Harald Strack
2010-Mar-22 13:25 UTC
[Samba] Cannot access samba users from Windows Server 2008 r2 trust
Hi,

our setup is

Samba 3.3.12 as the Trusted Domain (Domain name: SAMBA)
Windows 2008r2 as the Trusting Domain (Domain name: W2008)

The trust itself works quite well, users of the SAMBA Domain are able to log into the workstations of the W2008 domain and even roaming profiles are working.

However, when I try to configure permissions on a share of the W2008r2 server to users from the SAMBA domain (e.g. SAMBA\jsmith), while I am logged in as a user from the W2008 domain (e.g. W2008\Administrator) I do not find any user from the SAMBA domain.

Background:

Whenever a user wants to access the SAMBA domain, even when he only wants to search users for granting permissions, he has to authenticate first. As far as I know, the user has to authenticate, not the machine.

Now, when I am logged in as a user from another domain (e.g. W2008\Administrator) I cannot authenticate in the SAMBA domain with my actual credentials (desktop single sign-on). However, Windows 2008 R2 tries to authenticate at the SAMBA domain controller several times with the credentials (User: Administrator) of the W2008 domain.

Samba Log of a SAMBA domain controller:

[2010/03/22 12:07:51, 2] lib/access.c:check_access(406)
  Allowed connection from (10.10.20.167)
[2010/03/22 12:07:51, 2] lib/smbldap.c:smbldap_open_connection(890)
  smbldap_open_connection: connection opened
[2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/03/22 12:07:51, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER

However, earlier versions of Windows tried only once to connect with the wrong credentials and then a prompt appeared where the user could enter his credentials in the other domain (SAMBA) to gain access to its resources.

Does anyone know a registry setting or sth. similar that forces W2008R2 to offer me a prompt for credentials if it gets a NT_STATUS_NO_SUCH_USER?

Or any other solution? I greatly appreciate any comments!

Best Regards

Harry

--
Harald Strack, Dipl.Inf.(FH)
IT Development

ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin

http://www.ssystems.de
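The log in the message above shows five check_ntlm_password failures for the same user within one second. As an added example (not part of the original post), the following Python code parses that Samba log layout and reports such bursts per client. The sample log, the second client address, the threshold and the window are constructed assumptions, and attributing a failure to the most recent "Allowed connection" line assumes a per-client log file.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Either a check_access line (client address) or a check_ntlm_password failure.
EVENT = re.compile(
    r"Allowed connection from\s+\S*\s*\((?P<ip>[0-9a-fA-F.:]+)\)"
    r"|\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+"
    r"auth/auth\.c:check_ntlm_password\(\d+\)\s+check_ntlm_password:\s+"
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)")

# Constructed sample in the two-line layout of the log quoted in the post.
_CONN = "[{ts}, 2] lib/access.c:check_access(406)\n  Allowed connection from  ({ip})\n"
_FAIL = ("[{ts}, 2] auth/auth.c:check_ntlm_password(318)\n"
         "  check_ntlm_password:  Authentication for user [{u}] -> [{u}] "
         "FAILED with error {st}\n")
SAMPLE_LOG = (
    _CONN.format(ts="2010/03/22 12:07:51", ip="10.10.20.167")
    + _FAIL.format(ts="2010/03/22 12:07:51", u="Administrator",
                   st="NT_STATUS_NO_SUCH_USER") * 5
    + _CONN.format(ts="2010/03/22 12:09:03", ip="10.10.20.42")  # constructed client
    + _FAIL.format(ts="2010/03/22 12:09:03", u="jsmith",
                   st="NT_STATUS_WRONG_PASSWORD"))

def failure_bursts(log_text, threshold=3, window=timedelta(seconds=5)):
    """Return (client, user, status, count) for repeated failures inside `window`."""
    client = None                      # address from the last check_access line
    seen = defaultdict(list)
    for m in EVENT.finditer(log_text):
        if m.group("ip"):
            client = m.group("ip")
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        seen[(client, m.group("user"), m.group("status"))].append(ts)
    bursts = []
    for key, stamps in seen.items():
        stamps.sort()
        # Largest number of failures that fit into one sliding window.
        best = max(sum(1 for t in stamps[i:] if t - stamps[i] <= window)
                   for i in range(len(stamps)))
        if best >= threshold:
            bursts.append((*key, best))
    return bursts

if __name__ == "__main__":
    for burst in failure_bursts(SAMPLE_LOG):
        print(burst)
```

A burst of NT_STATUS_NO_SUCH_USER for one account from one client, as in the post, points at automatic retries with credentials from the wrong domain rather than at a user typing a wrong password.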
Harald Strack
2010-Mar-22 19:49 UTC
[Samba] SIDs get not resolved in Domain Trust with Windows 2008r2
Hi,

I could work around the problem: When I first connect to any share (e.g. the Netlogon share) on one Domain Controller of the SAMBA Domain, I am able to search users in the SAMBA Domain.

Now, the next problem is that after I set some permissions on a file using SAMBA Domain users, log out and log in again, the SIDs do not get resolved anymore. Instead of seeing some Users like "SAMBA\jsmith" I see only his SID in the permission dialog.

How can I force Windows to resolve the SIDs?

Any help is greatly appreciated

Best Regards

Harry

--
Harald Strack, Dipl.Inf.(FH)
IT Development

ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin

Tel: +49 30 805 78 - 101
http://www.ssystems.de
Harald Strack
2010-Apr-12 19:00 UTC
[Samba] SIDs get not resolved in Domain Trust with Windows 2008r2 - resolved
Hi,

On Mon, 2010-03-22 at 20:49 +0100, Harald Strack wrote:
> Now, the next problem is that after I set some permissions on a file
> using SAMBA Domain users, log out and log in again, the SIDs do not get
> resolved anymore. Instead of seeing some Users like "SAMBA\jsmith" I see
> only his SID in the permission dialog.
>
> How can I force Windows to resolve the SIDs?

I checked the registry of W2008R2 and discovered the solution: You have to disable the Policy:

Network security: Allow Local System to use computer identity for NTLM

Details are described here:

http://wiki.ssystems.de/doku.php?id=samba_trust_w2008r2_harald_strack#resolving_sids

A documentation of the whole setup of a Windows 2008 R2 to Samba trust may now be found here:

http://wiki.ssystems.de/doku.php?id=samba_trust_w2008r2_harald_strack

br

Harald Strack

--
Harald Strack, Dipl.Inf.(FH)
IT Development

ssystems
c/o todo GmbH
Alt-Moabit 60a
10555 Berlin

Tel: +49 30 805 78 - 101
http://www.ssystems.de