[Samba] Re: ADS valid users can't map share

Igor Belyi sambauser at katehok.ac93.org
Wed Oct 20 16:44:11 GMT 2004


Igor Belyi wrote:

> Igor Belyi wrote:
>
>> Here's maybe an even more relevant part of the log:
>>
>> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>  Got OID 1 3 6 1 4 1 311 2 2 10
>> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>  Got OID 1 2 840 48018 1 2 2
>> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
>>  Got OID 1 2 840 113554 1 2 2
>
>
>
> This OID corresponds to Kerberos authentication...
> So, it could be the case that Samba is not compiled with Kerberos?..


No, wait! Samba checks only the first OID! And this is the reason for NTLM!
Here's the comment from source/smbd/sesssetup.c:

        /* only look at the first OID for determining the mechToken --
           according to RFC2478, we should choose the one we want
           and renegotiate, but i smell a client bug here..

           Problem observed when connecting to a member (samba box)
           of an AD domain as a user in a Samba domain.  Samba member
           server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
           client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
           NTLMSSP mechtoken.                 --jerry              */

Jerry, that's your comment, right? :)

Igor
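Added example (not Samba code and not part of the original post): it reconstructs the SPNEGO mechTypes list behind the "Got OID ..." lines quoted above and contrasts the "first OID only" shortcut described in the sesssetup.c comment with the RFC 2478 rule that the server picks its own preferred mechanism from the client's list and renegotiates when that is not the one the optimistic mechToken was built for. The DER bytes and the client/server preference orders are constructed here from the three OIDs in the log and the ntlmssp/mskrb5/krb5 ordering in the comment; the function and field names are this example's own.

```python
"""Added example: SPNEGO mechTypes decoding and mechanism selection.
Not Samba code. The mechTypes bytes are constructed from the OIDs in the
quoted log, not captured from the poster's server."""
from dataclasses import dataclass
from typing import List, Optional

# Mechanism OIDs as they appear in the quoted smbd log (dotted form).
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
MECH_NAMES = {OID_NTLMSSP: "ntlmssp", OID_MS_KRB5: "mskrb5", OID_KRB5: "krb5"}


def oid_to_der(oid: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length is enough here)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128 octets, high bit set on every octet except the last
        octets = [arc & 0x7F]
        arc >>= 7
        while arc:
            octets.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(octets))
    return bytes([0x06, len(body)]) + bytes(body)


def mechtypes_to_der(oids: List[str]) -> bytes:
    """SEQUENCE OF OID, the shape of NegTokenInit.mechTypes."""
    inner = b"".join(oid_to_der(o) for o in oids)
    return bytes([0x30, len(inner)]) + inner


def der_to_oid(body: bytes) -> str:
    """Decode the content octets of an OID back to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_mechtypes(der: bytes) -> List[str]:
    """Walk a SEQUENCE OF OID and return the OIDs in wire order."""
    if der[0] != 0x30:
        raise ValueError("mechTypes is not a SEQUENCE")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        tag, length = der[pos], der[pos + 1]
        if tag != 0x06:
            raise ValueError("non-OID element in mechTypes")
        oids.append(der_to_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids


def log_lines(oids: List[str]) -> List[str]:
    """Render OIDs the way the quoted log does: arcs separated by spaces."""
    return ["Got OID " + o.replace(".", " ") for o in oids]


@dataclass
class Choice:
    mech: Optional[str]            # selected mechanism OID, None if no overlap
    optimistic_token_usable: bool  # NegTokenInit.mechToken belongs to mechTypes[0]
    renegotiate: bool              # server must answer accept-incomplete + supportedMech


def choose_first_only(client: List[str], server_supported: List[str]) -> Choice:
    """The shortcut in the quoted comment: trust mechTypes[0] and its token."""
    first = client[0]
    if first not in server_supported:
        return Choice(None, False, False)
    return Choice(first, True, False)


def choose_rfc2478(client: List[str], server_prefs: List[str]) -> Choice:
    """Server takes its most preferred mechanism that the client offered; the
    optimistic mechToken is only valid if that mechanism is the client's first."""
    for mech in server_prefs:
        if mech in client:
            return Choice(mech, mech == client[0], mech != client[0])
    return Choice(None, False, False)


if __name__ == "__main__":
    # Constructed: the 2ksp3 ordering from the quoted comment (ntlmssp/mskrb5/krb5).
    wire = mechtypes_to_der([OID_NTLMSSP, OID_MS_KRB5, OID_KRB5])
    client = parse_mechtypes(wire)
    print("\n".join(log_lines(client)))
    # Constructed: a server that prefers Kerberos, as an ADS member would.
    server_prefs = [OID_KRB5, OID_MS_KRB5, OID_NTLMSSP]
    print("first-only picks:", MECH_NAMES[choose_first_only(client, server_prefs).mech])
    print("rfc2478 picks:", choose_rfc2478(client, server_prefs))
```

With the client list ordered ntlmssp first, `choose_first_only` lands on NTLMSSP and uses the mechToken as-is, which is the behaviour the log above shows; `choose_rfc2478` selects krb5 but cannot use the NTLMSSP token, so the server would have to reply accept-incomplete naming krb5 as supportedMech and wait for a fresh Kerberos token, which is the renegotiation the comment says the code avoids.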

>> [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
>>  Got secblob of size 48
>> [2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
>>  Making default auth method list for security=ADS
>>
>> If I interpret it correctly, then either KRB5 is not compiled in for 
>> this smbd or the OID returned by ADS does not require Kerberos 
>> authentication...
>>
>> Igor
>>
>> Greg Adams wrote:
>>
>>> That completely sucks!
>>>
>>> kinit and klist seem to work:
>>> ********************************************************************************************************* 
>>>
>>> # kinit Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM
>>> Password for Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM:
>>> # klist
>>> Ticket cache: FILE:/tmp/krb5cc_0
>>> Default principal: Administrator@EDSADDDM.DDM.APM.BPM.EDS.COM
>>>
>>> Valid starting     Expires            Service principal
>>> 10/20/04 09:20:13  10/20/04 19:20:14 
>>> krbtgt/EDSADDDM.DDM.APM.BPM.EDS.COM@EDSADDDM.DDM.APM.BPM.EDS.COM
>>>        renew until 10/21/04 09:20:13
>>> ********************************************************************************************************* 
>>>
>>> I don't have a krb5.conf to screw things up, on the recommendation of
>>> either the Official Samba Howto or the By Example document.
>>> ********************************************************************************************************* 
>>>
>>> Here's my smb.conf:
>>> # cat smb.conf
>>> [global]
>>>
>>>       workgroup = EDSADDDM
>>>       realm = EDSADDDM.DDM.APM.BPM.EDS.COM
>>>
>>>       server string = Maul Test Server
>>>
>>>       log level = 2
>>>
>>>       max log size = 100
>>>
>>>       security = ADS
>>>
>>>       local master = no
>>>
>>>       os level = 0
>>>
>>>       domain master = no
>>>
>>>       preferred master = no
>>>
>>>       wins server = 199.42.192.103
>>>       dns proxy = no
>>>
>>>       encrypt passwords = yes
>>>
>>>       idmap uid = 60000-70000
>>>       idmap gid = 80000-90000
>>>
>>>       winbind enum users = yes
>>>       winbind enum groups = yes
>>>
>>>       winbind separator = +
>>>
>>>       winbind use default domain = no
>>>
>>> [space]
>>>       comment = Space Partition Share
>>>       path = /space
>>>       writable = yes
>>>       browsable = yes
>>>       valid users = "EDSADDDM+imguser"
>>> ********************************************************************************************************* 
>>>
>>> So can anyone tell me what's causing Samba to use NTLM authentication
>>> instead of Kerberos? And how do I fix it?
>>>
>>> Greg
>>>
>>> On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
>>> <jerry at samba.org> wrote:
>>>  
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Greg Adams wrote:
>>>> | I tried to send a level 10 log from the moment of connection to the
>>>> | user that should be mapped touching a file, but the attachment 
>>>> was too
>>>> | large and the messages bounced, awaiting moderator approval. So
>>>> | instead, I'll try to post the sections I think are relevant here:
>>>> |
>>>> | searching for spnego and username.map led me to this section:
>>>> |
>>>> ********************************************************************************************************* 
>>>>
>>>> | [2004/10/18 08:19:25, 3]
>>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>>>> |   Doing spnego session setup
>>>> | [2004/10/18 08:19:25, 3]
>>>> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>>>> |   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows
>>>> | 2002 5.1] PrimaryDomain=[]
>>>> | [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>>>> |   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
>>>> |   len2=24
>>>>
>>>> NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
>>>> 2 problems going on ?  username map and kerberos....
>>>>
>>>> |   Scanning username map /opt/samba/lib/username.map
>>>> |   user_in_list: checking user imguser in list
>>>> |   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
>>>> |   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
>>>> |      workstation [MULE]
>>>>
>>>> cheers, jerry
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.2.4 (GNU/Linux)
>>>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>>>
>>>> iD8DBQFBdo31IR7qMdg1EfYRAsQxAKDPJvHy9xEcDFj2vs206GRyQ3nkdgCffYBy
>>>> zU0nasCPyhoO9pfobcZDpIo=
>>>> =YogI
>>>> -----END PGP SIGNATURE-----
>>>>