samba ads member server does _NOT_ accept userid/pw but only kerberos auth. win2k server accepts both ...

I set up samba 3.0.2rc2 (also tried 3.0.1 which had other problems) on Debian sid as an ADS member server:
- joining the domain works flawlessly
- browsing the samba server via 'smbclient -k -L //samba' works flawlessly
- browsing a Win2k member server via 'smbclient -L //win2k -U user%pw' works flawlessly
- browsing the samba server via 'smbclient -L //samba -U user%pw' fails with 'session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE' (browsing via 'net view \\samba * /user:user' from XP yields the same: system error 1789)

Tracing the network connection from the samba server to the ADS PDC with ethereal shows that the samba server tries to connect \\PDC\IPC$ as anonymous and this fails ...

Any suggestions/hints on this from the samba gurus? More debug info is available if required.

btw. there is an interesting little thing: samba client and samba server negotiated as smb dialect 'Samba'; according to http://www.ubiqx.org/cifs/SMB.html#SMB.6 this is not used anymore ... samba client and win2k negotiated as smb dialect 'NT LANMAN 1.0' (as expected I would say).

my smb.conf:

[global]
    workgroup = ITER
    realm = ITEREU.DE
    server string = %h server (Samba %v)
    security = DOMAIN
    password server = 192.168.2.10
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    client NTLMv2 auth = Yes
    log level = 10
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    server signing = auto
    deadtime = 15
    keepalive = 0
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
    load printers = No
    lm announce = No
    preferred master = No
    local master = No
    domain master = No
    dns proxy = No
    wins server = 192.168.2.10
    ldap ssl = no
    utmp = Yes
    panic action = /usr/share/samba/panic-action %d
    invalid users = root
    hide special files = Yes
    delete veto files = Yes
    veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
    map archive = No
Of course I was using security = ADS. The snippet from my smb.conf with 'security = domain' was the setting from another desperate testing session. Sorry for the confusion.
Created attachment 382: samba server logfile with loglevel 10
This is the output generated by the samba server when the client does 'smbclient //GFS1 -U user%pw'; loglevel was 10.
Created attachment 383: ethereal dump of traffic between samba server and ads pdc
This is the network trace of the traffic between the samba server (gfs1, 194.59.170.5) and the ads pdc (iws82328, 192.168.2.10).
This is a case of RestrictAnonymous == 2, Windows member servers obviously do DCERPC over TCP in this case.
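The diagnosis above can be reproduced from the Samba side without a packet trace. The script below is an added example, not code from the bug report or from the Samba project: it runs the same three smbclient probes the reporter listed, adds a fourth anonymous probe against the DC (the IPC$ session the trace showed being refused), and reduces the four outcomes to the conclusion reached in this thread. Hostnames and the 'user%pw' credential are placeholders passed on the command line; the RestrictAnonymous value itself lives on the DC under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous, where 2 refuses all anonymous sessions.

```shell
#!/bin/sh
# Added example, not part of the bug report: run the report's three smbclient
# probes plus an anonymous probe of the DC, and map the outcome to the
# diagnosis the thread arrived at (DC refuses the anonymous IPC$ session).
# Usage: sh ads-member-check.sh SAMBA_HOST WIN2K_HOST DC_HOST 'user%pw'
# All four arguments are placeholders supplied by the caller.

# Reduce a block of smbclient output to a verdict: the first NT_STATUS code
# found in it, or OK when none is present.
verdict() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z_]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        printf '%s\n' "$code"
    else
        printf 'OK\n'
    fi
}

# Map the four verdicts to a diagnosis.
#   $1 kerberos  -> samba member server
#   $2 user/pass -> samba member server
#   $3 user/pass -> win2k member server
#   $4 anonymous -> DC (the IPC$ session the member server opens for
#                      pass-through authentication)
diagnose() {
    if [ "$1" = OK ] && [ "$2" = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE ] \
        && [ "$3" = OK ] && [ "$4" != OK ]; then
        printf 'DC refuses the anonymous IPC$ session the member server needs for pass-through auth (%s): RestrictAnonymous=2 symptom. Kerberos logons still work because the ticket is validated locally.\n' "$4"
    elif [ "$2" != OK ] && [ "$4" = OK ]; then
        printf 'DC accepts anonymous sessions, so the failure (%s) is elsewhere: check security = ADS / realm in smb.conf and the machine account.\n' "$2"
    else
        printf 'no single diagnosis: krb=%s ntlm=%s win2k=%s anon_dc=%s\n' "$1" "$2" "$3" "$4"
    fi
}

if [ "$#" -eq 4 ]; then
    samba=$1 win2k=$2 dc=$3 cred=$4
    # -k (Kerberos) is the Samba 3.0 spelling used in the report; recent
    # smbclient versions spell it --use-kerberos=required.
    r_krb=$(verdict "$(smbclient -k -L "//$samba" 2>&1)")
    r_ntlm=$(verdict "$(smbclient -L "//$samba" -U "$cred" 2>&1)")
    r_win=$(verdict "$(smbclient -L "//$win2k" -U "$cred" 2>&1)")
    # -N: no password prompt, i.e. an anonymous session like the one in the trace
    r_anon=$(verdict "$(smbclient -N -L "//$dc" 2>&1)")
    printf 'kerberos  -> %s: %s\n' "$samba" "$r_krb"
    printf 'user/pass -> %s: %s\n' "$samba" "$r_ntlm"
    printf 'user/pass -> %s: %s\n' "$win2k" "$r_win"
    printf 'anonymous -> %s: %s\n' "$dc" "$r_anon"
    diagnose "$r_krb" "$r_ntlm" "$r_win" "$r_anon"
else
    printf 'usage: %s SAMBA_HOST WIN2K_HOST DC_HOST user%%pw\n' "$0" >&2
fi
```

The anonymous probe is the one that matters: if the DC answers an anonymous -L with a share list, RestrictAnonymous is not the cause and the member server's own configuration (security = ADS, realm, machine account) is the next thing to check.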
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
database cleanup