Hi guys/gals.

I'm brand new to this list, been working with Linux for several years, and have occasionally set up samba file servers before in a "hi-i'm-wide-open-so-anyone-can-read/write-to-my-shares" mode for temporary storage in data recovery scenarios.

At the moment, I'm working on a project that involves FreeRADIUS authenticating against a Win2k/2k3 AD server using the ntlm_auth program. The Free RADIUS folks say that ntlm_auth is a samba-related program and to RTFM or ask a samba mailing list. (ok, they really were nice about it, they just didn't have any suggestions)

The machine is running Debian-testing, and is all updated. It's on the same local network/subnet as the AD server, and I can ping/nmap the AD server. The AD server works, as it authenticates enough windows machines on a daily basis to give my stuffed Tux the creeps.

When I run ntlm_auth from the command line, just to verify that it does indeed do what it's supposed to do, I get the following:

root@crbr-1cjib:~# ntlm_auth --username=msnodgrass --request-nt-key --domain=CECNT
password:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
root@crbr-1cjib:~#

I realize that there's probably been someone asking this exact question sometime in the past, and I've googled my heart out on this one to no avail. Any sort of help/point-in-the-right-direction would be greatly appreciated.

-MS

On Wed, 2005-03-30 at 08:05 -0600, Snodgrass, Micah wrote:
> root@crbr-1cjib:~# ntlm_auth --username=msnodgrass --request-nt-key --domain=CECNT
> password:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> root@crbr-1cjib:~#

You have to join the domain first - see the documentation on setting up a fileserver as a domain member, and once you are joined you can just run winbindd and nmbd.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Thank you much Andrew, joining the domain did the trick.

For the record, doing a net rpc join -U administrator from the Linux/FreeRADIUS box joined the machine to the domain, but still no luck. I took a look at the Win2k3 AD server, and had to check the foolish little check box on the account for the Linux computer that said something like "This machine is a Pre-Windows 2000 machine" and then we were talking.

thanks again for the reply,
-MS

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Thursday, March 31, 2005 5:31 AM
> To: Snodgrass, Micah
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] ntlm_auth question
>
> On Wed, 2005-03-30 at 08:05 -0600, Snodgrass, Micah wrote:
> > root@crbr-1cjib:~# ntlm_auth --username=msnodgrass --request-nt-key --domain=CECNT
> > password:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> > root@crbr-1cjib:~#
>
> You have to join the domain first - see the documentation on setting up
> a fileserver as a domain member, and once you are joined you can just
> run winbindd and nmbd.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net

> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet@samba.org]
> Sent: Thursday, March 31, 2005 3:31 PM
> To: Snodgrass, Micah
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] ntlm_auth question
>
> On Thu, 2005-03-31 at 07:36 -0600, Snodgrass, Micah wrote:
> > Thank you much Andrew, joining the domain did the trick. For the
> > record, doing a net rpc join -U administrator from the
> > Linux/FreeRADIUS box joined the machine to the domain,
> > but still no luck. I took a look at the Win2k3 AD server,
> > and had to check the foolish little check box on the account
> > for the Linux computer that said something like
> > "This machine is a Pre-Windows 2000 machine" and then we were talking.
>
> Had you done a 'net ads join' and set 'security=ads' in your smb.conf,
> then it would have worked.
>
> I'm lining up a micro-patch to make the error message indicate the need
> for a domain join.

Hmmm... no I didn't. I'm not familiar with the "net ads" command *digs out google and man pages* - At this point, it's safe to say that I have done neither. smb.conf has security = server, and then password server = ip.of.AD.server.

Once I sat down at the AD server and checked that foolish "this is a pre-windows 2000 computer" checkbox, ntlm_auth started working fine, and I moved on to the next hurdle in the project which is a problem with the FreeRADIUS config file. (something totally unrelated to samba, so I won't bore you with the details.)

thanks again for the help. I'll do some digging into security=ads and "net ads ..." as it sounds like they may save me future headaches.

-MS
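
Added example, not part of the original thread and not Samba's own tooling: a shell pre-flight check that applies the advice given above by reading the security setting from smb.conf and, when the Samba tools are installed, verifying the join with net ads testjoin (or net rpc testjoin) and wbinfo -t before ntlm_auth is tested. The function names and the sample configuration file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks before testing ntlm_auth.

# Print the [global] "security" value of an smb.conf file, or "unset".
smb_security_mode() {
    awk '
        /^[ \t]*[#;]/ { next }    # comment lines
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*security[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            mode = tolower($0)
        }
        END { print (mode == "" ? "unset" : mode) }
    ' "$1"
}

# Return 0 when the host is configured as a domain member and the join is healthy,
# 1 on a definite problem, 2 when the Samba tools are not installed.
preflight() {
    mode=$(smb_security_mode "$1")
    case $mode in
        ads)    join_test="net ads testjoin" ;;   # Kerberos/AD membership
        domain) join_test="net rpc testjoin" ;;   # NT4-style membership
        *)  echo "FAIL: security = $mode is not a domain member mode (want ads)"
            return 1 ;;
    esac
    if ! command -v net >/dev/null 2>&1 || ! command -v wbinfo >/dev/null 2>&1; then
        echo "SKIP: net/wbinfo not installed, cannot verify the join"
        return 2
    fi
    # $join_test is deliberately unquoted so it splits into command + arguments.
    $join_test >/dev/null 2>&1 || { echo "FAIL: '$join_test' failed, join the domain"; return 1; }
    wbinfo -t >/dev/null 2>&1 || { echo "FAIL: winbindd cannot verify the machine account secret"; return 1; }
    echo "OK: security = $mode, join verified; ntlm_auth --request-nt-key can be tested"
}

# Constructed sample reproducing the settings described in the thread.
sample=$(mktemp)
printf '[global]\n  workgroup = CECNT\n  security = server\n  password server = ip.of.AD.server\n' >"$sample"
preflight "$sample" || echo "Fix smb.conf and the domain join before debugging ntlm_auth."
rm -f "$sample"
```

The "security = server" mode was removed in Samba 4.0, so on current releases only the ads and domain branches apply.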