closer to delegated credentials on samba4

Amin Azez azez at ufomechanic.net
Mon Sep 24 11:50:56 GMT 2007


I may have got confused over the direction in which delegation works.

I was trying to get the samba4 machine to be a delegate for the real
server, so it could serve files as if it were the server as far as the
client could tell, however I'm getting this message:
  CIFS backend: NO delegated credentials found: You must supply server,
user and password or the client must supply delegated credentials

(
after running this command:
smbclient '\\cifsproxy\myshare' -U sam

With this smb.conf fragment:
[myshare]
        ntvfs handler = cifs
        cifs:server = ufomechanicw200.home.ufomechanic.net
        cifs:share = dbamreports
)

Now authentication is correctly passed upstream, which is nice but (no
doubt as per kerberos) the credentials can't be passed upstream which I
hope is unnecessary if the upstream server is delegating downstream???

However if I remove the cifsproxy "trust computer for delegation"
attribute from the real server (and also restart samba4) it has no
effect on the ability of the samba4 proxy to validate the password,
which surprised me, did smbclient really pass it a kerberos ticket? Cool
if it did, sorry to be so slow and excitable...

Sam


(full output below).

I'm now getting this level 5 debug
smbsrv_accept
Shutdown SMB signing
switch message SMBnegprot (task_id 6811)
Requested protocol [0][PC NETWORK PROGRAM 1.0]
Requested protocol [1][MICROSOFT NETWORKS 1.03]
Requested protocol [2][MICROSOFT NETWORKS 3.0]
Requested protocol [3][LANMAN1.0]
Requested protocol [4][Windows for Workgroups 3.1a]
Requested protocol [5][LM1.2X002]
Requested protocol [6][DOS LANMAN2.1]
Requested protocol [7][LANMAN2.1]
Requested protocol [8][Samba]
Requested protocol [9][NT LANMAN 1.0]
Requested protocol [10][NT LM 0.12]
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab (des-cbc-md5)
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab
(aes256-cts-hmac-sha1-96)
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab (des3-cbc-sha1)
Added CIFSPROXY$@HOME.UFOMECHANIC.NET(kvno 2) to keytab (arcfour-hmac-md5)
using SPNEGO
Selected protocol [9][NT LANMAN 1.0]
switch message SMBsesssetupX (task_id 6811)
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
switch message SMBsesssetupX (task_id 6811)
Got user=[sam] domain=[UFO] workstation=[CIFSPROXY] len1=24 len2=24
auth_check_password_send:  Checking password for unmapped user
[UFO]\[sam]@[CIFSPROXY]
map_user_info: Mapping user [UFO]\[sam] from workstation [CIFSPROXY]
auth_check_password_send:  mapped user is: [UFO]\[sam]@[CIFSPROXY]
auth_get_challenge: returning previous challenge by module NTLMSSP
callback (NTLM2) (normal)
[000] 58 65 C1 F9 6C B5 5A 1D                           Xe..l.Z.
auth_get_challenge: returning previous challenge by module NTLMSSP
callback (NTLM2) (normal)
wb_irpc_SamLogon called
        seed        cb65dda6:a8fb4dc0
        seed+time   125d7ff1:a8fb4dc0
        CLIENT      74716938:c0594af0
        seed+time+1 125d7ff2:a8fb4dc0
        SERVER      2fa4757d:01d36a16
sign_outgoing_message: SENT SIG (seq: 44): sent SMB signature of
[000] 43 41 EB D7 78 C8 6D EE                           CA..x.m.
[000] 10 70 26 B2 22 98 6C 3F                           .p&.".l?
wb_irpc_SamLogon_callback called
auth_check_password_recv: winbind authentication for user [UFO\sam]
succeeded
ldb: naming_fsmo_init: we are master: yes
ldb: pdc_fsmo_init: we are master: yes
SMB Signing has been locally disabled
switch message SMBtconX (task_id 6811)
CIFS backend: NO delegated credentials found: You must supply server,
user and password or the client must supply delegated credentials
make_connection: NTVFS make connection failed!
127.0.0.1 closed connection to service myshare
standard_terminate: reason[NT_STATUS_END_OF_FILE]
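
Added example, not part of the original message and not Samba code: a short Python script that reads level 5 debug output like the log above, reports which GENSEC submechanism was started under each SMB message, and decodes the neg_flags value. The flag bit values are the standard NTLMSSP ones; the function names and the trimmed log excerpt are this example's own.

```python
import re

# NTLMSSP negotiate flag bits for the eight names the log prints.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Trimmed excerpt of the level 5 debug output quoted in the message above.
SAMPLE_LOG = """\
switch message SMBnegprot (task_id 6811)
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
switch message SMBsesssetupX (task_id 6811)
Starting GENSEC mechanism spnego
Starting GENSEC submechanism ntlmssp
Got NTLMSSP neg_flags=0x60088215
switch message SMBsesssetupX (task_id 6811)
Got user=[sam] domain=[UFO] workstation=[CIFSPROXY] len1=24 len2=24
switch message SMBtconX (task_id 6811)
"""

def decode_neg_flags(value):
    """Return (known flag names in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names, unknown

def summarize(log):
    """Map each SMB message type to the GENSEC submechanisms started under it."""
    mechs, flags, current = {}, None, None
    for line in log.splitlines():
        if m := re.match(r"switch message (\w+)", line):
            current = m.group(1)
        elif m := re.match(r"Starting GENSEC submechanism (\w+)", line):
            mechs.setdefault(current, []).append(m.group(1))
        elif m := re.match(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)", line):
            flags = int(m.group(1), 16)
    return mechs, flags

if __name__ == "__main__":
    mechs, flags = summarize(SAMPLE_LOG)
    print(mechs, decode_neg_flags(flags))
```

On the quoted log this reports gssapi_krb5 under SMBnegprot and ntlmssp under SMBsesssetupX, and 0x60088215 decodes to exactly the eight flags the log lists.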


