Hi,
I thought about asking this question on the list, since it
seems to me that it more of a bug rather than a feature.
SETUP:
I've got a Samba server that acts as PDC for say domain A.
Authentication is done via Kerberos5. However, for some reason, the
W2K/XP orc-stations refuse to play nice with the shares, hence the
next server.
The other Samba server authenticates to a MS-AD in domain B. This way,
the W2K/XP clients can get their shares nicely.
WHAT HAPPENS:
Case "Samba 3.0"
Win9x clients still pertaining to the domain A will authenticate to the
Samba PDC but will mount the shares from the second Samba server. The
W2K/XP clients are already in domain B so they have no problem whatsoever.
Case "Samba 2.2.6"
Replacing the Samba 3.0 ( the one that does MS-AD in domain B)
with Samba 2.2.6-pre I get the W2K/XP authentication allright, but the
W9X will fail. Apparently Samba 2.2.6 passes on to the MS-AD the domain
name as well, along with the username and password.
Here is the error message I am receiving:
2002/08/12 11:32:31, 0] smbd/password.c:domain_client_validate(1605)
domain_client_validate: unable to validate password for user <USERNAME>
in domain <DOMAIN_A> to Domain controller <MS-AD>. Error was
NT_STATUS_NO_SUCH_USER.
As far as I know, users from one domain can use resources from a
different domain as long as 1).there is no trust relationship in between
the domains and 2).the user has the same username and password in both
domains.
My question is: why is Samba 2.2.6 different? it seems to me that when it
goes for authentication to the MS-AD server it basically asks for
\DOMAIN_NAME\USERNAME:PASSWORD and of course - the authentication server
will say "bugger off - I don't know anything about your
\DOMAIN_NAME\USERNAME".
Regards,
Bogdan.
--
I have seen things you people wouldn't believe. Attack ships on fire
off the shoulder of Orion. I watched C-beams glitter in the dark
near the Tannhauser Gate. All those moments will be lost in time,
like tears in rain. Time to die.
