Ulrich Schwenk
2007-Jan-23 10:21 UTC
[Samba] Problems with password authentication on Samba as an AD-Member
Hello,

I've got some problems with a Samba server. The Samba server is a member of an Active Directory domain (Win2000); it is NOT the domain controller. Authentication is Kerberos-based (smb.conf: security=ADS, winbind). The Samba server is accessed by Windows clients that are domain members and by some Windows clients that are not. Originally, users who were logged on to the domain could access the shares simply by typing \\servername\sharename in Windows Explorer. Users who were not logged on to the domain could also access the shares, but were presented with a password dialog, where they had to type a domain user's name and password.

Everything went fine until the domain controller (Win2000) suffered a severe hardware crash. I restored the installation using an NT system state backup, following this nice procedure (http://support.microsoft.com/kb/263532/de -- check out the list box on the left side for a translated version). After several days of disaster recovery, I managed to promote a freshly installed Windows DC and finally used dcpromo to downgrade the recovered version. Replmon, dcdiag and netdiag show no errors on the domain controller.

After that, with the new domain controller, everything works fine except the password-box thing (only with the Samba server; shares offered by Windows computers can be accessed as before the crash).

Users are only able to use the Samba server when logged in to a Windows box which is a member of the domain. Otherwise, instead of the password dialog, a message box appears after a long time of waiting, saying "file \\servername\sharename not found".

There are no errors reported, neither on the DC nor on the Samba server.

On the Samba server, I found out that I can browse the shares only by doing

    kinit <username>
    Password: <mypassword>
    smbclient -k -L SERVERNAME

(which gives all the shares immediately) and not by

    smbclient -U<username> -L SERVERNAME
    Password: <mypassword>

which leads to 20 seconds of inactivity and then to a timeout message, saying "session setup failed: the Server did not respond after 20'000 milliseconds".

Could anyone provide a hint for this problem? Can I somehow trace the failure? What exactly happens when the Linux box needs to authenticate a user from a non-domain-member client?

Thanks a lot for the help!
Felipe Augusto van de Wiel
2007-Jan-25 13:47 UTC
[Samba] Problems with password authentication on Samba as an AD-Member
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/23/2007 08:14 AM, Ulrich Schwenk wrote:
> Hello,
>
> I've got some problems with a Samba Server. [...]
>
> Could anyone provide a hint for this problem? Can I somehow trace the
> failure? What exactely happens, when the Linuxbox needs to authenticate
> a user from a non-domainmember client?

This is _really_ just a hint that I hope helps. Did your SID change? Did you change it in Samba as well? Don't you need to rejoin your Samba machine to the DOMAIN?

> Thanks a lot for the help!

Kind regards,
- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFuLT4Cj65ZxU4gPQRAizWAKCwzWm9ezeoVMdjzKPzTwTz/+Xy+gCeLZx/
uUAxqpGJMtpW38qBwewuwyw=
=2RyT
-----END PGP SIGNATURE-----
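Ulrich asks how to trace what happens when the Samba member server has to authenticate a user by password rather than by Kerberos ticket, and Felipe's hint points at the domain SID and the machine join. The script below is an added example written for this thread; it is not code from either poster or from the Samba project. It assumes a Samba AD member server with winbindd running and the standard `net`, `wbinfo` and `smbcontrol` tools on PATH; the domain name EXAMPLE, the user name and the host names are placeholders. The pure-shell helpers parse constructed sample output so they can be exercised offline; the live checks run only with `--live`.

```shell
#!/bin/sh
# Added diagnostic helper (not from either poster). Assumes a Samba AD member
# server with winbindd running and the Samba 'net' and 'wbinfo' tools on PATH.
# The domain name, user name and host names used anywhere here are placeholders.

# Pull the domain SID out of `net getdomainsid` output (read from stdin).
# Sample line: "SID for domain EXAMPLE is: S-1-5-21-444-555-666"
extract_domain_sid() {
    sed -n 's/^SID for domain [^ ]* is: *\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# Pull the SID field out of `wbinfo --domain-info DOMAIN` output (read from stdin).
# Sample line: "SID               : S-1-5-21-444-555-666"
extract_wbinfo_sid() {
    sed -n 's/^SID *: *\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when both SIDs are present and identical.
sids_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Live checks run only when invoked as:  sh samba_member_check.sh --live EXAMPLE jdoe
# so the functions above can be sourced by other scripts without side effects.
if [ "${1:-}" = "--live" ]; then
    domain=${2:?usage: $0 --live DOMAIN USER}
    user=${3:?usage: $0 --live DOMAIN USER}

    echo "== 1. Machine account / secure channel to the DC"
    net ads testjoin     # prints "Join is OK" when the machine trust account still matches the DC
    wbinfo -t            # winbindd's own check of the trust secret

    echo "== 2. Domain SID stored by Samba vs. SID reported by the DC"
    local_sid=$(net getdomainsid | extract_domain_sid)
    dc_sid=$(wbinfo --domain-info "$domain" | extract_wbinfo_sid)
    if sids_match "$local_sid" "$dc_sid"; then
        echo "domain SID consistent: $local_sid"
    else
        echo "domain SID MISMATCH: samba='$local_sid' dc='$dc_sid' -> rejoin with 'net ads join'"
    fi

    echo "== 3. Password logon through winbindd (the path smbclient -U takes; Kerberos not involved)"
    printf 'Password for %s\\%s: ' "$domain" "$user"
    stty -echo; read -r pw; stty echo; echo
    wbinfo -a "$domain\\$user%$pw"   # exercises both plaintext and challenge/response authentication
    unset pw

    echo "== 4. To trace a failing attempt, raise winbindd's debug level while reproducing it:"
    echo "   smbcontrol winbindd debug 10   (watch log.winbindd; reset with 'smbcontrol winbindd debug 1')"
fi
```

The split between steps 1 and 3 mirrors the symptom in the thread: with `smbclient -k` the server validates the client's Kerberos ticket against its own keytab and never has to talk to the DC, whereas a password logon (`smbclient -U`) is forwarded by winbindd to the DC over the machine account's secure channel, so a stale machine account or a domain SID that no longer matches the DC shows up only on that second path, typically as a long wait followed by a timeout rather than an explicit error.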