Dear all,
I have a situation where the Samba file server is an ADS domain member
of DomA, and DomA trusts another domain, DomB.
Currently the Samba version I am using is 3.0.34 under Solaris 10 Update
7 with the Sun Cluster 3.2 HA solution. I understand that the "trusted
domains" feature in this release is broken, thus I cannot make it
work, and the path to upgrade to 3.2.2 is also not possible since it is
not supported by the Sun Cluster agent.
Therefore I need to have a mechanism to trap the user from DomB as a
"bad user", and to allow it access as the "guest" user. The problem I
have now is that when a user from DomB accesses the share, he/she is
always presented with the Windows password pop-up, which is difficult
since we want it to be unattended, or at least to log in silently behind
the application. Only after the user enters a bogus username/password
can he access the share as the guest user.
Basically, if the authentication result is NT_STATUS_LOGON_FAILURE, the
desktop will keep asking with the pop-up screen. Only when the result is
NT_STATUS_NO_SUCH_USER is it directed to the "guest" account.
What I want is that both authentication failures are mapped to the
"guest" account, and the Windows login pop-up is suppressed.
Many thanks in advance,
Dedhi
PS: some information
This is an excerpt of my "smb.conf":
[global]
log level = 3
syslog only = no
max log size = 50000
realm = DOMA.PVT
workgroup = DOMA
security = ADS
encrypt passwords = true
unix extensions = yes
password server = ESSBCST1.doma.pvt ESSBCST2.doma.pvt
server string = "SAMBA File Server"
wins server = 192.168.1.11 192.168.1.12
domain master = no
local master = no
client schannel = no
client use spnego = yes
interfaces = 192.168.1.17/24
bind interfaces only = yes
netbios name=SAM-FS-SAMBA
pid directory = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/var/locks
log file = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/logs/log.%m
smb passwd file = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/private/smbpasswd
private dir = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/private
lock dir = /global/SAM-QFS-HA/samba/SAM-FS-SAMBA/var/locks
kernel oplocks = true
oplocks = true
# winbind
winbind separator = /
idmap uid = 11000-19000
idmap gid = 11000-19000
#
idmap domains = DOMA
idmap config DOMA:backend = rid
idmap config DOMA:default = yes
idmap config DOMA:range = 11000-19000
#
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
allow trusted domains = no
winbind use default domain = yes
template shell = /bin/bash
map to guest = bad password
guest account = nobody
[media]
comment = "Media directory"
path = /samfs1/omnibus_F/Media
read only = No
create mask = 0666
directory mask = 0775
writable = yes
browseable = yes
guest ok = yes
case sensitive = true
default case = lower
preserve case = no
short preserve case = no
level2 oplocks = true
Output from the log:
check_ntlm_password: mapped user is: [domb]\[teng...@[dt06-016654]
[2009/10/21 17:26:26, 1] auth/auth.c:(172)
check_domain_match: Attempt to connect as user TengTM from domain DOMB
denied.
[2009/10/21 17:26:26, 3] smbd/error.c:(106)
error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
check_ntlm_password: Checking password for unmapped user
[local]\[tt...@[dt06-016654] with the new password interface
[2009/10/21 17:26:45, 3] auth/auth.c:(224)
check_ntlm_password: mapped user is: [doma]\[tt...@[dt06-016654]
check_ntlm_password: Authentication for user [ttty] -> [ttty] FAILED
with error NT_STATUS_NO_SUCH_USER
[2009/10/21 17:26:45, 3] smbd/sesssetup.c:(45)
No such user ttty [local] - using guest account
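
Added example, not part of the original message and not Samba code: a small Python parser that walks a constructed log sample modeled on the excerpt above and separates session setups refused with NT_STATUS_LOGON_FAILURE from those mapped to the guest account. Pairing a failure with the domain denial logged in the same second is an assumption of this example.

```python
import re
# Constructed sample, modeled on the "log level = 3" excerpt in the message.
SAMPLE_LOG = """\
[2009/10/21 17:26:26, 1] auth/auth.c:(172)
  check_domain_match: Attempt to connect as user TengTM from domain DOMB
  denied.
[2009/10/21 17:26:26, 3] smbd/error.c:(106)
  error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2009/10/21 17:26:45, 3] smbd/sesssetup.c:(45)
  No such user ttty [local] - using guest account
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]")
PATTERNS = [
    ("domain_denied", re.compile(
        r"check_domain_match: Attempt to connect as user (?P<user>\S+) "
        r"from domain (?P<domain>\S+) denied")),
    ("guest_fallback", re.compile(
        r"No such user (?P<user>\S+) \[(?P<domain>[^\]]+)\] - using guest account")),
    ("logon_failure", re.compile(r"error packet at .*NT_STATUS_LOGON_FAILURE")),
]

def records(text):
    """Yield (timestamp, message), joining wrapped continuation lines."""
    stamp, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(parts)
            stamp, parts = m.group(1), []
        elif stamp and line.strip():
            parts.append(line.strip())
    if stamp:
        yield stamp, " ".join(parts)

def classify(text):
    """Return (timestamp, kind, user, domain) for each session-setup outcome."""
    events, denied = [], {}
    for stamp, msg in records(text):
        for kind, pat in PATTERNS:
            m = pat.search(msg)
            if m:
                # Assumption: a failure names no user, so reuse the same-second denial.
                who = m.groupdict() or denied.get(stamp, {})
                if kind == "domain_denied":
                    denied[stamp] = who
                events.append((stamp, kind, who.get("user"), who.get("domain")))
                break
    return events
```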