Dariush Forouher
2003-Jan-08 21:05 UTC
[Samba] samba domain member can't validate users against 3.0 DC
Hello,

I've a samba 3.0 (today's cvs) server running as a PDC. The Win2K/NT clients can log in without any visible problems, but a samba 2.2.7a domain member can't validate users in security=domain mode.

I've followed the howto in the docs, and joining the domain with 'smbpasswd -j BRGS -r ALDEBARAN -Uroot%pw' works just fine; the samba 3.0 DC even creates the machine$ account in LDAP.

To be sure, I've also set up a samba 2.2.7a PDC (in another WG) with the same LDAP backend: It works! It seems that a domain member can authenticate users against a samba 2.2 DC but not against a 3.0 one.

This is the log from the domain member (I can post a debug log if needed):

[2003/01/08 20:01:51, 0] smbd/server.c:main(707)
  smbd version 2.2.7a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2002
[2003/01/08 20:02:08, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/08 20:02:08, 0] rpc_client/cli_login.c:cli_nt_setup_creds(72)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/08 20:02:08, 0] smbd/password.c:connect_to_domain_password_server(1367)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine ALDEBARAN. Error was : NT_STATUS_OK.
[2003/01/08 20:02:08, 0] smbd/password.c:domain_client_validate(1599)
  domain_client_validate: Domain password server not available.

With log level 2 the PDC doesn't show any unusual messages. Again, I'll post a much bigger debug log if it can help.

smb.conf of member server:

[global]
    security = domain
    password server = 172.16.0.1
    workgroup = BRGS
    server string = Gateway (samba %v)
    wins server = wins1
    log level = 2
    encrypt passwords = yes
    os level = 2

smb.conf of PDC:

[global]
    workgroup = BRGS
    netbios name = ALDEBARAN
    server string = PDC (samba %v)
    encrypt passwords = Yes
    security = user
    log level = 5
    log file = /var/log/samba/log.%m
    max log size = 50000
    unix charset = CP850
    logon path = \\einstein\profiles\%U
    logon script = sonstige.bat
    logon drive = h:
    logon home = \\sirius\%U
    domain logons = Yes
    os level = 32
    preferred master = yes
    domain master = yes
    local master = yes
    wins support = yes
    #wins partners = wins2.brgs.org
    passdb backend = ldapsam_nua:ldap://ldap1.brgs.org
    ldap ssl = no
    ldap admin dn = "cn=root,dc=brgs,dc=org"
    ldap suffix = dc=brgs,dc=org
    ldap user suffix = ou=People
    ldap machine suffix = ou=Machines
    non unix account range = 8000-8999
    ldap trust ids = yes
    ldap passwd sync = yes
    unix password sync = yes
    passwd chat = *enter*password* %n\n %n*ok*
    passwd program = /usr/local/bin/cracklib_check %u

ciao
Dariush

--
PGP Fingerprint: 0x886C99A1