Carissa Srugis wrote:

This is a fresh w2k3 installation - no NT4 backwards capabilities.
Domain Name = DOMAIN.LOCAL
FQDN of DC = WIN2K3.DOMAIN.LOCAL

Users will NOT be logging into the FreeBSD machine at all.  I need the
FreeBSD to authenticate via Samba against the W2K3 AD users, which
will then be passed through to squid for proxy authentication.

Thanks!
Carissa

On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
<[EMAIL PROTECTED]> wrote:

Kevin Kobb wrote:

Carissa Srugis wrote:

I've been trying to set up Samba to authenticate users against accounts
existing on a Windows 2003 Server without any backwards capability.
Ideally, this needs to be done without any changes to the Windows 2003
Server.  Users will not be logging into the Samba shares at all.  This
is merely for authentication.

I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.

This is my smb.conf file:
[global]
     realm = WIN2K3.DOMAIN.LOCAL
     security = ads
     auth methods = winbind
     winbind separator = +
     encrypt passwords = yes
     workgroup = DOMAIN.LOCAL
     netbios name = FREEBSD_Machine
     winbind uid = 10000-20000
     winbind gid = 10000-20000
     winbind enum users = yes
     winbind enum groups = yes
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     password server = WIN2K3.DOMAIN.LOCAL

So once winbindd is running, I type the following and get these results:

freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
administrator's password: *password*
[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
 Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
 Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
 ads_connect: Permission denied

In the winbindd log I've also gotten the following error messages at
one point or another:

Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
get_trust_pw: could not fetch trust account password for my domain
DOMAIN.LOCAL

The odd part is when I try to use wbinfo to verify connections.  If I
type "wbinfo -g" it will display the correct group listing from the
win2k3 server.  But nothing else seems to work:

freebsd_machine# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
Could not check secret

freebsd_machine# wbinfo -u
Error looking up domain users

freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
Name              : WIN2K3.DOMAIN.LOCAL
Alt_Name          : DOMAIN.LOCAL
SID               : S-0-0
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : -1

I'm obviously missing something, but I am at a loss.  Any help is
greatly appreciated!

Carissa Srugis

You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
working nsswitch which I think you will need if you want to log in to
FreeBSD without a local account, but just an AD account.

I have done this on our Windows domain and FreeBSD 5.3 and it works
OK. Join the machine to the domain, modify pam files, and
nsswitch.conf, and it worked.

Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
your DC?

Christian

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

I just want to make sure the information is correct. On your 2k3 DC if you go START--Administrator Tools--Active Directory Users & Computers, your directory name should be displayed. Is it DOMAIN.LOCAL or WIN2K3.DOMAIN.LOCAL? Also, if you right click on it and select Properties, does a pre-Windows 2000 Domain Name exist? If so, what is that?

Christian
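
Christian's questions turn on the difference between the AD DNS domain, the DC's FQDN and the pre-Windows 2000 domain name. As an added example (not part of the thread, which does not confirm this as the cause), this Python check compares the posted `realm` and `workgroup` with the values Carissa states; the function names and the pre-Windows 2000 name `DOMAIN` are assumptions.

```python
# Values Carissa states at the top of the thread.
AD_DNS_DOMAIN = "DOMAIN.LOCAL"
DC_FQDN = "WIN2K3.DOMAIN.LOCAL"

# Naming-related lines of the smb.conf posted in the thread.
POSTED = """
[global]
     realm = WIN2K3.DOMAIN.LOCAL
     security = ads
     workgroup = DOMAIN.LOCAL
     password server = WIN2K3.DOMAIN.LOCAL
"""

# Constructed variant. "DOMAIN" is an assumed pre-Windows 2000 name;
# the thread never states the real one.
CONSTRUCTED = POSTED.replace("realm = WIN2K3.DOMAIN.LOCAL", "realm = DOMAIN.LOCAL") \
                    .replace("workgroup = DOMAIN.LOCAL", "workgroup = DOMAIN")

def parse_global(text):
    """Return the [global] parameters of an smb.conf as {name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise inner spacing too.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def check_ads_naming(params, ad_dns_domain, dc_fqdn):
    """Return (parameter, problem) pairs for 'security = ads' naming mistakes."""
    findings = []
    if params.get("security", "").lower() != "ads":
        return findings  # the checks below only apply to ADS mode
    realm = params.get("realm", "").upper()
    if realm != ad_dns_domain.upper():
        why = "is the DC's FQDN" if realm == dc_fqdn.upper() else "differs from the AD DNS domain"
        findings.append(("realm", f"{realm or '(unset)'} {why}; expected {ad_dns_domain.upper()}"))
    workgroup = params.get("workgroup", "")
    # A NetBIOS (pre-Windows 2000) domain name is a short label of at most 15 characters.
    if "." in workgroup or len(workgroup) > 15:
        findings.append(("workgroup", f"{workgroup} looks like a DNS name, not a NetBIOS domain name"))
    return findings

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("constructed", CONSTRUCTED)):
        print(label, check_ads_naming(parse_global(conf), AD_DNS_DOMAIN, DC_FQDN) or "no naming findings")
```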
