I have been running Samba 2.2.8 on a Solaris 8 server with a valid NetBIOS server name on the AD domain. The Samba 2.2.8 configuration was configured for security = domain.

Everything was fine until the AD domain controllers were "upgraded" to Windows Server 2003 SP1. User authentication would no longer function with the following error message in the samba 2.2.8 log:

connect_to_domain_password_server: unable to open the domain client session to machine <name>. Error was : NT_STATUS_ACCESS_DENIED.

I was able to point the password server entry to another controller that has not been upgraded to Server 2003 SP1 and all is fine. Authentication is processed and granted as expected. Problem is that these controllers are scheduled to be upgraded to 2003 SP1 in the next few weeks.

So decided to upgrade Samba to 3.0.21c. Downloaded the pre-compiled version for Solaris 9 and installed with no problems. I copied the smb.conf and smbpasswd files from 2.2.8 to 3.0.21c. I did not copy the secrets.tdb file over, although I did validate the SIDs for each Samba version.

At this point, I cannot get Samba 3.0.21c to be recognized by either Windows Server 2003 or Windows Server 2003 SP1. I have tried rejoining the domain with no success. I have verified the SIDs for both Samba 2.2.8 and 3.0.21c.

Some of the 3.0.21c log errors I am seeing are:

cli_nt_create failed on pipe \NETLOGON to machine <name>. Error was NT_STATUS_ACCESS_DENIED
failed to get schannel session key from server <name> for domain <domainname>.
domain_client_validate: Domain password server not available
check_ntlm_password: Authentication for user [id] -> [id] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If anyone has seen this problem I would greatly appreciate any feedback on possible work-around or fixes. At this point, I can not get domain security to work for either Samba version when pointed to a Windows Server 2003 SP1 AD controller.

Thanks

Jeff Bradish
mailto: jeff.bradish@eds.com
I've got similar Problems:
When I try to connect to our samba server I get an "Die Anforderung wird nicht unterstützt" Error Message.
From our other Machines (even some Win2k3 Servers) I can access the Files, what could be wrong?

The samba server has the following conf-file:

# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings ====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
   workgroup = FZI

# Name under which the server should be visible - preferably the same as the DNS name
   netbios name = goedel

# server string is the equivalent of the NT Description field
   server string = SWT Samba Server

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.
   hosts allow = ############ 127.

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   load printers = yes

# you may wish to override the location of the printcap file
;   printcap name = /etc/printcap

# on SystemV system setting printcap name to lpstat should allow
# you to automatically obtain a printer list from the SystemV spool
# system
;   printcap name = lpstat

# It should not be necessary to specify the print system type unless
# it is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
;   printing = bsd

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;   guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
;   log file = /usr/sfw/lib/smb.conf.%m
;   log file =/var/samba/log/%m.log
   log file =/var/samba/log/smbd.log

# Put a capping on the size of the log files (in Kb).
   max log size = 100

   security = server
   password server = ad
   encrypt passwords = yes
   os level = 1

# strong encryption for incoming connections
;   server NTLMv2 = auto

# strong encryption for outgoing connections
;   client NTLMv2 = auto

# Guest access runs under this account
   guest account = nobody

# Unknown users are treated as guests
   map to guest = Bad User

# Samba does not try to become master browser
   local master = no

# Security mode. Most people will want user level security. See
# security_level.txt for details.
;   security = user

# Use password server option only with security = server
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
;   password server = <NT-Server-Name>

# Note: Do NOT use the now deprecated option of "domain controller"
# This option is no longer implemented.

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
;   encrypt passwords = yes

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /var/samba/log.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
# You may want to add the following on a Linux system:
#   SO_RCVBUF=8192 SO_SNDBUF=8192
   socket options = TCP_NODELAY

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#   %L substitutes for this servers netbios name, %U is username
#   You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z
   wins server = ############

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
   dns proxy = yes

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
   preserve case = yes
   short preserve case = yes
# Default case is normally upper case for all DOS files
;   default case = lower
# Be very careful with case sensitivity - it can break things!
   case sensitive = no
;   mangle case = no

   force create mode = 644
   force directory mode = 755
   map archive = no

#============================ Share Definitions =============================
[homes]
   comment = UNIX Home Directories
   browseable = yes
   writable = yes
   invalid users = root

[fzi]
   comment = FZI NFS-Wurzel
   path = /fzi
   writable = true

[public]
   comment = Public Stuff
   path = /export/home/samba
   public = yes
   browseable = yes
   writable = yes
   printable = no
   write list = @swt @rud @dtp

-----Original Message-----
From: On Behalf Of Bradish, Jeff
Sent: Thursday, March 16, 2006 3:16 PM
To: samba@lists.samba.org
Subject: [Samba] Domain Authentication Problem

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
One correction to my original email; I am running Solaris 9 rather than Solaris 8 (typo).

Following are my smb.conf settings:

[global]
   workgroup = AMER
   netbios name = USAHSSMC001
   netbios aliases = USAHSSMC001
   server string = EDS GSCO
   security = DOMAIN
   encrypt passwords = Yes
   password server = usahd100 uspld100 usahd101 usahd102 usahd103 usahd104
   username map = /etc/samba/username.map
   log level = 4
   preferred master = No
   local master = No
   domain master = No
   dns proxy = No
   create mask = 0664
   name resolve order = lmhosts

My issue is: Everything was fine until the AD domain controllers were "upgraded" to Windows Server 2003 SP1. User authentication would no longer function until I pointed the password server entry to domain controllers that have not been upgraded to SP1.

I upgraded to Samba 3.0.21c, downloaded the pre-compiled version for Solaris 9 and installed with no problems. At this point, I cannot get Samba 3.0.21c to be recognized by either Windows Server 2003 or Windows Server 2003 SP1. I have tried rejoining the domain with no success.

Samba log entries:

cli_nt_create failed on pipe \NETLOGON to machine <name>. Error was NT_STATUS_ACCESS_DENIED
failed to get schannel session key from server <name> for domain <domainname>.
domain_client_validate: Domain password server not available
check_ntlm_password: Authentication for user [id] -> [id] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

At this point, I can not get domain security to function for either Samba version when pointed to a Windows Server 2003 SP1 AD controller. Any help with this situation would be appreciated.
Jeff Bradish
mailto: jeff.bradish@eds.com

-----Original Message-----
From: samba-bounces+jeff.bradish=eds.com@lists.samba.org [mailto:samba-bounces+jeff.bradish=eds.com@lists.samba.org] On Behalf Of Craig White
Sent: Thursday, March 16, 2006 10:58 AM
To: samba@lists.samba.org
Subject: RE: [Samba] Domain Authentication Problem

On Thu, 2006-03-16 at 16:16 +0100, Johannes Michler wrote:
> I've got similar Problems:
> When I try to connect to our samba server I get an "Die Anforderung
> wird nicht unterstützt" Error Message.
> From our other Machines (even some Win2k3 Servers) I can access the
> Files, what could be wrong?
>
> The samba server has the following conf-file:
----
It would help if you don't include all of the unnecessary stuff (especially comments)...

testparm -s > /tmp/samba-config.txt # would be better

your usage of

security = server
password server = ad

doesn't seem correct. is ad a netbios name? are you sure you want to use security = server and not security = ADS ?

at least you should make sure that 'password server = WHATEVER' has WHATEVER either an ip address or a resolvable domain controller.

see 'man smb.conf'

Craig
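The checks suggested in the reply above (drop the comments, question security = server, confirm each password server resolves), as an added example that is not part of the original thread. The function names, the constructed sample text and the injectable resolver are assumptions; the default resolver uses the OS lookup, which only approximates Samba's own "name resolve order".

```python
import ipaddress
import socket

# Constructed sample: the authentication-related [global] lines of the first
# config in this thread, with one parameter name re-cased to show normalization.
SAMPLE_CONF = """\
[global]
   workgroup = FZI
; security = user
   security = server
   Password Server = ad
   encrypt passwords = yes
[public]
   path = /export/home/samba
"""


def parse_global(conf_text):
    """Return the effective [global] parameters of an smb.conf as a dict."""
    params, section = {}, ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)         # only the first '=' counts
        # smb.conf ignores case and whitespace in parameter names.
        params["".join(name.split()).lower()] = value.strip()
    return params


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def system_resolves(host):
    # Assumption: the OS resolver stands in for Samba's own lookup,
    # which may also consult lmhosts or WINS.
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False


def review_auth_settings(conf_text, resolves=system_resolves):
    """Return findings for the points raised in the reply above."""
    params = parse_global(conf_text)
    findings = []
    if params.get("security", "").lower() == "server":
        findings.append("security = server: confirm this is intended "
                        "rather than security = ADS")
    servers = params.get("passwordserver", "").replace(",", " ").split()
    for host in servers:
        if host == "*" or is_ip(host):           # "*" auto-locates the DC
            continue
        if not resolves(host):
            findings.append(f"password server '{host}' does not resolve")
    return findings
```

Run it on the output of testparm -s and pass a resolver that matches the host's "name resolve order" if the OS lookup does not.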
Have a look at this, hopefully will explain ur prob.... cheers Andy. http://lists.samba.org/archive/samba/2004-July/089483.html
Thanks. I did find a solution.

-----Original Message-----
From: samba-bounces+ronald.trimble=unisys.com@lists.samba.org [mailto:samba-bounces+ronald.trimble=unisys.com@lists.samba.org] On Behalf Of andrew.x.smith@jpmchase.com
Sent: Thursday, March 16, 2006 12:04 PM
To: samba@lists.samba.org
Subject: RE: [Samba] Domain Authentication Problem