First off, I'll start out with the environment we're using:

  Solaris 7 (Kernel patch 106541-15) running on an E3500
  Samba 2.2.0 (we were using 2.0.6, but upgraded because we thought it would help)

We recently migrated to a Win2K environment.

I should also preface this by mentioning that we have fully read through the documentation, have searched the mailing list archives for two days straight, and read all of the text and html documentation pertaining to these problems (and run through all the tests in DIAGNOSTICS.txt at least three times). We are building this machine to try and replace an NT box, and these problems are preventing us from doing so. The box is not supposed to act as a PDC; we simply want it to share certain directories on this machine, and preferably authenticate users from the domain's PDC.

First problem: The option "security = domain" does not seem to work properly. Here is the smb.conf file we were using to try this out (omitted information replaced by text in []):

  [global]
  lock directory = /var/adm/sambalock
  server string = [hostname]
  password server = [our domain pdc and bdcs, we also tried using * here]
  encrypt passwords = yes
  security = domain
  preferred master = no
  wins support = no
  socket options = TCP_NODELAY
  workgroup = [our workgroup]
  log file = /usr/local/samba/var/log.%m
  max log size = 50
  domain master = no
  local master = no
  wins server = [xx.xx.xx.xx]
  wins proxy = no
  dns proxy = no
  hide dot files = no
  netbios name = [hostname]

  [iwdefault]
  comment = archive directory
  path = [path]
  read only = No
  create mask = 0775
  locking = No
  share modes = No

We then added the machine to the domain from one of the Win2K boxes, and ran smbpasswd -j [DOMAIN] -r [PDC]. From what our NT admin was trying to explain to us, it sounds like Win2k has decentralized its environment, so there is no single primary domain controller, and multiple machines have access to the SAM. Regardless, we were still pointing to the old PDC.

We then put some users into the smbpasswd file, with the same password they use for the NT domain. Clicking on the machine in Network Neighborhood on a Win2k box and an NT4 box displays the message "\\[machine] is not accessible. Access denied." Looking at the logs, it says that the PDC refused the authentication. All three passwords (NT domain, smbpasswd, and UNIX password for that account) are identical.

After trying to fix this unsuccessfully for a long time, we decided that we had a second option. To spare all the details, it would rely on using unix password sync to update the UNIX password after changing the smbpasswd entry. This also does not work. Here is the smb.conf file we are trying out with the second option:

  [global]
  lock directory = /var/adm/sambalock
  server string = [hostname]
  encrypt passwords = Yes
  preferred master = no
  wins support = no
  security = user
  socket options = TCP_NODELAY
  workgroup = [workgroup]
  log file = /usr/local/samba/var/log.%m
  log level = 5
  max log size = 50
  domain master = no
  local master = no
  wins server = [wins server]
  wins proxy = no
  wins support = no
  dns proxy = no
  hide dot files = no
  unix password sync = yes
  passwd chat = *word* %n\n *word* %n\n *changed*
  passwd chat debug = yes
  passwd program = /usr/bin/passwd %u

  [iwserver]
  comment = test directory
  public = no
  create mode = 0775
  writable = yes
  locking = no
  share modes = no
  preserve case = yes
  short preserve case = yes
  path = [path]
Hello Evan,

The first approach you tried to take I believe is the best. There are a couple of things you might want to check on:

1. In the smb.conf line:

     workgroup = [our workgroup]

   is 'our workgroup' listed there the same as the Win2k Domain that you are trying to authenticate against?

2. When you did your smbpasswd command to join the domain, did it succeed?

3. Are your win2k servers set up to respond to an NTLMv1 authentication request? (This is default behavior unless the Win2k domain admins have explicitly specified ONLY ntlm2 and kerberos authentication methods.)

4. You mention that the pdc refused the authentication in the log files; can you verify (or post the log file so that we can) whether the negotiation actually occurred and the pdc refused the authentication, or whether the pdc was 'unavailable', so the authentication to the pdc failed?

5. You probably wouldn't want to continue in this mode, but as a test, change your smb.conf file so that instead of security = domain, you use security = server, and point your password server = pdc. Then try to attach to your samba share with an nt/win2k user whose nt username is the same as the unix username on your samba server, and see if you succeed. Security = server uses an authentication method a bit more straightforward than security = domain, and if it works will answer the question as to whether your Win2k 'pdc' can handle the ntlmv1 method that samba is going to use.

6. You said that this failed both on an NT AND a Win2k client, right? And the NT and/or the Win2k client ARE members of the Win2k domain that you want samba to authenticate against, right?

Let us know,
Don

-----Original Message-----
From: Leon, Evan [mailto:evan.leon@nickonline.com]
Sent: Wednesday, April 25, 2001 2:56 PM
To: 'samba@lists.samba.org'
Cc: Zegdi, Malik
Subject: Many, many problems. (Samba 2.2.0)
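Don's checklist and the two smb.conf fragments in Evan's post both come down to a handful of [global] parameters that have to agree with each other: the workgroup must be the NT domain the DCs belong to, security = domain and security = server need a password server, security = domain needs encrypted passwords, and the second config sets wins support twice and leaves passwd chat debug on. The script below is an added example, not Samba code and not from either poster; it parses an smb.conf by hand and applies those checks. The two embedded configs are constructed, abridged reproductions of Evan's, with the bracketed placeholders replaced by made-up values (EXAMPLEDOM, PDC1/BDC1, 192.0.2.10, SAMBAHOST), and the findings text is this example's own wording.

```python
"""Lint the [global] section of an smb.conf against the checks in the thread.

Added example, not Samba code. Parsed by hand rather than with configparser
because smb.conf lets a key appear twice (Samba keeps the last value) and
uses %-macros (%m, %u, %n) that configparser would try to interpolate.
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Samba matches parameter names case-insensitively; normalise spacing too.
        sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return sections


def effective(params):
    """Collapse a parameter list the way Samba does: the last occurrence wins."""
    return {key: value for key, value in params}


def is_yes(value):
    return value is not None and value.strip().lower() in TRUE_VALUES


def lint_smb_conf(text, domain=None):
    """Return a list of findings; `domain` is the NT domain the DCs belong to."""
    params = parse_smb_conf(text).get("global", [])
    g = effective(params)
    findings = []

    seen, dupes = set(), []
    for key, _ in params:
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    findings += [f"duplicate parameter '{k}' in [global]; Samba keeps the last value" for k in dupes]

    security = g.get("security", "user").lower()  # 'user' is the Samba 2.x default
    workgroup = g.get("workgroup")
    if not workgroup:
        findings.append("workgroup is not set")
    elif domain and workgroup.upper() != domain.upper():
        findings.append(f"workgroup '{workgroup}' does not match domain '{domain}'")

    if security in ("domain", "server"):
        if not g.get("password server"):
            findings.append(f"security = {security} but no password server is set")
        if security == "domain" and not is_yes(g.get("encrypt passwords")):
            findings.append("security = domain requires encrypt passwords = yes")
        if security == "server":
            # No machine account or secure channel in this mode: smbd replays the
            # client's logon to whatever answers as the password server.
            findings.append("security = server cannot verify the password server's "
                            "identity; keep it as a diagnostic step only")
    elif security == "user" and is_yes(g.get("encrypt passwords")):
        findings.append("security = user with encrypt passwords = yes: "
                        "every user needs an smbpasswd entry")

    if is_yes(g.get("unix password sync")):
        for needed in ("passwd program", "passwd chat"):
            if not g.get(needed):
                findings.append(f"unix password sync = yes but '{needed}' is not set")
        if is_yes(g.get("passwd chat debug")):
            findings.append("passwd chat debug = yes logs the chat, new password "
                            "included, in clear text; turn it off once the chat works")
    return findings


# Constructed, abridged reproductions of the two posted configs; EXAMPLEDOM,
# PDC1/BDC1, 192.0.2.10 and SAMBAHOST are made-up stand-ins for the [] placeholders.
DOMAIN_CONF = r"""
[global]
  password server = PDC1 BDC1
  encrypt passwords = yes
  security = domain
  wins support = no
  workgroup = EXAMPLEDOM
  log file = /usr/local/samba/var/log.%m
  wins server = 192.0.2.10
  netbios name = SAMBAHOST
"""

USER_CONF = r"""
[global]
  encrypt passwords = Yes
  wins support = no
  security = user
  workgroup = EXAMPLEDOM
  wins server = 192.0.2.10
  wins support = no
  unix password sync = yes
  passwd chat = *word* %n\n *word* %n\n *changed*
  passwd chat debug = yes
  passwd program = /usr/bin/passwd %u
"""

if __name__ == "__main__":
    for name, conf in (("first config", DOMAIN_CONF), ("second config", USER_CONF)):
        print(f"== {name} ==")
        for finding in lint_smb_conf(conf, domain="EXAMPLEDOM") or ["no findings"]:
            print("  -", finding)
```

Run against the first config with the right domain name it reports nothing, which is the point of Don's items 1 and 2: if the static parameters are consistent, the failure is in the join or in what the DC will accept (NTLMv1 vs. a stricter policy), and the next step is the log, not the config. Against the second config it flags the doubled wins support line, the fact that security = user with encrypted passwords depends entirely on the smbpasswd entries, and the passwd chat debug setting, which writes the new password into the smbd log in the clear and should not outlive the debugging session.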
Thanks for the quick reply, btw..

1) Yes, the workgroup is the same everywhere.

2) The smbpasswd command succeeded the first time. Later, when we were furiously trying to debug the problems, we ran it again and again, and sometimes got NT_STATUS_INVALID_MACHINE_NAME or something like that, or NT_STATUS_INVALID_PASSWORD. I believe we only got those errors because we tried to rejoin the domain, but I'm not sure.

3) I'll ask the NT admins about the authentication configuration and get back about it..

4) The negotiation actually occurred.. I don't have the log entries handy, but it clearly said something like "authenticating to [PDC]" then "authentication failed for user [user]".

5) We tried security=server for a long time before and after trying security=domain. Neither one worked.

6) Both machines we tried this on are members of the Win2k domain.

Thanks for the help.. if anyone else has any ideas, we'd love to hear them.

Evan

-----Original Message-----
From: MCCALL,DON (HP-USA,ex1) [mailto:don_mccall@hp.com]
Sent: Wednesday, April 25, 2001 3:58 PM
To: Leon, Evan; 'samba@lists.samba.org'
Cc: Zegdi, Malik
Subject: RE: Many, many problems. (Samba 2.2.0)