samba - Nov 2005 - Linux Primary Domain Controller Authentication

I have setup my Linux server as a Primary Domain Controller using Samba 
3.   All other computers on the network run various versions of Windows 
from 95 to XP.   All computers are able to join my Samba domain and the 
user computers can log onto the network.   However, if they try to 
access a file resource on one of the Windows 2003 file servers, the 
authentication fails with System Error 1789.   The Windows 2003 file 
server did successfully join my domain.    I am not running Winbindd 
primarily because it was not part of the Samba packaging provided by 
Suse.   Is it necessary to run Winbindd in order to have the Windows 
2003 servers validate?

Any suggestions would be greatly appreciated.

Cynthia Jeness

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cynthia Jeness escreveu:
> I have setup my Linux server as a Primary Domain Controller using Samba
> 3.   All other computers on the network run various versions of Windows
> from 95 to XP.   All computers are able to join my Samba domain and the
> user computers can log onto the network.   However, if they try to
> access a file resource on one of the Windows 2003 file servers, the
> authentication fails with System Error 1789.   
	With "they" you mean "all computers"? Or some particular
version?
AFAICT, Win95 does not have crypto passwords, which means that it is not
going to work properly.

> The Windows 2003 file
> server did successfully join my domain.    I am not running Winbindd
> primarily because it was not part of the Samba packaging provided by
> Suse.   Is it necessary to run Winbindd in order to have the Windows
> 2003 servers validate?
	Looks like more a permission problem than a 2003 validation
problem. The idea behind winbindd is share the user list between
servers and, from your description, does not sounds like you need it,
althoght there is not enough information to be sure. :-)

	Did you map users? Which version of Samba are you running? In
which MS Windows versions the problem occurs?

> Any suggestions would be greatly appreciated.
	Hope it helps, kind regards.

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFDb09qCj65ZxU4gPQRAop7AKCf9H9A1CYeiNmoe656Y52w8GV0FQCgmcbt
3SW8mNYe0tnZwKSAXw9gw1o=KcOE
-----END PGP SIGNATURE-----

Felipe Augusto van de Wiel wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Cynthia Jeness escreveu:
>  
>
>>I have setup my Linux server as a Primary Domain Controller using Samba
>>3.   All other computers on the network run various versions of Windows
>>from 95 to XP.   All computers are able to join my Samba domain and the
>>user computers can log onto the network.   However, if they try to
>>access a file resource on one of the Windows 2003 file servers, the
>>authentication fails with System Error 1789.   
>>    
>>
>
>	With "they" you mean "all computers"? Or some
particular version?
>AFAICT, Win95 does not have crypto passwords, which means that it is not
>going to work properly.
>
>  
>
Windows users computers (all versions 98, 2000, XP Pro) can access all 
shared resources on the Linux server.   However, if one of these Windows 
user computers attempts to share a resource on the Windows 2003 File 
Server (which did successfully join the domain), then error 1789 is 
returned.   Encryption is turned on and the passwords are stored on 
smbpasswd.
>  
>
>>The Windows 2003 file
>>server did successfully join my domain.    I am not running Winbindd
>>primarily because it was not part of the Samba packaging provided by
>>Suse.   Is it necessary to run Winbindd in order to have the Windows
>>2003 servers validate?
>>    
>>
>
>	Looks like more a permission problem than a 2003 validation
>problem. The idea behind winbindd is share the user list between
>servers and, from your description, does not sounds like you need it,
>althoght there is not enough information to be sure. :-)
>
>	Did you map users? Which version of Samba are you running? In
>which MS Windows versions the problem occurs?
>
>
>  
>
>>Any suggestions would be greatly appreciated.
>>    
>>
>
>	Hope it helps, kind regards.
>
>  
>
We added the users as regular users on the Linux computer and to the 
smbpasswd file.   Except for Administrator which I did map to root, the 
user name on the Windows end user computer is the same as the user name 
on the Linux Samba Primary Domain Controller.   We are using Samba 
version 3.0.   The latest available from Suse.  If I make the Windows 
2003 computer a member of a workgroup and add the users directly to the 
Windows 2003 computer, then the users can access resources on the 
Windows 2003 file server.   The error (1789) indicates that the Windows 
2003 Server cannot verify the user name and password against the primary 
domain controller; i.e., the Linux box.   As part of one of my Google 
searches, some news group responder indicated that Windbind was 
necessary to make this work.
>- --
>Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
>Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
>http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (GNU/Linux)
>Comment: Using GnuPG with Debian - http://enigmail.mozdev.org
>
>iD8DBQFDb09qCj65ZxU4gPQRAop7AKCf9H9A1CYeiNmoe656Y52w8GV0FQCgmcbt
>3SW8mNYe0tnZwKSAXw9gw1o>=KcOE
>-----END PGP SIGNATURE-----
>  
>

Hi Cynthia,

I am not sure if you tried this yet, but you may want to check your
local server security policy on the server and verify that you are
accepting lanmanger based authentication and that SMB signing is
turned off.

Regards,

Jose Medeiros
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.sfntug.org
www.tvnug.org

---------------------------------------------------------------------

On 11/5/05, Cynthia Jeness <CJeness@bellsouth.net>
wrote:
> I have setup my Linux server as a Primary Domain Controller using Samba
> 3.   All other computers on the network run various versions of Windows
> from 95 to XP.   All computers are able to join my Samba domain and the
> user computers can log onto the network.   However, if they try to
> access a file resource on one of the Windows 2003 file servers, the
> authentication fails with System Error 1789.   The Windows 2003 file
> server did successfully join my domain.    I am not running Winbindd
> primarily because it was not part of the Samba packaging provided by
> Suse.   Is it necessary to run Winbindd in order to have the Windows
> 2003 servers validate?
>
> Any suggestions would be greatly appreciated.
>
> Cynthia Jeness
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>