Tim Evans
2006-Apr-27 16:05 UTC
[Samba] Inconsistent Authentication Results on Different Servers
We have several RedHat Enterprise Linux version 4 servers (running the distributed Samba). Winbind/nsswitch is set up to point to W2K server running in Mixed Mode. (smb.conf from the one *working* server follows, below).

wbinfo/getent get proper results when run from the Linux command line (i.e., listing everyone in both local Linux /etc/passwd and everyone in the Domain), but we are having mixed results with actual user authentication among the systems, despite their having the same smb.conf files. Sometimes users can access their shares with no password prompt, sometimes they get prompted and successfully get to their shares, and sometimes passwords are not accepted at all.

Some questions occur to me:

1. What is the order of authentication when the user has an /etc/passwd account on the server (no NIS in use), is in the smbpasswd file, and is in the Windows domain?

2. Can/should the smbpasswd file and tdb databases be identical on all the servers? And, if so, must all domain accounts be listed in smbpasswd?

# smb.conf
workgroup = JJS-SDM
netbios name = geneva
server string = geneva
hosts allow = 192.168.1. 127.
log file = /var/log/samba/%m.log
max log size = 50
security = domain
client use spnego = yes
client schannel = no
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
winbind separator = +
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 192.168.1.4
dns proxy = no

--
Tim Evans, TKEvans.com, Inc.    |    5 Chestnut Court
tkevans@tkevans.com             |    Owings Mills, MD 21117
http://www.tkevans.com/         |    443-394-3864
http://www.come-here.com/News/  |

Gerald (Jerry) Carter
2006-May-01 11:33 UTC
[Samba] Inconsistent Authentication Results on Different Servers
Tim Evans wrote:
> 1. What is the order of authentication when the user
> has an /etc/passwd account on the server (no NIS in use), is
> in the smbpasswd file, and is in the Windows domain?

This is controlled by the undocumented 'auth methods' parameter. For domain members, and the domain of the name being authenticated. DOMAIN\user will only be authenticated by a domain controller for that domain.

> 2. Can/should the smbpasswd file and tdb databases be
> identical on all the servers? And, if so, must all
> domain accounts be listed in smbpasswd?

You don't need an smbpasswd file on domain member servers. In this case, the smbpasswd file would be the local SAM and the domain controllers provide the domain SAM. Just like you would see on a Windows member server.

cheers, jerry
=====================================================================
I live in a Reply-to-All world.
Samba    ------- http://www.samba.org
Centeris ------- http://www.centeris.com

Tim Evans
2006-May-02 00:15 UTC
[Samba] Inconsistent Authentication Results on Different Servers
>Tim Evans wrote:
>
>> 1. What is the order of authentication when the user
>> has an /etc/passwd account on the server (no NIS in use), is
>> in the smbpasswd file, and is in the Windows domain?
>
>This is controlled by the undocumented 'auth methods' parameter.
>For domain members, and the domain of the name being authenticated.
>DOMAIN\user will only be authenticated by a domain controller
>for that domain.
>
>> 2. Can/should the smbpasswd file and tdb databases be
>> identical on all the servers? And, if so, must all
>> domain accounts be listed in smbpasswd?
>
>You don't need an smbpasswd file on domain member servers.
>In this case, the smbpasswd file would be the local SAM
>and the domain controllers provide the domain SAM. Just like
>you would see on a Windows member server.

Thanks for your reply.

What role does the local Linux machine's /etc/passwd play here, then? In this particular situation, the UNIX and Windows logins are the same. Thus, for example, UNIX user 'joeuser' and domain user DOMAIN\joeuser are the same.

So, to reword question #1: With no smbpasswd file (as you suggest), and with the presence of an /etc/passwd entry for 'joeuser,' and a domain user of the same name, which authenticates first? And which password (assuming they may not be the same) works?
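
Added example, not part of the original thread: a small audit a member-server administrator could run to find the ambiguous accounts the last message asks about, i.e. local /etc/passwd names that also exist in the domain while "winbind use default domain = yes" hides the DOMAIN+ prefix, and local UIDs that fall inside the "idmap uid" range. The passwd lines, the domain user list (standing in for `wbinfo -u` output) and the function names are constructed for illustration.

```python
# Added example: constructed inputs, not data from the servers in this thread.
SMB_CONF = """\
security = domain
winbind separator = +
idmap uid = 15000-20000
winbind use default domain = yes
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
joeuser:x:501:501:Joe User:/home/joeuser:/bin/bash
backup:x:15010:15010:Backup:/home/backup:/bin/bash
"""
DOMAIN_USERS = ["JJS-SDM+joeuser", "asmith"]  # stand-in for `wbinfo -u` output


def parse_smb_conf(text):
    """Return {parameter: value}; names are matched case- and space-insensitively."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def audit(smb_conf, passwd, domain_users):
    """Report local accounts that are ambiguous with winbind-provided ones."""
    params = parse_smb_conf(smb_conf)
    sep = params.get("winbind separator", "\\")
    low, high = (int(n) for n in params["idmap uid"].split("-"))
    local = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            local[fields[0]] = int(fields[2])
    # Domain names with any DOMAIN<sep> prefix removed, as they appear
    # on the Unix side when the default domain is in use.
    short = {u.split(sep)[-1].lower() for u in domain_users}
    value = params.get("winbind use default domain", "no").lower()
    default_domain = value in ("yes", "true", "1")
    collisions = sorted(n for n in local if n.lower() in short) if default_domain else []
    in_range = sorted(n for n, uid in local.items() if low <= uid <= high)
    return {"name_collisions": collisions, "local_uid_in_idmap_range": in_range}


if __name__ == "__main__":
    print(audit(SMB_CONF, PASSWD, DOMAIN_USERS))
```

Running the same audit on each server and comparing the results shows whether a server that behaves differently also carries different local accounts.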