[Samba] Re: ADS valid users can't map share

Greg Adams gadams at gmail.com
Wed Oct 20 16:23:57 GMT 2004


That completely sucks!

kinit and klist seem to work:
*********************************************************************************************************
# kinit Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM
Password for Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM

Valid starting     Expires            Service principal
10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM@EDSADDDM.DDM.APM.BPM.EDS.COM
        renew until 10/21/04 09:20:13
*********************************************************************************************************
I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
*********************************************************************************************************
Here's my smb.conf:
# cat smb.conf
[global]

       workgroup = EDSADDDM
       realm = EDSADDDM.DDM.APM.BPM.EDS.COM

       server string = Maul Test Server

       log level = 2

       max log size = 100

       security = ADS

       local master = no

       os level = 0

       domain master = no

       preferred master = no

       wins server = 199.42.192.103
       dns proxy = no

       encrypt passwords = yes

       idmap uid = 60000-70000
       idmap gid = 80000-90000

       winbind enum users = yes
       winbind enum groups = yes

       winbind separator = +

       winbind use default domain = no

[space]
       comment = Space Partition Share
       path = /space
       writable = yes
       browsable = yes
       valid users = "EDSADDDM+imguser"
*********************************************************************************************************
So can anyone tell me what's causing Samba to use NTLM authentication
instead of Kerberos? And how do I fix it?

Greg

On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
<jerry at samba.org> wrote:
> Greg Adams wrote:
> | I tried to send a level 10 log from the moment of connection to the
> | user that should be mapped touching a file, but the attachment was too
> | large and the messages bounced, awaiting moderator approval. So
> | instead, I'll try to post the sections I think are relevant here:
> |
> | searching for spnego and username.map led me to this section:
> |
> | *********************************************************************************************************
> | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
> |   Doing spnego session setup
> | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
> |   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
> | [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
> |   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
> 
> NTLMSSP authentication here.  Not Kerberos.  :-)  So maybe you have
> 2 problems going on?  username map and Kerberos....
> 
> |   Scanning username map /opt/samba/lib/username.map
> |   user_in_list: checking user imguser in list
> |   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
> |   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from workstation [MULE]
> 
> cheers, jerry
>
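
The log reading from the quoted reply, as an added example that is not code from the thread or from Samba: it groups smbd log headers with their message lines and lists every session setup handled by ntlmssp_server_auth, i.e. NTLMSSP rather than Kerberos. The names parse_records and ntlmssp_logons are hypothetical, the sample log is the excerpt quoted above with wrapped lines rejoined, and joining domain and user with the winbind separator is only a convenience for comparing against the posted "valid users" line.

```python
import re

# Log excerpt quoted in the thread above, wrapped lines rejoined.
SAMPLE_LOG = """\
[2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
"""

# "[timestamp, level] source.c:function(line)" header that starts each record.
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)
# Message logged by the NTLMSSP server code once it has the client's identity.
NTLM_USER = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]"
)

def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def ntlmssp_logons(text, separator="+"):
    """Return session setups that went through the NTLMSSP code path."""
    hits = []
    for rec in parse_records(text):
        if rec["func"] != "ntlmssp_server_auth":
            continue
        m = NTLM_USER.search(rec["msg"])
        if m:
            # Assumption: qualified name built with the winbind separator from smb.conf.
            account = f'{m["domain"]}{separator}{m["user"]}'
            hits.append({"time": rec["ts"], "workstation": m["ws"], "account": account})
    return hits

if __name__ == "__main__":
    for hit in ntlmssp_logons(SAMPLE_LOG):
        print("NTLMSSP logon:", hit)
```
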

