[Samba] starnge Auth problem in w2k Domain with ADS

Aden, Steve saden at itscommunications.com
Wed May 12 14:33:40 GMT 2004 

I too have similar problems that haven't been answered. I have kerberos
functioning and I can kinit a user on the samba box and access a Windows
share, but cannot connect from a Windows workstation to a samba share
that has share permissions on it (file permissions are set to 777 for
testing). The problem I see in the logs is related to rid's and sid's.
The logs (set to level 10) shows the kerberos ticket is decrypted, but
later the rid and sid are displayed and do not match the rid and sid of
the user connecting to the share. Since they don't match the actual
user, they don't match the any of the sid's in the ACL for the share,
which then denies access to the share. Same result on 3.0.2a and 3.0.3.
I have not yet tried 3.0.4.

Maybe you have the same problem.

My post:
http://groups.google.com/groups?hl=en&lr=&threadm=1FxIM-8aM-21%40gated-a
t.bofh.it&rnum=4&prev=/groups%3Fhl%3Den%26lr%3D%26q%3DAden%2Bsamba

Jerry was kind enough to make a couple of suggestions, but they did not
solve the problem.

Steve Aden


Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply email. Opinions, conclusions and other information contained in this message that do not relate to official business shall be understood as neither given nor endorsed by ITS

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Wednesday, May 12, 2004 9:37 AM
To: Anders Berg
Cc: samba at lists.samba.org; Christoph Scheeder
Subject: Re: [Samba] starnge Auth problem in w2k Domain with ADS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anders Berg wrote:
| Hi Christoph,
|
| you have come to the wrong group. Not that this
| question does not belong here, its just that nobody is
| willing to answer it!
|
| 4 questions so far in May have been about this topic
| (mine: http://lists.samba.org/archive/samba/2004-May/085521.html) ,
| and many  more earlier months. And there are surprisingly
| few replys.
|
| I _don't_ think it's because it's a RTFM question, or is
| adressed in  such detail so many times that people just can't
| be bothered answering it. I think its because they don't wanna
| touch it (they meaning the people  that have written/worked with
| these parts of Samba)!
...
| I used both Heimdal 0.6.2 (I have a 2003 server I auth.
| gainst, and the  Samba docs say that Heimdal must be used with 2003.)
| and the MIT 1.3.3  kerbos and both 3.0.3 and 3.0.4 Samba.
|
| I see that one person has sendt a "Me too" mail in reply
| to you already. :)
|
| Will the real Samba community please stand up?!

I'll assume that your not just trolling for an answer.

For the record, you will always have better luck with
MIT krb5 1.3.x and Heimdal 0.6.1 or later.  Both supprt
the type 23 enc type used by Windows 200x.

There are a couple of likely reasons why you are prompted
for a password:

(a) the krb5 ticket cannot be verfied (possibly due to
an improper kerberos setup on the Samba box)
(b) getpwnam() fails for the user (see logs for instances
of 'Gwt_Pwnam did not')

If you can connect to the share using the server's IP
address but IP address, this is indicative of a krb5
configuration error somewhere.  When usiong the IP address,
the client will revert to the NTLMSSP mechanism during
session setup (rather than sending a krb5 ticket).



cheers, jerry
- ----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"...a hundred billion castaways looking for a home." ----------- Sting
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAoiiBIR7qMdg1EfYRAqEfAKDUJcAixHjuvoZE4vGL1YYk4oMLXgCgofYP
dSNA4Je5YQ0MIiY6dTeHyS0=
=mqvS
-----END PGP SIGNATURE-----
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


_____________________________________________________
This message was content-scanned by IXC Shield 
Powered by GatewayDefender - BH09f02c59.00000001.mml

More information about the samba mailing list