[Samba] Re: ADS valid users can't map share
Greg Adams
gadams at gmail.com
Wed Oct 20 16:23:57 GMT 2004
That completely sucks!
kinit and klist seem to work:
*********************************************************************************************************
# kinit Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
Password for Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
Valid starting Expires Service principal
10/20/04 09:20:13 10/20/04 19:20:14
krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM at EDSADDDM.DDM.APM.BPM.EDS.COM
renew until 10/21/04 09:20:13
*********************************************************************************************************
I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
*********************************************************************************************************
Here's my smb.conf:
# cat smb.conf
[global]
workgroup = EDSADDDM
realm = EDSADDDM.DDM.APM.BPM.EDS.COM
server string = Maul Test Server
log level = 2
max log size = 100
security = ADS
local master = no
os level = 0
domain master = no
preferred master = no
wins server = 199.42.192.103
dns proxy = no
encrypt passwords = yes
idmap uid = 60000-70000
idmap gid = 80000-90000
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
winbind use default domain = no
[space]
comment = Space Partition Share
path = /space
writable = yes
browsable = yes
valid users = "EDSADDDM+imguser"
*********************************************************************************************************
So can anyone tell me what's causing Samba to use NTLM authentication
instead of Kerberos? And how do I fix it?
Greg
On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
<jerry at samba.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Greg Adams wrote:
> | I tried to send a level 10 log from the moment of connection to the
> | user that should be mapped touching a file, but the attachment was too
> | large and the messages bounced, awaiting moderator approval. So
> | instead, I'll try to post the sections I think are relevant here:
> |
> | searching for spnego and username.map led me to this section:
> |
> *********************************************************************************************************
> | [2004/10/18 08:19:25, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
> | Doing spnego session setup
> | [2004/10/18 08:19:25, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
> | NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
> | 2002 5.1] PrimaryDomain=[]
> | [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
> | Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
> | len2=24
>
> NTLMSSP authentication here. Not kerberos. :-) So maybe you have
> 2 problems going on ? username map and kerberos....
>
> | Scanning username map /opt/samba/lib/username.map
> | user_in_list: checking user imguser in list
> | user_in_list: checking user |imguser| against |EDSADDDM+imguser|
> | make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
> | workstation [MULE]
>
> cheers, jerry
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFBdo31IR7qMdg1EfYRAsQxAKDPJvHy9xEcDFj2vs206GRyQ3nkdgCffYBy
> zU0nasCPyhoO9pfobcZDpIo=
> =YogI
> -----END PGP SIGNATURE-----
>
More information about the samba
mailing list