[Samba] IIS authentication

James Devine fxmulder at gmail.com
Mon Oct 8 16:23:58 MDT 2012 

It might be nice to add a debug line somewhere in auth/pass_check.c around
the if ((!*password) && !lp_null_passwords()) check indicating a reason for
the failure, or maybe a config option around DEBUG(100, ("checking
user=[%s] pass=[%s]\n", user, password)); instead of a precompiler #define

On Mon, Oct 8, 2012 at 4:11 PM, James Devine <fxmulder at gmail.com> wrote:

> I found the problem, it appears IIS is sending an empty password
>
>
> On Mon, Oct 8, 2012 at 1:36 PM, James Devine <fxmulder at gmail.com> wrote:
>
>> I have setup samba to share a local filesystem with the following config:
>>
>> [global]
>>
>> smb ports = 139
>> workgroup = WORKGROUP
>> server string = %h server (Samba, Ubuntu)
>> dns proxy = no
>> log level = 255
>> debug timestamp = yes
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 1
>> panic action = /usr/share/samba/panic-action %d
>> encrypt passwords = no
>> security = user
>> obey pam restrictions = yes
>> usershare allow guests = no
>> load printers = no
>> show add printer wizard = no
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> [web]
>> path = /isp/web/
>> read only = no
>> guest ok = no
>> browseable = yes
>> create mask = 0600
>> directory mask = 0700
>>
>>
>>
>> I also have a windows machine to import it.  If I import in windows
>> explorer it works fine and the logs show:
>>
>> [2012/10/08 13:18:34.638730,  3] auth/auth.c:216(check_ntlm_password)
>>   check_ntlm_password:  Checking password for unmapped user
>> [WIN-K7GH3RR6OCJ]\[1641]@[win-k7gh3rr6ocj] with the new password interface
>> [2012/10/08 13:18:34.638739,  3] auth/auth.c:219(check_ntlm_password)
>>   check_ntlm_password:  mapped user is:
>> [DEV-WEB1]\[1641]@[win-k7gh3rr6ocj]
>> [2012/10/08 13:18:34.638747, 10] auth/auth.c:228(check_ntlm_password)
>>   check_ntlm_password: auth_context challenge created by random
>> [2012/10/08 13:18:34.638754, 10] auth/auth.c:230(check_ntlm_password)
>>   challenge is:
>> [2012/10/08 13:18:34.638760,  5] ../lib/util/util.c:278(_dump_data)
>>   [0000] 62 C8 5D A5 AD CA DD 2C                            b.]....,
>> [2012/10/08 13:18:34.638774, 10] auth/auth.c:256(check_ntlm_password)
>>   check_ntlm_password: guest had nothing to say
>> [2012/10/08 13:18:34.638783,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2012/10/08 13:18:34.638793,  3] smbd/uid.c:429(push_conn_ctx)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2012/10/08 13:18:34.638801,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2012/10/08 13:18:34.638808,  5]
>> auth/token_util.c:525(debug_nt_user_token)
>>   NT user token: (NULL)
>> [2012/10/08 13:18:34.638815,  5]
>> auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2012/10/08 13:18:34.638828,  5] lib/username.c:133(Get_Pwnam_alloc)
>>   Finding user 1641
>> [2012/10/08 13:18:34.638836,  5] lib/username.c:77(Get_Pwnam_internals)
>>   Trying _Get_Pwnam(), username as lowercase is 1641
>> [2012/10/08 13:18:34.859941,  5] lib/username.c:110(Get_Pwnam_internals)
>>   Get_Pwnam_internals did find user [1641]!
>> [2012/10/08 13:18:34.859987,  4] auth/pass_check.c:679(pass_check)
>>   pass_check: Checking (PAM) password for user 1641 (l=1)
>> [2012/10/08 13:18:34.860010,  4] auth/pampass.c:472(smb_pam_start)
>>   smb_pam_start: PAM: Init user: 1641
>> [2012/10/08 13:18:34.862743,  4] auth/pampass.c:489(smb_pam_start)
>>   smb_pam_start: PAM: setting rhost to: 64.251.188.225
>> [2012/10/08 13:18:34.862764,  4] auth/pampass.c:498(smb_pam_start)
>>   smb_pam_start: PAM: setting tty
>> [2012/10/08 13:18:34.862772,  4] auth/pampass.c:506(smb_pam_start)
>>   smb_pam_start: PAM: Init passed for user: 1641
>> [2012/10/08 13:18:34.862779,  4] auth/pampass.c:523(smb_pam_auth)
>>   smb_pam_auth: PAM: Authenticate User: 1641
>> [2012/10/08 13:18:34.862862,  4] auth/pampass.c:545(smb_pam_auth)
>>   smb_pam_auth: PAM: User 1641 Authenticated OK
>> [2012/10/08 13:18:34.862874,  4] auth/pampass.c:564(smb_pam_account)
>>
>>
>>
>>
>> But when I try to access a webpage through IIS which is also configured
>> to access this network share it fails and I see this in the logs:
>>
>> [2012/10/08 13:16:09.600154,  3] auth/auth.c:216(check_ntlm_password)
>>   check_ntlm_password:  Checking password for unmapped user
>> [WIN-K7GH3RR6OCJ]\[1641]@[win-k7gh3rr6ocj] with the new password interface
>> [2012/10/08 13:16:09.600163,  3] auth/auth.c:219(check_ntlm_password)
>>   check_ntlm_password:  mapped user is:
>> [DEV-WEB1]\[1641]@[win-k7gh3rr6ocj]
>> [2012/10/08 13:16:09.600170, 10] auth/auth.c:228(check_ntlm_password)
>>   check_ntlm_password: auth_context challenge created by random
>> [2012/10/08 13:16:09.600177, 10] auth/auth.c:230(check_ntlm_password)
>>   challenge is:
>> [2012/10/08 13:16:09.600184,  5] ../lib/util/util.c:278(_dump_data)
>>   [0000] D9 C9 AA F1 93 54 39 AD                            .....T9.
>> [2012/10/08 13:16:09.600197, 10] auth/auth.c:256(check_ntlm_password)
>>   check_ntlm_password: guest had nothing to say
>> [2012/10/08 13:16:09.600211,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2012/10/08 13:16:09.600219,  3] smbd/uid.c:429(push_conn_ctx)
>>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2012/10/08 13:16:09.600227,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2012/10/08 13:16:09.600234,  5]
>> auth/token_util.c:525(debug_nt_user_token)
>>    NT user token: (NULL)
>> [2012/10/08 13:16:09.600240,  5]
>> auth/token_util.c:551(debug_unix_user_token)
>>   UNIX token of user 0
>>   Primary group is 0 and contains 0 supplementary groups
>> [2012/10/08 13:16:09.600254,  5] lib/username.c:133(Get_Pwnam_alloc)
>>   Finding user 1641
>> [2012/10/08 13:16:09.600262,  5] lib/username.c:77(Get_Pwnam_internals)
>>   Trying _Get_Pwnam(), username as lowercase is 1641
>> [2012/10/08 13:16:09.600271,  5] lib/username.c:110(Get_Pwnam_internals)
>>   Get_Pwnam_internals did find user [1641]!
>> [2012/10/08 13:16:09.600281,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2012/10/08 13:16:09.600289,  5] auth/auth.c:268(check_ntlm_password)
>>   check_ntlm_password: unix authentication for user [1641] FAILED with
>> error NT_STATUS_LOGON_FAILURE
>> [2012/10/08 13:16:09.600298,  2] auth/auth.c:314(check_ntlm_password)
>>   check_ntlm_password:  Authentication for user [1641] -> [1641] FAILED
>> with error NT_STATUS_LOGON_FAILURE
>> [2012/10/08 13:16:09.600307,  5] auth/auth_util.c:2119(free_user_info)
>>
>>
>>
>> The first difference I am noticing is 'pop_sec_ctx (0, 0) -
>> sec_ctx_stack_ndx = 0', I'm not sure if this is relevant or if the problem
>> lies elsewhere but wondering if someone has any insights what might be
>> wrong?
>>
>
>

More information about the samba mailing list