samba - Aug 2005 - Problem with security = ads

Hi list,

i am having trouble authenticating users against an
windows 2003 sp1 ads.

I am using samba 3.0.20-0.1

Here is my smb.conf:

         workgroup = SIV
         map to guest = Bad User
         security = ads
         password server = ads01.siv.de
         realm = siv.de
         client ntlmv2 auth = yes
         spnego = yes


My krb5.conf:

[libdefaults]
         default_realm = SIV.DE
         dns_lookup_realm = false
         dns_lookup_kdc = false
         clockskew = 300
         #
         # Set this to false to disable MIT krb5 compatibility
         # in GSSAPI get_mic/verify_mic, and become compatible
         # with older Heimdal releases instead.
         gss_mit_compat = true
[realms]
         SIV.DE = {
                 kdc = ads01.siv.de
                 #admin_server = ads01.siv.de
                 default_domain = siv.de
         }
[domain_realm]
         .siv.de = SIV.DE
         siv.de  = SIV.DE
[logging]
         default = SYSLOG:NOTICE:DAEMON
         kdc = FILE:/var/log/kdc.log
         kadmind = FILE:/var/log/kadmind.log
[appdefaults]
         pam = {
                 ticket_lifetime = 1d
                 renew_lifetime = 1d
                 forwardable = true
                 proxiable = false
                 retain_after_close = false
                 minimum_uid = 0
                 debug = false
         }


As you can see i do not use winbind. Is the wrong, i.e. is winbind
required to authenticate users against ads ?

The configuration itself works nearly right.
When i try to access the samba server via windows is see in
the log file:

Username SIV.DE/regner is invalid on this system


When i login as user 'regner' (without domain prefix) and
password the login works successful ! I?ve tested this
behavios with several account. All work successful without
domain prefix.


Can anybody help ??

-- 



Mit freundlichen Gr??en

Ronny Egner

SIV.AG
Konrad-Zuse-Stra?e 1
18184 Roggentin

Telefon: +49 (0)3 81 / 25 24 422
Telefax: +49 (0)3 81 / 25 24 399

mailto:ronny.egner@siv.de
http://www.siv.de

**********************************************************************
This email and any files transmitted with it are confidential
and intended solely for the use of the individual or entity
to whom they are addressed. The views expressed in this
e-mail are those of the individual author and not necessarily
those of SIV.AG.

This footnote also confirms that this email message has
been swept by serval anti-virus tools for the presence
of computer viruses.
**********************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ronny Egner wrote:

| The configuration itself works nearly right.
| When i try to access the samba server via windows is see in
| the log file:
|
| Username SIV.DE/regner is invalid on this system
|
|
| When i login as user 'regner' (without domain prefix) and
| password the login works successful ! I?ve tested this
| behavios with several account. All work successful without
| domain prefix.

smbd should fall back to looking for 'user' if 'domain\user'
does not exist.  All of the Windows users have corresponding
Unix accounts, correct?





cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDCcxYIR7qMdg1EfYRAsR4AKDfzJNJhtgM/m/8eSHwzJJqQWSBowCgtXw+
+q+yVveOqCj6ZymekNh+VBY=1d9Q
-----END PGP SIGNATURE-----