samba ads member server does _NOT_ accept userid/pw but only kerberos auth.
win2k server accept both ...
I set up samba 3.0.2rc2 (also tried 3.0.1 which had other problems) on Debian
sid as an ADS member server:
- joining the domain works flawlessly
- browsing the samba server via 'smbclient -k -L //samba' works flawlessly
- browsing an Win2k member server via 'smbclient -L //win2k -U user%pw' works
- browsing the samba server via 'smbclient -L //samba -U user%pw' fails with
'session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE' (browsing via
'net view \\samba * /user:user' from XP yields the same: system errror 1789)
Tracing the network connection from the samba server to the ADS PDC with
ethereal shows that the samba server tries to connect \\PDC\IPC$ as anonymous
and this fails ...
Any sugesstions/hints on this from the samba gurus ?
More debug info is available if required.
btw. there is an interessting little thing:
samba client and samba server negotiated as smb dialect: 'Samba'
according to http://www.ubiqx.org/cifs/SMB.html#SMB.6 this is not used anymore ...
samba client and win2k negotiated as smb dialect: 'NT LANMAN 1.0'
(as expected I would say).
workgroup = ITER
realm = ITEREU.DE
server string = %h server (Samba %v)
security = DOMAIN
password server = 192.168.2.10
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
server signing = auto
deadtime = 15
keepalive = 0
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
load printers = No
lm announce = No
preferred master = No
local master = No
domain master = No
dns proxy = No
wins server = 192.168.2.10
ldap ssl = no
utmp = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root
hide special files = Yes
delete veto files = Yes
veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
map archive = No
Of course I was using security = ADS. The snipplet from my smb.conf
with 'security = domain' was the setting from another desperate testing
session. Sorry for confusion.
Created attachment 382 [details]
samba server logfile with loglevel 10
this is the output generated by the samba server when the client does
'smbclient //GFS1 -U user%pw'
loglevel was 10
Created attachment 383 [details]
ethereal dump of traffic between samba server and ads pdc
this is the network trace of the traffic between the samba server (gfs1,
220.127.116.11 and the ads pdc (iws82328, 192.168.2.10).
This is a case of RestrictAnonymous == 2, Windows member servers obviously
do DCERPC over TCP in this case.
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.