Greg Zartman
2008-Mar-28 01:42 UTC
[Samba] Samba 3.0.25b as a domain member to a Samba PDC
I've been using Samba for about 7 years or so, but have hit a hurdle I just can't seem to figure out.

I want to set up samba domain member servers to be members of a samba 3.0.25 (NT4 type) domain. No winbind, LDAP, or any other of the more complex authentication mechanisms. This is the same functionality going way back to Samba 2.2, or so. In fact, I successfully did this on samba 2.2, but simply can't get it to work on samba 3. I've been hammering away for two days and I'm running Centos 4.5 (RHEL 4.5) host OSs with Samba 3.0.35b-1 RH rpms. Both machines are fairly high end Core 2 Duo machines with plenty of memory and hard drive space.

I've tried to whittle the smb.conf files down to their bare essentials just until I get this working.

Samba Domain Client (smb.conf):

    [global]
        workgroup = testnet
        netbios name = client
        security = domain
        wins server = 90.0.0.25
        log level = 10
        encrypt passwords = yes

Samba PDC (smb.conf):

    [global]
        workgroup = testnet
        netbios name = nameserver
        passdb backend = smbpasswd:/etc/samba/smbpasswd
        security = user
        os level = 35
        preferred master = Yes
        domain master = Yes
        encrypt passwords = Yes
        domain logons = yes

[Note: IP of PDC is 90.0.0.25]

I am able to join the Samba Domain Client to the Samba domain, Testnet, and can see that the machine account was successfully created on the PDC. When I attempt to access a share on the Domain Client from the PDC using a domain user, here is what I get:

    [root@nameserver samba]# smbclient //client/public -U greg
    Password:
    session setup failed: NT_STATUS_LOGON_FAILURE

Running the log level up to 10, it appears that the domain client is being authenticated by the PDC as a domain member:

    [2008/03/27 17:35:35, 10] libsmb/credentials.c:creds_client_check(327)
      creds_client_check: credentials check OK.
    [2008/03/27 17:35:35, 5] rpc_client/cli_netlogon.c:rpccli_netlogon_setup_creds(346)
      rpccli_netlogon_setup_creds: server NAMESERVER credential chain established.
However, the Domain Client (Client) can't seem to authenticate the domain user (greg) from the PDC. I know this user account is a valid Samba account as I can run smbclient activities on the PDC itself using this account. Following is the portion of the log level 10 output where the Domain Client seems to be looking for the domain user on the PDC, but can't find it:

    [2008/03/27 17:35:35, 5] lib/username.c:Get_Pwnam_alloc(131)
      Finding user TESTNET\greg
    [2008/03/27 17:35:35, 5] lib/username.c:Get_Pwnam_internals(75)
      Trying _Get_Pwnam(), username as lowercase is testnet\greg
    [2008/03/27 17:35:35, 5] lib/username.c:Get_Pwnam_internals(83)
      Trying _Get_Pwnam(), username as given is TESTNET\greg
    [2008/03/27 17:35:35, 5] lib/username.c:Get_Pwnam_internals(93)
      Trying _Get_Pwnam(), username as uppercase is TESTNET\GREG
    [2008/03/27 17:35:35, 5] lib/username.c:Get_Pwnam_internals(102)
      Checking combinations of 0 uppercase letters in testnet\greg
    [2008/03/27 17:35:35, 5] lib/username.c:Get_Pwnam_internals(108)
      Get_Pwnam_internals didn't find user [TESTNET\greg]!

The only thing that works for me is to create the domain user account on the domain client that mirrors what is on the PDC, which is basically USER level authentication.

Any suggestions would be GREATLY appreciated.

Thank you.

Greg
"Greg Zartman" <greg@leiinc.com> wrote in message news:47EC4BDC.6010600@leiinc.com...
> I've been using Samba for about 7 years or so, but have hit a hurdle I
> just can't seem to figure out.
>
> I want to set up samba domain member servers to be members of a samba
> 3.0.25 (NT4 type) domain. No winbind, LDAP, or any other of the more
> complex authentication mechanism. This is the same functionality going
> way back to Samba 2.2, or so. In fact, I successfully did this on samba
> 2.2, but simply can't get it to work on samba 3. I've been hammering
> away for two days and

I would recommend having a look at Chapter 7 in "Samba by Example". The book is available at www.samba.org.

Here are a few points to keep in mind.

A user cannot access a Linux machine unless he is authenticated by the machine. A samba user account is mapped to a Linux user account. The security and authentication of the Samba account is related to the security and authentication of the related Linux user account.

Linux has several options for authenticating users. These include the /etc/file, Winbind and LDAP. With LDAP you basically configure Linux to use LDAP as an additional means of authentication. The LDAP database can be stored locally on the Linux box or on another Linux box.

For your Samba users to authenticate against the Linux member server, the member server must have a means of authenticating the Linux account to which they are associated. With LDAP, you can configure Linux to authenticate against the same LDAP database that the domain controller uses. That way, you have a single sign on.

LDAP and Winbind are the best options to achieve your goal. If you don't want to use them, you must create a user account for each user on the Linux member server. To automate the process and let it happen automatically, you can use an "add user script" in the member server's smb.conf file. Basically this script will add a user once he is authenticated by the domain controller.
The following article shows one option of automating the process. This is how I used to do it back in the Samba 2.x days. http://www.samag.com/documents/s=7666/sam0211e/0211e.htm
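As an added illustration of the "add user script" approach described in the reply above (example code written for this thread, not Samba's own script and not from either poster): the member server's smb.conf would carry a line such as `add user script = /usr/local/sbin/samba-adduser.sh '%u'` (the script path is an assumption), and Samba runs that script as root after the PDC has accepted the user's password but no matching Unix account exists on the member server. Because the `%u` value comes from the network, the script only creates an account when the name is a plain, lowercase Unix user name; it also gives the new account a non-login shell (`/sbin/nologin`, assumed to exist as on CentOS 4), since these users only need a uid/gid and home directory for file ownership, not an interactive login.

```shell
#!/bin/sh
# Hypothetical add-user script for a Samba 3 domain member server.
# Assumed smb.conf setting on the member server:
#
#     add user script = /usr/local/sbin/samba-adduser.sh '%u'
#
# Samba invokes it as root with the user name the PDC just authenticated.

# Strip an optional DOMAIN\ prefix (the log in this thread shows Samba
# looking up TESTNET\greg) and fold to lowercase, matching the lowercase
# retry Samba itself performs in Get_Pwnam_internals.
normalize_username() {
    printf '%s' "${1##*\\}" | tr 'A-Z' 'a-z'
}

# Accept only the conservative portable user-name character set, 1-32
# characters, never starting with '-' so it cannot be parsed as an option.
validate_username() {
    case $1 in
        '' | -* | *[!a-z0-9._-]*) return 1 ;;
    esac
    [ ${#1} -le 32 ]
}

# True if a Unix account of that name already exists (NSS first, then
# a plain /etc/passwd scan as a fallback).
user_exists() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null
}

# Create the account with a home directory and no interactive login shell.
create_unix_account() {
    /usr/sbin/useradd -m -s /sbin/nologin -c 'Samba domain user (auto-created)' "$1"
}

main() {
    user=$(normalize_username "$1")
    if ! validate_username "$user"; then
        logger -t samba-adduser "rejected user name from Samba: $1"
        exit 1
    fi
    if user_exists "$user"; then
        exit 0
    fi
    create_unix_account "$user" && logger -t samba-adduser "created Unix account $user"
}

# Only act when Samba passes a name; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The account is only created after the PDC has already said yes, so the script never makes an authentication decision itself; its job is to keep the member server's Unix account table in step with the domain, which is exactly the gap the `Get_Pwnam_internals didn't find user` log lines in the first message point at. Each name the script creates shows up in syslog, which gives an easy audit trail of which domain users have touched the member server.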