Hi all,

Set-up:
Local NT4-RESOURCE domain which the Samba server is a member of. One NT4-ADMIN domain with user accounts and one W2K domain with some other user accounts. A one way trust from NT4-ADMIN to NT4-RESOURCE and a one way trust from W2K to NT4-RESOURCE. Samba version 2.0.7 running on Solaris 2.6.

According to the NT admins, the W2K domain is in native mode, but they still use Netbios.

The problem is that passthrough authentication only works for users in the NT4-ADMIN domain and not for users in the W2K domain connecting with W2K workstations.

The relevant section from smb.conf:

    workgroup = NT4-RESOURCE
    security = domain
    password server = NT4-RESOURCE-PDC
    encrypt passwords = yes

The error message I get in the client log file:

    domain_client_validate: unable to validate password for user jensero in domain W2K to Domain controller NT4-RESOURCE-PDC . Error was code 0.

More debug info is at the end of this mail.

I've tried to use a W2K domain controller as the password server, but then I get the following error:

    connect_to_domain_password_server: unable to setup the PDC credentials to machine W2KDC1. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Any help is appreciated.

Thanks

Rolf Jensen

PS: All Domains are fictitious.

    [2001/03/05 14:22:43, 0] smbd/password.c:domain_client_validate(1470)
      domain_client_validate: unable to validate password for user jensero in domain W2K to Domain controller NT4-RESOURCE-PDC. Error was code 0.
    [2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
      Couldn't find user 'jensero' in smb_passwd file.
    [2001/03/05 14:22:43, 2] smbd/reply.c:reply_sesssetup_and_X(914)
      NT Password did not match for user 'jensero' ! Defaulting to Lanman
    [2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
      Couldn't find user 'jensero' in smb_passwd file.
    [2001/03/05 14:22:43, 1] smbd/reply.c:reply_sesssetup_and_X(925)
      Rejecting user 'jensero': authentication failed
    [2001/03/05 14:22:43, 3] smbd/error.c:error_packet(127)
      32 bit error packet at line 639 cmd=115 (SMBsesssetupX) eclass=c000006d [Error: Unknown error (109,49152)]
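A triage sketch for the log in the message above, added here as an example (it is not part of the original thread and not Samba code): it pairs each smbd header line with its message, then reports which user and domain failed against which domain controller, how many local smb_passwd lookups followed, and the status carried in the error packet. The function names, the sample-string layout and the two-entry status table are assumptions of this example.

```python
import re

# Constructed sample: the smbd log entries quoted in the post (header line + message line).
SAMPLE_LOG = """\
[2001/03/05 14:22:43, 0] smbd/password.c:domain_client_validate(1470)
  domain_client_validate: unable to validate password for user jensero in domain W2K to Domain controller NT4-RESOURCE-PDC. Error was code 0.
[2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'jensero' in smb_passwd file.
[2001/03/05 14:22:43, 2] smbd/reply.c:reply_sesssetup_and_X(914)
  NT Password did not match for user 'jensero' ! Defaulting to Lanman
[2001/03/05 14:22:43, 1] smbd/password.c:pass_check_smb(500)
  Couldn't find user 'jensero' in smb_passwd file.
[2001/03/05 14:22:43, 1] smbd/reply.c:reply_sesssetup_and_X(925)
  Rejecting user 'jensero': authentication failed
[2001/03/05 14:22:43, 3] smbd/error.c:error_packet(127)
  32 bit error packet at line 639 cmd=115 (SMBsesssetupX) eclass=c000006d [Error: Unknown error (109,49152)]
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)$")
NT_STATUS = {0xC000006D: "NT_STATUS_LOGON_FAILURE", 0xC000018B: "NT_STATUS_NO_TRUST_SAM_ACCOUNT"}

def parse_entries(text):
    """Pair each '[timestamp, level] file:function(line)' header with its message text."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({"level": int(m.group(2)), "func": m.group(4), "msg": ""})
        elif raw.strip() and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def summarize(entries):
    """Who failed, against which DC, and whether the '(a,b)' pair recombines to eclass."""
    s = {"user": None, "domain": None, "dc": None, "local_fallback": 0,
         "rejected": False, "status": None, "pair_matches": None}
    for msg in (e["msg"] for e in entries):
        m = re.search(r"for user (\S+) in domain (\S+) to Domain controller ([\w-]+)", msg)
        if m:
            s["user"], s["domain"], s["dc"] = m.groups()
        s["local_fallback"] += int("in smb_passwd file" in msg)  # local smb_passwd lookups
        s["rejected"] = s["rejected"] or msg.startswith("Rejecting user")
        m = re.search(r"eclass=([0-9a-fA-F]{8}).*\((\d+),(\d+)\)", msg)
        if m:
            code = int(m.group(1), 16)
            s["status"] = NT_STATUS.get(code, hex(code))
            s["pair_matches"] = ((int(m.group(3)) << 16) | int(m.group(2))) == code
    return s

print(summarize(parse_entries(SAMPLE_LOG)))
```

For this log, eclass=c000006d decodes to NT_STATUS_LOGON_FAILURE, and the pair in "Unknown error (109,49152)" recombines to the same 32-bit value (49152 is 0xC000, 109 is 0x6D).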
m_marmaridis@email.com
2001-Mar-05 22:24 UTC
Samba, NT4 and W2K trust/authentication problem.
Hi Jensen,

when switching a domain from mixed to native mode like you have, all the Win2K clients will automatically start to use Kerberos authentication to the DC(s) rather than NTLM, which will also remain in use so that any NT clients can also log on to the native Win2K domain.

This is what I think causes the problem in your situation. The Win2K clients have switched over to using Kerberos authentication. There should be a way to revert the Win2K clients back to using NTLM instead and get your passthrough authentication working again; I have not tried that personally though.

HTH,

Regards,
Makis.
Hi Makis,

Thanks for your answer, but I'm not sure if this is true. According to the NT admins, a native W2K client uses NTLM if you try to log in to an NT4 domain and there is a trust between the W2K domain and the NT4 domain. I've skimmed some TechNet articles and as far as I can tell, this is correct.

So in a pure Windows world it works. If I use a W2K client in a native domain and map a drive to an NT4 server in another domain, I'm not prompted for a password. But if I try to map a drive from the same W2K client to a Samba server in the same NT4 domain, it doesn't work.

Rolf