closer to delegated credentials on samba4
Amin Azez
azez at ufomechanic.net
Mon Sep 24 11:50:56 GMT 2007
I may have got confused over the direction in which delegation works.
I was trying to get the samba4 machine to be a delegate for the real
server, so it could serve files as if it were the server as far as the
client could tell; however, I'm getting this message:
CIFS backend: NO delegated credentials found: You must supply server,
user and password or the client must supply delegated credentials
(
after running this command:

    smbclient '\\cifsproxy\myshare' -U sam

With this smb.conf fragment:

    [myshare]
        ntvfs handler = cifs
        cifs:server = ufomechanicw200.home.ufomechanic.net
        cifs:share = dbamreports
)
Now authentication is correctly passed upstream, which is nice but (no
doubt as per Kerberos) the credentials can't be passed upstream, which I
hope is unnecessary if the upstream server is delegating downstream???
However, if I remove the cifsproxy "trust computer for delegation"
attribute from the real server (and also restart samba4) it has no
effect on the ability of the samba4 proxy to validate the password,
which surprised me. Did smbclient really pass it a Kerberos ticket? Cool
if it did, sorry to be so slow and excitable...
Sam
(full output below).
I'm now getting this level 5 debug
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 6811)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][MICROSOFT NETWORKS 1.03]
Requested protocol [2][MICROSOFT NETWORKS 3.0]
Requested protocol [3][LANMAN1.0]
Requested protocol [4][Windows for Workgroups 3.1a]
Requested protocol [5][LM1.2X002]
Requested protocol [6][DOS LANMAN2.1]
Requested protocol [7][LANMAN2.1]
Requested protocol [8][Samba]
Requested protocol [9][NT LANMAN 1.0]
Requested protocol [10][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab (des-cbc-md5)
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab
(aes256-cts-hmac-sha1-96)
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab (des3-cbc-sha1)
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [9][NT LANMAN 1.0]
switch message SMBsesssetupX (task_id 6811)
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
switch message SMBsesssetupX (task_id 6811)
Got user=[sam] domain=[UFO] workstation=[CIFSPROXY] len1=24 len2=24
auth_check_password_send: Checking password for unmapped user
[UFO]\[sam]@[CIFSPROXY]
map_user_info: Mapping user [UFO]\[sam] from workstation [CIFSPROXY]
auth_check_password_send: mapped user is: [UFO]\[sam]@[CIFSPROXY]
auth_get_challenge: returning previous challenge by module NTLMSSP
callback (NTLM2) (normal)
[000] 58 65 C1 F9 6C B5 5A 1D Xe..l.Z.
auth_get_challenge: returning previous challenge by module NTLMSSP
callback (NTLM2) (normal)
wb_irpc_SamLogon called
seed cb65dda6:a8fb4dc0
seed+time 125d7ff1:a8fb4dc0
CLIENT 74716938:c0594af0
seed+time+1 125d7ff2:a8fb4dc0
SERVER 2fa4757d:01d36a16
sign_outgoing_message: SENT SIG (seq: 44): sent SMB signature of
[000] 43 41 EB D7 78 C8 6D EE CA..x.m.
[000] 10 70 26 B2 22 98 6C 3F .p&.".l?
wb_irpc_SamLogon_callback called
auth_check_password_recv: winbind authentication for user [UFO\sam]
succeeded
ldb: naming_fsmo_init: we are master: yes
ldb: pdc_fsmo_init: we are master: yes
SMB Signing has been locally disabled
switch message SMBtconX (task_id 6811)
CIFS backend: NO delegated credentials found: You must supply server,
user and password or the client must supply delegated credentials
make_connection: NTVFS make connection failed!
127.0.0.1 closed connection to service myshare
standard_terminate: reason[NT_STATUS_END_OF_FILE]
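
As an added example (not part of the original post and not Samba's own code), the Python script below reads a level 5 debug log like the one above, reports which GENSEC submechanism was started in each SMB message phase, decodes the NTLMSSP neg_flags value, and notes whether the CIFS backend reported missing delegated credentials. The function name `analyse`, the result keys and the abridged sample lines are assumptions made for this example.

```python
import re

# NTLMSSP negotiate flag bits (values per MS-NLMP), named as Samba prints them.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Constructed sample: lines abridged from the level 5 debug log in the post.
SAMPLE_LOG = """\
switch message SMBnegprot (task_id 6811)
Starting GENSEC submechanism gssapi_krb5
switch message SMBsesssetupX (task_id 6811)
Starting GENSEC submechanism ntlmssp
Got NTLMSSP neg_flags=0x60088215
switch message SMBtconX (task_id 6811)
CIFS backend: NO delegated credentials found: You must supply server,
"""

def analyse(log_text):
    """Report which GENSEC submechanism ran in each SMB message phase."""
    phase = None
    out = {"mechs": {}, "flags": [], "unknown_bits": 0, "no_delegated_creds": False}
    for line in log_text.splitlines():
        if m := re.match(r"switch message (\w+)", line):
            phase = m.group(1)
        elif m := re.match(r"Starting GENSEC submechanism (\w+)", line):
            out["mechs"].setdefault(phase, []).append(m.group(1))
        elif m := re.search(r"neg_flags=(0x[0-9a-fA-F]+)", line):
            value = int(m.group(1), 16)
            out["flags"] = [n for bit, n in NTLMSSP_FLAGS.items() if value & bit]
            out["unknown_bits"] = value & ~sum(NTLMSSP_FLAGS)
        elif "NO delegated credentials found" in line:
            out["no_delegated_creds"] = True
    # Assumption: the submechanism started during SMBsesssetupX is the one the
    # client's SPNEGO token selected; the one under SMBnegprot is the server
    # preparing its own offer.
    out["session_used_kerberos"] = "gssapi_krb5" in out["mechs"].get("SMBsesssetupX", [])
    return out

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample lines it lists gssapi_krb5 under SMBnegprot and ntlmssp under SMBsesssetupX, and all eight decoded flag names match the ones printed in the log.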