[Samba] Re: ADS valid users can't map share

Igor Belyi sambauser at katehok.ac93.org
Wed Oct 20 16:40:35 GMT 2004


Igor Belyi wrote:

> Here's maybe even more relevant part of the log:
>
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>  Got OID 1 3 6 1 4 1 311 2 2 10
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>  Got OID 1 2 840 48018 1 2 2
> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>  Got OID 1 2 840 113554 1 2 2


This OID corresponds to Kerberos authentication...
So, it could be the case that Samba is not compiled with Kerberos?..

Igor

> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>  Got secblob of size 48
> [2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
>  Making default auth method list for security=ADS
>
> If I interpret it correctly, then either KRB5 is not compiled in for
> this smbd or OID returned by ADS does not require Kerberos
> authentication...
>
> Igor
>
> Greg Adams wrote:
>
>> That completely sucks!
>>
>> kinit and klist seem to work:
>> ********************************************************************************************************* 
>>
>> # kinit Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
>> Password for Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM:
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: Administrator at EDSADDDM.DDM.APM.BPM.EDS.COM
>>
>> Valid starting     Expires            Service principal
>> 10/20/04 09:20:13  10/20/04 19:20:14  krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM at EDSADDDM.DDM.APM.BPM.EDS.COM
>>        renew until 10/21/04 09:20:13
>> ********************************************************************************************************* 
>>
>> I don't have a krb5.conf to screw things up, on the recommendation of
>> either the Official Samba Howto or the By Example document.
>> ********************************************************************************************************* 
>>
>> Here's my smb.conf:
>> # cat smb.conf
>> [global]
>>
>>       workgroup = EDSADDDM
>>       realm = EDSADDDM.DDM.APM.BPM.EDS.COM
>>
>>       server string = Maul Test Server
>>
>>       log level = 2
>>
>>       max log size = 100
>>
>>       security = ADS
>>
>>       local master = no
>>
>>       os level = 0
>>
>>       domain master = no
>>
>>       preferred master = no
>>
>>       wins server = 199.42.192.103
>>       dns proxy = no
>>
>>       encrypt passwords = yes
>>
>>       idmap uid = 60000-70000
>>       idmap gid = 80000-90000
>>
>>       winbind enum users = yes
>>       winbind enum groups = yes
>>
>>       winbind separator = +
>>
>>       winbind use default domain = no
>>
>> [space]
>>       comment = Space Partition Share
>>       path = /space
>>       writable = yes
>>       browsable = yes
>>       valid users = "EDSADDDM+imguser"
>> ********************************************************************************************************* 
>>
>> So can anyone tell me what's causing Samba to use NTLM authentication
>> instead of Kerberos? And how do I fix it?
>>
>> Greg
>>
>> On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
>> <jerry at samba.org> wrote:
>>  
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Greg Adams wrote:
>>> | I tried to send a level 10 log from the moment of connection to the
>>> | user that should be mapped touching a file, but the attachment was too
>>> | large and the messages bounced, awaiting moderator approval. So
>>> | instead, I'll try to post the sections I think are relevant here:
>>> |
>>> | searching for spnego and username.map led me to this section:
>>> |
>>> ********************************************************************************************************* 
>>>
>>> | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>> |   Doing spnego session setup
>>> | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>> |   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>>> | [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>>> |   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 len2=24
>>>
>>> NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
>>> 2 problems going on ?  username map and kerberos....
>>>
>>> |   Scanning username map /opt/samba/lib/username.map
>>> |   user_in_list: checking user imguser in list
>>> |   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
>>> |   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
>>> |      workstation [MULE]
>>>
>>> cheers, jerry
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.2.4 (GNU/Linux)
>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>>
>>> iD8DBQFBdo31IR7qMdg1EfYRAsQxAKDPJvHy9xEcDFj2vs206GRyQ3nkdgCffYBy
>>> zU0nasCPyhoO9pfobcZDpIo=
>>> =YogI
>>> -----END PGP SIGNATURE-----
>>>
>>>   
>>
>>
>>  
>>
>
>


