Aaron J. Zirbes
2007-Dec-05 23:35 UTC
[Samba] Is Samba PDC + NT4 DOM Trust using NTLMv2 possible?
My Question:
------------

Is it possible to get 2-way Interdomain Trust relationships working between a Samba domain and an NT4 SP6a domain, while restricting all password hashes to NTLMv2 only?

Everything works except the inter-domain trust.

I'm able to get the NT4 domain to trust the Samba domain, but not the other way around.

My System:
----------

I have a perfectly running Samba domain w/ ~60 client WinXP workstations, and Win 2003 member servers. All machines are set to use NTLMv2 only.

My Config:
----------

I'm running Samba Version 3.0.27a, compiled with
  --with-ldap --with-winbind --with-utmp --with-acl-support

LDAP backend with the new:
  ldapsam:trusted=yes
  ldapsam:editposix=yes

Key NTLMv2 security settings are:
  ntlm auth = no
  lanman auth = no
  client plaintext auth = no
  client lanman auth = no
  client ntlmv2 auth = yes
  client schannel = yes
  server schannel = yes
  client signing = auto
  server signing = auto

I added an idmap config section for the trusted domain.

I created the "Machine" account entry in LDAP for the trusted domain. I set up the domain trust using the net command, I added access to one of my shares by adding TESTDOM\azirbes to the "valid users" parameter as I usually do, but the trusted domain still prompts for a user name and password, and the samba log dumps the following:

[2007/11/09 12:55:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [TESTDOM]\[azirbes] from workstation [nt4test]
[2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
  is_trusted_domain: Checking for domain trust with [TESTDOM]
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for azirbes (azirbes)
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(85)
  making strings for azirbes's user_info struct
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(117)
  making blobs for azirbes's user_info struct
[2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [TESTDOM]\[azirbes]@[nt4test] with the new password interface
[2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password: mapped user is: [TESTDOM]\[azirbes]@[nt4test]
[2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
  check_samstrict_security: TESTDOM is not one of my local names or domain name (DC)
[2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [azirbes] -> [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 5] auth/auth_util.c:free_user_info(2045)
  attempting to free (and zero) a user_info structure

--
Aaron
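Added example (not code from the post or from the Samba project): a small Python script that does the two checks a defender would want when triaging a report like this one. It parses an smb.conf and verifies that the [global] section carries the NTLMv2-only settings the post lists, then parses smbd debug output in Samba's header-plus-message layout and picks out the failure chain shown above (the local SAM declining a foreign domain name, followed by winbind failing with NT_STATUS_ACCESS_DENIED). The smb.conf fragment is constructed, the log sample is the post's own lines re-wrapped into one header line followed by one message line, and the function names and the EXPECTED_AUTH_SETTINGS table are this example's own.

```python
import re

# Values an NTLMv2-only Samba 3.x configuration should carry, taken from the
# settings listed in the post. (Assumption: "client signing"/"server signing"
# are left out because "auto" is not a hard requirement for NTLMv2-only.)
EXPECTED_AUTH_SETTINGS = {
    "ntlm auth": "no",
    "lanman auth": "no",
    "client plaintext auth": "no",
    "client lanman auth": "no",
    "client ntlmv2 auth": "yes",
    "client schannel": "yes",
    "server schannel": "yes",
}

# Constructed smb.conf fragment, not the poster's real file.
SAMPLE_SMB_CONF = """
[global]
    workgroup = SAMBADOM
    security = user
    ntlm auth = no
    lanman auth = no
    client plaintext auth = no
    client lanman auth = no
    client ntlmv2 auth = yes
    client schannel = yes
    server schannel = yes
    client signing = auto
    server signing = auto

[share]
    path = /srv/share
    valid users = TESTDOM\\azirbes
"""

# The post's log lines, re-wrapped into Samba's usual two-line layout:
# a "[timestamp, level] file:function(line)" header followed by the message.
SAMPLE_SMBD_LOG = """\
[2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
  is_trusted_domain: Checking for domain trust with [TESTDOM]
[2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password: Checking password for unmapped user [TESTDOM]\\[azirbes]@[nt4test] with the new password interface
[2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
  check_samstrict_security: TESTDOM is not one of my local names or domain name (DC)
[2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [azirbes] -> [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
"""

LOG_HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<src>\S+)$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Section names and keys are lower-cased and keys have their internal
    whitespace collapsed, so "Client  NTLMv2 Auth" and "client ntlmv2 auth"
    land on the same entry. Lines starting with '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            sections[current][key] = value.strip()
    return sections


def check_ntlmv2_only(conf):
    """Return [(key, expected, actual)] for every expected setting that is
    missing from [global] or set to a different value. Missing keys are
    reported because Samba's defaults for "ntlm auth"/"lanman auth" are not
    the hardened values."""
    g = conf.get("global", {})
    return [(key, want, g.get(key))
            for key, want in EXPECTED_AUTH_SETTINGS.items()
            if g.get(key, "").lower() != want]


def parse_smbd_log(text):
    """Turn header-plus-message smbd debug output into a list of records
    {"ts", "level", "src", "msg"}; continuation lines are joined with spaces."""
    records = []
    header, msg = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOG_HEADER_RE.match(line)
        if m:
            if header is not None:
                records.append({"ts": header.group("ts"), "level": int(header.group("level")),
                                "src": header.group("src"), "msg": " ".join(msg)})
            header, msg = m, []
        elif header is not None and line:
            msg.append(line)
    if header is not None:
        records.append({"ts": header.group("ts"), "level": int(header.group("level")),
                        "src": header.group("src"), "msg": " ".join(msg)})
    return records


def explain_trust_auth_failure(records):
    """Return (trusted_domain, findings): the domain named in the trust check
    and short explanations for each step of the failure chain in the post."""
    domain, findings = None, []
    for rec in records:
        msg = rec["msg"]
        m = re.search(r"Checking for domain trust with \[([^\]]+)\]", msg)
        if m:
            domain = m.group(1)
        elif "is not one of my local names or domain name" in msg:
            findings.append("local SAM declined %s (not a local name), so the request "
                            "was handed to winbind" % (domain or "the domain"))
        elif "winbind authentication" in msg and "NT_STATUS_ACCESS_DENIED" in msg:
            findings.append("winbind could not authenticate the user against the trusted "
                            "domain (NT_STATUS_ACCESS_DENIED)")
    return domain, findings


if __name__ == "__main__":
    deviations = check_ntlmv2_only(parse_smb_conf(SAMPLE_SMB_CONF))
    print("NTLMv2-only deviations:", deviations or "none")
    domain, findings = explain_trust_auth_failure(parse_smbd_log(SAMPLE_SMBD_LOG))
    print("trusted domain in log:", domain)
    for f in findings:
        print(" -", f)
```

Run against a real log with `log level = 5` or higher, since the check_samstrict_security line is emitted at level 6 and the winbind result at level 5; at the default level only the final level-2 NT_STATUS_ACCESS_DENIED line survives, which tells you that authentication failed but not which stage refused it.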
Aaron J. Zirbes
2007-Dec-10 17:22 UTC
[Samba] Is Samba PDC + NT4 DOM Trust using NTLMv2 possible?
I haven't found a solution yet. I think I may post a bug to the bugtrack database.

--
Aaron

Hans-Wilhelm Heisinger wrote:
> Did you come across a solution to this problem? I have the same issue.
>
> Mit freundlichen Grüßen / With kind regards
> Hans
>
> Aaron J. Zirbes wrote:
>> My Question:
>> ------------
>>
>> Is it possible to get 2-way Interdomain Trust relationships working
>> between a Samba domain and an
>> NT4 SP6a domain, while restricting all password hashes to NTLMv2 only?
>>
>> Everything works except the inter-domain trust
>>
>> I'm able to get the NT4 domain to trust the Samba domain, but not the
>> other way around.
>>
>> My System:
>> ----------
>>
>> I have a perfectly running Samba domain w/ ~60 client WinXP
>> workstations, and Win 2003 member
>> servers. All machines are set to use NTLMv2 only.
>>
>> My Config:
>> ----------
>>
>> I'm running Samba Version 3.0.27a, compiled with
>> --with-ldap --with-winbind --with-utmp --with-acl-support
>>
>> LDAP backend with the new:
>> ldapsam:trusted=yes
>> ldapsam:editposix=yes
>>
>> Key NTLMv2 security settings are:
>> ntlm auth = no
>> lanman auth = no
>> client plaintext auth = no
>> client lanman auth = no
>> client ntlmv2 auth = yes
>> client schannel = yes
>> server schannel = yes
>> client signing = auto
>> server signing = auto
>>
>> I added an idmap config section for the trusted domain
>>
>> I created the "Machine" account entry in LDAP for the trusted
>> domain. I setup the domain trust
>> using the net command, I added access to one of my shares by adding
>> TESTDOM\azirbes to the "valid
>> users" parameter as I usually do, but the trusted domain still
>> prompts for a user name and password,
>> and the samba log dumps the following:
>>
>> [2007/11/09 12:55:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would
>> close all old resources.
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
>> make_user_info_map: Mapping user [TESTDOM]\[azirbes] from
>> workstation [nt4test]
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
>> is_trusted_domain: Checking for domain trust with [TESTDOM]
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(75)
>> attempting to make a user_info for azirbes (azirbes)
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(85)
>> making strings for azirbes's user_info struct
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(117)
>> making blobs for azirbes's user_info struct
>> [2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
>> check_ntlm_password: Checking password for unmapped user
>> [TESTDOM]\[azirbes]@[nt4test] with the
>> new password interface
>> [2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(224)
>> check_ntlm_password: mapped user is: [TESTDOM]\[azirbes]@[nt4test]
>> [2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
>> check_samstrict_security: TESTDOM is not one of my local names or
>> domain name (DC)
>> [2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
>> check_ntlm_password: winbind authentication for user [azirbes]
>> FAILED with error
>> NT_STATUS_ACCESS_DENIED
>> [2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
>> check_ntlm_password: Authentication for user [azirbes] ->
>> [azirbes] FAILED with error
>> NT_STATUS_ACCESS_DENIED
>> [2007/11/09 12:55:09, 5] auth/auth_util.c:free_user_info(2045)
>> attempting to free (and zero) a user_info structure
>>
>>
>> --
>> Aaron
>>
>
>