samba - Feb 2005 - samba 3.0.11, security=server and smbpasswd as fallback not working

Hi,

with samba 2.2.12 a user was able to connect to a share with his local
smbpasswd if he had no user on the password server. I updated the samba
server
to 3.0.11 and this is not working anymore. I kept the config files and the
smbpasswd file. The smb.conf man page describes old behavior, but if the
password server rejects the password the connection gets terminated
with  NT_STATUS_LOGON_FAILURE.

Is there anything I have to change in the config? The smb.conf is an old
version from the beginning of samba 2.x, but it worked fine until now.

Any ideas?

Ralf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ralf Gross wrote:
| Hi,
|
| with samba 2.2.12 a user was able to connect to a share with his local
| smbpasswd if he had no user on the password server. I updated the samba
| server
| to 3.0.11 and this is not working anymore. I kept the config files and the
| smbpasswd file. The smb.conf man page describes old behavior, but if the
| password server rejects the password the connection gets terminated
| with  NT_STATUS_LOGON_FAILURE.

Fallover to the next auth method only occurs when the current
auth method (e.g. the remote server) returns
NT_STATUS_NOT_IMPLEMENTED I think.  This is by design.

You'll have better luck setting

	'auth methods = guest sam_ignoredomain smbserver'

But I rarely ever recommend setting the 'auth methods' parameter.
So keep that in mind.

This will authenticate first against the smbpasswd and
the fall over to server authentication if the user is
not listed in the smbpasswd file.

Last recommendation, you should really explore security = domain.
security = server has been deprecated.




cheers, jerry
====================================================================Alleviating
the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCCTKxIR7qMdg1EfYRArwHAKCc1pRxuELCCkTbyJHhiAPRnB5aBACdEUYH
DodgGGckT0AirH0CQeclZB8=EuEP
-----END PGP SIGNATURE-----

Gerald (Jerry) Carter wrote:
>
> Ralf Gross wrote:
>| Hi,
>|
>| with samba 2.2.12 a user was able to connect to a share with his local
>| smbpasswd if he had no user on the password server. I updated the samba
>| server to 3.0.11 and this is not working anymore. I kept the config
>files >| and the smbpasswd file. The smb.conf man page describes old
>behavior, but >| if the password server rejects the password the
>connection gets
>| terminated with  NT_STATUS_LOGON_FAILURE.
>
> Fallover to the next auth method only occurs when the current
> auth method (e.g. the remote server) returns
> NT_STATUS_NOT_IMPLEMENTED I think.  This is by design.
This was changed in samba 3.x?
> You'll have better luck setting
>
>       'auth methods = guest sam_ignoredomain smbserver'
>
> But I rarely ever recommend setting the 'auth methods' parameter.
> So keep that in mind.
Great, now it seems to work as before!
> This will authenticate first against the smbpasswd and
> the fall over to server authentication if the user is
> not listed in the smbpasswd file.
I need the fallback to smbpasswd because we have some users that have no
domain account (students, doctorands...). With the fallback I can give
them a local account/password and access to shares.
> Last recommendation, you should really explore security = domain.
> security = server has been deprecated.
I would love to do this. Unfortunately samba server are not allowed to
join the domain, only window servers are allowed to be member of the
domain. This is just a workgroup server, which is in a separate workgroup
with a couple of linux machines.

Ralf