[Samba] another one of those "cannot authenticate against AD" posts :(
Razvan Cosma
razvan.cosma at telemach.com
Thu Sep 25 20:14:36 GMT 2003
Hello,
I had a perfectly good setup with samba being a domain member, and
domain users accessing their shares, since beta1. A month and several
updates from M$ later, clients were no longer able to log on to the
samba machine. I know this must be related to the updates, since there
have been absolutely no configuration / application modifications on the
linux box, and clients who forgot to install the patches were still able
to log in.
Hint for the docs: the bloody windows update rewrote the rtfm
signorseal registry key, but that can be enforced globally from the
domain controller.
Now I'm trying with the latest beta - or first stable, as you call it
since yesterday :)
Status:
- linux box joins the AD fine
- kinit -v, smbclient -k, net ads whatever work as expected, no errors
- no one can log in to the samba box. Win 2k/xp report the
username/password is incorrect, and the logs state:
[2003/09/25 20:20:01, 3] smbd/process.c:process_smb(890)
Transaction 10 of length 250
[2003/09/25 20:20:01, 3] smbd/process.c:switch_message(685)
switch message SMBsesssetupX (pid 343)
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
wct=12 flg2=0xc807
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
Doing spnego session setup
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002
5.1]
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(385)
Got OID 1 3 6 1 4 1 311 2 2 10
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_spnego_negotiate(388)
Got secblob of size 50
[2003/09/25 20:20:01, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
Got NTLMSSP neg_flags=0xe008b297
[2003/09/25 20:20:01, 3] smbd/process.c:process_smb(890)
Transaction 11 of length 338
[2003/09/25 20:20:01, 3] smbd/process.c:switch_message(685)
switch message SMBsesssetupX (pid 343)
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X(579)
wct=12 flg2=0xc807
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(476)
Doing spnego session setup
[2003/09/25 20:20:01, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(500)
NativeOS=[Windows 2002 2600 Service Pack 1] NativeLanMan=[Windows 2002
5.1]
[2003/09/25 20:20:01, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(286)
Got user=[Thatsme] domain=[Mydomain] workstation=[Mine] len1=24 len2=24
[2003/09/25 20:20:01, 3] auth/auth.c:check_ntlm_password(216)
check_ntlm_password: Checking password for unmapped user
[Mydomain]\[Thatsme]@[Mine] with the new password interface
[2003/09/25 20:20:01, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: mapped user is: [Mydomain]\[Thatsme]@[Mine]
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2003/09/25 20:20:01, 3] smbd/uid.c:push_conn_ctx(287)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2003/09/25 20:20:01, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/09/25 20:20:01, 3] auth/auth_util.c:make_server_info_info3(1009)
User Thatsme does not exist, trying to add it
[2003/09/25 20:20:01, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!
... I don't understand this one ..
[2003/09/25 20:20:01, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: Authentication for user [Thatsme] -> [Thatsme]
FAILED with error NT_STATUS_NO_SUCH_USER
... and I definitely have a domain logon ..
[2003/09/25 20:20:04, 3] smbd/process.c:timeout_processing(1099)
timeout_processing: End of file from client (client has disconnected).
I tried raising the debug level info and got some interesting lines:
[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(310)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(303)
ads_verify_ticket: enc type [3] decrypted message !
[2003/09/25 23:03:09, 10] passdb/secrets.c:secrets_named_mutex_release(709)
secrets_named_mutex: released mutex for replay cache mutex
[2003/09/25 23:03:09, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(385)
Got KRB5 session key of length 8
...
[2003/09/25 23:03:09, 3] smbd/sesssetup.c:reply_spnego_kerberos(178)
Ticket name is [Thatsme at MYDOMAIN.COM]
[2003/09/25 23:03:09, 5] lib/username.c:Get_Pwnam(288)
Finding user MYDOMAIN.COM\Thatsme
[2003/09/25 23:03:09, 5] lib/username.c:Get_Pwnam_internals(223)
Trying _Get_Pwnam(), username as lowercase is mydomain.com\thatsme
..and uppercase, and combinations, with and without the domain name
appended..
[2003/09/25 23:03:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
Username Thatsme is invalid on this system
[2003/09/25 23:03:10, 3] smbd/error.c:error_packet(94)
error string = No such file or directory
[2003/09/25 23:03:10, 3] smbd/error.c:error_packet(113)
error packet at smbd/sesssetup.c(220) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
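
Added example, not part of the original post and not Samba project code: a small triage script that groups Samba debug records (a header line followed by its message lines) and picks out the records that report the failure, so the failing step can be read off the function name. The names parse, failures and MARKERS and the stage labels are this example's own; the sample lines are copied from the logs above.

```python
import re
from collections import namedtuple

# Header of a Samba debug record: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+?):(\w+)\((\d+)\)$")
Record = namedtuple("Record", "time level source func message")

# Failure markers seen in the post's logs; the stage labels are this example's own.
MARKERS = [
    (re.compile(r"FAILED with error (NT_STATUS_\w+)"), "auth result"),
    (re.compile(r"pdb_init_sam failed"), "local account creation"),
    (re.compile(r"Username (\S+) is invalid on this system"), "local account lookup"),
]

def parse(text):
    """Group each header line with the message lines that follow it."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = [m.group(1), int(m.group(2)), m.group(3), m.group(4), []]
            records.append(current)
        elif current is not None and line.strip():
            current[4].append(line.strip())  # wrapped message text
    return [Record(t, lvl, src, fn, " ".join(msg)) for t, lvl, src, fn, msg in records]

def failures(records):
    """Return (time, function, stage, message) for records matching a marker."""
    out = []
    for r in records:
        for pattern, stage in MARKERS:
            if pattern.search(r.message):
                out.append((r.time, r.func, stage, r.message))
                break
    return out

# Excerpt copied from the log in the post above.
SAMPLE = """\
[2003/09/25 20:20:01, 3] auth/auth_util.c:make_server_info_info3(1009)
User Thatsme does not exist, trying to add it
[2003/09/25 20:20:01, 0] auth/auth_util.c:make_server_info_info3(1017)
make_server_info_info3: pdb_init_sam failed!
[2003/09/25 20:20:01, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: Authentication for user [Thatsme] -> [Thatsme]
FAILED with error NT_STATUS_NO_SUCH_USER
[2003/09/25 23:03:09, 10] libads/kerberos_verify.c:ads_verify_ticket(303)
ads_verify_ticket: enc type [3] decrypted message !
[2003/09/25 23:03:10, 1] smbd/sesssetup.c:reply_spnego_kerberos(218)
Username Thatsme is invalid on this system
"""

if __name__ == "__main__":
    for time, func, stage, message in failures(parse(SAMPLE)):
        print(f"{time} {func:28} [{stage}] {message}")
```

On the sample, the flagged records come from make_server_info_info3, check_ntlm_password and reply_spnego_kerberos, while the ads_verify_ticket record that reports a decrypted ticket is not flagged.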