I have two Samba PDCs with an OpenLDAP backend. My goal is to establish an
interdomain trust between the two domains so that users from each backend can
log in to Windows systems by specifying accounts from either domain.
I've followed the steps to establish the trusts and I can see accounts and
groups using wbinfo and getent.
I can access resources/shares from each domain, but I'm unable to log on to
any Windows system using the alternate domain, although the alternate domain does
indeed show up in the drop-down. I simply get an incorrect password error and
eventually lock out my account on the domain that the system is part of, and not
the trust domain I'm trying to authenticate to.
net rpc trustdom LIST reports OK from each PDC.
Trusted domains list:
ABCLOTT S-1-5-21-3441751594-170090486-2794545703
Trusting domains list:
ABCLOTT S-1-5-21-3441751594-170090486-2794545703
net rpc trustdom LIST
Trusted domains list:
XYZLOTT S-1-5-21-3045757412-1322895056-2287618393
Trusting domains list:
XYZLOTT S-1-5-21-3045757412-1322895056-2287618393
I see this in the logs.
check_ntlm_password: sam authentication for user [testuser] FAILED with error
NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556149, 10] auth/auth_winbind.c:50(check_winbind_security)
Check auth for: [testuser]
[2013/08/28 22:29:11.556178, 3] auth/auth_winbind.c:60(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [XYZLOTT] was for
this SAM.
[2013/08/28 22:29:11.556209, 10] auth/auth.c:259(check_ntlm_password)
check_ntlm_password: winbind had nothing to say
[2013/08/28 22:29:11.556238, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [testuser] -> [testuser]
FAILED with error NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556303, 5]
rpc_server/netlogon/srv_netlog_nt.c:1574(_netr_LogonSamLogon_base)
_netr_LogonSamLogonEx: check_password returned status NT_STATUS_WRONG_PASSWORD
[2013/08/28 22:29:11.556338, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
out: struct netr_LogonSamLogonEx
and this....
[2013/08/28 22:29:11.553321, 2]
../libcli/auth/ntlm_check.c:423(ntlm_password_check)
ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553352, 3]
../libcli/auth/ntlm_check.c:442(ntlm_password_check)
ntlm_password_check: Lanman passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553382, 4]
../libcli/auth/ntlm_check.c:479(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with domain XYZLOTT
[2013/08/28 22:29:11.553421, 4]
../libcli/auth/ntlm_check.c:508(ntlm_password_check)
ntlm_password_check: Checking LMv2 password with upper-cased version of domain
XYZLOTT
[2013/08/28 22:29:11.553459, 4]
../libcli/auth/ntlm_check.c:536(ntlm_password_check)
ntlm_password_check: Checking LMv2 password without a domain
[2013/08/28 22:29:11.553497, 4]
../libcli/auth/ntlm_check.c:567(ntlm_password_check)
ntlm_password_check: Checking NT MD4 password in LM field
[2013/08/28 22:29:11.553527, 3]
../libcli/auth/ntlm_check.c:588(ntlm_password_check)
ntlm_password_check: LM password and LMv2 failed for user testuser, and NT MD4
password in LM field not permitted
I do have ntlm auth = No in smb.conf on each PDC and "Use NTLMv2 only"
on the Windows systems, and domain logins work fine to the primary domain. Do I
need to allow NTLMv1 to get inter-trust domain logons to work?
-Mike
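The debug output above is easier to reason about once it is reassembled into one record per Samba log header. The following script is an added example, not code from the post or from the Samba project: it parses the quoted log lines (re-joined here into Samba's usual "[timestamp, level] file:line(function)" header followed by an indented message, a constructed sample) and extracts the facts a defender would want from such a trace, namely which authentication mechanisms the DC refused, how many LMv2 fallbacks it tried, whether the requested domain was handed to winbind or treated as the DC's own SAM, and the final NT_STATUS. The function and field names are my own.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the Samba debug records quoted in the post, re-joined into
# Samba's one-header-per-record layout (header line, then indented message).
SAMPLE_LOG = """\
[2013/08/28 22:29:11.553321, 2] ../libcli/auth/ntlm_check.c:423(ntlm_password_check)
  ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553352, 3] ../libcli/auth/ntlm_check.c:442(ntlm_password_check)
  ntlm_password_check: Lanman passwords NOT PERMITTED for user testuser
[2013/08/28 22:29:11.553382, 4] ../libcli/auth/ntlm_check.c:479(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with domain XYZLOTT
[2013/08/28 22:29:11.553421, 4] ../libcli/auth/ntlm_check.c:508(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password with upper-cased version of domain XYZLOTT
[2013/08/28 22:29:11.553459, 4] ../libcli/auth/ntlm_check.c:536(ntlm_password_check)
  ntlm_password_check: Checking LMv2 password without a domain
[2013/08/28 22:29:11.553497, 4] ../libcli/auth/ntlm_check.c:567(ntlm_password_check)
  ntlm_password_check: Checking NT MD4 password in LM field
[2013/08/28 22:29:11.553527, 3] ../libcli/auth/ntlm_check.c:588(ntlm_password_check)
  ntlm_password_check: LM password and LMv2 failed for user testuser, and NT MD4 password in LM field not permitted
[2013/08/28 22:29:11.556149, 10] auth/auth_winbind.c:50(check_winbind_security)
  Check auth for: [testuser]
[2013/08/28 22:29:11.556178, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [XYZLOTT] was for this SAM.
[2013/08/28 22:29:11.556209, 10] auth/auth.c:259(check_ntlm_password)
  check_ntlm_password: winbind had nothing to say
[2013/08/28 22:29:11.556238, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# A Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<loc>\S*)\s*$"
)


def parse_samba_log(text: str) -> List[Dict[str, Any]]:
    """Group Samba debug output into records: one header plus its message line(s)."""
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m["ts"], "level": int(m["level"]), "loc": m["loc"], "msg": ""})
        elif records:
            # Non-header lines are the message (possibly wrapped) of the last header seen.
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records


def summarize_auth(records: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Pull the authentication-path facts out of the parsed records."""
    summary: Dict[str, Any] = {
        "user": None,
        "requested_domain": None,
        "winbind_consulted": True,   # flipped to False if the DC answered from its own SAM
        "rejected_mechanisms": [],   # e.g. NTLMv1, Lanman refused by policy
        "lmv2_variants_tried": 0,    # LMv2 fallbacks attempted in the LM field
        "final_status": None,
    }
    for rec in records:
        msg = rec["msg"]
        m = re.search(r"(NTLMv1|Lanman) passwords NOT PERMITTED for user (\S+)", msg)
        if m:
            summary["rejected_mechanisms"].append(m.group(1))
            summary["user"] = m.group(2)
        m = re.search(r"Not using winbind, requested domain \[([^\]]+)\] was for this SAM", msg)
        if m:
            summary["winbind_consulted"] = False
            summary["requested_domain"] = m.group(1)
        if msg.startswith("ntlm_password_check: Checking LMv2"):
            summary["lmv2_variants_tried"] += 1
        m = re.search(
            r"Authentication for user \[([^\]]+)\] -> \[[^\]]+\] FAILED with error (NT_STATUS_\w+)", msg
        )
        if m:
            summary["user"] = m.group(1)
            summary["final_status"] = m.group(2)
    return summary


def explain(summary: Dict[str, Any]) -> List[str]:
    """Turn the extracted facts into plain statements, each traceable to a log message."""
    notes: List[str] = []
    if summary["rejected_mechanisms"]:
        notes.append(
            f"DC refused {' and '.join(summary['rejected_mechanisms'])} responses for "
            f"{summary['user']} (the messages Samba logs when 'ntlm auth' / 'lanman auth' are off)."
        )
    if summary["lmv2_variants_tried"]:
        notes.append(f"DC then tried {summary['lmv2_variants_tried']} LMv2 variants; none matched.")
    if summary["winbind_consulted"] is False:
        notes.append(
            f"Requested domain {summary['requested_domain']} was treated as this DC's own SAM, "
            "so the request was answered locally rather than handed to winbind for a trusted domain."
        )
    if summary["final_status"]:
        notes.append(f"Final result: {summary['final_status']}.")
    return notes


if __name__ == "__main__":
    for note in explain(summarize_auth(parse_samba_log(SAMPLE_LOG))):
        print("-", note)
```

Running it on the sample prints four notes: NTLMv1 and LanMan were refused, three LMv2 variants were tried and failed, XYZLOTT was handled as the local SAM rather than through winbind, and the result was NT_STATUS_WRONG_PASSWORD. Pointing the same parser at a full `log.smbd` at debug level 10 gives a quick way to see, per logon attempt, which mechanism the DC actually evaluated before deciding whether a policy change such as enabling NTLMv1 is really what a failure calls for.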