[Samba] Samba 3.5 - user authentication issues

Jakov Sosic jsosic at srce.hr
Wed Oct 31 10:49:31 MDT 2012


Hi.

I'm using CentOS 5 with samba3x packages (Samba 3.5.10) and Solaris 10 
(Samba 3.5.8) for achieving AD integration. Samba hosts are added as 
domain members.

Now, I've tried to add CentOS 6, which also uses 3.5.10, but have 
encountered a problem -> users cannot authenticate for some reason. 
Configurations are pretty much the same across the board, and they look 
like this:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[www]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
         workgroup = DOMAIN
         realm = DOMAIN.LOCAL
         server string = www2 (Samba ver. %v)
         security = ADS
         allow trusted domains = No
         password server = server.domain.local
         log level = 10
         syslog = 0
         log file = /var/log/samba/log.%m
         load printers = No
         local master = No
         domain master = No
         idmap backend = rid:"DOMAIN=10000-49999"
         idmap uid = 10000-49999
         idmap gid = 10000-49999
         winbind use default domain = Yes
         cups options = raw

[share]
         comment = something
         path = /home/share/www
         force user = share
         force group = share
         read only = No
         force create mode = 0660
         force security mode = 0660
         force directory mode = 0770
         delete readonly = Yes


Testparm is OK (exit: 0).

# net ads testjoin
Join is OK
# net ads testjoin -k
Join is OK
# net rpc testjoin -k
saf_store: refusing to store 0 length domain or servername!
Join to 'DOMAIN' is OK

# net ads info
LDAP server: 192.168.xx.yy
LDAP server name: server.Domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: Wed, 31 Oct 2012 17:46:46 CET
KDC server: 192.168.xx.yy
Server time offset: 0





wbinfo -u, wbinfo -g, wbinfo -i <username>  all work OK... so mapping is ok.


But when I try to access the share from another computer, the credentials 
are refused...

# smbclient \\\\www2\\www -U jakov.sosic
Enter jakov.sosic's password:
session setup failed: NT_STATUS_LOGON_FAILURE


If I take a look at the log, I see this:

[2012/10/31 17:39:41.443043,  6] param/loadparm.c:7158(lp_file_list_changed)
   lp_file_list_changed()
   file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Wed 
Oct 31 17:35:47 2012

[2012/10/31 17:39:41.443102,  5] auth/auth_util.c:211(make_user_info_map)
   Mapping user [DOMAIN]\[jakov.sosic] from workstation [WS101]
[2012/10/31 17:39:41.443592,  5] auth/auth_util.c:122(make_user_info)
   attempting to make a user_info for jakov.sosic (jakov.sosic)
[2012/10/31 17:39:41.443616,  5] auth/auth_util.c:132(make_user_info)
   making strings for jakov.sosic's user_info struct
[2012/10/31 17:39:41.443632,  5] auth/auth_util.c:164(make_user_info)
   making blobs for jakov.sosic's user_info struct
[2012/10/31 17:39:41.443651, 10] auth/auth_util.c:182(make_user_info)
   made an encrypted user_info for jakov.sosic (jakov.sosic)
[2012/10/31 17:39:41.443671,  3] auth/auth.c:216(check_ntlm_password)
   check_ntlm_password:  Checking password for unmapped user 
[DOMAIN]\[jakov.sosic]@[WS101] with the new password interface
[2012/10/31 17:39:41.443695,  3] auth/auth.c:219(check_ntlm_password)
   check_ntlm_password:  mapped user is: [DOMAIN]\[jakov.sosic]@[WS101]
[2012/10/31 17:39:41.443714, 10] auth/auth.c:228(check_ntlm_password)
   check_ntlm_password: auth_context challenge created by NTLMSSP 
callback (NTLM2)
[2012/10/31 17:39:41.443733, 10] auth/auth.c:230(check_ntlm_password)
   challenge is:
[2012/10/31 17:39:41.443763,  5] ../lib/util/util.c:278(_dump_data)
   [0000] C5 DA F3 11 9A 67 11 50                            .....g.P
[2012/10/31 17:39:41.443795, 10] auth/auth.c:256(check_ntlm_password)
   check_ntlm_password: guest had nothing to say
[2012/10/31 17:39:41.443817,  8] lib/util.c:1894(is_myname)
   is_myname("DOMAIN") returns 0
[2012/10/31 17:39:41.443837,  6] 
auth/auth_sam.c:556(check_samstrict_security)
   check_samstrict_security: DOMAIN is not one of my local names 
(ROLE_DOMAIN_MEMBER)
[2012/10/31 17:39:41.443860, 10] auth/auth.c:256(check_ntlm_password)
   check_ntlm_password: sam had nothing to say
[2012/10/31 17:39:41.443882,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/31 17:39:41.443904,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/31 17:39:41.443923,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/31 17:39:41.443959,  5] auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
[2012/10/31 17:39:41.443977,  5] 
auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2012/10/31 17:39:41.452516,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/31 17:39:41.452561,  5] lib/username.c:133(Get_Pwnam_alloc)
   Finding user DOMAIN\jakov.sosic
[2012/10/31 17:39:41.452581,  5] lib/username.c:77(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is domain\jakov.sosic
[2012/10/31 17:39:41.452651,  5] lib/username.c:85(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as given is DOMAIN\jakov.sosic
[2012/10/31 17:39:41.452695,  5] lib/username.c:95(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as uppercase is DOMAIN\JAKOV.SOSIC
[2012/10/31 17:39:41.452737,  5] lib/username.c:104(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in domain\jakov.sosic
[2012/10/31 17:39:41.452769,  5] lib/username.c:110(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [DOMAIN\jakov.sosic]!
[2012/10/31 17:39:41.452791,  5] lib/username.c:133(Get_Pwnam_alloc)
   Finding user jakov.sosic
[2012/10/31 17:39:41.452837,  5] lib/username.c:77(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as lowercase is jakov.sosic
[2012/10/31 17:39:41.452911,  5] lib/username.c:95(Get_Pwnam_internals)
   Trying _Get_Pwnam(), username as uppercase is JAKOV.SOSIC
[2012/10/31 17:39:41.452983,  5] lib/username.c:104(Get_Pwnam_internals)
   Checking combinations of 0 uppercase letters in jakov.sosic
[2012/10/31 17:39:41.453023,  5] lib/username.c:110(Get_Pwnam_internals)
   Get_Pwnam_internals didn't find user [jakov.sosic]!
[2012/10/31 17:39:41.453141,  5] auth/auth.c:268(check_ntlm_password)
   check_ntlm_password: winbind authentication for user [jakov.sosic] 
FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453168,  2] auth/auth.c:314(check_ntlm_password)
   check_ntlm_password:  Authentication for user [jakov.sosic] -> 
[jakov.sosic] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453189,  5] auth/auth_util.c:2119(free_user_info)
   attempting to free (and zero) a user_info structure
[2012/10/31 17:39:41.453205, 10] auth/auth_util.c:2123(free_user_info)
   structure was created for jakov.sosic
[2012/10/31 17:39:41.453238,  3] smbd/error.c:80(error_packet_set)
   error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2012/10/31 17:39:41.453270,  5] lib/util.c:639(show_msg)
[2012/10/31 17:39:41.453283,  5] lib/util.c:649(show_msg)
   size=35
   smb_com=0x73
   smb_rcls=109
   smb_reh=0
   smb_err=49152
   smb_flg=136
   smb_flg2=51203
   smb_tid=0
   smb_pid=32156
   smb_uid=100
   smb_mid=3
   smt_wct=0
   smb_bcc=0
[2012/10/31 17:39:41.453722,  5] lib/util_sock.c:462(read_fd_with_timeout)
   read_fd_with_timeout: blocking read. EOF from client.
[2012/10/31 17:39:41.453753, 10] smbd/process.c:286(receive_smb_raw_talloc)
   receive_smb_raw: NT_STATUS_END_OF_FILE
[2012/10/31 17:39:41.453775,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/31 17:39:41.453914,  5] auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
[2012/10/31 17:39:41.453951,  5] 
auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2012/10/31 17:39:41.453983,  5] smbd/uid.c:369(change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/10/31 17:39:41.454009,  3] smbd/connection.c:31(yield_connection)
   Yielding connection to
[2012/10/31 17:39:41.454077, 10] lib/dbwrap_tdb.c:100(db_tdb_fetch_locked)
   Locking key 1D4B0000FFFFFFFFFFFF
[2012/10/31 17:39:41.454106, 10] lib/dbwrap_tdb.c:129(db_tdb_fetch_locked)
   Allocated locked data 0x0x7f87f45cc5f0
[2012/10/31 17:39:41.454134, 10] lib/dbwrap_tdb.c:42(db_tdb_record_destr)
   Unlocking key 1D4B0000FFFFFFFFFFFF
[2012/10/31 17:39:41.454264,  3] smbd/server.c:924(exit_server_common)
   Server exit (failed to receive smb request)





And this is what log.winbind spits out:

[2012/10/31 17:43:09.223274,  6] winbindd/winbindd.c:768(new_connection)
   accepted socket 20
[2012/10/31 17:43:09.223356, 10] winbindd/winbindd.c:620(process_request)
   process_request: request fn INTERFACE_VERSION
[2012/10/31 17:43:09.223378,  3] 
winbindd/winbindd_misc.c:352(winbindd_interface_version)
   [19232]: request interface version
[2012/10/31 17:43:09.223415, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
   winbind_client_response_written[19232:INTERFACE_VERSION]: deliverd 
response to client
[2012/10/31 17:43:09.223477, 10] winbindd/winbindd.c:620(process_request)
   process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/10/31 17:43:09.223499,  3] 
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
   [19232]: request location of privileged pipe
[2012/10/31 17:43:09.223546, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
   winbind_client_response_written[19232:WINBINDD_PRIV_PIPE_DIR]: 
deliverd response to client
[2012/10/31 17:43:09.223596,  6] 
winbindd/winbindd.c:816(winbind_client_request_read)
   closing socket 20, client exited
[2012/10/31 17:43:09.223637,  6] winbindd/winbindd.c:768(new_connection)
   accepted socket 20
[2012/10/31 17:43:09.223677, 10] winbindd/winbindd.c:620(process_request)
   process_request: request fn DOMAIN_INFO
[2012/10/31 17:43:09.223698,  3] 
winbindd/winbindd_misc.c:244(winbindd_domain_info)
   [19232]: domain_info [DOMAIN]
[2012/10/31 17:43:09.223737, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
   winbind_client_response_written[19232:DOMAIN_INFO]: deliverd response 
to client
[2012/10/31 17:43:09.224236, 10] winbindd/winbindd.c:620(process_request)
   process_request: request fn AUTH_CRAP
[2012/10/31 17:43:09.224273,  3] 
winbindd/winbindd_pam.c:1838(winbindd_pam_auth_crap)
   [19232]: pam auth crap domain: [DOMAIN] user: jakov.sosic
[2012/10/31 17:43:09.224294,  8] lib/util.c:1894(is_myname)
   is_myname("DOMAIN") returns 0
[2012/10/31 17:43:09.230954, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
   winbind_client_response_written[19232:AUTH_CRAP]: deliverd response 
to client
[2012/10/31 17:43:09.231408, 10] winbindd/winbindd.c:593(process_request)
   process_request: Handling async request 19232:PING
[2012/10/31 17:43:09.231437, 10] winbindd/winbindd.c:655(wb_request_done)
   wb_request_done[19232:PING]: NT_STATUS_OK
[2012/10/31 17:43:09.231472, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
   winbind_client_response_written[19232:PING]: deliverd response to client
[2012/10/31 17:43:09.233042,  6] 
winbindd/winbindd.c:816(winbind_client_request_read)
   closing socket 20, client exited



The problem is that this exact configuration works OK on both Solaris 10 
samba (3.5.8) and CentOS 5 samba3x (3.5.10), but refuses to work on 
CentOS 6 samba (3.5.10)...

Any ideas?


-- 
Jakov Sosic
www.srce.unizg.hr
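
Added example, not part of the original post or of Samba: a Python parser for the smbd debug-log format quoted above. It rejoins lines wrapped by the mailer and reports which auth methods declined, which failed, and the status returned to the client (NT_STATUS_NO_SUCH_USER internally, NT_STATUS_LOGON_FAILURE on the wire). The names `parse_records` and `summarize_auth` are hypothetical, and the patterns are derived only from the log lines in the post.

```python
import re

# Samba debug record header: "[YYYY/MM/DD HH:MM:SS.usec, level]".
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]")
LOCATION = re.compile(r"\s*\S+:\d+\((\w+)\)\s*(.*)", re.S)  # file:line(function) message
DECLINED = re.compile(r"(\w+) had nothing to say")
BACKEND = re.compile(r"(\w+) authentication for user \[.*?\] FAILED with error (NT_STATUS_\w+)")
FINAL = re.compile(r"Authentication for user .* FAILED with error (NT_STATUS_\w+)")

def parse_records(text):
    """Split on headers, so locations and messages wrapped by a mailer are rejoined."""
    parts = HEADER.split(text)[1:]          # ts, level, body, ts, level, body, ...
    triples = zip(parts[0::3], parts[1::3], parts[2::3])
    return [{"time": ts, "level": int(lv), "func": m.group(1),
             "msg": " ".join(m.group(2).split())}
            for ts, lv, body in triples if (m := LOCATION.match(body))]

def summarize_auth(records):
    """Report which auth methods declined or failed, and the status sent to the client."""
    out = {"declined": [], "backend_errors": {}, "final": None, "wire": None}
    for r in records:
        if r["func"] == "error_packet_set" and (m := re.search(r"NT_STATUS_\w+$", r["msg"])):
            out["wire"] = m.group(0)
        elif r["func"] != "check_ntlm_password":
            continue
        elif m := DECLINED.search(r["msg"]):
            out["declined"].append(m.group(1))
        elif m := BACKEND.search(r["msg"]):
            out["backend_errors"][m.group(1)] = m.group(2)
        elif m := FINAL.search(r["msg"]):
            out["final"] = m.group(1)
    return out

# Excerpt of the smbd log lines quoted in the post, mail wrapping included.
SAMPLE = """\
[2012/10/31 17:39:41.443795, 10] auth/auth.c:256(check_ntlm_password)
   check_ntlm_password: guest had nothing to say
[2012/10/31 17:39:41.443860, 10] auth/auth.c:256(check_ntlm_password)
   check_ntlm_password: sam had nothing to say
[2012/10/31 17:39:41.453141,  5] auth/auth.c:268(check_ntlm_password)
   check_ntlm_password: winbind authentication for user [jakov.sosic]
FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453168,  2] auth/auth.c:314(check_ntlm_password)
   check_ntlm_password:  Authentication for user [jakov.sosic] ->
[jakov.sosic] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453238,  3] smbd/error.c:80(error_packet_set)
   error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""
```

Calling `summarize_auth(parse_records(open("/var/log/samba/log.<client>").read()))` on a real log gives the same summary; the path follows the `log file = /var/log/samba/log.%m` setting shown in the post.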

