DOMAIN.LOCAL is displayed in AD Users & Computers.
Pre-Windows 2000 Domain Name: DOMAIN

Carissa

On Fri, 19 Nov 2004 10:07:55 -0500, Christian Merrill <[EMAIL PROTECTED]> wrote:
> Carissa Srugis wrote:
>
> >This is a fresh w2k3 installation - no NT4 backwards capabilities.
> >Domain Name = DOMAIN.LOCAL
> >FQDN of DC = WIN2K3.DOMAIN.LOCAL
> >
> >Users will NOT be logging into the FreeBSD machine at all. I need the
> >FreeBSD to authenticate via Samba against the W2K3 AD users, which
> >will then be passed through to squid for proxy authentication.
> >
> >Thanks!
> >Carissa
> >
> >On Fri, 19 Nov 2004 09:42:22 -0500, Christian Merrill
> ><[EMAIL PROTECTED]> wrote:
> >
> >>Kevin Kobb wrote:
> >>
> >>>Carissa Srugis wrote:
> >>>
> >>>>I've been trying to set up Samba to authenticate users against accounts
> >>>>existing on a Windows 2003 Server without any backwards capability.
> >>>>Ideally, this needs to be done without any changes to the Windows 2003
> >>>>Server. Users will not be logging into the Samba shares at all. This
> >>>>is merely for authentication.
> >>>>
> >>>>I'm running FreeBSD 4.10-Release #4 with Samba 3.0.8.
> >>>>
> >>>>This is my smb.conf file:
> >>>>[global]
> >>>>   realm = WIN2K3.DOMAIN.LOCAL
> >>>>   security = ads
> >>>>   auth methods = winbind
> >>>>   winbind separator = +
> >>>>   encrypt passwords = yes
> >>>>   workgroup = DOMAIN.LOCAL
> >>>>   netbios name = FREEBSD_Machine
> >>>>   winbind uid = 10000-20000
> >>>>   winbind gid = 10000-20000
> >>>>   winbind enum users = yes
> >>>>   winbind enum groups = yes
> >>>>   idmap uid = 10000-20000
> >>>>   idmap gid = 10000-20000
> >>>>   password server = WIN2K3.DOMAIN.LOCAL
> >>>>
> >>>>So once winbindd is running, I type the following and get these results:
> >>>>
> >>>>freebsd_machine# net ads join member -I 192.168.0.1 -U administrator
> >>>>administrator's password: *password*
> >>>>[2004/11/16 14:27:06, 0] libsmb/nmblib.c:send_udp(793)
> >>>>  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>[2004/11/16 14:27:07, 0] libsmb/nmblib.c:send_udp(793)
> >>>>  Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>[2004/11/16 14:27:07, 0] utils/net_ads.c:ads_startup(186)
> >>>>  ads_connect: Permission denied
> >>>>
> >>>>In the winbindd log I've also gotten the following error messages at
> >>>>one point or another:
> >>>>
> >>>>Could not fetch sid for our domain WIN2K3.DOMAIN.LOCAL
> >>>>Packet send failed to 127.255.255.255(137) ERRNO=Permission denied
> >>>>ads_connect for domain WIN2K3.DOMAIN.LOCAL failed: Permission denied
> >>>>get_trust_pw: could not fetch trust account password for my domain
> >>>>DOMAIN.LOCAL
> >>>>
> >>>>The odd part is when I try to use wbinfo to verify connections. If I
> >>>>type "wbinfo -g" it will display the correct group listing from the
> >>>>win2k3 server. But nothing else seems to work:
> >>>>
> >>>>freebsd_machine# wbinfo -t
> >>>>checking the trust secret via RPC calls failed
> >>>>error code was NT_STATUS_INTERNAL_ERROR (0xc00000e5)
> >>>>Could not check secret
> >>>>
> >>>>freebsd_machine# wbinfo -u
> >>>>Error looking up domain users
> >>>>
> >>>>freebsd_machine# wbinfo --domain-info=DOMAIN.LOCAL
> >>>>Name : WIN2K3.DOMAIN.LOCAL
> >>>>Alt_Name : DOMAIN.LOCAL
> >>>>SID : S-0-0
> >>>>Active Directory : No
> >>>>Native : No
> >>>>Primary : Yes
> >>>>Sequence : -1
> >>>>
> >>>>I'm obviously missing something, but I am at a loss. Any help is
> >>>>greatly appreciated!
> >>>>
> >>>>Carissa Srugis
> >>>>
> >>>You might try looking at FreeBSD 5.3. I don't believe 4.10 has a
> >>>working nsswitch which I think you will need if you want to log in to
> >>>FreeBSD without a local account, but just an AD account.
> >>>
> >>>I have done this on our Windows domain and FreeBSD 5.3 and it works
> >>>OK. Join the machine to the domain, modify pam files, and
> >>>nsswitch.conf, and it worked.
> >>>
> >>Are you saying that DOMAIN.LOCAL is your old style NT4 domain name and
> >>that WIN2K3.DOMAIN.LOCAL is your directory name -- and not the FQDN of
> >>your DC?
> >>
> >>Christian
> >>
> >>--
> >>To unsubscribe from this list go to the following URL and read the
> >>instructions: http://lists.samba.org/mailman/listinfo/samba
> >>
> >
> I just want to make sure the information is correct. On your 2k3 DC if
> you go START--Administrator Tools--Active Directory Users & Computers,
> your directory name should be displayed. Is it DOMAIN.LOCAL or
> WIN2K3.DOMAIN.LOCAL? Also, if you right click on it and select
> Properties, does a pre-Windows 2000 Domain Name exist? If so, what is that?
>
> Christian
>

--
*********************************************************
Carissa Srugis
[EMAIL PROTECTED]
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
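
Added example (not part of the thread and not Samba's own code): a small check that compares the `realm` and `workgroup` lines of the smb.conf quoted above with the two names reported at the top of this message, DOMAIN.LOCAL and DOMAIN. It assumes Samba's documented meaning of the parameters under `security = ads`: `realm` is the Kerberos realm (the AD DNS domain name) and `workgroup` is the short pre-Windows 2000 name. `parse_global` and `check_ads_names` are hypothetical helper names.

```python
# Added example: lint the AD-related names in an smb.conf [global] section.
# POSTED_SMB_CONF reproduces the relevant lines of the smb.conf quoted in the thread.
POSTED_SMB_CONF = """\
[global]
   realm = WIN2K3.DOMAIN.LOCAL
   security = ads
   workgroup = DOMAIN.LOCAL
   netbios name = FREEBSD_Machine
   password server = WIN2K3.DOMAIN.LOCAL
"""


def parse_global(conf_text):
    """Collect [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params


def check_ads_names(conf_text, ad_dns_domain, netbios_domain):
    """Return findings where realm/workgroup disagree with the AD names.

    ad_dns_domain:  name shown in AD Users & Computers, e.g. DOMAIN.LOCAL
    netbios_domain: the pre-Windows 2000 domain name, e.g. DOMAIN
    """
    p = parse_global(conf_text)
    if p.get("security", "").lower() != "ads":
        return []  # the checks below apply to security = ads only
    findings = []
    realm, workgroup = p.get("realm", ""), p.get("workgroup", "")
    if realm.upper() != ad_dns_domain.upper():
        note = f"realm = {realm or '(unset)'}: expected {ad_dns_domain.upper()}"
        if realm and realm.upper() == p.get("passwordserver", "").upper():
            note += " (value is the DC host name from 'password server')"
        findings.append(note)
    if workgroup.upper() != netbios_domain.upper():
        findings.append(
            f"workgroup = {workgroup or '(unset)'}: expected {netbios_domain.upper()}")
    return findings


if __name__ == "__main__":
    for finding in check_ads_names(POSTED_SMB_CONF, "DOMAIN.LOCAL", "DOMAIN"):
        print(finding)
```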
