[Samba] disable NTLM on Fedora samba-3.0.9
Nir L
nir_l3 at netvision.net.il
Mon Dec 6 18:27:41 GMT 2004
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Nir L wrote:
>
> | smb.conf:
> | security = ADS
> | I also configured /etc/krb5.conf and used net ads join
> | - successfully.
> |
> | However, I can see that NTLM is the chosen protocol for
> | each client machine (WinXP) accessing samba, and kerberos
> | is not used (from the log):
> | using SPNEGO
> | Selected protocol NT LM 0.12
>
> This is the smb protocol dialect and has nothing to do
> with the authentication chosen (not directly at least).
>
> | even though I tried to set "client use spnego = no"
>
> That applies only to Samba's client code and not the
> capability bits set by the server when replying to
> clients. Besides, you really should not disable spnego.
> Generally if it doesn't work it would be considered a bug.
>
> | How can I force samba to use kerberos ?
>
> Look for the SPNEGO communication in the level 10 log.
I tried...
I finally got "not using SPNEGO", but still - got
Using protocol NT LM 0.12 after the SPNEGO message.
> Hint: search for the string 'OID' and see what mechanism
no OID strings in my log.
> is being negotiated.
here is my smb.conf.
[global]
workgroup = domain2003
netbios name = defconn2Logs
server string = Major Samba
encrypt passwords = Yes
log level = 10
log file = /var/samba/logs/log.%m
lock dir = /var/samba/locks
pid directory = /var/run
max log size = 50000
preferred master = False
local master = No
domain master = False
dns proxy = No
guest account = pacifsconn
create mask = 0775
dead time = 15
debug pid = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
oplocks = Yes
kernel oplocks = Yes
level2 oplocks = Yes
defer sharing violations = No
name resolve order = lmhosts wins bcast host
debug hires timestamp = Yes
wins server = 192.168.41.108
realm = DOMAIN2003.com
security = ADS
domain logons = No
client use spnego = No
use spnego = No
map to guest = bad password
map hidden = Yes
map system = Yes
force group = 10000
bind interfaces only = Yes
interfaces = 192.168.41.139
smb passwd file = /var/samba/private/
private dir = /var/samba/private
winbind separator = +
idmap uid = 10000-30000
idmap gid = 10000-30000
winbind enum users = Yes
winbind enum groups = Yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
use sendfile = No
strict locking = Yes
disable spoolss = Yes
mangling method = hash2
[Logs]
comment = Share for Logs
path = /var/log
browseable = Yes
read only = Yes
available = Yes
writeable = No
valid users = NONE EXCEPT domain2003+user2
map archive = Yes
hide dot files = No
directory mask = 751
dos filemode = Yes
and part of the logfile:
challenge is:
[2004/12/06 20:03:36.498409, 5, pid=4142] lib/util.c:dump_data(1899)
[000] AB 02 01 6F AA E3 15 2F ...o.../
[2004/12/06 20:03:36.498603, 3, pid=4142] smbd/negprot.c:reply_nt1(327)
not using SPNEGO
[2004/12/06 20:03:36.498710, 3, pid=4142] smbd/negprot.c:reply_negprot(549)
Selected protocol NT LM 0.12
[2004/12/06 20:03:36.498811, 5, pid=4142] smbd/negprot.c:reply_negprot(555)
negprot index=5
[2004/12/06 20:03:36.498918, 5, pid=4142] lib/util.c:show_msg(461)
[2004/12/06 20:03:36.498982, 5, pid=4142] lib/util.c:show_msg(471)
size=99
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=49153
smb_tid=0
smb_pid=65279
smb_uid=0
smb_mid=0
smt_wct=17
smb_vwv[ 0]= 5 (0x5)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]= 256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]= 65 (0x41)
smb_vwv[ 5]= 0 (0x0)
smb_vwv[ 6]= 256 (0x100)
smb_vwv[ 7]=11776 (0x2E00)
smb_vwv[ 8]= 16 (0x10)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=32995 (0x80E3)
smb_vwv[11]= 0 (0x0)
smb_vwv[12]=62284 (0xF34C)
smb_vwv[13]=48615 (0xBDE7)
smb_vwv[14]=50395 (0xC4DB)
smb_vwv[15]=34817 (0x8801)
smb_vwv[16]= 2303 (0x8FF)
smb_bcc=30
[2004/12/06 20:03:36.500113, 10, pid=4142] lib/util.c:dump_data(1899)
[000] AB 02 01 6F AA E3 15 2F 44 00 4F 00 4D 00 41 00 ...o.../ D.O.M.A.
[010] 49 00 4E 00 32 00 30 00 30 00 33 00 00 00 I.N.2.0. 0.3...
[2004/12/06 20:03:36.500380, 6, pid=4142] lib/util_sock.c:write_socket(449)
write_socket(22,103)
[2004/12/06 20:03:36.500758, 6, pid=4142] lib/util_sock.c:write_socket(452)
write_socket(22,103) wrote 103
[2004/12/06 20:03:36.513975, 10, pid=4142]
lib/util_sock.c:read_smb_length_return_keepalive(505)
got smb length of 308
[2004/12/06 20:03:36.514150, 6, pid=4142] smbd/process.c:process_smb(1091)
got message type 0x0 of len 0x134
[2004/12/06 20:03:36.514264, 3, pid=4142] smbd/process.c:process_smb(1092)
Transaction 1 of length 312
[2004/12/06 20:03:36.514366, 5, pid=4142] lib/util.c:show_msg(461)
[2004/12/06 20:03:36.514431, 5, pid=4142] lib/util.c:show_msg(471)
size=308
smb_com=0x73
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=51207
smb_tid=0
smb_pid=65279
smb_uid=0
smb_mid=64
smt_wct=13
smb_vwv[ 0]= 117 (0x75)
smb_vwv[ 1]= 246 (0xF6)
smb_vwv[ 2]=16644 (0x4104)
smb_vwv[ 3]= 50 (0x32)
smb_vwv[ 4]= 0 (0x0)
smb_vwv[ 5]= 4142 (0x102E)
smb_vwv[ 6]= 0 (0x0)
smb_vwv[ 7]= 24 (0x18)
smb_vwv[ 8]= 24 (0x18)
smb_vwv[ 9]= 0 (0x0)
smb_vwv[10]= 0 (0x0)
smb_vwv[11]= 212 (0xD4)
smb_vwv[12]= 0 (0x0)
smb_bcc=185
[2004/12/06 20:03:36.516699, 3, pid=4142] smbd/process.c:switch_message(887)
switch message SMBsesssetupX (pid 4142) conn 0x0
[2004/12/06 20:03:36.516811, 3, pid=4142] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/12/06 20:03:36.517002, 5, pid=4142]
auth/auth_util.c:debug_nt_user_token(486)
NT user token: (NULL)
[2004/12/06 20:03:36.517116, 5, pid=4142]
auth/auth_util.c:debug_unix_user_token(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/12/06 20:03:36.517296, 5, pid=4142]
smbd/uid.c:change_to_root_user(296)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/12/06 20:03:36.517442, 3, pid=4142]
smbd/sesssetup.c:reply_sesssetup_and_X(655)
wct=13 flg2=0xc807
[2004/12/06 20:03:36.517606, 3, pid=4142]
smbd/sesssetup.c:reply_sesssetup_and_X(789)
Domain=[DOMAIN2003] NativeOS=[Windows 2002 2600 Service Pack 1]
NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2004/12/06 20:03:36.517745, 10, pid=4142] lib/util.c:set_remote_arch(1874)
set_remote_arch: Client arch is 'WinXP'
[2004/12/06 20:03:36.517853, 2, pid=4142]
smbd/sesssetup.c:setup_new_vc_session(608)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/12/06 20:03:36.517957, 3, pid=4142]
smbd/sesssetup.c:reply_sesssetup_and_X(804)
sesssetupX:name=[DOMAIN2003]\[user2]@[192.168.41.244]
[2004/12/06 20:03:36.518200, 6, pid=4142]
param/loadparm.c:lp_file_list_changed(2689)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Mon Dec 6
20:01:22 2004
[2004/12/06 20:03:36.518490, 5, pid=4142]
auth/auth_util.c:make_user_info_map(225)
make_user_info_map: Mapping user [DOMAIN2003]\[user2] from workstation
[192.168.41.244]
[2004/12/06 20:03:36.521253, 10, pid=4142] lib/gencache.c:gencache_get(264)
Returning valid cache entry: key = TDOM/DOMAIN2003, value =
S-1-5-21-357967339-514352727-2020637620, timeout = Mon Dec 6 20:07:00 2004
[2004/12/06 20:03:36.521551, 5, pid=4142]
libsmb/trustdom_cache.c:trustdom_cache_fetch(190)
trusted domain DOMAIN2003 found (S-1-5-21-357967339-514352727-2020637620)
[2004/12/06 20:03:36.521732, 5, pid=4142]
auth/auth_util.c:make_user_info(133)
attempting to make a user_info for user2 (user2)
[2004/12/06 20:03:36.521850, 5, pid=4142]
auth/auth_util.c:make_user_info(143)
making strings for user2's user_info struct
[2004/12/06 20:03:36.521957, 5, pid=4142]
auth/auth_util.c:make_user_info(185)
making blobs for user2's user_info struct
[2004/12/06 20:03:36.522066, 10, pid=4142]
auth/auth_util.c:make_user_info(201)
made an encrypted user_info for user2 (user2)
[2004/12/06 20:03:36.522174, 3, pid=4142]
auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[DOMAIN2003]\[user2]@[192.168.41.244] with the new password interface
[2004/12/06 20:03:36.522288, 3, pid=4142]
>
> cheers, jerry
> - ---------------------------------------------------------------------
> Alleviating the pain of Windows(tm) ------- http://www.samba.org
> GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBtIaZIR7qMdg1EfYRAmtkAKDc2777bMGrmvw3RAEnC3DhYkTYQACeN2fy
> tMgCGnfpxdChut+G3BGX+do=
> =4ywm
> -----END PGP SIGNATURE-----
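Added example (not part of the original thread and not Samba project code): a Python sketch of the log check suggested in the reply, keeping the SMB dialect line apart from the evidence about authentication (SPNEGO state, mechanism OIDs, check_ntlm_password). The names summarize, verdict and SAMPLE are hypothetical, the pid=5001 lines are constructed, and the "Got OID" line format is an assumption.

```python
import re

# smbd debug header: "[2004/12/06 20:03:36.498603, 3, pid=4142] file.c:func(line)"
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d [\d:.]+,\s*\d+, pid=(\d+)\]")
OID = re.compile(r"OID\s+(\d+(?:[ .]\d+)+)")  # the reply's hint: look for 'OID'
MECHS = {"1.2.840.113554.1.2.2": "Kerberos 5",  # standard SPNEGO mechanism OIDs
         "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft)",
         "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def summarize(log_text):
    """Per smbd pid: SMB dialect, SPNEGO state, mechanism OIDs, NTLM check reached."""
    sessions, pid = {}, None  # lines before the first header are grouped under None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        pid = m.group(1) if m else pid
        s = sessions.setdefault(pid, {"dialect": None, "spnego": None, "mechs": [], "ntlm": False})
        if line.startswith("Selected protocol "):
            s["dialect"] = line[len("Selected protocol "):]  # SMB dialect, not auth
        elif line in ("using SPNEGO", "not using SPNEGO"):
            s["spnego"] = line == "using SPNEGO"
        s["ntlm"] |= "check_ntlm_password" in line  # header may wrap, so match anywhere
        for digits in OID.findall(line):
            dotted = ".".join(digits.replace(".", " ").split())
            s["mechs"].append(MECHS.get(dotted, dotted))
    return sessions

def verdict(s):
    if s["spnego"] is False:
        return "server did not offer SPNEGO, so Kerberos cannot be negotiated"
    if any(m.startswith("Kerberos") for m in s["mechs"]):
        return "SPNEGO with Kerberos among the mechanisms"
    return "no Kerberos OID seen"

# pid=4142: from the post. pid=5001: constructed; the "Got OID" wording is an assumption.
SAMPLE = """\
[2004/12/06 20:03:36.498603, 3, pid=4142] smbd/negprot.c:reply_nt1(327)
not using SPNEGO
[2004/12/06 20:03:36.498710, 3, pid=4142] smbd/negprot.c:reply_negprot(549)
Selected protocol NT LM 0.12
[2004/12/06 20:03:36.522174, 3, pid=4142]
auth/auth.c:check_ntlm_password(219)
[2004/12/06 20:10:00.000000, 3, pid=5001] smbd/negprot.c:reply_nt1(327)
using SPNEGO
[2004/12/06 20:10:00.000100, 3, pid=5001] smbd/negprot.c:reply_negprot(549)
Selected protocol NT LM 0.12
[2004/12/06 20:10:00.010000, 3, pid=5001]
Got OID 1 2 840 48018 1 2 2
"""
```

Both sessions report the same dialect, NT LM 0.12; only the SPNEGO state and the mechanism OIDs differ between them.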