Hi!

I'm trying to figure out if it's possible to add a W2K3 Server into a Samba 3.0 Domain and then have the RAS-Service on the W2K3 server authenticate against the Samba Domain.

Bringing the 2K3 into the Domain was not much of a problem, working fine so far, I can log on using Domain users etc.

But I've been trying for a week now and I can't get the RAS Service working properly. It always complains that it can't authenticate the user on the Domain, but from the logs it's not even trying to.

Of course I asked Google and searched this list but the closest thing I found was about Win2000 RAS ... and it was a post about that not working either.

Question: Anyone ever gotten this to work? With a 2K or 2K3 Server?

--
Daniel Holtkamp
Riege Software International GmbH
System Administration
Mollsfeld 10
40670 Meerbusch, Germany
Phone: +49-2159-9148-41
mail: holtkamp@riege.com
Fax: +49-2159-9148-11
--------------------------------------------------------------------
On Tue, 2004-03-30 at 00:32, Daniel Holtkamp wrote:
> Hi!
>
> I'm trying to figure out if it's possible to add a W2K3 Server into a
> Samba 3.0 Domain and then have the RAS-Service on the W2K3 server
> authenticate against the Samba Domain.
>
> Bringing the 2K3 into the Domain was not much of a problem, working fine
> so far, I can log on using Domain users etc.
>
> But I've been trying for a week now and I can't get the RAS Service
> working properly. It always complains that it can't authenticate the
> user on the Domain, but from the logs it's not even trying to.
>
> Of course I asked Google and searched this list but the closest thing I
> found was about Win2000 RAS ... and it was a post about that not working
> either.

We didn't have the 'dialin' privilege stored. Samba HEAD is slowly gaining privileges now.

> Question: Anyone ever gotten this to work? With a 2K or 2K3 Server?

No, but I've got it working with 'Samba RAS' ;-)

http://hawkerc.net/staff/abartlet/comp3700

This applies just as well to modem dial-ins as to VPNs. I hope to clean it up a bit more, and get it into the PPPd distribution.

See also the updated patch in that directory.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
Hi!

> On Tue, 2004-03-30 at 00:32, Daniel Holtkamp wrote:
> > Hi!
> >
> > I'm trying to figure out if it's possible to add a W2K3 Server into a
> > Samba 3.0 Domain and then have the RAS-Service on the W2K3 server
> > authenticate against the Samba Domain.
> >
> > Bringing the 2K3 into the Domain was not much of a problem, working fine
> > so far, I can log on using Domain users etc.
> >
> > But I've been trying for a week now and I can't get the RAS Service
> > working properly. It always complains that it can't authenticate the
> > user on the Domain, but from the logs it's not even trying to.
> >
> > Of course I asked Google and searched this list but the closest thing I
> > found was about Win2000 RAS ... and it was a post about that not working
> > either.
>
> We didn't have the 'dialin' privilege stored. Samba HEAD is slowly
> gaining privileges now.
>
> > Question: Anyone ever gotten this to work? With a 2K or 2K3 Server?

Yes, it works for me at least with W2K. Two things are necessary:

1. the "SambaMungedDial" attribute in the ldapsam backend (I believe since 3.0.1 in the scheme), don't know if there are any other backends supporting it. This allows you to set the "RAS allowed" switch in user manager for domains.

2. this evil patch to bypass the samba function access check

--- srv_samr_nt.c.orig Tue Feb 10 10:44:51 2004 +++ srv_samr_nt.c Tue Mar 30 18:13:48 2004 
@@ -102,6 +102,7 @@ NTSTATUS access_check_samr_function(uint32 acc_granted, uint32 acc_required, const char *debug) { + return NT_STATUS_OK; DEBUG(5,("%s: access check ((granted: %#010x; required: %#010x)\n", debug, acc_granted, acc_required)); if ((acc_granted & acc_required) != acc_required) {

Without this patch you'll see the known message "cannot authenticate..." in Windows and this

[2004/03/30 18:10:10, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_lookup_domain: ACCESS DENIED (granted: 0x00000020; required: 0x00000010)

in the logs.

It's dirty and for my own use, but maybe no problem for developers to work out a clean solution?!?

Daniel

> No, but I've got it working with 'Samba RAS' ;-)
>
> http://hawkerc.net/staff/abartlet/comp3700
>
> This applies just as well to modem dial-ins as to VPNs. I hope to clean
> it up a bit more, and get it into the PPPd distribution.
>
> See also the updated patch in that directory.
>
> Andrew Bartlett
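
Review bot: the unconditional `return NT_STATUS_OK;` added as the first statement of access_check_samr_function in the srv_samr_nt.c hunk above makes the DEBUG(5, ...) line and the `(acc_granted & acc_required) != acc_required` comparison unreachable, so every caller of this function is granted access whatever mask its handle carries, not only the _samr_lookup_domain call the RAS service trips over. The quoted log shows a single failing case (granted 0x00000020, required 0x00000010), so the change should be narrowed to that case: correct the mask granted on the handle or the mask required for that one call, and leave the comparison in place for everything else. The early return also drops the level 5 debug output that records each check, so if a bypass is kept for local testing it should go after the DEBUG line and be logged, which keeps the granted and required masks visible in the logs.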