Greetings,
Brief preamble: this list is a fantastic resource. I've been lurking and
have learned a lot, but I haven't seen anyone ask the following:
First, my environment: a single Debian Linux (kernel 2.2.18) Samba server
(version 2.2.2debian-2) in the midst of an NT 4 domain. I have successfully
configured Winbindd such that my NT domain user names and groups are able to
be used for all things Samba, and for console logon, as well.
One problem is that when I try to use 'wbinfo -a' to test the domain
password validation, I see the following:
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user DOMAIN+User%password with challenge/response
Does anyone know why this may be? Or perhaps this is normal, and my lack of
experience prevents me from seeing it as such? I have a wildly speculative
hypothesis that this may be related to some difficulties we have been having
using DOS LanMan clients with the same Samba server (I don't have enough
details about those problems to ask about them... Yet).
Another (smaller[?]) issue that I'm having with Winbind is the naming of
groups. I have an NT Domain group called "Domain Admins" (surprise!), and
yet, when I 'wbinfo -r DOMAIN+User' (to get the GIDs of a user's domain
groups) and then input, for example, 'wbinfo -s `wbinfo -G 10000`' (to
convert GIDs to SIDs and then SIDs to human-readable group names) the
resulting groups are labeled as: "DOMAIN+Domain Admins 2" and "DOMAIN+Domain
Users 2"; and yet, when I use 'smbstatus' it shows group memberships for
clients connected to shares without the trailing number. Is this an
indication that Winbindd has twice mapped my domain groups to Linux GIDs?
Am I overlooking something obvious (just not obvious to me)?
OK, the second issue is more interesting (to me). I'm trying to set up a
printer for use with my NT4 & 2k clients. I have CUPS set up as the
spooling subsystem, and I have confirmed that it works properly. If I set
'disable spoolss = yes' then I can print successfully from 2k (haven't
tested NT). I can even print when I set 'disable spoolss = no'. However,
problems arise when trying to use the NT/2k Add Printer Wizard: it never
appears in the Printers share on my server. When I tail the log.smbd I see:
[TIMESTAMP] smbd/service.c:make_connection(239)
[client hostname] ([client IP address]) couldn't find service
::{[mysterious SID]}
(substitutions are surrounded by [])
Finally, I tried resolving the SID in the log to a domain group or user, to
no avail. My current thinking is that my domain group is not resolving
properly to a Linux GID. In my smb.conf, I have 'printer admin =
root,@"DOMAIN+Domain Admins"'. SWAT does not like those double quotes one
bit, and I haven't confirmed that it's working at all (see above, as well).
This is the point at which I have exhausted my Samba knowledge and cast
myself on the mercy of this list. Anybody have any suggestions, hints, tips
or recommendations on one or more of the above issues?
Thank you all,
Manuel Gomez
Manuel Gomez wrote:
>
> Greetings,
>
> Brief preamble: this list is a fantastic resource. I've been lurking and
> have learned a lot, but I haven't seen anyone ask the following:
>
> First, my environment: a single Debian Linux (kernel 2.2.18) Samba server
> (version 2.2.2debian-2) in the midst of an NT 4 domain. I have successfully
> configured Winbindd such that my NT domain user names and groups are able to
> be used for all things Samba, and for console logon, as well.
>
> One problem is that when I try to use 'wbinfo -a' to test the domain
> password validation, I see the following:
>
> plaintext password authentication succeeded
> challenge/response password authentication failed
> Could not authenticate user DOMAIN+User%password with challenge/response
>
> Does anyone know why this may be? Or perhaps this is normal, and my lack of
> experience prevents me from seeing it as such?

This is normal. The challenge-response mode presents a security risk and
has been disabled until it is 'secured' as a root-only resource.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Gerald (Jerry) Carter
2002-Apr-15 06:11 UTC
[Samba] Two questions: 'wbinfo -a' & NT/2k APW
On Fri, 12 Apr 2002, Manuel Gomez wrote:

> OK, the second issue is more interesting (to me). I'm trying to set up
> a printer for use with my NT4 & 2k clients. I have CUPS set up as the
> spooling subsystem, and I have confirmed that it works properly. If I
> set 'disable spoolss = yes' then I can print successfully from 2k
> (haven't tested NT). I can even print when I set 'disable spoolss =
> no'. However, problems arise when trying to use the NT/2k Add Printer
> Wizard: it never appears in the Printers share on my server. When I

If the APW does not show up, it is because smbd rejected an OpenPrinterEx()
call with SERVER_ALL_ACCESS rights. Set the "printer admin" parameters in
the [global] section of smb.conf.

> tail the log.smbd I see:
>
> [TIMESTAMP] smbd/service.c:make_connection(239)
> [client hostname] ([client IP address]) couldn't find service
> ::{[mysterious SID]}
> (substitutions are surrounded by [])

It's not a SID. It's a GUID IIRC.

> Finally, I tried resolving the SID in the log to a domain group or user,
> to no avail. My current thinking is that my domain group is not
> resolving properly to a Linux GID. In my smb.conf, I have 'printer
> admin = root,@"DOMAIN+Domain Admins"'. SWAT does not like those double
> quotes one bit, and I haven't confirmed that it's working at all (see
> above, as well).

I haven't tested SWAT but this should work if you edit smb.conf by hand.

cheers, jerry
 ---------------------------------------------------------------------
 Hewlett-Packard            http://www.hp.com
 SAMBA Team                 http://www.samba.org
 --                         http://www.plainjoe.org
 "Sam's Teach Yourself Samba in 24 Hours" 2ed. ISBN 0-672-32269-2
 --"I never saved anything for the swim back." Ethan Hawk in Gattaca--
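
The SID-versus-GUID point in the reply above can be checked mechanically when triaging log.smbd. The following is an added example, not part of the original thread and not Samba code: it pulls the "couldn't find service" messages out of a log and labels each requested name as a GUID, a SID or an ordinary share name. The function names, host names, address, GUID and SID are all made up for illustration.

```python
import re

# SID text form: S-<revision>-<identifier authority>-<subauthority>...
SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# GUID text form: 8-4-4-4-12 hex digits, usually wrapped in braces
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
# Message line written when a client asks for a service smbd does not have
MISS_RE = re.compile(r"^\s*(\S+) \(([\d.]+)\) couldn't find service (.+?)\s*$")


def classify(name):
    """Return 'guid', 'sid' or 'share' for a requested service name."""
    token = name.lstrip(":")  # the logged name in the thread starts with "::"
    if GUID_RE.match(token):
        return "guid"
    if SID_RE.match(token):
        return "sid"
    return "share"


def missing_services(log_text):
    """Return (client, ip, service, kind) for each 'couldn't find service' line."""
    results = []
    for line in log_text.splitlines():
        m = MISS_RE.match(line)
        if m:
            host, ip, service = m.groups()
            results.append((host, ip, service, classify(service)))
    return results


# Constructed sample in the two-line layout quoted in the thread; every
# value below (timestamps, hosts, address, GUID, SID) is invented.
SAMPLE_LOG = """\
[2002/04/12 10:15:01, 0] smbd/service.c:make_connection(239)
  ws01 (192.0.2.10) couldn't find service ::{01234567-89AB-CDEF-0123-456789ABCDEF}
[2002/04/12 10:15:09, 0] smbd/service.c:make_connection(239)
  ws01 (192.0.2.10) couldn't find service S-1-5-21-1111111111-2222222222-3333333333-512
[2002/04/12 10:16:30, 0] smbd/service.c:make_connection(239)
  ws02 (192.0.2.11) couldn't find service printerz
"""

if __name__ == "__main__":
    for host, ip, service, kind in missing_services(SAMPLE_LOG):
        print(f"{host} {ip} {kind:5} {service}")
```

A name labelled "guid" will never resolve through 'wbinfo -s', since that command only translates SIDs.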