Ingimar Robertsson
2002-Nov-28 10:01 UTC
[Samba] Problem authenticating against a W2K server
Hi there.

I'm having a problem letting a Samba server (MYSAMBA) authenticate users (using "security = domain" and a "password server = MYPDC") against a Windows 2000 PDC (MYPDC). The Windows 2000 machine seems (I'm not 100% sure about this) to be configured to restrict anonymous and it seems to me that this is where the problem lies but I don't know what to do.

I joined the MYDOMAIN domain by first confirming that MYSAMBA was not already a member of the domain. Then I issued the following command:

smbpasswd -j MYDOMAIN -r MYPDC -U Administrator

And the Windows administrator typed in the password. The command responded that I had joined the domain and a secrets.tdb file got created in the /etc/samba directory. We confirmed on the Windows side that the machine was now a member of the domain.

So.. anyone have some pointers for me?

Below is some more information about my setup and the errors I get. Hope it's not too much or too irrelevant. :-)

This is what I get if I try to connect to a share on MYSAMBA from a Linux client (MYCLIENT):

[username@MYCLIENT]$ smbclient //MYSAMBA/tmp -U username -W MYDOMAIN
added interface ip=10.10.20.42 bcast=10.10.20.255 nmask=255.255.255.0
Password:     <- Here I typed in the password, not empty password
session setup failed: NT_STATUS_LOGON_FAILURE
[username@MYCLIENT]$

And I get this in the /var/log/samba/10.10.20.42.log file:

[2002/11/28 09:39:53, 0] smbd/password.c:connect_to_domain_password_server(1335)
  connect_to_domain_password_server: machine MYPDC rejected the tconX on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
[2002/11/28 09:39:53, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.
[2002/11/28 09:39:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
  unable to open passdb database.
[2002/11/28 09:39:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
  unable to open passdb database.

The Windows administrators can't see anything in the logs on MYPDC but I've confirmed using tcpdump that there is a dialogue between MYSAMBA and MYPDC.

Here are also some commands I use to test connections from MYSAMBA to MYPDC:

[root@MYSAMBA]# smbclient -L MYPDC
added interface ip=10.10.10.90 bcast=10.10.10.255 nmask=255.255.255.0
added interface ip=10.10.10.91 bcast=10.10.10.255 nmask=255.255.255.0
Password:     <-- Just type Enter (empty password)
Anonymous login successful
Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@MYSAMBA]# smbclient //MYPDC/ipc\$
added interface ip=10.10.10.90 bcast=10.10.10.255 nmask=255.255.255.0
added interface ip=10.10.10.91 bcast=10.10.10.255 nmask=255.255.255.0
Password:     <-- Just type Enter (empty password)
Anonymous login successful
Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
tree connect failed: NT_STATUS_ACCESS_DENIED

[root@MYSAMBA]# smbclient //MYPDC/ipc\$ -U username
added interface ip=10.10.10.90 bcast=10.10.10.255 nmask=255.255.255.0
added interface ip=10.10.10.91 bcast=10.10.10.255 nmask=255.255.255.0
Password:     <-- Type the password of the user "username"
Domain=[MYDOMAIN] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
                0 blocks of size 0. 0 blocks available
smb: \> quit
[root@mars samba]#

Here are my globals from smb.conf:

[global]
        workgroup = MYDOMAIN
        netbios name = MYSAMBA
        server string = Samba Print Server
        security = DOMAIN
        encrypt passwords = Yes
        password server = MYPDC
        syslog only = Yes
        log file = /var/log/samba/%I.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        name resolve order = lmhosts wins bcast host
        local master = no
        remote announce = 10.10.10.255 10.10.20.255
        hosts allow = 127. 10.10.10. 10.10.20.
        printing = lprng

Best regards,
Ingimar

--
Ingimar Robertsson, Systems Administrator EMAIL: iar@skyrr.is
Skyrr Ltd, Iceland Information Management TEL: +354-5695100
Armuli 2, 108 Reykjavik, ICELAND FAX: +354-5695128
http://www.skyrr.is/legal/disclaimer.txt

----- Original Message -----
From: "Ingimar Robertsson" <iar@skyrr.is>
To: <samba@lists.samba.org>
Sent: Thursday, November 28, 2002 10:00 AM
Subject: [Samba] Problem authenticating against a W2K server

> Hi there.
>
> I'm having a problem letting a Samba server (MYSAMBA) authenticate users
> (using "security = domain" and a "password server = MYPDC") against a
> Windows 2000 PDC (MYPDC). The Windows 2000 machine seems (I'm not 100%
<snip>

Add the machine to the domain on the Win2k PDC using AD.

Then
smbpasswd -j DOMAINNAME -r PDCIP -U Administrator%password

Then
wbinfo -A Administrator%password

Then it should work fine.

I'm kinda getting tired of this, can't we redo the docs for Winbind LOL

Shaolin - IT Systems WB Ltd.
.: http://www.security-forums.com :.
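
An added example, not part of either message and not Samba project code: a small parser for the smbd log excerpt quoted in the first post, which pulls out each rejected IPC$ tree connect and checks whether the next entry reports the password server as unavailable. The regular expressions and the header-line-plus-indented-message layout are assumptions taken from that excerpt only.

```python
import re
from collections import namedtuple

# Constructed sample: the four log entries quoted in the original post.
SAMPLE_LOG = """\
[2002/11/28 09:39:53, 0] smbd/password.c:connect_to_domain_password_server(1335)
  connect_to_domain_password_server: machine MYPDC rejected the tconX on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
[2002/11/28 09:39:53, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.
[2002/11/28 09:39:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
  unable to open passdb database.
[2002/11/28 09:39:53, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1369)
  unable to open passdb database.
"""

Entry = namedtuple("Entry", "time level source func line message")
# Header shape assumed from the excerpt: [date time, level] file:function(line)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
TCONX = re.compile(r"machine (\S+) rejected the tconX on the IPC\$ share\. "
                   r"Error was : (NT_STATUS_\w+)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = [m.group(1), int(m.group(2)), m.group(3),
                       m.group(4), int(m.group(5)), []]
            entries.append(current)
        elif current is not None and raw.strip():
            current[5].append(raw.strip())
    return [Entry(*e[:5], " ".join(e[5])) for e in entries]

def ipc_rejections(entries):
    """Return (time, server, status, confirmed) per rejected IPC$ tree connect."""
    hits = []
    for i, e in enumerate(entries):
        m = TCONX.search(e.message)
        if not m:
            continue
        nxt = entries[i + 1] if i + 1 < len(entries) else None
        # confirmed: the following entry says the password server is unavailable
        confirmed = bool(nxt and "Domain password server not available" in nxt.message)
        hits.append((e.time, m.group(1), m.group(2), confirmed))
    return hits

if __name__ == "__main__":
    for hit in ipc_rejections(parse_entries(SAMPLE_LOG)):
        print(hit)
```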