topic Adding a Samba server to a 2000 Domain in Operating System - Linux

Adding a Samba server to a 2000 Domain

Martin Simnett — Tue, 12 Aug 2003 08:51:44 GMT

I have set up a Debian Samba server on our network and can see the server when we browse the network however when we try to access the server form windows clients it asks for a user name and password. Whatever we log in as does not work. It appears as if it is not authenticating. We are running in AD Mixed mode. Any ideas please.

Re: Adding a Samba server to a 2000 Domain

Jerome Henry — Tue, 12 Aug 2003 09:44:09 GMT

Hi,

Do you want your AD to control user name and password ?
Select 'Domain' type of authentication. The Samba server will rely on a Windows NT Primary or Backup Domain Controller to verify the user, which wil be possible as you are in mixed mode. The server passes the username and password to the Controller and waits for it to return. Specify the NetBIOS name of the Primary or Backup Domain Controller in the Authentication Server field.
The Encrypted Passwords option must be set to Yes if this is selected.

It doesn't work 100% time, as it depends closely to your win 2k security strategies configuration (is PDC emulator started, do you apply compatws or basicws startegy template, and so on).

You can also set up manually your list of users on samba server, look at this page, section 17.2.3. Encrypted Passwords to set up a list of users with encrypted password (for 2k compatibility) : /etc/shadow is not enough, samba needs its own file :
http://www.europe.redhat.com/documentation/rhl9/rhl-cg-en-9/s1-samba-configuring.php3#S3-SAMBA-GUI-USERS
(notice: it's a redhat doc, but samba is the same on all distro, as long as you run a recent version).

hth

J

Re: Adding a Samba server to a 2000 Domain

Martin Simnett — Tue, 12 Aug 2003 13:57:07 GMT

Thanks for the info but I have already done most of what you have said. here is my problem in more detail as my last post was slightly vague :/

I have Samba 2.2.7a running on a Debian 3.0 (woody) box, winbindd running, wbinfo authenticates, shows users etc, wbinfo -t works and is fine with the shared secret.

However, as soon as you try and log in, either from smbclient or from a Windows box, it refuses the authentication and the log shows:

[2003/08/11 16:19:05, 0] smbd/password.c:connect_to_domain_password_server(1336)
connect_to_domain_password_server: machine PDCSERVER rejected the tconX on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED
[2003/08/11 16:19:05, 0] smbd/password.c:domain_client_validate(1599)
domain_client_validate: Domain password server not available.

(Server name changed to protect the innocent ;)! )

getent also works for both users and groups

Alteration has been made to nsswitch.conf group users and groups to be: compat winbind

Relevant parts of smb.conf are:

workgroup = SMBDOMAIN
security = domain
password server = *
wins server = 10.1.2.1
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash

Re: Adding a Samba server to a 2000 Domain

Jerome Henry — Tue, 12 Aug 2003 16:16:24 GMT

Mmmm...

For Windows 2000 Server with Active Directory, you must add Samba computer as Pre-Windows 2000 computer before trying to join the domain :

Add a machine account "example" inside windows active directory (Users and Computers : right-click folder Computers -> New -> Computer fill-in : 'example' and check the box "Allow pre-Windows 2000 computers to use this account". Right-click on the samba-cable computer icon inside the Computers folder, and select "Reset Account".

In fact, when your AD authenticates, it's samba server that asks for authentication...

Then, on your Debian :

example# /usr/sfw/bin/smbpasswd -j YOURDOMAIN -r PDCSERVER

You should get :
change_trust_account_password: Changed password for domain YOURDOMAIN.
Joined domain YOURDOMAIN.

Restart samba, it should work...

hth

J

Re: Adding a Samba server to a 2000 Domain

Martin Simnett — Wed, 13 Aug 2003 06:56:09 GMT

Thanks again J for the response but when I try the smbpasswd command I get

fetch_domain_sid: machine PDC rejected the tconx on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
Failed to get domain SID. Unable to join domain xxxxx.

Re: Adding a Samba server to a 2000 Domain

Jerome Henry — Wed, 13 Aug 2003 09:05:25 GMT

Hi Martin,

If you followed this adding smb machine to your domain and if you still get the error message, then there are good chances that you apply a restictive policy on you DC.

A good idea first would be to try your samba server with local (samba) passwords. If you get blocked there, then post you smb.conf file, for there are good chances that something is missing...

It'll be fixed sooner or later ! :]]

J

Re: Adding a Samba server to a 2000 Domain

Avinoam — Wed, 13 Aug 2003 16:56:50 GMT

hey
you need to change the following lines in your /etc/nsswitch.conf to be something like :
passwd: files winbind
shadow: files
group: files winbind

1. change your /etc/pam.d/login file , change the auth lines to the following :
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok

and chane the account line to :
account required /lib/security/pam_winbind.so

2. run the command :
smbpasswd -j DOMAIN -r PDC -U Administrator

i hope it will help..

Avinoam