I have a Samba only domain (Samba PDC, Samba Member Servers) where security = domain.

Versions are all 3.0.10

compiled with --enable-cups --with-utmp --with-acl-support

Backend is tdbsam

All smb.confs have the following:
...
pdc: security = user
members: security = domain
...
restrict anonymous = 2
encrypt passwords = yes
lanman auth = no
ntlm auth = no
client ntlmv2 auth = yes


client schannel = yes
server schannel = yes
client signing = auto
server signing = auto
...

Domain controller works like a charm; all Windows 2000/XP clients are locked down the same way: schannel=yes, NTLMv2 only, restrict anonymous=2. All clients can auth through each other (I can view shares on other workstations).

net rpc testjoin returns "OK" from all samba-3.0.10 members

attempts to connect to samba-3.0.10 member server fail with
  session setup failed: NT_STATUS_LOGON_FAILURE

Unix accounts exist for domain members.

winbindd is up and running on members as auth only (no account creation)

attempts to connect to windows members succeed.

If security = user is used on members, and a smbpasswd -a command is issued to assign the samba password on members (which makes the membership useless), connection attempts succeed.


Logs on the Samba member server [RHEL] look like this:

[2005/02/02 10:26:59, 10] auth/auth_util.c:make_user_info(201)
made an encrypted user_info for myuser (myuser)
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(231)
check_ntlm_password: auth_context challenge created by random
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(233)
challenge is:
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: guest had nothing to say
[2005/02/02 10:26:59, 6] auth/auth_sam.c:check_samstrict_security(358)
check_samstrict_security: MYDOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: sam had nothing to say
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: winbind authentication for user [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD



Logs on the domain controller [FreeBSD] look like this:

[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2005/02/02 10:26:59, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [EMAIL PROTECTED]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(288)
ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(298)
ntlm_password_check: Checking NTLMv2 password with uppercased version of domain [MYDOMAIN]
[2005/02/02 10:26:59, 4] libsmb/ntlm_check.c:ntlm_password_check(308)
ntlm_password_check: Checking NTLMv2 password without a domain
[2005/02/02 10:26:59, 3] libsmb/ntlm_check.c:ntlm_password_check(317)
ntlm_password_check: NTLMv2 password check failed
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: sam authentication for user [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD


I am stumped.

Is a tdbsam backend unsupported for security = domain?
(not stated in docs)

Do I have to move to an LDAP backend? Although this is not noted in any documentation I have found.

Side note:
I noticed that even though I am setting auth to NTLMv2 ONLY, the password databases are still storing the LANMAN hashes... is there a reason for this?


--
Aaron Zirbes
Systems Administrator
Environmental Health Sciences
University of Minnesota
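Added example, not part of the original post or of Samba: a small Python parser for the two-line Samba 3 debug log entries quoted above that reduces one authentication attempt to which auth modules declined ("had nothing to say"), which one returned an error, and the final NT_STATUS the client received. The sample input is the member-server log from the post; the "succeeded" form of the final message is an assumption, since the post only shows failures.

```python
import re

# Samba 3 debug entries span two lines: "[timestamp, level] file:func(line)"
# followed by the message. Patterns below match the auth/auth.c and
# auth/auth_sam.c messages quoted in the post; the "succeeded" alternative
# in FINAL is assumed and not shown in the post.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+), (?P<level>\d+)\] (?P<src>\S+)$")
DECLINED = re.compile(r"^check_ntlm_password: (?P<mod>\w+) had nothing to say$")
MODFAIL = re.compile(r"^check_ntlm_password: (?P<mod>\w+) authentication for user "
                     r"\[(?P<user>[^\]]+)\] FAILED with error (?P<err>NT_STATUS_\w+)$")
FINAL = re.compile(r"^check_ntlm_password: Authentication for user \[(?P<user>[^\]]+)\] "
                   r"-> \[(?P<mapped>[^\]]+)\] (?:FAILED with error (?P<err>NT_STATUS_\w+)|succeeded)$")
NOTLOCAL = re.compile(r"^check_samstrict_security: (?P<dom>\S+) is not one of my local names "
                      r"\((?P<role>\w+)\)$")

# Constructed sample: the member-server entries quoted in the post.
MEMBER_LOG = """
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: guest had nothing to say
[2005/02/02 10:26:59, 6] auth/auth_sam.c:check_samstrict_security(358)
check_samstrict_security: MYDOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
[2005/02/02 10:26:59, 10] auth/auth.c:check_ntlm_password(259)
check_ntlm_password: sam had nothing to say
[2005/02/02 10:26:59, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: winbind authentication for user [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
[2005/02/02 10:26:59, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def parse_entries(text):
    """Pair each header line with the message line that follows it."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    i = 0
    while i + 1 < len(lines):
        m = HEADER.match(lines[i])
        if m:
            yield int(m["level"]), m["src"], lines[i + 1]
            i += 2
        else:
            i += 1

def summarize(text):
    """Collapse one auth attempt into the decision made by each auth module."""
    s = {"user": None, "declined": [], "module_errors": {}, "final": None, "notes": []}
    for _level, _src, msg in parse_entries(text):
        if m := DECLINED.match(msg):
            s["declined"].append(m["mod"])
        elif m := MODFAIL.match(msg):
            s["module_errors"][m["mod"]] = m["err"]
        elif m := FINAL.match(msg):
            s["user"], s["final"] = m["user"], (m["err"] or "OK")
        elif m := NOTLOCAL.match(msg):
            s["notes"].append(f"local SAM skipped: {m['dom']} not local to this {m['role']}")
    return s

if __name__ == "__main__":
    print(summarize(MEMBER_LOG))
```

Run against the PDC log from the post it shows the mirror image: sam fails the NTLMv2 check itself and winbind is never consulted, which is the comparison worth making when diagnosing this kind of NT_STATUS_LOGON_FAILURE.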
