[Samba] Authentication failure when accessing Samba server in a NT domain

Ashutosh Kamdar akamdar at gnsi.com
Wed Apr 27 10:06:58 GMT 2005


Hello Ankush,

Thanks for taking a look at this. I tried the two suggestions that you put forward. Neither of them seemed to solve this problem...I increased the logging level and found the following when trying to connect to the Samba share from the WINXP machine.

[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
[2005/04/27 05:51:16, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for akamdar (akamdar)
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(142)
  making strings for akamdar's user_info struct
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(184)
  making blobs for akamdar's user_info struct
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [DOMAINNAME]\[akamdar]@[ASHUTOSH] with the new password interface
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DOMAINNAME]\[akamdar]@[ASHUTOSH]
[2005/04/27 05:51:16, 5] lib/util.c:dump_data(1995)
  [000] 49 59 CB 9A EB 49 C4 0E                           IY...I..
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/04/27 05:51:16, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/27 05:51:16, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/04/27 05:51:16, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2005/04/27 05:51:16, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 05:51:16, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/04/27 05:51:16, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/04/27 05:51:16, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/04/27 05:51:16, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2005/04/27 05:51:16, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

Any thoughts?

Regards,

Ash


------Original Message-----
-From: ankush grover [mailto:ankushmailing at gmail.com]
-Sent: Wednesday, April 27, 2005 07:38 AM
-To: 'Ashutosh Kamdar'
-Subject: Re: [Samba] Authentication failure when accessing Samba server in a NT domain
-
-On 4/26/05, Ashutosh Kamdar <akamdar at gnsi.com> wrote:
-> Hello Samba Gurus,
-> 
-> I have configured my Samba install to be a domain member of a NT4-Style domain. The version of samba used is 3.0.13. The domain joining process worked fine (net rpc join). An excerpt of smb.conf is provided at the end for reference.
-> 
-> The problem is that when users access this server, they are challenged for the username password. I was of the impression that this process would be seamless to the user. On providing the NT username/password, the login process still fails. It just comes back with the same prompt challenging the user.
-> 
-> These users are added in /etc/passwd but not in smbpasswd, as per the documentation.
-> 
-> On using smbclient:
-> # ./smbclient -d 3 -U akamdar -L localhost
-> 
-> This was the output obtained:
-> lp_load: refreshing parameters
-> Initialising global parameters
-> params.c:pm_process() - Processing configuration file "/usr/local/samba/lib/smb.conf"
-> Processing section "[global]"
-> added interface ip=192.168.2.37 bcast=192.168.2.255 nmask=255.255.255.0
-> Client started (version 3.0.13).
-> resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
-> resolve_wins: Attempting wins lookup for name localhost<0x20>
-> resolve_wins: WINS server resolution selected and no WINS servers listed.
-> resolve_hosts: Attempting host lookup for name localhost<0x20>
-> Connecting to 127.0.0.1 at port 445
-> Password:
-> 
-> Doing spnego session setup (blob length=58)
-> got OID=1 3 6 1 4 1 311 2 2 10
-> got principal=NONE
-> Got challenge flags:
-> Got NTLMSSP neg_flags=0x60890215
-> NTLMSSP: Set final flags:
-> Got NTLMSSP neg_flags=0x60080215
-> NTLMSSP Sign/Seal - Initialising with flags:
-> Got NTLMSSP neg_flags=0x60080215
-> SPNEGO login failed: Access denied
-> session setup failed: NT_STATUS_ACCESS_DENIED
-> 
-> Can someone please help me understand what exactly is causing this problem and of possible solutions? Any help would be greatly appreciated.
-> 
-> Regards,
-> 
-> Ashutosh
-> 
-> ---smb.conf--------------------8<---------------------------
-> 
-> [global]
->         dns proxy = no
->         debug timestamp = yes
->         encrypt passwords = yes
->         idmap gid = 15000-20000
->         socket options = TCP_NODELAY
->         max log size = 1024
->         password server = PASSWORDSERVER
->         idmap uid = 15000-20000
->         debug level = 3
->         security = domain
->         server string = Samba Server
->         workgroup = DOMAINNAME
->         log level = 3
->         log file = /usr/local/samba/var/log.%m
->         netbios name = appserver7
->         load printers = yes
->         os level = 33
->         default = share
->         winbind use default domain = Yes
-> 
-> [homes]
->    comment = Home Directories
->    valid users = %S
->    browseable = no
->    writable = yes
-> 
-> [share]
-> path = /share
-> comment = Solaris share
-> valid users = @staff
-> guest ok = Yes
-> read only = No
-
-
-Where is the hosts allow in the smb.conf .I think that is missing in
-your configuration
- like 192.168.1. 127.
-moreover try to change winbind use default domain = no
-
-Regards
-
-Ankush
-




More information about the samba mailing list