Greetings samba list,

I'm running into an issue when attempting to use "map unknown to domain" on a 
Samba server bound to my AD domain.  When a client maps a share and is not 
part of the domain, the domain is properly mapped for the user (according to 
the logs), but the domain controllers report that the password is wrong.  I've 
copied my password out of notepad and pasted it to make sure it's correct.  
Changing the username to AD\$user and pasting the password works without issue. 

Some relevant logs:

cnc-ciw:mapdomainlogs ghuntress$ grep -ri ghuntress *
log.171.66.69.67:              UserName                 : 'ghuntress'
log.171.66.69.67:  Got user=[ghuntress] domain=[CNC-PC] workstation=[CNC-PC] len1=24 len2=212
log.cnc-pc:  Mapping user [CNC-PC]\[ghuntress] from workstation [CNC-PC]
log.cnc-pc:  Mapped domain from [CNC-PC] to [AD] for user [ghuntress] from workstation [CNC-PC]
log.cnc-pc:  attempting to make a user_info for ghuntress (ghuntress)
log.cnc-pc:  making strings for ghuntress's user_info struct
log.cnc-pc:  making blobs for ghuntress's user_info struct
log.cnc-pc:  made a user_info for ghuntress (ghuntress)
log.cnc-pc:  check_ntlm_password:  Checking password for unmapped user [CNC-PC]\[ghuntress]@[CNC-PC] with the new password interface
log.cnc-pc:  check_ntlm_password:  mapped user is: [AD]\[ghuntress]@[CNC-PC]
log.cnc-pc:  Check auth for: [ghuntress]
log.cnc-pc:  Check auth for: [ghuntress]
log.cnc-pc:  Check auth for: [ghuntress]
log.cnc-pc:  check_ntlm_password: winbind authentication for user [ghuntress] FAILED with error NT_STATUS_WRONG_PASSWORD
log.cnc-pc:  check_ntlm_password:  Authentication for user [ghuntress] -> [ghuntress] FAILED with error NT_STATUS_WRONG_PASSWORD
log.wb-AD:  [ 2546]: pam auth crap domain: AD user: ghuntress
log.wb-AD:                                      string                   : 'ghuntress'
log.wb-AD:  NTLM CRAP authentication for user [AD]\[ghuntress] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
log.winbindd:  [ 2572]: pam auth crap domain: [AD] user: ghuntress


I've tried with Samba 3.6.9 on CentOS 6 and Samba 4.0.4 on Fedora 18, same 
behavior.  I'm beginning to think that either I'm completely missing something 
in my smb.conf file, or there must be a group policy in AD that somehow 
prevents the "map untrusted to domain" capability from working.  FWIW, winbind 
authentication without a domain in the username does work.


My smb.conf is below:

[global]

# ----------------------- Network Related Options -------------------------
        workgroup = AD

# --------------------------- Logging Options -----------------------------
        log file = /var/log/samba/log.%m
        max log size = 500

# ----------------------- Domain Members Options --------------------------
        security = ads
        realm = ad.ciw.edu

        idmap config * : range = 16777216-33554431
        idmap config * : backend = tdb
        idmap config AD : backend = rid
        idmap config AD : range = 1000-999999
        idmap config AD : base_rid = 0
        
        template shell = /bin/false
        winbind use default domain = true
        winbind offline logon = false
        winbind enum users = yes
        winbind enum groups = yes

        map untrusted to domain = yes

# --------------------------- Printing Options -----------------------------
        load printers = no
        printcap name = /dev/null
        printing = bsd
        show add printer wizard = no
        disable spoolss = yes

# --------------------------- Filesystem Options ---------------------------
        map archive = no
        map hidden = no
        map read only = no
        map system = no
        store dos attributes = yes
        
        hide dot files = yes
        hide files = /Thumbs.db/TheVolumeSettingsFolder/TheFindByContentFolder/Temporary Items/
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/



-Garret
--
Garret W. Huntress
Information Systems Manager

Department of Plant Biology
Department of Global Ecology
Carnegie Institution for Science
260 Panama St.
Stanford, CA 94305

Email: [email protected]
Phone: 650-739-4377


Save a tree!  Don't print me!
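
A triage helper for logs like the excerpt above, added here as an example and not part of the original message or of Samba: it rejoins the mail-wrapped `grep -r` lines and reports users whose domain was remapped and whose next authentication result in the same log file was a failure. The regexes assume the message wording shown in the excerpt; the `succeeded` wording and the alice and bob records are constructed.

```python
import re

MAPPED = re.compile(r"Mapped domain from \[(?P<src>[^\]]*)\] to \[(?P<dst>[^\]]*)\] "
                    r"for user \[(?P<user>[^\]]*)\]")
RESULT = re.compile(r"for user \[(?P<user>[^\]]*)\].*?"
                    r"(?:FAILED with error (?P<status>NT_STATUS_\w+)|(?P<ok>succeeded))")

# Constructed sample in the same wrapped form as the excerpt above;
# the alice and bob records are invented for contrast.
SAMPLE = """\
log.cnc-pc:  Mapped domain from [CNC-PC] to [AD] for user [ghuntress] from
workstation [CNC-PC]
log.cnc-pc:  check_ntlm_password: winbind authentication for user [ghuntress]
FAILED with error NT_STATUS_WRONG_PASSWORD
log.cnc-pc:  check_ntlm_password:  Authentication for user [ghuntress] ->
[ghuntress] FAILED with error NT_STATUS_WRONG_PASSWORD
log.lab-pc:  Mapped domain from [LAB-PC] to [AD] for user [alice] from
workstation [LAB-PC]
log.lab-pc:  check_ntlm_password:  authentication for user [alice] -> [alice] ->
[alice] succeeded
log.cnc-pc:  check_ntlm_password:  Authentication for user [bob] -> [bob]
FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def unwrap(text):
    """Rejoin continuation lines (no 'log.<name>:' prefix) to their record."""
    records = []
    for line in text.splitlines():
        if re.match(r"log\.\S+?:", line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records

def remapped_failures(text):
    """Return (user, client_domain, mapped_domain, status) for each remapped
    user whose next authentication result in the same log file failed."""
    pending, findings = {}, []
    for rec in unwrap(text):
        logfile = rec.split(":", 1)[0]
        m = MAPPED.search(rec)
        if m:
            pending[(logfile, m["user"].lower())] = (m["src"], m["dst"])
            continue
        r = RESULT.search(rec)
        if not r:
            continue
        # pop() so the duplicate FAILED line for one attempt is counted once
        mapping = pending.pop((logfile, r["user"].lower()), None)
        if mapping and r["status"]:
            findings.append((r["user"], mapping[0], mapping[1], r["status"]))
    return findings
```

A failure with no preceding remap (bob in the sample) is left out, which separates ordinary bad passwords from failures that follow a domain remap.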
