User Authentication Fails on Server 2003 SP1

Discussion in 'Active Directory' started by Jeff Bradish, Mar 21, 2006.

  1. Jeff Bradish

    Jeff Bradish Guest

    I have been using Samba 2.2.8 on a Solaris 9 system to share out a Unix file
    system to Windows XP users for the past year. Samba was configured to
    authenticate users to a Server 2003 domain. Recently the domain controllers
    were upgraded to Windows Server 2003 SP1 and authentication to the domain
    started to fail and I cannot get the authentication process to function.
    Samba logs are showing:
    [2006/03/06 10:17:25, 3] smbd/reply.c:(880) Domain=[AMER] NativeOS=[Windows
    2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1]
    [2006/03/06 10:17:26, 0] rpc_client/cli_pipe.c:(1202)
    cli_nt_session_open: cli_nt_create failed on pipe \NETLOGON to machine
    USAHD100. Error was NT_STATUS_ACCESS_DENIED
    [2006/03/06 10:17:26, 0] smbd/password.c:(1358)
    connect_to_domain_password_server: unable to open the domain client session
    to machine USAHD100. Error was : NT_STATUS_ACCESS_DENIED

    I have been struggling to correct this issue for the past 2 weeks with no
    success.

    If anyone has any ideas on how to correct this situation, I would really
    appreciate the help. Thanks.
     
    Jeff Bradish, Mar 21, 2006
    #1
    1. Advertisements

  2. Jeff Bradish

    Irv Guest

    I think you need to upgrade Sanmba to version 3.0.14a.

    Irv
     
    Irv, Mar 21, 2006
    #2
    1. Advertisements

  3. Jeff Bradish

    Jeff Bradish Guest

    I have tried upgrading Samba to 3.0.21c and still seeing problems with
    authentication. In fact, I cannot get Samba 3.0.21c to successfully join the
    domain.

    I have 2 domain controllers in the domain that have not been upgraded to
    2003 SP1. When I point the Samba password server to one of these systems,
    authentication works fine, but not when pointed to a domain controller
    sitting at 2003 SP1.
    --
    Jeff Bradish


     
    Jeff Bradish, Mar 21, 2006
    #3
  4. Jeff Bradish

    Irv Guest

    I think W2003 SP1 required the Domain Controllers to default to having all
    communication encrypted which may be giving Samba SMB issues. You could try
    modifying your domain controller policy to disable the need to send encrypted
    passwords to 3rd party SMB

    Computer Config\Windows Settings\Security Settings\Local Policies\Security
    Options

    Microsoft Network Client: Send unencrypted password to 3rd party SMB servers
    Disabled

    Not sure if you need to change anything on the Samba end

    HTH

    Irv


     
    Irv, Mar 22, 2006
    #4
  5. Jeff Bradish

    Jeff Bradish Guest

    Checked with Domain Admins and they replied:
    "It is disabled and it is a group policy that applies to all Domain
    controllers"
    So it does not seem to be the issue.

    As an FYI I am including my smb.conf settings from Samba 2.2.8 if it might
    help:
    [global]
    workgroup = AMER
    netbios name = USAHSSMC001
    netbios aliases = USAHSSMC001
    server string = EDS GSCO
    security = DOMAIN
    encrypt passwords = Yes
    password server =
    usahd100,uspld100,usahd101,usahd102,usahd103,usahd104
    username map = /etc/sfw/username.map
    log level = 2
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    create mask = 0664
    I am also using the same smb.conf settings for Samba 3.0.21c.
    --
    Jeff Bradish


     
    Jeff Bradish, Mar 22, 2006
    #5
  6. Jeff Bradish

    Irv Guest

    Oops!!!!! You need to enable this policy. You want to be able to send
    unencrypted passwords 3rd party SMB servers.
    You will then need to change the .conf file to to require encrypted
    passwords I think. Try it both ways!

     
    Irv, Mar 22, 2006
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.