[Samba] Re: ADS valid users can't map share

Greg Adams gadams at gmail.com
Wed Oct 20 16:07:12 GMT 2004


I tried to send a level 10 log from the moment of connection to the
user that should be mapped touching a file, but the attachment was too
large and the messages bounced, awaiting moderator approval. So
instead, I'll try to post the sections I think are relevant here:

Searching for spnego and username.map led me to this section:
*********************************************************************************************************
[2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
[2004/10/18 08:19:25, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(66)
  auth_context challenge set by NTLMSSP callback (NTLM2)
[2004/10/18 08:19:25, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(67)
  challenge is:
[2004/10/18 08:19:25, 5] lib/util.c:dump_data(1835)
  [000] C7 63 4B 45 C2 48 96 F8                           .cKE.H..
[2004/10/18 08:19:25, 6] param/loadparm.c:lp_file_list_changed(2681)
  lp_file_list_changed()
  file /opt/samba/lib/smb.conf -> /opt/samba/lib/smb.conf  last mod_time: Mon Oct 18 07:57:06 2004

[2004/10/18 08:19:25, 4] lib/username.c:map_username(132)
  Scanning username map /opt/samba/lib/username.map
[2004/10/18 08:19:25, 10] lib/username.c:user_in_list(529)
  user_in_list: checking user imguser in list
[2004/10/18 08:19:25, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |imguser| against |EDSADDDM+imguser|
[2004/10/18 08:19:25, 10] lib/username.c:user_in_list(610)
  user_in_list: checking if user |imguser| is in winbind group |EDSADDDM+imguser|
[2004/10/18 08:19:26, 5] auth/auth_util.c:make_user_info_map(225)
  make_user_info_map: Mapping user [EDSADDDM]\[imguser] from workstation [MULE]
[2004/10/18 08:19:26, 10] lib/gencache.c:gencache_get(264)
  Returning valid cache entry: key = TDOM/EDSADDDM, value = S-1-5-21-764805150-3330113275-1486279211, timeout = Mon Oct 18 08:24:08 2004
*********************************************************************************************************

From "checking user |imguser| against |EDSADDDM+imguser|", when
EDSADDDM+imguser is in my username.map, it would appear that the
domain (EDSADDDM) is not being passed. How can I tell from the level
10 log if I'm using NTLM or Kerberos authentication? Specifically,
what can I search through the log for in order to find a section to
post?

Thanks for all your help.

Greg

On Wed, 20 Oct 2004 10:42:12 -0500, Gerald (Jerry) Carter
<jerry at samba.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greg Adams wrote:
> | I'm sorry, I still don't quite follow you.
> |
> | I have "security = ads", and, as far as I can tell,
> | a working kerberos installation, so that means I'm
> | using kerberos authentication, right?
> 
> Correct.
> 
> | From the messages above, that means samba should
> | be honoring the domain portion of entries in the
> | username map, which it is not doing. Or am I
> | using NTLM authentication for some weird reason?
> 
> smbd should be honoring entries like
> 
>         jerry = AD\gcarter
> 
> You can check a level 10 smbd debug log to verify that
> the krb5 SPNEGO login is working.
> 
> I'll work on getting the NTLM/username map functionality fixed.
> 
> 
> cheers, jerry
> - ---------------------------------------------------------------------
> Alleviating the pain of Windows(tm)      ------- http://www.samba.org
> GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFBdodUIR7qMdg1EfYRAsoNAKDfDj12mHbQtIByveM8h5GMhYJK2QCfeo9g
> HmSadb1FMvxE59cwtY+BcjA=
> =V897
> -----END PGP SIGNATURE-----
>
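An added example, not part of the original thread and not Samba project code: a small parser for the smbd debug log format shown in the excerpt above. It reports session setups that logged from `ntlmssp.c` (evidence that NTLMSSP handled the login) and username map comparisons where the map entry carries a domain prefix but the name being checked does not. The `+` separator is an assumption taken from the `EDSADDDM+imguser` entry in the message; the sample log is constructed from the excerpt's own lines.

```python
import re

# Constructed sample: entries copied from the log excerpt in the message above.
SAMPLE_LOG = """\
[2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
[2004/10/18 08:19:25, 10] lib/username.c:user_in_list(533)
  user_in_list: checking user |imguser| against |EDSADDDM+imguser|
"""

# Header line: [timestamp, level] source_file:function(line_number)
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
NTLM_USER = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\]")
MAP_CHECK = re.compile(r"checking user \|(.*?)\| against \|(.*?)\|")

def parse_entries(text):
    """Split an smbd debug log into entries: a header line plus its body lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "body": []})
        elif entries and raw.strip():
            entries[-1]["body"].append(raw.strip())
    for e in entries:
        e["body"] = " ".join(e["body"])
    return entries

def summarize(text, sep="+"):
    """Collect NTLMSSP logins and map checks where the domain prefix is missing."""
    ntlmssp, dropped = [], []
    for e in parse_entries(text):
        if e["src"].endswith("ntlmssp.c"):
            m = NTLM_USER.search(e["body"])
            if m:
                ntlmssp.append((m.group(2), m.group(1)))  # (domain, user)
        m = MAP_CHECK.search(e["body"])
        # Map entry is domain-qualified, but the candidate name is not.
        if m and sep in m.group(2) and sep not in m.group(1):
            dropped.append((m.group(1), m.group(2)))
    return {"ntlmssp_logins": ntlmssp, "domain_dropped": dropped}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```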

