Re: [Samba] Is Samba PDC + NT4 DOM Trust using NTLMv2 possible?

2007-12-10 Thread Aaron J. Zirbes
I haven't found a solution yet.  I think I may post a bug to the
bugtrack database.
--
Aaron

Hans-Wilhelm Heisinger wrote:
 Did you come across a solution to this problem?  I have the same issue.

 Mit freundlichen Grüßen / With kind regards
 Hans

 Aaron J. Zirbes wrote:
 My Question:
 

 Is it possible to get 2-way Interdomain Trust relationships working between a Samba domain and an NT4 SP6a domain, while restricting all password hashes to NTLMv2 only?

 Everything works except the inter-domain trust

 I'm able to get the NT4 domain to trust the Samba domain, but not the other way around.

 My System:
 --

 I have a perfectly running Samba domain w/ ~60 client WinXP workstations, and Win 2003 member servers.  All machines are set to use NTLMv2 only.

 My Config:
 --

 I'm running Samba Version 3.0.27a, compiled with
 --with-ldap --with-winbind --with-utmp --with-acl-support

 LDAP backend with the new:
ldapsam:trusted=yes
ldapsam:editposix=yes

 Key NTLMv2 security settings are:
ntlm auth = no
lanman auth = no
client plaintext auth = no
client lanman auth = no
client ntlmv2 auth = yes
client schannel = yes
server schannel = yes
client signing = auto
server signing = auto

 I added an idmap config section for the trusted domain

 I created the Machine account entry in LDAP for the trusted domain.  I set up the domain trust using the net command, I added access to one of my shares by adding TESTDOM\azirbes to the valid users parameter as I usually do, but the trusted domain still prompts for a user name and password, and the samba log dumps the following:

 [2007/11/09 12:55:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
 [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
   make_user_info_map: Mapping user [TESTDOM]\[azirbes] from workstation [nt4test]
 [2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
   is_trusted_domain: Checking for domain trust with [TESTDOM]
 [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(75)
   attempting to make a user_info for azirbes (azirbes)
 [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(85)
   making strings for azirbes's user_info struct
 [2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(117)
   making blobs for azirbes's user_info struct
 [2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
   check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
 [2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(224)
   check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
 [2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
   check_samstrict_security: TESTDOM is not one of my local names or domain name (DC)
 [2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
   check_ntlm_password: winbind authentication for user [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
 [2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
   check_ntlm_password:  Authentication for user [azirbes] - [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
 [2007/11/09 12:55:09, 5] auth/auth_util.c:free_user_info(2045)
   attempting to free (and zero) a user_info structure


 -- 
 Aaron
   




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

[Samba] Is Samba PDC + NT4 DOM Trust using NTLMv2 possible?

2007-12-05 Thread Aaron J. Zirbes
My Question:


Is it possible to get 2-way Interdomain Trust relationships working between a Samba domain and an NT4 SP6a domain, while restricting all password hashes to NTLMv2 only?

Everything works except the inter-domain trust

I'm able to get the NT4 domain to trust the Samba domain, but not the other way around.

My System:
--

I have a perfectly running Samba domain w/ ~60 client WinXP workstations, and Win 2003 member servers.  All machines are set to use NTLMv2 only.

My Config:
--

I'm running Samba Version 3.0.27a, compiled with
--with-ldap --with-winbind --with-utmp --with-acl-support

LDAP backend with the new:
   ldapsam:trusted=yes
   ldapsam:editposix=yes

Key NTLMv2 security settings are:
   ntlm auth = no
   lanman auth = no
   client plaintext auth = no
   client lanman auth = no
   client ntlmv2 auth = yes
   client schannel = yes
   server schannel = yes
   client signing = auto
   server signing = auto

I added an idmap config section for the trusted domain

I created the Machine account entry in LDAP for the trusted domain.  I set up the domain trust using the net command, I added access to one of my shares by adding TESTDOM\azirbes to the valid users parameter as I usually do, but the trusted domain still prompts for a user name and password, and the samba log dumps the following:

[2007/11/09 12:55:09, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [TESTDOM]\[azirbes] from workstation [nt4test]
[2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
  is_trusted_domain: Checking for domain trust with [TESTDOM]
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(75)
  attempting to make a user_info for azirbes (azirbes)
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(85)
  making strings for azirbes's user_info struct
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info(117)
  making blobs for azirbes's user_info struct
[2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
[2007/11/09 12:55:09, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
[2007/11/09 12:55:09, 6] auth/auth_sam.c:check_samstrict_security(421)
  check_samstrict_security: TESTDOM is not one of my local names or domain name (DC)
[2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [azirbes] - [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 5] auth/auth_util.c:free_user_info(2045)
  attempting to free (and zero) a user_info structure


--
Aaron
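
Added example, not part of the original post and not Samba tooling: a small Python triage script that regroups an smbd debug log like the one quoted above into records (tolerating the line wrapping mail clients introduce) and reports which authentication stage failed for which domain and workstation. The names `parse_records` and `auth_failures` are hypothetical, and the sample log is constructed from the layout shown in the post.

```python
import re

# Constructed sample in the layout of the smbd log quoted above, including the
# mail-wrapped continuation lines seen in the post.
SAMPLE_LOG = """\
[2007/11/09 12:55:09, 5] auth/auth_util.c:make_user_info_map(161)
  make_user_info_map: Mapping user [TESTDOM]\\[azirbes] from workstation
[nt4test]
[2007/11/09 12:55:09, 5] auth/auth_util.c:is_trusted_domain(2198)
  is_trusted_domain: Checking for domain trust with [TESTDOM]
[2007/11/09 12:55:09, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: winbind authentication for user [azirbes] FAILED with
error
NT_STATUS_ACCESS_DENIED
[2007/11/09 12:55:09, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [azirbes] - [azirbes] FAILED with error NT_STATUS_ACCESS_DENIED
"""

# Record header: "[timestamp, debuglevel] source_file:function(line)"
HEADER = re.compile(r"^\s*\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\(\d+\)\s*$")
MAPPING = re.compile(r"Mapping user \[([^\]]*)\]\\\[[^\]]*\] from workstation \[([^\]]*)\]")
FAILED = re.compile(r"(?:(\w+) authentication|Authentication) for user \[([^\]]+)\]"
                    r".*?FAILED with error (NT_STATUS_\w+)")

def parse_records(text):
    """Group lines into records; a non-header line continues the current message."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def auth_failures(records):
    """Pair each failed check with the domain/workstation mapped just before it."""
    context, failures = {}, []
    for rec in records:
        m = MAPPING.search(rec["msg"])
        if m:
            context = {"domain": m.group(1), "workstation": m.group(2)}
        f = FAILED.search(rec["msg"])
        if f:
            failures.append({"time": rec["time"], "stage": f.group(1) or "final",
                             "user": f.group(2), "status": f.group(3), **context})
    return failures
```

Calling `auth_failures(parse_records(SAMPLE_LOG))` yields one entry for the winbind stage and one for the final verdict, both tagged with the trusted domain and the originating workstation.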