Esler, Joel Contractor
2003-Feb-24 21:45 UTC
[Samba] problem configuring smbd for domain authentication
With AD / Win2k you have to use encrypted passwords.

To create a password file for Samba:

    # cat /etc/passwd | mksmbpasswd.sh > /etc/samba/smbpasswd
    # chmod 600 /etc/samba/smbpasswd
    # smbpasswd <username>

Encrypted passwords must be enabled in the smb.conf in the [global] section:

    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

-----Original Message-----
From: rohitm@engr.uconn.edu [mailto:rohitm@engr.uconn.edu]
Sent: Monday, February 24, 2003 4:47 PM
To: samba@lists.samba.org
Subject: [Samba] problem configuring smbd for domain authentication

Hello everyone, I am trying to configure a Samba 2.2 server to allow users to mount their home directories (stored on a UNIX filesystem) from Windows after authenticating against a Windows 2000 Domain Controller.

The Samba server is 2.2.3a compiled with acl support on Solaris 8. I think I am experiencing some (hopefully) basic configuration issues and can't seem to get it to work. I really hope someone can help!

The name of our Windows 2000 Domain is ad.... The domain controller is (aptly named) dc. I have placed a static record in WINS for the samba server, and added a record to the Active Directory Computers container for it as well. The domain controller is a mixed-mode controller (I read in the docs that doesn't make any difference but I thought I'd mention it) and it is the only domain controller for the AD domain.

With the command, "smbpasswd -r DC -j ad... -UAdministrator%mypassword", I get a successful response:
Joined domain AD.

However, when I get on a Windows 2000 machine (which is also a member of the domain AD), and try to mount \\mysambaserver\acls as a user who is already authenticated in the AD domain, it fails (the windows end seems to hang and *eventually* prompts me for another username password) and I see the following in my samba logs:

    cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
    [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
      cli_nt_setup_creds: auth2 challenge failed
    [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
      connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
    [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
      domain_client_validate: Domain password server not available.
    [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
      unable to open passdb database.
    [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
      unable to open passdb database.
    [2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
      cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
    [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
      cli_nt_setup_creds: auth2 challenge failed
    [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
      connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
    [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
      domain_client_validate: Domain password server not available.

Here is a listing of my smb.conf file:

    [global]
    # debug level = 2
    # Stuff needed by nmdb first
    interfaces = myip
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    log file = /tmp/slog
    wins server = 192.168.28.13
    guest account = nobody
    encrypt passwords = Yes
    # security = server
    security = domain
    workgroup = ad
    password server = dc
    username map=/usr/local/samba/lib/ntstaff.map
    invalid users = root

    [homes]
    comment = Home Directories
    locking = no
    browseable = no
    read only = no
    force create mode = 0750
    create mode = 0750
    force directory mode = 0750
    directory mode = 0750
    preserve case = yes

    [acls]
    Comments = Account information
    path = /export/home/acls
    create mode = 660
    force create mode = 660
    directory mode = 770
    force directory mode = 770
    preserve case = yes
    browseable = yes

I am fairly certain the ntstaff.map file is correct as it works in other configurations. I'll post the line with the username I used:

    !rotest2 = rotest2

If anyone would like any more information I'd be happy to provide it. I am really stumped right now as I think everything I am trying to do should work, but I don't know what I am doing wrong. I would be most grateful for any assistance.

Thanks,

Rohit Kumar Mehta
University of Connecticut
School of Engineering
Systems Manager
rohitm@engr.uconn.edu

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
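The end state of the steps in the reply above (encrypted passwords enabled in [global], an smbpasswd file that exists and is closed to group and others) can be checked mechanically. This is an added example, not part of the original thread; the function names `global_param` and `check_encrypted_pw_setup` are hypothetical, and the sample files are constructed in a temporary directory.

```shell
# Added example (not from the thread): verify the smbpasswd setup steps.

# Print a [global] parameter's value. smb.conf ignores case and whitespace
# in section and parameter names, so both are normalised before comparing.
global_param() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val   # keep the last occurrence
        }
        END { print found }' "$1"
}

# Print one line per problem; return 0 only when nothing is wrong.
# The smbpasswd file holds password hashes, hence the chmod 600 requirement.
check_encrypted_pw_setup() {
    conf=$1; problems=0
    enc=$(global_param "$conf" "encrypt passwords" | tr '[:upper:]' '[:lower:]')
    case $enc in
        yes|true|1) ;;   # boolean spellings smb.conf accepts
        *) echo "encrypt passwords is not enabled in [global]"; problems=1 ;;
    esac
    pwfile=$(global_param "$conf" "smb passwd file")
    if [ -z "$pwfile" ]; then
        echo "smb passwd file is not set in [global]"; problems=1
    elif [ ! -f "$pwfile" ]; then
        echo "$pwfile does not exist"; problems=1
    elif [ "$(ls -ld "$pwfile" | cut -c5-10)" != "------" ]; then
        echo "$pwfile is accessible to group or others"; problems=1
    fi
    return $problems
}

# Constructed sample input: throwaway smb.conf and smbpasswd in a temp dir.
demo() {
    d=$(mktemp -d)
    printf '[global]\n encrypt passwords = yes\n smb passwd file = %s\n' "$d/smbpasswd" > "$d/smb.conf"
    : > "$d/smbpasswd"; chmod 644 "$d/smbpasswd"
    check_encrypted_pw_setup "$d/smb.conf" || echo "-> fix with chmod 600"
    chmod 600 "$d/smbpasswd"
    check_encrypted_pw_setup "$d/smb.conf" && echo "setup looks consistent"
    rm -rf "$d"
}
demo
```

A misspelled parameter name such as a missing plural is reported the same way as a missing setting, because the lookup matches the normalised name exactly.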
rohitm@engr.uconn.edu
2003-Feb-24 21:46 UTC
[Samba] problem configuring smbd for domain authentication
Hello everyone, I am trying to configure a Samba 2.2 server to allow users to mount their home directories (stored on a UNIX filesystem) from Windows after authenticating against a Windows 2000 Domain Controller.

The Samba server is 2.2.3a compiled with acl support on Solaris 8. I think I am experiencing some (hopefully) basic configuration issues and can't seem to get it to work. I really hope someone can help!

The name of our Windows 2000 Domain is ad.... The domain controller is (aptly named) dc. I have placed a static record in WINS for the samba server, and added a record to the Active Directory Computers container for it as well. The domain controller is a mixed-mode controller (I read in the docs that doesn't make any difference but I thought I'd mention it) and it is the only domain controller for the AD domain.

With the command, "smbpasswd -r DC -j ad... -UAdministrator%mypassword", I get a successful response:
Joined domain AD.

However, when I get on a Windows 2000 machine (which is also a member of the domain AD), and try to mount \\mysambaserver\acls as a user who is already authenticated in the AD domain, it fails (the windows end seems to hang and *eventually* prompts me for another username password) and I see the following in my samba logs:

    cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
    [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
      cli_nt_setup_creds: auth2 challenge failed
    [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
      connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
    [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
      domain_client_validate: Domain password server not available.
    [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
      unable to open passdb database.
    [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
      unable to open passdb database.
    [2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
      cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
    [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
      cli_nt_setup_creds: auth2 challenge failed
    [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
      connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
    [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
      domain_client_validate: Domain password server not available.

Here is a listing of my smb.conf file:

    [global]
    # debug level = 2
    # Stuff needed by nmdb first
    interfaces = myip
    domain master = no
    local master = no
    preferred master = no
    os level = 0
    log file = /tmp/slog
    wins server = 192.168.28.13
    guest account = nobody
    encrypt passwords = Yes
    # security = server
    security = domain
    workgroup = ad
    password server = dc
    username map=/usr/local/samba/lib/ntstaff.map
    invalid users = root

    [homes]
    comment = Home Directories
    locking = no
    browseable = no
    read only = no
    force create mode = 0750
    create mode = 0750
    force directory mode = 0750
    directory mode = 0750
    preserve case = yes

    [acls]
    Comments = Account information
    path = /export/home/acls
    create mode = 660
    force create mode = 660
    directory mode = 770
    force directory mode = 770
    preserve case = yes
    browseable = yes

I am fairly certain the ntstaff.map file is correct as it works in other configurations. I'll post the line with the username I used:

    !rotest2 = rotest2

If anyone would like any more information I'd be happy to provide it. I am really stumped right now as I think everything I am trying to do should work, but I don't know what I am doing wrong. I would be most grateful for any assistance.

Thanks,

Rohit Kumar Mehta
University of Connecticut
School of Engineering
Systems Manager
rohitm@engr.uconn.edu
rohitm@engr.uconn.edu
2003-Feb-25 14:28 UTC
[Samba] problem configuring smbd for domain authentication
One other thing I noticed, if I set "security = server" it works fine (Windows clients can authenticate off Windows DC and access samba resources), but I still cannot get it to work with "security = domain".

Has anyone had success with security = domain? I would love to read your configuration files.

Thanks
Rohit

On Mon, Feb 24, 2003 at 04:46:45PM -0500, rohitm@engr.uconn.edu wrote:
> Hello everyone, I am trying to configure a Samba 2.2 server to allow users to mount their home
> directories (stored on a UNIX filesystem) from Windows after authenticating against a Windows 2000
> Domain Controller.
>
> The Samba server is 2.2.3a compiled with acl support on Solaris 8. I think I am experiencing some (hopefully)
> basic configuration issues and can't seem to get it to work. I really hope someone can help!
>
> The name of our Windows 2000 Domain is ad.... The domain controller is (aptly named) dc. I have placed a static
> record in WINS for the samba server, and added a record to the Active Directory Computers container for it as well.
> The domain controller is a mixed-mode controller (I read in the docs that doesn't make any difference but I thought
> I'd mention it) and it is the only domain controller for the AD domain.
>
> With the command, "smbpasswd -r DC -j ad... -UAdministrator%mypassword", I get a successful response:
> Joined domain AD.
>
> However, when I get on a Windows 2000 machine (which is also a member of the domain AD), and try
> to mount \\mysambaserver\acls as a user who is already authenticated in the AD domain, it fails
> (the windows end seems to hang and *eventually* prompts me for another username password) and
> I see the following in my samba logs:
>
> cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
>   connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
> [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
>   domain_client_validate: Domain password server not available.
> [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
>   unable to open passdb database.
> [2003/02/24 16:35:19, 0] passdb/pdb_smbpasswd.c:pdb_getsampwnam(1367)
>   unable to open passdb database.
> [2003/02/24 16:35:19, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
>   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
> [2003/02/24 16:35:19, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
>   cli_nt_setup_creds: auth2 challenge failed
> [2003/02/24 16:35:19, 0] smbd/password.c:connect_to_domain_password_server(1336)
>   connect_to_domain_password_server: unable to setup the PDC credentials to machine DC. Error was : NT_STATUS_OK.
> [2003/02/24 16:35:19, 0] smbd/password.c:domain_client_validate(1554)
>   domain_client_validate: Domain password server not available.
>
> Here is a listing of my smb.conf file:
> [global]
> # debug level = 2
> # Stuff needed by nmdb first
> interfaces = myip
> domain master = no
> local master = no
> preferred master = no
> os level = 0
> log file = /tmp/slog
> wins server = 192.168.28.13
> guest account = nobody
> encrypt passwords = Yes
> # security = server
> security = domain
> workgroup = ad
> password server = dc
> username map=/usr/local/samba/lib/ntstaff.map
> invalid users = root
>
> [homes]
> comment = Home Directories
> locking = no
> browseable = no
> read only = no
> force create mode = 0750
> create mode = 0750
> force directory mode = 0750
> directory mode = 0750
> preserve case = yes
>
> [acls]
> Comments = Account information
> path = /export/home/acls
> create mode = 660
> force create mode = 660
> directory mode = 770
> force directory mode = 770
> preserve case = yes
> browseable = yes
>
>
> I am fairly certain the ntstaff.map file is correct as it works in other configurations. I'll post the line with the username
> I used:
> !rotest2 = rotest2
>
>
> If anyone would like any more information I'd be happy to provide it. I am really stumped right now as I think everything I am
> trying to do should work, but I don't know what I am doing wrong. I would be most grateful for any assistance.
>
> Thanks,
>
>
> Rohit Kumar Mehta
> University of Connecticut
> School of Engineering
> Systems Manager
> rohitm@engr.uconn.edu