Dear all,

I have a serious problem that I can't rectify. My smb.conf is as follows. I use Solaris 2.6 on SPARC

# Global parameters
[global]
    workgroup = SOME_DOMAIN
    netbios name = 220R
    server string = Samba For Backup On Solaris
    security = SERVER
    encrypt passwords = Yes
    update encrypted = Yes
    obey pam restrictions = Yes
    password server = * 10.2.240.251
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    os level = 50
    preferred master = False
    local master = No
    domain master = False
    dns proxy = No
    wins server = 10.2.240.251
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    template homedir = /samba/shares/%D/%U
    template shell = /bin/sh
    guest account = ftp

The samba server is shown in the network neighborhood. When security is set to domain users are prompted for the password that does not happen if security is set to server.

Log.winbind

[2002/05/09 12:54:13, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/05/09 12:54:13, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/05/09 12:54:13, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine SOMEMASTER. Error was : NT_STATUS_OK.
[2002/05/09 12:54:13, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2002/05/09 13:14:39, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/05/09 13:14:39, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/05/09 13:14:39, 0] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(692)
  error connecting to domain password server: NT_STATUS_ACCESS_DENIED
[2002/05/09 13:21:43, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/05/09 13:21:43, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/05/09 13:21:43, 0] nsswitch/winbindd_cm.c:cm_get_netlogon_cli(692)
  error connecting to domain password server: NT_STATUS_ACCESS_DENIED

log.smbd

2002/05/10 12:30:39, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/05/10 12:30:39, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine SOMEMASTER. Error was : NT_STATUS_OK.
[2002/05/10 12:30:39, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/05/10 12:30:39, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2002/05/10 12:30:39, 0] smbd/password.c:connect_to_domain_password_server(1336)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine SOMEMASTER. Error was : NT_STATUS_OK.
[2002/05/10 12:30:39, 0] smbd/password.c:domain_client_validate(1554)
  domain_client_validate: Domain password server not available.
[2002/05/10 12:32:29, 0] smbd/server.c:main(698)
  smbd version 2.2.3a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002
[2002/05/10 12:32:29, 0] lib/pidfile.c:pidfile_create(86)
  ERROR: smbd is already running. File /usr/local/samba/var/locks/smbd.pid exists and process id 1204 is running.
[2002/05/10 12:32:40, 0] smbd/server.c:main(698)
  smbd version 2.2.3a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002

Also when I do a wbinfo -t it says

Secret is bad
0xc0000022

wbinfo -a output is

wbinfo -a SOME_DOMAIN\\guest%password
plaintext password authentication failed
Could not authenticate user SOME_DOMAIN\guest%password with plaintext password
challenge/response password authentication failed
Could not authenticate user SOME_DOMAIN\guest%password with challenge/response

and winbind in debug mode presents

[ 1370]: check machine account
resolve_lmhosts: Attempting lmhosts lookup for name SOMEMASTER<0x20>
resolve_hosts: Attempting host lookup for name SOMEMASTER<0x20>
resolve_wins: Attempting wins lookup for name SOMEMASTER<0x20>
resolve_wins: WINS server == <10.2.240.251>
bind succeeded on port 0
Got a positive name query response from 10.2.240.251 ( 10.2.240.251 )
IPC$ connections done anonymously
Connecting to 10.2.240.251 at port 445
error connecting to 10.2.240.251:445 (Connection refused)
Connecting to 10.2.240.251 at port 139
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
cli_nt_setup_creds: auth2 challenge failed
error connecting to domain password server: NT_STATUS_ACCESS_DENIED
could not open handle to NETLOGON pipe

To overcome this I did

Removed the machine from the server manager(PDC is win Nt4)
Stopped all samba daemons
Removed all files in the private dir
Created a computer account using useradd -s /bin/false -d /dev/null "220R$"
Used smbpasswd -a -m 220R$
Created the above smb.conf and started the services.

Still prompts for the username and password if I have security as domain.
Also wbinfo -t reports a bad secret
getent passwd reports all user details including NT users.
Users can connect to their shares using the security=server option in the server.

I'm running samba 2.2.3a on Solaris with winbind

Thanks in advance

Andrew Bartlett
2002-May-11 17:22 UTC
[Samba] Re: Need to join domain for security=domain (was: somebody please help)
Thamara Wanigatunga wrote:
>
> Dear all,
>
> I have a serious problem that I can't rectify. My smb.conf is as follows. I
> use Solaris 2.6 on SPARC
>
> The samba server is shown in the network neighborhood. When security is set
> to domain users are prompted for the password that does not happen if
> security is set to server.
>
> Log.winbind
>
> [2002/05/09 12:54:13, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
> cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2002/05/09 12:54:13, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
> cli_nt_setup_creds: auth2 challenge failed

You need to join the machine to the domain. Creating 'computer accounts' on the local machine is of no use, unless you are the PDC.

Run 'smbpasswd -j -r PDC -Uadministrator%password' to join the NT domain. This will allow samba to connect to the PDC, and ask it to verify an arbitrary challenge/response pair.

Security=server does not require this, but instead allows PDC spoofing and is much less reliable - particularly under load. (It is a really gross hack that effectively mounts a man-in-the-middle attack on the PDC to do its job).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
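
An added example, not part of the thread and not Samba's own code: a small audit that flags the two conditions discussed above, `security = server` in `[global]` and NETLOGON auth2 denials in the logs. The function names and finding texts are hypothetical, and the sample config and log lines are constructed from those quoted in the post.

```python
import re
# Constructed sample: settings and log lines taken from the post above.
SMB_CONF = "[global]\n  security = SERVER\n  password server = * 10.2.240.251\n"
LOG = """\
[2002/05/09 12:54:13, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2002/05/09 12:54:13, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]")

def global_params(conf_text):
    """Return [global] parameters; smb.conf names ignore case and whitespace."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)     # only the first '=' is significant
            params["".join(name.split()).lower()] = value.strip()
    return params

def auth2_denials(log_text):
    """Timestamps of log entries where the PDC refused the machine credentials."""
    hits, stamp = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp = m.group(1)                   # header line of a log entry
        elif "cli_net_auth2: Error NT_STATUS_ACCESS_DENIED" in line and stamp:
            hits.append(stamp)
    return hits

def audit(conf_text, log_text):
    """Hypothetical findings list for the two symptoms in this thread."""
    findings = []
    mode = global_params(conf_text).get("security", "").lower()
    if mode == "server":
        findings.append("security = server: join the domain and use security = domain")
    denials = auth2_denials(log_text)
    if denials:
        findings.append(f"{len(denials)} auth2 denial(s), first at {denials[0]}: "
                        "machine is not joined or its trust secret is bad")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, LOG)))
```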