user/password with
| 'wbinfo --set-auth-user=user%pass' to use to connect to the DC?
| This user does not have to have any rights in the DC's file system,
| it just needs a correct password.
Try tridge's schannel patch just for kicks :-)
cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
-------------- next part --------------
Index: nsswitch/winbindd_cm.c
===================================================================
RCS file: /home/cvs/samba/source/nsswitch/winbindd_cm.c,v
retrieving revision 1.31.2.50
diff -u -u -r1.31.2.50 winbindd_cm.c
--- nsswitch/winbindd_cm.c 15 Jan 2004 06:55:10 -0000 1.31.2.50
+++ nsswitch/winbindd_cm.c 2 Feb 2004 06:16:44 -0000
@@ -111,6 +111,28 @@
}
}
+/*
+ setup for schannel on any pipes opened on this connection
+*/
+static NTSTATUS setup_schannel(struct cli_state *cli)
+{
+ NTSTATUS ret;
+ uchar trust_password[16];
+ uint32 sec_channel_type;
+
+ if (!secrets_fetch_trust_account_password(lp_workgroup(),
+ trust_password,
+ NULL, &sec_channel_type)) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ ret = cli_nt_setup_netsec(cli, sec_channel_type,
+ AUTH_PIPE_NETSEC | AUTH_PIPE_SIGN,
+ trust_password);
+
+ return ret;
+}
+
/* Open a connction to the remote server, cache failures for 30 seconds */
static NTSTATUS cm_open_connection(const struct winbindd_domain *domain, const int pipe_index,
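Review bot: setup_schannel() leaves the machine trust password in the stack buffer trust_password[16] after cli_nt_setup_netsec() returns; clear it before returning (e.g. `ZERO_STRUCT(trust_password);` or `memset(trust_password, 0, sizeof(trust_password));` on both the success and the early-return paths) so the secret does not linger on the winbindd stack. The early return `return NT_STATUS_UNSUCCESSFUL;` when secrets_fetch_trust_account_password() fails also logs nothing, so the caller's "schannel refused" message cannot distinguish "no trust account in secrets.tdb / not joined" from "DC rejected schannel"; a DEBUG line at that return naming lp_workgroup() would make the failure diagnosable. Minor: the pre-existing context comment still reads "connction".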
@@ -254,6 +276,18 @@
if (NT_STATUS_IS_OK(result))
break;
+ }
+
+ /* try and use schannel if possible, but continue anyway if it
+ failed. This allows existing setups to continue working,
+ while solving the win2003 '100 user' limit for systems that
+ are joined properly */
+ if (NT_STATUS_IS_OK(result)) {
+ NTSTATUS status = setup_schannel(new_conn->cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3,("schannel refused - continuing without schannel (%s)\n",
+ nt_errstr(status)));
+ }
}
SAFE_FREE(ipc_username);
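Review bot: the fallback in this hunk is silent in practice: when setup_schannel() fails the connection continues without signing or sealing, and the only trace is a DEBUG(3) message, which is below the default log level most installations run at. Since a negotiation failure here downgrades the pipe to an unprotected one, consider logging at DEBUG(1) (or DEBUG(0) the first time per domain) and, longer term, an smb.conf knob to require schannel so that administrators of properly joined members can refuse the downgrade rather than only notice it in verbose logs. The comment block "try and use schannel if possible, but continue anyway if it failed" should also state that the fallback is deliberately unauthenticated-pipe behaviour, so nobody later mistakes it for an error-handling omission.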