samba - Jul 2002 - HPUX 11.00 & CIFS/9000 Server - Domain authentication problem

Hi,

I have been using Samba and CIFS/9000 happily with  security=user for
some time now, for simple read-only filesharing. Three days ago I
decided to get a bit more clever....

I now have a test server and I'm trying to get it to work against our
Win2K PDC (UKNT19), which is running Active Directory in native mode for
our Windows domain UKNT001. The UNIX server (uk209) is HPUX 11.00 and
the CIFS is v2.2a, based on the Samba 2.2.3a source. 

I got it working with security=user, then with security=server, but I
cannot get it working with security=domain. I have added the UNIX server
into the domain using the Active Directory User and Computers plug-in. I
have also added the machine into the domain using "smbpasswd -j UKNT001
-r UKNT19 -Uadministrator%domain_password". 

When I issue "net use Y: \\uk209\tmp" from a WinXP client, I get the
following:
> C:\Documents and Settings\uerrc\Desktop>net use Y: \\uk209\uerrc
> System error 1240 has occurred.
> 
> The account is not authorized to log in from this station.
When I try smbclient from uk209, I get the following:
> root@uk209:/etc/opt/samba> smbclient //uk209/tmp -Uuerrc%beckham7 |
sed 's/^/> /1'
> added interface ip=170.118.131.12 bcast=170.118.131.255
nmask=255.255.255.0     
> session setup failed: NT_STATUS_LOGON_FAILURE

and the /var/opt/samba/log.uk209 has the following lines:
> [2002/07/25 17:26:14, 2] libsmb/namequery.c:(420)
>   Got a positive name query response from 170.118.131.10 (
170.118.131.10 )                                         
> [2002/07/25 17:26:15, 0] rpc_client/cli_netlogon.c:(157)
>   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2002/07/25 17:26:15, 0] rpc_client/cli_login.c:(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2002/07/25 17:26:15, 0] smbd/password.c:(1335)
>   connect_to_domain_password_server: unable to setup the PDC
credentials to machine UKNT19. Error was : NT_STATUS_OK.
> [2002/07/25 17:26:15, 0] smbd/password.c:(1554)
>   domain_client_validate: Domain password server not available.
> [2002/07/25 17:26:15, 2] smbd/reply.c:(971)
>   NT Password did not match for user 'uerrc'!
> [2002/07/25 17:26:15, 2] smbd/reply.c:(981)
>   Defaulting to Lanman password for uerrc
> [2002/07/25 17:26:15, 1] smbd/reply.c:(1002)
>   Rejecting user 'uerrc': authentication failed
> [2002/07/25 17:26:15, 2] smbd/server.c:(458)
>   Closing connections                     
Can anyone help?

Thanks,

Rich.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smb.conf
Type: application/octet-stream
Size: 587 bytes
Desc: smb.conf
Url : http://lists.samba.org/archive/samba/attachments/20020725/4684a6d2/smb.obj

Log a Response Center call and ask for site-specific patch PHNE-27562.
This contains fixes to smbpasswd for 15-char NetBIOS name, and for
smbpasswd -j -r -U.  However, you also must have EVERYONE nested in
"pre-Windows 2000 compatibile access" (check the pre-windows box when
using the W2000 computer managment snap-in).  This should work even
in Native Mode.

Eric Roseme
Hewlett-Packard

"Cheney, Richard" wrote:
> 
> Hi,
> 
> I have been using Samba and CIFS/9000 happily with  security=user for
> some time now, for simple read-only filesharing. Three days ago I
> decided to get a bit more clever....
> 
> I now have a test server and I'm trying to get it to work against our
> Win2K PDC (UKNT19), which is running Active Directory in native mode for
> our Windows domain UKNT001. The UNIX server (uk209) is HPUX 11.00 and
> the CIFS is v2.2a, based on the Samba 2.2.3a source.
> 
> I got it working with security=user, then with security=server, but I
> cannot get it working with security=domain. I have added the UNIX server
> into the domain using the Active Directory User and Computers plug-in. I
> have also added the machine into the domain using "smbpasswd -j
UKNT001
> -r UKNT19 -Uadministrator%domain_password".
> 
> When I issue "net use Y: \\uk209\tmp" from a WinXP client, I get
the
> following:
> 
> > C:\Documents and Settings\uerrc\Desktop>net use Y: \\uk209\uerrc
> > System error 1240 has occurred.
> >
> > The account is not authorized to log in from this station.
> 
> When I try smbclient from uk209, I get the following:
> 
> > root@uk209:/etc/opt/samba> smbclient //uk209/tmp -Uuerrc%beckham7 |
> sed 's/^/> /1'
> > added interface ip=170.118.131.12 bcast=170.118.131.255
> nmask=255.255.255.0
> > session setup failed: NT_STATUS_LOGON_FAILURE
> 
> and the /var/opt/samba/log.uk209 has the following lines:
> 
> > [2002/07/25 17:26:14, 2] libsmb/namequery.c:(420)
> 
> >   Got a positive name query response from 170.118.131.10 (
> 170.118.131.10 )
> > [2002/07/25 17:26:15, 0] rpc_client/cli_netlogon.c:(157)
> 
> >   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> 
> > [2002/07/25 17:26:15, 0] rpc_client/cli_login.c:(74)
> 
> >   cli_nt_setup_creds: auth2 challenge failed
> 
> > [2002/07/25 17:26:15, 0] smbd/password.c:(1335)
> 
> >   connect_to_domain_password_server: unable to setup the PDC
> credentials to machine UKNT19. Error was : NT_STATUS_OK.
> > [2002/07/25 17:26:15, 0] smbd/password.c:(1554)
> 
> >   domain_client_validate: Domain password server not available.
> 
> > [2002/07/25 17:26:15, 2] smbd/reply.c:(971)
> 
> >   NT Password did not match for user 'uerrc'!
> 
> > [2002/07/25 17:26:15, 2] smbd/reply.c:(981)
> 
> >   Defaulting to Lanman password for uerrc
> 
> > [2002/07/25 17:26:15, 1] smbd/reply.c:(1002)
> 
> >   Rejecting user 'uerrc': authentication failed
> 
> > [2002/07/25 17:26:15, 2] smbd/server.c:(458)
> 
> >   Closing connections
> 
> Can anyone help?
> 
> Thanks,
> 
> Rich.
> 
>   ------------------------------------------------------------------------
>                   Name: smb.conf
>    smb.conf       Type: unspecified type (application/octet-stream)
>               Encoding: base64
>            Description: smb.conf