samba - Dec 2002 - FW: Samba and Windows 2000 Password Authentication - Here is the Answer.

To Samba Users Group:

I posted the message below, and a member of the group called me and talked
me through the problem.  The solution is at the bottom of the page.   
>  -----Original Message-----
> From: 	David Neilson  
> Sent:	Monday, December 09, 2002 3:40 PM
> To:	'samba@lists.samba.org'
> Subject:	Samba and Windows 2000 Password Authentication
> 
> Is there a way to configure Samba so that all password authentication is
> done through the Windows domain controllers?  
> 
> As I understand it, the variable "encrypt passwords" must be set
to yes if
> "security" is set to "domain".  This causes Samba to
reference the
> smbpasswd file, so if the W2K user's password on the domain controller
is
> not the same as that in the smbpasswd file, Samba will prompt the user for
> the password in smbpasswd.  
> 
> I have tried various options, like setting "security" equal to
the server,
> and "password server" equal to domain controller, but it all
works the
> same:  the user has to enter the smbpasswd password to get authenticated.
> 
> 
> If this is not possible, is there a way to sync up the passwords between
> the domain controllers and the smbpasswd file?  
> 
> David Neilson
> Western Family Foods, Inc.
> System Administrator
> 503 639 6300 x370
> 
The Answer:

When the Windows Administrator had created the machine account in the
domain, I assumed I did not have to use the "smbpasswd" command to
create
the trust relationship between the Samba Server and the domain.  I was
wrong, and once I followed the steps below, I could log onto the domain and
then access Samba shares without getting asked for a password:

Update the global section of the smb.conf file to include the following:
workgroup = MY_COMPANY_DOMAIN
security = domain
password server = *
encrypt passwords = yes
smbpasswd file = THE_FILE_PATH_AND_NAME
os level = 0 ### This server will never become a domain controller

Stop the smbd and nmbd daemons.

Run the smbpasswd command to establish a trust relationship:
smbpasswd -j MY_COMPANY_DOMAIN -r DOMAIN_CONTROLLER -Uadministrator%password

Start up the Samba daemons.

This last reply has helped me figure out quite a few things, but I'm still
getting stuck on the 'adding server to domain' part.  Here is what I am
seeing.

[root@yavin gabriel]# smbpasswd -j CT01 -r ANAKIN -U gabriel
Password:
error creating domain user: NT_STATUS_INVALID_DOMAIN_ROLE
Unable to join domain CT01.

I have added yavin (linux server) to the domain, and it shows in the
server manager screen.  But I guess I'm missing something else.  Can
someone help me?

Gabriel

On Mon, 9 Dec 2002, David Neilson wrote:
> To Samba Users Group:
>
> I posted the message below, and a member of the group called me and talked
> me through the problem.  The solution is at the bottom of the page.
>
> >  -----Original Message-----
> > From: 	David Neilson
> > Sent:	Monday, December 09, 2002 3:40 PM
> > To:	'samba@lists.samba.org'
> > Subject:	Samba and Windows 2000 Password Authentication
> >
> > Is there a way to configure Samba so that all password authentication
is
> > done through the Windows domain controllers?
> >
> > As I understand it, the variable "encrypt passwords" must be
set to yes if
> > "security" is set to "domain".  This causes Samba
to reference the
> > smbpasswd file, so if the W2K user's password on the domain
controller is
> > not the same as that in the smbpasswd file, Samba will prompt the user
for
> > the password in smbpasswd.
> >
> > I have tried various options, like setting "security" equal
to the server,
> > and "password server" equal to domain controller, but it all
works the
> > same:  the user has to enter the smbpasswd password to get
authenticated.
> >
> >
> > If this is not possible, is there a way to sync up the passwords
between
> > the domain controllers and the smbpasswd file?
> >
> > David Neilson
> > Western Family Foods, Inc.
> > System Administrator
> > 503 639 6300 x370
> >
> The Answer:
>
> When the Windows Administrator had created the machine account in the
> domain, I assumed I did not have to use the "smbpasswd" command
to create
> the trust relationship between the Samba Server and the domain.  I was
> wrong, and once I followed the steps below, I could log onto the domain and
> then access Samba shares without getting asked for a password:
>
> Update the global section of the smb.conf file to include the following:
> workgroup = MY_COMPANY_DOMAIN
> security = domain
> password server = *
> encrypt passwords = yes
> smbpasswd file = THE_FILE_PATH_AND_NAME
> os level = 0 ### This server will never become a domain controller
>
> Stop the smbd and nmbd daemons.
>
> Run the smbpasswd command to establish a trust relationship:
> smbpasswd -j MY_COMPANY_DOMAIN -r DOMAIN_CONTROLLER
-Uadministrator%password
>
> Start up the Samba daemons.
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
>
Gabriel Matthews
Network Support
Cinergy Communications
gabriel@cinergycom.com