Re: Samba and Active Directory
From: David Wright (david_c_wright_at_hotmail.com)
Date: Sat, 29 Jan 2005 09:30:55 +0100
Kevin Miller wrote:
> Here at work we've been running on a Windows NT 4.0 network for quite
> some time. We have an ftp server running on a SuSE 9.0 box, which is
> accessible from the outside via ftp. Internally, we have Samba set up
> and the NT users can access it like any other network share. Makes it
> nice and easy for them. Recently we began our "upgrade" to Windows 2003
> with Active Directory. In the process we built the AD server, demoted
> the PDC and now the AD server is acting as the PDC. But now
> authentication is dicey via winbind. In addition to Samba, we also use
> squid using ntlm authentication so we can associate the logs w/a user
> account instead of just a dhcp generated address.
> If I reboot the SuSE box (Samba/squid/winbind) users will authenticate
> for a while, but then drop off. They'll be prompted for a
> username/password when trying to browse the internet but it will fail
> when they enter their credentials.
> Anybody have any clues on what might have changed? That is, what is AD
> expecting that NT 4 wasn't? Did the encryption change? Passwords were
> being encrypted before, and security was set to domain. It all just
> samba 2..28a-230
> samba-client 2..28a-230
> sarg 184.108.40.206-29
> squid 2.5STABLE3-114
> libsmbclient3 299_3.0rc3-18
> I'm really new to AD and W2003, so am scratching my head over this one.
> Any help appreciated...
The Samba machine should continue to work in Windows NT legacy mode, same as
the NT boxes which haven't been upgraded. This means that they will be a
legacy domain member, not a full AD member.
On the authentication side, I have seen problems with Win2003 authentication
as well (with an XP machine as well as Samba boxes). I think they have
altered something in the way AD works under 2003, a "refinement" of the
process, but it shouldn't be such a change that it will kill off NT boxes
still in the network (although it should be expected, NT is dropping out of
the support line).
I would suggest updating Samba to a newer version, SuSE has come with
version 3 for over a year now and version 4 should be in beta soon. I
recommend updating to the latest version 3 stable release - also check the
documentation, some of the options have been changed in the config file,
but I think they have to do mainly with using the machine as a PDC, which
is not the case here.
It also sounds like the authentication cookie that Samba is using is
expiring and it is not being refreshed... Hopefully the upgrade to v3
should help on this front.