[Samba] Re: ADS valid users can't map share
Igor Belyi
sambauser at katehok.ac93.org
Wed Oct 20 16:35:42 GMT 2004
Here's a maybe even more relevant part of the log:
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
Making default auth method list for security=ADS
If I interpret it correctly, then either KRB5 is not compiled in for
this smbd or the OID returned by ADS does not require Kerberos authentication...
Igor
Greg Adams wrote:
>That completely sucks!
>
>kinit and klist seem to work:
>*********************************************************************************************************
># kinit Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
>Password for Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM:
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
>
>Valid starting Expires Service principal
>10/20/04 09:20:13 10/20/04 19:20:14
>krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM at EDSADDDM.DDM.APM.BPM.EDS.COM
> renew until 10/21/04 09:20:13
>*********************************************************************************************************
>I don't have a krb5.conf to screw things up, on the recommendation of
>either the Official Samba Howto or the By Example document.
>*********************************************************************************************************
>Here's my smb.conf:
># cat smb.conf
>[global]
>
> workgroup = EDSADDDM
> realm = EDSADDDM.DDM.APM.BPM.EDS.COM
>
> server string = Maul Test Server
>
> log level = 2
>
> max log size = 100
>
> security = ADS
>
> local master = no
>
> os level = 0
>
> domain master = no
>
> preferred master = no
>
> wins server = 199.42.192.103
> dns proxy = no
>
> encrypt passwords = yes
>
> idmap uid = 60000-70000
> idmap gid = 80000-90000
>
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind separator = +
>
> winbind use default domain = no
>
>[space]
> comment = Space Partition Share
> path = /space
> writable = yes
> browsable = yes
> valid users = "EDSADDDM+imguser"
>*********************************************************************************************************
>So can anyone tell me what's causing Samba to use NTLM authentication
>instead of Kerberos? And how do I fix it?
>
>Greg
>
>On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
><jerry at samba.org> wrote:
>
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>Greg Adams wrote:
>>| I tried to send a level 10 log from the moment of connection to the
>>| user that should be mapped touching a file, but the attachment was too
>>| large and the messages bounced, awaiting moderator approval. So
>>| instead, I'll try to post the sections I think are relevant here:
>>|
>>| searching for spnego and username.map led me to this section:
>>|
>>*********************************************************************************************************
>>| [2004/10/18 08:19:25, 3]
>>smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>| Doing spnego session setup
>>| [2004/10/18 08:19:25, 3]
>>smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>| NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
>>| 2002 5.1] PrimaryDomain=[]
>>| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>>| Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
>>| len2=24
>>
>>NTLMSSP authentication here. Not kerberos. :-) So maybe you have
>>2 problems going on ? username map and kerberos....
>>
>>| Scanning username map /opt/samba/lib/username.map
>>| user_in_list: checking user imguser in list
>>| user_in_list: checking user |imguser| against |EDSADDDM+imguser|
>>| make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
>>| workstation [MULE]
>>
>>cheers, jerry
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.2.4 (GNU/Linux)
>>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>>iD8DBQFBdo31IR7qMdg1EfYRAsQxAKDPJvHy9xEcDFj2vs206GRyQ3nkdgCffYBy
>>zU0nasCPyhoO9pfobcZDpIo=
>>=YogI
>>-----END PGP SIGNATURE-----
>>
>>
>>
>
>
>
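Added example, not part of the original post or of Samba's code: a small parser for the `reply_spnego_negotiate` entries quoted above that names each offered mechanism OID and reports whether the client listed Kerberos first (a SPNEGO initiator lists its mechanisms in preference order). The function names and OID labels are this example's own; the sample input is the log excerpt from this message.

```python
import re

# SPNEGO mechanism OIDs in the space-separated form smbd logs them.
MECH_NAMES = {
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
    "1 2 840 48018 1 2 2": "Kerberos 5 (legacy Microsoft OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
}
# Header line of a log entry: "[date time, level] file.c:function(line)".
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*\d+\]\s+\S+:(\w+)\(\d+\)$")

# Sample input: the log excerpt quoted in the message above.
SAMPLE_LOG = """\
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
  Making default auth method list for security=ADS
"""

def parse_offers(log_text):
    """Return one ordered list of mechanism names per SPNEGO negotiate."""
    offers, current, func = [], [], None
    for line in log_text.splitlines():
        line = line.strip()
        header = HEADER.match(line)
        if header:
            func = header.group(1)
        elif func == "reply_spnego_negotiate" and line.startswith("Got OID "):
            oid = line[len("Got OID "):]
            current.append(MECH_NAMES.get(oid, "unknown OID " + oid))
        elif line.startswith("Got secblob") and current:
            offers.append(current)  # secblob line closes one negotiate
            current = []
    if current:  # log cut off before the secblob line
        offers.append(current)
    return offers

def kerberos_preferred(offer):
    """True when the first (preferred) mechanism offered is Kerberos."""
    return offer[0].startswith("Kerberos")

if __name__ == "__main__":
    for offer in parse_offers(SAMPLE_LOG):
        print(offer, "-> Kerberos preferred:", kerberos_preferred(offer))
```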