[Samba] Re: ADS valid users can't map share

Igor Belyi sambauser at katehok.ac93.org
Wed Oct 20 16:35:42 GMT 2004


Here's maybe an even more relevant part of the log:

[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
  Making default auth method list for security=ADS

If I interpret it correctly, then either KRB5 is not compiled in for 
this smbd or the OID returned by ADS does not require Kerberos authentication...

Igor

Greg Adams wrote:

>That completely sucks!
>
>kinit and klist seem to work:
>*********************************************************************************************************
># kinit Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
>Password for Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM:
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
>
>Valid starting     Expires            Service principal
>10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM at EDSADDDM.DDM.APM.BPM.EDS.COM
>        renew until 10/21/04 09:20:13
>*********************************************************************************************************
>I don't have a krb5.conf to screw things up, on the recommendation of
>either the Official Samba Howto or the By Example document.
>*********************************************************************************************************
>Here's my smb.conf:
># cat smb.conf
>[global]
>
>       workgroup = EDSADDDM
>       realm = EDSADDDM.DDM.APM.BPM.EDS.COM
>
>       server string = Maul Test Server
>
>       log level = 2
>
>       max log size = 100
>
>       security = ADS
>
>       local master = no
>
>       os level = 0
>
>       domain master = no
>
>       preferred master = no
>
>       wins server = 199.42.192.103
>       dns proxy = no
>
>       encrypt passwords = yes
>
>       idmap uid = 60000-70000
>       idmap gid = 80000-90000
>
>       winbind enum users = yes
>       winbind enum groups = yes
>
>       winbind separator = +
>
>       winbind use default domain = no
>
>[space]
>       comment = Space Partition Share
>       path = /space
>       writable = yes
>       browsable = yes
>       valid users = "EDSADDDM+imguser"
>*********************************************************************************************************
>So can anyone tell me what's causing Samba to use NTLM authentication
>instead of Kerberos? And how do I fix it?
>
>Greg
>
>On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
><jerry at samba.org> wrote:
>  
>
>>
>>Greg Adams wrote:
>>| I tried to send a level 10 log from the moment of connection to the
>>| user that should be mapped touching a file, but the attachment was too
>>| large and the messages bounced, awaiting moderator approval. So
>>| instead, I'll try to post the sections I think are relevant here:
>>|
>>| searching for spnego and username.map led me to this section:
>>|
>>*********************************************************************************************************
>>| [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>|   Doing spnego session setup
>>| [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>|   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>>| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>>|   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
>>
>>NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
>>2 problems going on ?  username map and kerberos....
>>
>>|   Scanning username map /opt/samba/lib/username.map
>>|   user_in_list: checking user imguser in list
>>|   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
>>|   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from workstation [MULE]
>>
>>cheers, jerry
>>
>>    
>>
>
>  
>
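
As an added example (not part of the original messages and not Samba's own code), this Python script parses smbd log records in the format quoted in this thread, names the SPNEGO mechanism OIDs in the order they were logged, and lists the users that went through NTLMSSP. The OID names are the standard registrations; the function names and the sample input, assembled from the two excerpts above, are assumptions of this example.

```python
import re

# Well-known SPNEGO mechanism OIDs, space-separated the way smbd logs them.
MECHS = {
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
    "1 2 840 48018 1 2 2": "Kerberos 5 (legacy Microsoft OID)",
    "1 2 840 113554 1 2 2": "Kerberos 5",
}
# Header line: "[date time, level] source.c:function(line)"
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*\d+\]\s+\S+:(\w+)\(\d+\)")

def parse_records(text):
    """Yield (function, message); a record is a header plus indented lines."""
    func, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if func is not None:
                yield func, " ".join(body)
            func, body = m.group(1), []
        elif func is not None and line.strip():
            body.append(line.strip())
    if func is not None:
        yield func, " ".join(body)

def summarize(text):
    """Return mechanisms offered (in logged order) and NTLMSSP-authenticated users."""
    offered, ntlm_users = [], []
    for func, msg in parse_records(text):
        if func == "reply_spnego_negotiate" and msg.startswith("Got OID "):
            oid = msg[len("Got OID "):]
            offered.append(MECHS.get(oid, "unknown (" + oid + ")"))
        elif func == "ntlmssp_server_auth":
            m = re.search(r"user=\[([^\]]*)\] domain=\[([^\]]*)\]", msg)
            if m:
                ntlm_users.append(m.group(2) + "\\" + m.group(1))
    return {"offered": offered, "ntlmssp_users": ntlm_users}

# Constructed sample: records taken from the two log excerpts in this thread.
SAMPLE = """[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
  Got secblob of size 48
[2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24"""
print(summarize(SAMPLE))
```

A non-empty `ntlmssp_users` list on a `security = ADS` server is the signal discussed in this thread: the session was authenticated with NTLMSSP rather than Kerberos.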


