Re: [SLUG] FW: Making Samba a member of NT security domain fails - why?

From: Ian C. Blenke (icblenke@nks.net)
Date: Tue Apr 16 2002 - 17:07:23 EDT


On Tue, 2002-04-16 at 15:40, Clay, John wrote:
>
> I am following 2.5.2 in the Samba-howto-collection in an attempt to make my
> Samba server part of my NT security domain. I have Samba 2.2.3 on Slack 8.0
> (2.2.19). So far I'm meeting with failure.
>
> The smb.conf is as follows:
>
> # Samba config file created using SWAT
> # from localhost (127.0.0.1)
> # Date: 2002/04/16 14:20:05
>
> # Global parameters
> [global]
> workgroup = LFRG-TLH
> netbios name = HUMPHRY
> server string = Samba 2.2.3
> security = DOMAIN

Yep. Step one complete. This must be set to DOMAIN for authenticating
against a PDC. Try setting this to "SERVER" and add your root user to
your smbpasswd file (with md5 password) and see if you can map a drive.
If so, then proceed with security = DOMAIN, password server =
tlh-file-print, and run the smbpasswd -r -j command as below.

> encrypt passwords = Yes

Good. This fixes NT/2k/XP clients right off, but will tend to break
95/98/ME clients (which I hope you're not running anymore ;)

> min passwd length = 0
> null passwords = Yes
> password server = *

This should work, in theory. In practice, however, I've found it best to
always implicitly list the PDC and/or BDCs rather than using the splat.

Try:

 password server = TLH-FILE-PRINT

As your Samba server isn't becoming a BDC, it still must refer all
client connections to a password server to verify them (but you already
gathered this much ;)

No, the all caps shouldn't matter with NetBIOS names, but it's a good
convention to capitalize the buggers anyway.

If in doubt, you can always hard code NetBIOS name records in nmb.conf
(kind of like lmhosts).

> [print$]
> path = /usr/local/samba/printers
> guest ok = Yes
> printable = Yes
> print command = /usr/bin/lpr -r %s
> printer name = lp
>
> [test]
> comment = For testing only please
> path = /export/samba/test
>
> [homes]
> read only = No
>
> I've added a machine account for "humphry".

If you think you've botched the "smbpasswd -r {pdc} -j {domain}"
command, delete this machine entry and re-add it and try again (this has
fixed things for me in the past).

> I've executed: smbpasswd -r tlh-file-print -j lfrg-tlh (the pdc and domain
> names) but get the following error:

You can only run this command once, it seems (from past experience,
things may have changed with newer versions of samba). When it is
successful, you will not get any error back (or anything at all in the
older versions). If you run it again, you should get an error (or I do,
anyway, YMMV).

> cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
> cli_nt_setup_creds: auth2 challenge failed
> modify_trust_password: unable to setup the PDC credentials to machine
> TLH-FILE-PRINT. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
> 2002/04/16 14:28:44 : change_trust_account_password: Failed to change
> password for domain LFRG-TLH.

No trust. The machine record in the server list is "botched" (my
terminology.. perhaps not 100% true). Remove it and try again.

> I've added an NT user account "root" and password ensemble that is the same
> as on the Linux box.

And you login to the root account and then try to map a drive to the
samba share?

> I've put a couple of disk directory shares on the Linux box and those have
> been available to their users (same user names and passwords as the accounts
> on the NT domain)

Have you tried running "smbpasswd" on those users to see if they can map
in?

If you can login with a local smbpasswd file entry but not with
"password server" set, then you're having a PDC registration /
communication problem. If not, then you're having some other SMB problem
with SAMBA.

> Can anyone tell me what I'm missing?

Try setting your "password server" implicitly.
Try removing and re-adding the machine to your server list.
Try re-running smbpasswd.

You don't seem to have a WINS server or name-resolve-order defined
either. You might want to add:

    wins server = IP_OF_NTSERVER
    name resolve order = lmhosts wins hosts bcast

Make sure that "nmblookup -a tlh-file-print" returns something, or that
at least the name can be resolved (/etc/hosts, DNS, or otherwise). Also,
don't be afraid to try the IP of the server directly rather than its
NetBIOS name.

It really should be this easy.

- Ian
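The settings Ian walks through above (security = DOMAIN, encrypt passwords, an explicit password server instead of "*", a WINS server and a name resolve order) are exactly the ones worth checking before running smbpasswd -r -j against the PDC. The script below is an added example, not code from the original thread or from the Samba project: it reads the [global] section of an smb.conf with awk and reports each of those settings when it is missing or weak, including the "null passwords = Yes" line from the posted config, which lets accounts with an empty password authenticate. Both smb.conf texts are constructed for this example; the PDC name TLH-FILE-PRINT comes from the thread, while the WINS address 192.0.2.10 is a placeholder. It runs offline on the embedded configs; on a real server you would feed it the output of "testparm -s" and still confirm name resolution with "nmblookup -a".

```shell
#!/bin/sh
# Added example (not from the original thread): lint the [global] section of a
# Samba 2.2-era smb.conf for the domain-membership settings discussed above.

# Constructed config resembling the one posted: security = DOMAIN is right,
# but password server is the splat, there is no WINS / name resolve order,
# and null passwords are allowed.
WEAK_CONF='[global]
workgroup = LFRG-TLH
netbios name = HUMPHRY
security = DOMAIN
encrypt passwords = Yes
null passwords = Yes
password server = *
[homes]
read only = No
'

# The same config with the explicit PDC, WINS (placeholder address) and
# name resolution added, and null passwords turned off.
FIXED_CONF='[global]
workgroup = LFRG-TLH
netbios name = HUMPHRY
security = DOMAIN
encrypt passwords = Yes
null passwords = No
password server = TLH-FILE-PRINT
wins server = 192.0.2.10
name resolve order = lmhosts wins hosts bcast
[homes]
read only = No
'

# smb_global_param CONF PARAM: print the value of PARAM from [global]
# (case-insensitive, whitespace trimmed), or nothing if it is not set.
smb_global_param() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/); next }
        in_global && /=/ {
            name = $0; sub(/=.*/, "", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            value = $0; sub(/^[^=]*=[[:space:]]*/, "", value)
            sub(/[[:space:]]+$/, "", value)
            if (tolower(name) == tolower(key)) { print value; exit }
        }'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_domain_member CONF: print one finding per line; return 0 if clean.
check_domain_member() {
    conf=$1
    rc=0
    sec=$(smb_global_param "$conf" "security")
    case $(lower "$sec") in
        domain) ;;
        *) echo "security must be DOMAIN to authenticate against the PDC (got '${sec:-unset}')"; rc=1 ;;
    esac
    case $(lower "$(smb_global_param "$conf" "encrypt passwords")") in
        yes|true|1) ;;
        *) echo "encrypt passwords should be Yes for NT/2k/XP clients"; rc=1 ;;
    esac
    case $(lower "$(smb_global_param "$conf" "null passwords")") in
        yes|true|1) echo "null passwords = Yes lets empty-password accounts log in; set it to No"; rc=1 ;;
    esac
    ps=$(smb_global_param "$conf" "password server")
    if [ -z "$ps" ] || [ "$ps" = "*" ]; then
        echo "password server should name the PDC/BDCs explicitly, not '*'"; rc=1
    fi
    if [ -z "$(smb_global_param "$conf" "wins server")" ]; then
        echo "no wins server set; NetBIOS lookup of the PDC falls back to broadcast"; rc=1
    fi
    if [ -z "$(smb_global_param "$conf" "name resolve order")" ]; then
        echo "no name resolve order set (e.g. lmhosts wins hosts bcast)"; rc=1
    fi
    return $rc
}

# count_findings CONF: number of findings, for scripting around the check.
count_findings() { check_domain_member "$1" | awk 'END { print NR }'; }

echo "== weak config =="
check_domain_member "$WEAK_CONF" || true
echo "== fixed config =="
check_domain_member "$FIXED_CONF" && echo "no findings"
```

Run it as-is to see the four findings on the weak config and none on the fixed one; to lint a live server, replace the embedded text with `conf=$(testparm -s 2>/dev/null)` and call `check_domain_member "$conf"`. The check only looks at [global], since the password server and name-resolution settings are global parameters.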



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:11:04 EDT