[Samba] Samba 3.0.8 using NT PDC for authentication - Unable to login/logon from Windows 2003 or CIFS - Partial Fix

James MacLean macleajb at ednet.ns.ca
Sun Nov 21 02:41:23 GMT 2004


James MacLean wrote:

> Hi Folks,
>
> Recently (I believe since recent 3.0.x releases), I have been unable 
> to login to a Samba instance using CIFS (Linux mount) or Windows 2003. 
> If I change the smb.conf from:
>
> security = server
> to
> security = user
>
> I _can_ login again fine. The NT PDC always replies with 
> NT_STATUS_LOGON_FAILURE. Its event viewer shows that the proper 
> username is being used, but that the password is not correct.
>
> Logging in with smbclient or 2000 or XP is fine, although possibly 
> slow as if it is trying one way, failing then trying another.
>
> Always failing at auth/auth_server.c:check_smbserver_security(363).
>
> I'm usually not too bad at digging in and at least having a clue with 
> these problems, but this time I am lost. Did Google searches, looked 
> at the archives and although I saw similar problems, they were either 
> fixed with something that didn't work here, or the question was not 
> answered :(.
>
> Any help, even to look at something obvious, appreciated,
> JES

By setting "use spnego = no" I am able to authenticate the Windows 2003 
servers against the Samba server that uses an NT4 server for 
authentication. It appears that Windows 2003 makes Samba think that it 
should use spnego to authenticate against an old NT domain :(? According 
to the man :

Unless further issues are discovered with our SPNEGO implementation, 
there is no reason this should ever be disabled.

So having now found a reason ;), I still can not log in from a Linux 
system using CIFS (smbfs is fine).

Some logging:

[2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1302)
  open_oplock_ipc: opening loopback UDP socket.
[2004/11/20 22:32:49, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
  Linux kernel oplocks enabled
[2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1333)
  open_oplock ipc: pid = 6701, global_oplock_port = 44311
[2004/11/20 22:32:49, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2004/11/20 22:32:49, 2] lib/access.c:check_access(324)
  Allowed connection from  (10.227.7.66)
[2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092)
  Transaction 0 of length 51
[2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887)
  switch message SMBnegprot (pid 6701) conn 0x0
[2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(461)
  Requested protocol [NT LM 0.12]
[2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.227.0.8 at port 445
[2004/11/20 22:32:49, 2] lib/util_sock.c:open_socket_out(789)
  error connecting to 10.227.0.8:445 (Connection refused)
[2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752)
  Connecting to 10.227.0.8 at port 139
[2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(75)
  connected to password server MYSERVER
[2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(100)
  got session
[2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(133)
  password server OK
[2004/11/20 22:32:49, 3] auth/auth_server.c:auth_get_challenge_server(183)
  using password server validation
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_nt1(327)
  not using SPNEGO
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(549)
  Selected protocol NT LM 0.12
[2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092)
  Transaction 1 of length 220
[2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887)
  switch message SMBsesssetupX (pid 6701) conn 0x0
[2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=13 flg2=0xc001
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789)
  Domain=[EDUC]  NativeOS=[Linux version 2.6.10-rc1] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[]
[2004/11/20 22:32:49, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804)
  sesssetupX:name=[EDUC]\[macleajb]@[10.227.7.66]
[2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [MYDOMAIN]\[JUSTME]@[10.0.0.1] withthe new password interface
[2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[JUSTME]@[10.0.0.1]
[2004/11/20 22:32:55, 1] auth/auth_server.c:check_smbserver_security(363)
  password server MYSERVER rejected the password
[2004/11/20 22:32:55, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [JUSTME] -> [JUSTME] FAILED with error NT_STATUS_LOGON_FAILURE
[2004/11/20 22:32:55, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2004/11/20 22:32:55, 3] smbd/process.c:timeout_processing(1337)
  timeout_processing: End of file from client (client has disconnected).
[2004/11/20 22:32:55, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/11/20 22:32:55, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not exist.
[2004/11/20 22:32:55, 3] smbd/server.c:exit_server(614)
  Server exit (normal exit)

Anyone explain this? Even just an ACK to say I'm way off the deep end 
and sinking quickly :)?

thanks,
JES
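
Added example, not part of the original post: a small Python triage script for smbd level 3 logs like the one above. It pulls out whether SPNEGO was negotiated, the client's NativeLanMan string, whether the password server rejected the logon, and how long the pass-through check took. The sample log is constructed in the post's format, and the function names and the record layout are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the post's log format; one record is wrapped as mail clients wrap it.
SAMPLE_LOG = """\
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_nt1(327)
  not using SPNEGO
[2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789)
  Domain=[EXAMPLE]  NativeOS=[Linux version 2.6.10-rc1] NativeLanMan=[CIFS
VFS Client for Linux] PrimaryDomain=[]
[2004/11/20 22:32:55, 1] auth/auth_server.c:check_smbserver_security(363)
  password server MYSERVER rejected the password
[2004/11/20 22:32:55, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [JUSTME] -> [JUSTME] FAILED with error NT_STATUS_LOGON_FAILURE
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+\d+\]\s+\S+:(\w+)\(\d+\)$")

def parse_records(text):
    """Return (timestamp, function, message) tuples, one per log record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            records.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2), ""])
        elif records and line.strip():
            # Message body; unindented continuation lines (mail wrapping) are joined too.
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def summarize(records):
    """Collect the fields needed to triage a security = server logon failure."""
    out = {"spnego": None, "lanman": None, "user": None, "error": None,
           "server_rejected": False, "auth_seconds": None}
    start = None
    for ts, func, msg in records:
        if func == "reply_nt1" and "SPNEGO" in msg:
            # Assumption: any reply_nt1 SPNEGO message other than "not using" means in use.
            out["spnego"] = not msg.startswith("not using")
        elif func == "reply_sesssetup_and_X" and (m := re.search(r"NativeLanMan=\[(.*?)\]", msg)):
            out["lanman"], start = m.group(1), ts
        elif func == "check_smbserver_security" and "rejected the password" in msg:
            out["server_rejected"] = True
        elif func == "check_ntlm_password" and (m := re.search(r"user \[(.*?)\].*FAILED with error (\w+)", msg)):
            out["user"], out["error"] = m.group(1), m.group(2)
            out["auth_seconds"] = (ts - start).total_seconds() if start else None
    return out

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE_LOG)))
```

Running it over one log per client type (CIFS VFS, smbfs, Windows 2003) puts the SPNEGO decision and the password server verdict side by side for comparison.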

