Correct, authentication is handled by the AD DC via the Samba server. When users try to access the server they're asked for user/password, but authentication fails for Windows 7 clients not on the domain. I can get by this by having each client update their registry to use NTLM as well as NTLMv2 but that's a hassle for the number of users I have.
cjs On Feb 25, 2010, at 12:56 PM, Gaiseric Vandal wrote: > First of all, I am not familiar with using Samba with AD so none of this my > apply > > - Should security = domain ? > - technically, I think the Windows clients in the domain are authenticating > against the AD DC not the samba server. If the client machine is not in > the domain you would have provide user id and password when connecting to the > samba server. > > I noticed with Windows 2008 (presumably the same with Windows 7) that the > network settings for browsing the network neighborhood are a lot more locked > down. I don't think this is a samba issue. On Windows 2008, "Network > and Sharing" control panel there is an option for "network discovery." On > of my colleagues reported that he had to make a similar change at home so his > Vista PC could see XP machines. > > > > > > > On 02/25/2010 12:33 PM, Clif Smith wrote: >> I'm running 3.4.6 (was running 3.0.28a but upgraded in hopes to fix this >> issue). Clients running Windows 7 that are NOT joined to the AD domain >> (samba authenticates against it via "security = server") cannot authenticate >> to access the server. Clients running Windows 7 that are on the domain as >> well as Windows XP, Windows 2003 on and off the domain work as expected. >> >> Any help would be greatly appreciated! >> >> Thanks, Clif >> >> smb.conf: >> ======================== >> [global] >> workgroup = XXXXXX >> netbios name = XXXXXX >> security = server >> password server = XXXXXX >> wins server = XXXXXX >> smb passwd file = /etc/samba/smbpasswd >> server string = ausfs1 >> smb ports = 139 >> lanman auth = no >> ntlm auth = no >> client ntlmv2 auth = yes >> client lanman auth = no >> client plaintext auth = no >> max protocol = smb2 >> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 >> restrict anonymous = 2 >> local master = no >> domain master = no >> dns proxy = no >> log file = /var/log/samba/%m.log >> max log size = 500 >> log level = 3 >> syslog = 1 >> veto files = /.DS_Store/Thumbs.db/ >> >> Debug log: >> ======================== >> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb) >> Transaction 0 of length 159 (0 toread) >> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message) >> switch message SMBnegprot (pid 3179) conn 0x0 >> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx) >> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [PC NETWORK PROGRAM 1.0] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [LANMAN1.0] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [Windows for Workgroups 3.1a] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [LM1.2X002] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [LANMAN2.1] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [NT LM 0.12] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [SMB 2.002] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot) >> Requested protocol [SMB 2.???] >> [2010/02/25 11:23:41, 3] smbd/negprot.c:387(reply_nt1) >> using SPNEGO >> [2010/02/25 11:23:41, 3] smbd/negprot.c:672(reply_negprot) >> Selected protocol NT LM 0.12 >> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb) >> Transaction 1 of length 142 (0 toread) >> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message) >> switch message SMBsesssetupX (pid 3179) conn 0x0 >> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx) >> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X) >> wct=12 flg2=0xc807 >> [2010/02/25 11:23:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session) >> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all >> old resources. >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego) >> Doing spnego session setup >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego) >> NativeOS=[] NativeLanMan=[] PrimaryDomain=[] >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:786(reply_spnego_negotiate) >> reply_spnego_negotiate: Got secblob of size 40 >> [2010/02/25 11:23:41, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags) >> Got NTLMSSP neg_flags=0xe2088297 >> [2010/02/25 11:23:41, 3] lib/util_sock.c:1033(open_socket_out_send) >> Connecting to XXXXXX at port 445 >> [2010/02/25 11:23:41, 3] auth/auth_server.c:86(server_cryptkey) >> connected to password server XXXXXX >> [2010/02/25 11:23:41, 3] auth/auth_server.c:113(server_cryptkey) >> got session >> [2010/02/25 11:23:41, 3] auth/auth_server.c:149(server_cryptkey) >> password server OK >> [2010/02/25 11:23:41, 3] auth/auth_server.c:233(auth_get_challenge_server) >> using password server validation >> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb) >> Transaction 2 of length 592 (0 toread) >> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message) >> switch message SMBsesssetupX (pid 3179) conn 0x0 >> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx) >> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X) >> wct=12 flg2=0xc807 >> [2010/02/25 11:23:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session) >> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all >> old resources. >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego) >> Doing spnego session setup >> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego) >> NativeOS=[] NativeLanMan=[] PrimaryDomain=[] >> [2010/02/25 11:23:41, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth) >> Got user=[XXXXXX] domain=[XXXXXX] workstation=[WIN7] len1=24 len2=330 >> [2010/02/25 11:23:41, 3] auth/auth.c:222(check_ntlm_password) >> check_ntlm_password: Checking password for unmapped user >> [xxxxxx]\[xxxx...@[win7] with the new password interface >> [2010/02/25 11:23:41, 3] auth/auth.c:225(check_ntlm_password) >> check_ntlm_password: mapped user is: [xxxxxx]\[xxxx...@[win7] >> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:210(push_sec_ctx) >> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1 >> [2010/02/25 11:23:41, 3] smbd/uid.c:428(push_conn_ctx) >> push_conn_ctx(0) : conn_ctx_stack_ndx = 0 >> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx) >> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1 >> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:418(pop_sec_ctx) >> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0 >> [2010/02/25 11:23:41, 3] auth/auth_sam.c:282(check_sam_security) >> check_sam_security: Couldn't find user 'XXXXXX' in passdb. >> [2010/02/25 11:23:41, 3] libsmb/cliconnect.c:1187(cli_session_setup) >> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE >> [2010/02/25 11:23:41, 3] libsmb/cliconnect.c:1187(cli_session_setup) >> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE >> [2010/02/25 11:23:41, 1] auth/auth_server.c:413(check_smbserver_security) >> password server XXXXXX rejected the password: NT_STATUS_LOGON_FAILURE >> [2010/02/25 11:23:41, 2] auth/auth.c:320(check_ntlm_password) >> check_ntlm_password: Authentication for user [XXXXXX] -> [XXXXXX] FAILED >> with error NT_STATUS_LOGON_FAILURE >> [2010/02/25 11:23:41, 3] smbd/error.c:60(error_packet_set) >> error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) >> NT_STATUS_LOGON_FAILURE >> [2010/02/25 11:23:54, 3] smbd/sec_ctx.c:310(set_sec_ctx) >> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 >> [2010/02/25 11:23:54, 3] smbd/connection.c:31(yield_connection) >> Yielding connection to >> [2010/02/25 11:23:54, 3] smbd/server.c:845(exit_server_common) >> Server exit (failed to receive smb request) >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
