[Samba] Re: ADS valid users can't map share
Igor Belyi
sambauser at katehok.ac93.org
Wed Oct 20 16:40:35 GMT 2004
Igor Belyi wrote:
> Here's maybe even more relevant part of the log:
>
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> Got OID 1 3 6 1 4 1 311 2 2 10
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> Got OID 1 2 840 48018 1 2 2
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
> Got OID 1 2 840 113554 1 2 2
This OID corresponds to Kerberos authentication...
So, it could be the case that Samba is not compiled with Kerberos?..
Igor
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
> Got secblob of size 48
> [2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
> Making default auth method list for security=ADS
>
> If I interpret it correctly, then either KRB5 is not compiled in for
> this smbd or OID returned by ADS does not require Kerberos
> authentication...
>
> Igor
>
> Greg Adams wrote:
>
>> That completely sucks!
>>
>> kinit and klist seem to work:
>> *********************************************************************************************************
>>
>> # kinit Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM
>> Password for Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM:
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM
>>
>> Valid starting     Expires            Service principal
>> 10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM@EDSADDDM.DDM.APM.BPM.EDS.COM
>>         renew until 10/21/04 09:20:13
>> *********************************************************************************************************
>>
>> I don't have a krb5.conf to screw things up, on the recommendation of
>> either the Official Samba Howto or the By Example document.
>> *********************************************************************************************************
>>
>> Here's my smb.conf:
>> # cat smb.conf
>> [global]
>>
>> workgroup = EDSADDDM
>> realm = EDSADDDM.DDM.APM.BPM.EDS.COM
>>
>> server string = Maul Test Server
>>
>> log level = 2
>>
>> max log size = 100
>>
>> security = ADS
>>
>> local master = no
>>
>> os level = 0
>>
>> domain master = no
>>
>> preferred master = no
>>
>> wins server = 199.42.192.103
>> dns proxy = no
>>
>> encrypt passwords = yes
>>
>> idmap uid = 60000-70000
>> idmap gid = 80000-90000
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> winbind separator = +
>>
>> winbind use default domain = no
>>
>> [space]
>> comment = Space Partition Share
>> path = /space
>> writable = yes
>> browsable = yes
>> valid users = "EDSADDDM+imguser"
>> *********************************************************************************************************
>>
>> So can anyone tell me what's causing Samba to use NTLM authentication
>> instead of Kerberos? And how do I fix it?
>>
>> Greg
>>
>> On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
>> <jerry at samba.org> wrote:
>>
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Greg Adams wrote:
>>> | I tried to send a level 10 log from the moment of connection to the
>>> | user that should be mapped touching a file, but the attachment was too
>>> | large and the messages bounced, awaiting moderator approval. So
>>> | instead, I'll try to post the sections I think are relevant here:
>>> |
>>> | searching for spnego and username.map led me to this section:
>>> |
>>> *********************************************************************************************************
>>>
>>> | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>> | Doing spnego session setup
>>> | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>> | NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>>> | [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>>> | Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
>>>
>>> NTLMSSP authentication here. Not kerberos. :-) So maybe you have
>>> 2 problems going on ? username map and kerberos....
>>>
>>> | Scanning username map /opt/samba/lib/username.map
>>> | user_in_list: checking user imguser in list
>>> | user_in_list: checking user |imguser| against |EDSADDDM+imguser|
>>> | make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
>>> | workstation [MULE]
>>>
>>> cheers, jerry
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.2.4 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>>
>>> iD8DBQFBdo31IR7qMdg1EfYRAsQxAKDPJvHy9xEcDFj2vs206GRyQ3nkdgCffYBy
>>> zU0nasCPyhoO9pfobcZDpIo=
>>> =YogI
>>> -----END PGP SIGNATURE-----
>>>
>>>
>>
>>
>>
>>
>
>
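
Added example, not part of the original thread and not Samba code: a small Python check that names the SPNEGO mechanism OIDs logged by smbd and flags a session set up with NTLMSSP although a Kerberos mechanism was offered. The sample log is constructed by joining lines quoted in this thread; the function name `analyze` and the result field names are assumptions.

```python
import re

# SPNEGO mechanism OIDs, written the way smbd logs them (space-separated arcs).
MECHS = {
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",
    "1 2 840 48018 1 2 2": "MS-KRB5",   # legacy Microsoft Kerberos 5 OID
    "1 2 840 113554 1 2 2": "KRB5",
}
KERBEROS = {"MS-KRB5", "KRB5"}
OID_RE = re.compile(r"Got OID ((?:\d+ )*\d+)")
NTLM_RE = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")

def analyze(log_text):
    """Summarise which mechanisms the client offered and whether NTLMSSP was used."""
    offered, ntlm_logins, in_ntlmssp = [], [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # smbd header line: [time, level] file:function(line)
            in_ntlmssp = "ntlmssp_server_auth" in line
            continue
        m = OID_RE.search(line)
        if m:
            name = MECHS.get(m.group(1), "unknown (" + m.group(1) + ")")
            if name not in offered:
                offered.append(name)
        m = NTLM_RE.search(line)
        if m and in_ntlmssp:
            ntlm_logins.append(dict(zip(("user", "domain", "workstation"), m.groups())))
    return {
        "offered": offered,
        "ntlm_logins": ntlm_logins,
        # Kerberos was on offer, yet the session was authenticated with NTLMSSP.
        "ntlm_fallback": bool(KERBEROS & set(offered)) and bool(ntlm_logins),
    }

# Constructed sample: log lines quoted in this thread, joined into one excerpt.
SAMPLE = """\
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
  Got OID 1 2 840 113554 1 2 2
[2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```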