Jeremy,

Thanks for this feedback. I will include this info as soon as I get a moment. Good work.

- John T.
---
John H Terpstra
Samba-Team
email: [EMAIL PROTECTED]

> -------- Original Message --------
> Subject: TOSHARG: Samba ADS domain membership notes
> From: "Jeremy Naylor" <[EMAIL PROTECTED]>
> Date: Wed, October 13, 2004 5:27 am
> To: [EMAIL PROTECTED]
>
> Hi John,
>
> I ran into a few problems adding a samba machine to my Win2k3 AD
> domain for Squid authentication. I pinned it down to two specific
> settings in the Security Policy on the domain controller. I googled
> for days and found a few other cases of the same problem but never any
> solutions. I finally found them through trial and error. I think
> these two would be good tips to add to the how-to, since the settings
> are recommended by Microsoft as a best practice for security.
>
> At first, I was always getting this message:
>
> [2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)
>   ads_connect: Strong(er) authentication required
>
> This directly correlated with this setting in the Security Policy:
> Domain Controller: LDAP server signing requirements = Require Signing
> Changing this to "None" got it working as a workaround. I'm still
> trying to get it to work with that enabled.
>
> The other issue I had was testing authentication with "wbinfo -a
> user%pass". That would never succeed, even once I had joined the
> domain. It would always come back with:
>
> plaintext password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user user%pass with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)
> error messsage was: Wrong Password
> Could not authenticate user user with challenge/response
>
> It also failed when using the ntlm_auth helper (with basic or NTLM
> authentication). I found out this is because neither wbinfo nor
> ntlm_auth support NTLMv2, and I had this setting in my Security
> Policy:
>
> Network security: LAN Manager authentication level = Send NTLMv2
> response only\refuse LM & NTLM
>
> I configured Squid for NTLMv2 (ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp) authentication and that worked
> fine. I could have saved a lot of time had I realized the other tools
> would never work.
>
> Thanks!
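
Added example (not part of the original thread and not Samba project code): a small Python triage helper that parses the two-line Samba debug record and the `wbinfo -a` output quoted above and reports which of the two domain controller policy settings named in the report to check. The function names `parse_samba_log` and `triage` are hypothetical, and the mapping from symptom to policy is taken only from the report above, so a match is a hint rather than proof.

```python
import re

# A Samba debug record is two lines: "[timestamp, level] file:function(line)", then the message.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
STATUS = re.compile(r"error code was (?P<name>NT_STATUS_\w+) \((?P<code>0x[0-9a-fA-F]+)\)")

# Policy names and values exactly as quoted in the message above.
LDAP_SIGNING = "Domain Controller: LDAP server signing requirements = Require Signing"
NTLMV2_ONLY = ("Network security: LAN Manager authentication level = "
               "Send NTLMv2 response only\\refuse LM & NTLM")

def parse_samba_log(text):
    """Pair each debug header with the message line(s) that follow it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), message="")
            records.append(current)
        elif current is not None and line:
            current["message"] = (current["message"] + " " + line).strip()
    return records

def triage(log_text="", wbinfo_text=""):
    """Return (timestamp, policy) pairs worth checking on the domain controller."""
    findings = []
    for rec in parse_samba_log(log_text):
        if rec["func"] == "ads_startup" and "Strong(er) authentication required" in rec["message"]:
            findings.append((rec["ts"], LDAP_SIGNING))
    # Flag the NTLMv2 policy only when BOTH wbinfo attempts fail with WRONG_PASSWORD;
    # a single failure could simply be a mistyped password.
    names = [m.group("name") for m in STATUS.finditer(wbinfo_text)]
    both_failed = ("plaintext password authentication failed" in wbinfo_text
                   and "challenge/response password authentication failed" in wbinfo_text)
    if both_failed and names.count("NT_STATUS_WRONG_PASSWORD") >= 2:
        findings.append((None, NTLMV2_ONLY))
    return findings

# Sample input: lines copied from the message above.
SAMPLE_LOG = ("[2004/10/13 08:11:14, 0] utils/net_ads.c:ads_startup(183)\n"
              "  ads_connect: Strong(er) authentication required\n")
SAMPLE_WBINFO = ("plaintext password authentication failed\n"
                 "error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)\n"
                 "challenge/response password authentication failed\n"
                 "error code was NT_STATUS_WRONG_PASSWORD (0xc000006a)\n")

if __name__ == "__main__":
    for ts, policy in triage(SAMPLE_LOG, SAMPLE_WBINFO):
        print(ts or "wbinfo", "->", policy)
```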
