[Samba] Samba 3.0.8 using NT PDC for authentication - Unable to login/logon from Windows 2003 or CIFS - no guest too

James MacLean macleajb at ednet.ns.ca
Fri Nov 26 10:52:38 GMT 2004


James MacLean wrote:

> James MacLean wrote:
>
>> Hi Folks,
>>
>> Recently (I believe since recent 3.0.x releases), I have been unable 
>> to login to a Samba instance using CIFS (Linux mount) or Windows 
>> 2003. If I change the smb.conf from:
>>
>> security = server
>> to
>> security = user
>>
>> I _can_ login again fine. The NT PDC always replies with 
>> NT_STATUS_LOGON_FAILURE. Its event viewer shows that the proper
>> username is being used, but that the password is not correct.
>>
>> Logging in with smbclient or 2000 or XP is fine, although possibly 
>> slow as if it is trying one way, failing then trying another.
>>
>> Always failing at auth/auth_server.c:check_smbserver_security(363).
>>
>> I'm usually not too bad at digging in and at least having a clue with 
>> these problems, but this time I am lost. Did Google searches, looked 
>> at the archives and although I saw similar problems, they were
>> either fixed with something that didn't work here, or the question 
>> was not answered :(.
>>
>> Any help, even to look at something obvious, appreciated,
>> JES
>
>
> By setting "use spnego = no" I am able to authenticate the Windows 
> 2003 servers against the Samba server that uses an NT4 server for 
> authentication. It appears that Windows 2003 makes Samba think that it 
> should use spnego to authenticate against an old NT domain :(? 
> According to the man :
>
> Unless further issues are discovered with our SPNEGO implementation, 
> there is no reason this should ever be disabled.
>
> So having now found a reason ;), I still can not log in from a Linux 
> system using CIFS (smbfs is fine).
>
> Some logging:
>
> [2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1302)
>  open_oplock_ipc: opening loopback UDP socket.
> [2004/11/20 22:32:49, 3] 
> smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
>  Linux kernel oplocks enabled
> [2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1333)
>  open_oplock ipc: pid = 6701, global_oplock_port = 44311
> [2004/11/20 22:32:49, 3] lib/access.c:check_access(313)
>  check_access: no hostnames in host allow/deny list.
> [2004/11/20 22:32:49, 2] lib/access.c:check_access(324)
>  Allowed connection from  (10.227.7.66)
> [2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092)
>  Transaction 0 of length 51
> [2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887)
>  switch message SMBnegprot (pid 6701) conn 0x0
> [2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(461)
>  Requested protocol [NT LM 0.12]
> [2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752)
>  Connecting to 10.227.0.8 at port 445
> [2004/11/20 22:32:49, 2] lib/util_sock.c:open_socket_out(789)
>  error connecting to 10.227.0.8:445 (Connection refused)
> [2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752)
>  Connecting to 10.227.0.8 at port 139
> [2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(75)
>  connected to password server MYSERVER
> [2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(100)
>  got session
> [2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(133)
>  password server OK
> [2004/11/20 22:32:49, 3] 
> auth/auth_server.c:auth_get_challenge_server(183)
>  using password server validation
> [2004/11/20 22:32:49, 3] smbd/negprot.c:reply_nt1(327)
>  not using SPNEGO
> [2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(549)
>  Selected protocol NT LM 0.12
> [2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092)
>  Transaction 1 of length 220
> [2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887)
>  switch message SMBsesssetupX (pid 6701) conn 0x0
> [2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>  wct=13 flg2=0xc001
> [2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789)
>  Domain=[EDUC]  NativeOS=[Linux version 2.6.10-rc1] NativeLanMan=[CIFS 
> VFS Client for Linux] PrimaryDomain=[]
> [2004/11/20 22:32:49, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
> all old resources.
> [2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804)
>  sesssetupX:name=[EDUC]\[macleajb]@[10.227.7.66]
> [2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(219)
>  check_ntlm_password:  Checking password for unmapped user 
> [MYDOMAIN]\[JUSTME]@[10.0.0.1] withthe new password interface
> [2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(222)
>  check_ntlm_password:  mapped user is: [MYDOMAIN]\[JUSTME]@[10.0.0.1]
> [2004/11/20 22:32:55, 1] auth/auth_server.c:check_smbserver_security(363)
>  password server MYSERVER rejected the password
> [2004/11/20 22:32:55, 2] auth/auth.c:check_ntlm_password(312)
>  check_ntlm_password:  Authentication for user [JUSTME] -> [JUSTME] 
> FAILED with error NT_STATUS_LOGON_FAILURE
> [2004/11/20 22:32:55, 3] smbd/error.c:error_packet(129)
>  error packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) 
> NT_STATUS_LOGON_FAILURE
> [2004/11/20 22:32:55, 3] smbd/process.c:timeout_processing(1337)
>  timeout_processing: End of file from client (client has disconnected).
> [2004/11/20 22:32:55, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/11/20 22:32:55, 2] smbd/server.c:exit_server(571)
>  Closing connections
> [2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(69)
>  Yielding connection to
> [2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(76)
>  yield_connection: tdb_delete for name  failed with error Record does 
> not exist.
> [2004/11/20 22:32:55, 3] smbd/server.c:exit_server(614)
>  Server exit (normal exit)
>
> Anyone explain this? Even just an ACK to say I'm way off the deep end
> and sinking quickly :)?
>
> thanks,
> JES

Also, using an NT PDC to authenticate against means that my guest access 
fails using calls such as :

mount -t cifs //server/share /mnt/share -oguest

i.e.:

[2004/11/23 15:37:16, 1] smbd/service.c:make_connection_snum(648)
  me (10.0.0.2) connect to service install initially as user nobody 
(uid=999, gid=999)(pid 14072)
[2004/11/23 15:37:19, 1] smbd/service.c:close_cnum(836)
  me (10.0.0.2) closed connection to service install
[2004/11/25 15:03:17, 1] auth/auth_server.c:check_smbserver_security(363)
  password server NT_SERVER rejected the password

JES
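
An added example, not part of the original post and not Samba code: a small Python parser for the smbd debug-log format quoted above that rejoins mail-wrapped records and reports each failed logon with the password server that rejected it. The sample log is constructed from lines in the post (unquoted, without the "> " prefixes), and `parse_records` and `failed_logons` are hypothetical helper names.

```python
import re

# Record header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(\S*)$")
REJECT = re.compile(r"password server (\S+) rejected the password")
FAILED = re.compile(r"user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (\S+)")

# Constructed sample in the format quoted above, including mail-wrapped lines.
SAMPLE_LOG = """\
[2004/11/20 22:32:49, 3] smbd/negprot.c:reply_nt1(327)
  not using SPNEGO
[2004/11/20 22:32:55, 1]
auth/auth_server.c:check_smbserver_security(363)
  password server MYSERVER rejected the password
[2004/11/20 22:32:55, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [JUSTME] -> [JUSTME]
FAILED with error NT_STATUS_LOGON_FAILURE
"""

def parse_records(text):
    """Pair each header with its message, rejoining lines the mailer wrapped."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "msg": ""})
        elif line and records:
            rec = records[-1]
            if not rec["where"]:  # header was split before the source location
                rec["where"] = line
            else:
                rec["msg"] = (rec["msg"] + " " + line).strip()
    return records

def failed_logons(text):
    """One entry per failed logon: user, status, rejecting server, SPNEGO state."""
    failures, server, spnego = [], None, None
    for rec in parse_records(text):
        if rec["msg"] == "not using SPNEGO":
            spnego = False  # only the negative message appears on the page
        elif (m := REJECT.search(rec["msg"])):
            server = m.group(1)
        elif (m := FAILED.search(rec["msg"])):
            failures.append({"time": rec["time"], "user": m.group(1),
                             "status": m.group(2), "server": server,
                             "spnego": spnego})
            server = None
    return failures
```

A rejection that is not followed by an "Authentication for user ... FAILED" record, as in the guest-mount log above, produces no entry; `spnego` stays `None` when the negotiation record is absent.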

