
Adding a Samba server to a 2000 Domain

 
Martin Simnett
Occasional Advisor

Adding a Samba server to a 2000 Domain

I have set up a Debian Samba server on our network and can see the server when we browse the network; however, when we try to access the server from Windows clients it asks for a user name and password. Whatever we log in as does not work. It appears as if it is not authenticating. We are running in AD Mixed mode. Any ideas please.
Jerome Henry
Honored Contributor

Re: Adding a Samba server to a 2000 Domain

Hi,

Do you want your AD to control user name and password ?
Select 'Domain' type of authentication. The Samba server will rely on a Windows NT Primary or Backup Domain Controller to verify the user, which will be possible as you are in mixed mode. The server passes the username and password to the Controller and waits for it to return. Specify the NetBIOS name of the Primary or Backup Domain Controller in the Authentication Server field.
The Encrypted Passwords option must be set to Yes if this is selected.

It doesn't work 100% of the time, as it depends closely on your win 2k security strategies configuration (is PDC emulator started, do you apply compatws or basicws strategy template, and so on).

You can also set up manually your list of users on samba server, look at this page, section 17.2.3. Encrypted Passwords to set up a list of users with encrypted password (for 2k compatibility) : /etc/shadow is not enough, samba needs its own file :
http://www.europe.redhat.com/documentation/rhl9/rhl-cg-en-9/s1-samba-configuring.php3#S3-SAMBA-GUI-USERS
(notice: it's a redhat doc, but samba is the same on all distro, as long as you run a recent version).

hth

J
You can lean only on what resists you...
Martin Simnett
Occasional Advisor

Re: Adding a Samba server to a 2000 Domain

Thanks for the info but I have already done most of what you have said. Here is my problem in more detail as my last post was slightly vague :/

I have Samba 2.2.7a running on a Debian 3.0 (woody) box, winbindd running, wbinfo authenticates, shows users etc, wbinfo -t works and is fine with the shared secret.

However, as soon as you try and log in, either from smbclient or from a Windows box, it refuses the authentication and the log shows:

[2003/08/11 16:19:05, 0] smbd/password.c:connect_to_domain_password_server(1336)
connect_to_domain_password_server: machine PDCSERVER rejected the tconX on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED
[2003/08/11 16:19:05, 0] smbd/password.c:domain_client_validate(1599)
domain_client_validate: Domain password server not available.

(Server name changed to protect the innocent ;)! )

getent also works for both users and groups

Alteration has been made to nsswitch.conf group users and groups to be: compat winbind

Relevant parts of smb.conf are:

workgroup = SMBDOMAIN
security = domain
password server = *
wins server = 10.1.2.1
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
Jerome Henry
Honored Contributor

Re: Adding a Samba server to a 2000 Domain

Mmmm...

For Windows 2000 Server with Active Directory, you must add Samba computer as Pre-Windows 2000 computer before trying to join the domain :

Add a machine account "example" inside Windows Active Directory (Users and Computers: right-click folder Computers -> New -> Computer, fill in 'example' and check the box "Allow pre-Windows 2000 computers to use this account"). Right-click on the samba-cable computer icon inside the Computers folder, and select "Reset Account".

In fact, when your AD authenticates, it's samba server that asks for authentication...

Then, on your Debian :

example# /usr/sfw/bin/smbpasswd -j YOURDOMAIN -r PDCSERVER

You should get :
change_trust_account_password: Changed password for domain YOURDOMAIN.
Joined domain YOURDOMAIN.

Restart samba, it should work...

hth

J

You can lean only on what resists you...
Martin Simnett
Occasional Advisor

Re: Adding a Samba server to a 2000 Domain

Thanks again J for the response but when I try the smbpasswd command I get

fetch_domain_sid: machine PDC rejected the tconx on the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
Failed to get domain SID. Unable to join domain xxxxx.


Jerome Henry
Honored Contributor

Re: Adding a Samba server to a 2000 Domain

Hi Martin,

If you followed this adding smb machine to your domain and if you still get the error message, then there are good chances that you apply a restrictive policy on your DC.

A good idea first would be to try your samba server with local (samba) passwords. If you get blocked there, then post your smb.conf file, for there are good chances that something is missing...

It'll be fixed sooner or later ! :]]

J
You can lean only on what resists you...
Avinoam
Frequent Advisor

Re: Adding a Samba server to a 2000 Domain

hey
you need to change the following lines in your /etc/nsswitch.conf to be something like :
passwd: files winbind
shadow: files
group: files winbind


1. change your /etc/pam.d/login file , change the auth lines to the following :
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok

and change the account line to :
account required /lib/security/pam_winbind.so

2. run the command :
smbpasswd -j DOMAIN -r PDC -U Administrator

I hope it will help..

Avinoam
Sababa
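
The settings named across this thread (security = domain, encrypted passwords set to yes, a password server, and winbind in the passwd and group lines of nsswitch.conf) can be checked in one pass. The following is an added example, not part of any poster's message or of Samba itself; the function names are hypothetical and the sample inputs are constructed from the fragments quoted above.

```python
import re

# Constructed samples modelled on the smb.conf and nsswitch.conf fragments in the thread.
SMB_CONF = """\
[global]
   workgroup = SMBDOMAIN
   security = domain
   password server = *
   winbind separator = +
"""
NSSWITCH = "passwd: compat winbind\ngroup:  compat winbind\nshadow: files\n"

def smb_globals(text):
    """Return [global] parameters as a dict (names lower-cased, inner spaces collapsed)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comments start with # or ;
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            databases[name.strip()] = sources.split()
    return databases

def audit(smb_text, nss_text):
    """List which of the thread's prerequisites are missing from the two files."""
    findings, g = [], smb_globals(smb_text)
    if g.get("security", "").lower() != "domain":
        findings.append("security is not 'domain'")
    if g.get("encrypt passwords", "").lower() not in ("yes", "true", "1"):
        findings.append("encrypt passwords is not explicitly set to yes")
    if not g.get("password server"):
        findings.append("no password server set")
    nss = nss_sources(nss_text)
    for database in ("passwd", "group"):
        if "winbind" not in nss.get(database, []):
            findings.append(f"nsswitch {database} does not list winbind")
    return findings

if __name__ == "__main__":
    print(audit(SMB_CONF, NSSWITCH))
```

A finding only means the file does not state the setting explicitly; it does not by itself explain the NT_STATUS_ACCESS_DENIED reply from the domain controller.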