[Samba] Samba 3.0 question, DOMAIN vs. SERVER method? Help!

Klebanov, Lev Lev_Klebanov at URMC.Rochester.edu
Wed Feb 2 16:09:30 GMT 2005


Hello all!

We are attempting to get Samba-3.0.10 working on a new Solaris 8 machine in
preparation for upgrading an existing 2.2.8 installation (both use the
SMCsamba packages from SunFreeware.com).  We copied over the smb.conf file
and the usermap from the Samba-2 installation, and seeing some weird
symptoms when Windows users try to connect to the new machine.

We ran "net join" to join the local domain (referred to hereafter as
MYDOMAIN).  When we set "security = DOMAIN" in the smb.conf file (which is
how we have it on 2.2.8), it works for users that are not in the usermap
(i.e. whose UNIX login name is the same as their Windows login).  But users
who are in the usermap can't connect.  However, when we change the setting
to "security = SERVER" then it works for the users in the usermap.

The main difference I see between DOMAIN and SERVER logins is that the
DOMAIN uses winbind authentication, while SERVER uses smbserver
authentication.  Also, it looks like Samba tries to create a user with the
login of the UNIX user, and then fails because it can't.

If anyone can tell me where we're going wrong, I would really appreciate it!
Thanks in advance!


smb.conf global entries:

# Global parameters
[global]
        workgroup = MYDOMAIN
        netbios name = MYSERVER
        security = DOMAIN
#       security = SERVER
        encrypt passwords = Yes
        password server = winserv1 winserv2 *
        username map = /usr/local/samba/lib/usermap
        wins server = x.x.x.x
        log level = 3
        log file = /var/log/smb.log


Contents of usermap:

unixuser=pcuser


Log entries for the successful DOMAIN login with an unmapped user:

[2005/02/01 15:57:58, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[myuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:57:58, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[MYDOMAIN]\[myuser]@[MYPC] with the new password interface [2005/02/01
15:57:58, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[myuser]@[MYPC]
	< SNIP >
[2005/02/01 15:57:58, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [myuser] succeeded
[2005/02/01 15:57:58, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/02/01 15:57:58, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/02/01 15:57:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/02/01 15:57:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/02/01 15:57:58, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [myuser] -> [myuser] ->
[myuser] succeeded [2005/02/01 15:57:58, 3]
libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2005/02/01 15:57:58, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x60088215
[2005/02/01 15:57:58, 3] smbd/password.c:register_vuid(222)
  User name: myuser      Real name:
[2005/02/01 15:57:58, 3] smbd/password.c:register_vuid(241)
  UNIX uid 5489 is UNIX user myuser, and will be vuid 100
	< SNIP >



The logs for the failed DOMAIN login for the mapped user:

[2005/02/01 15:35:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[PCuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:35:41, 3] lib/username.c:map_username(173)
  Mapped user PCuser to unixuser
[2005/02/01 15:35:41, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[MYDOMAIN]\[PCuser]@[MYPC] with the new password interface [2005/02/01
15:35:41, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[unixuser]@[MYPC]
	< SNIP >
[2005/02/01 15:35:41, 3] auth/auth_util.c:make_server_info_info3(1127)
  User unixuser does not exist, trying to add it
[2005/02/01 15:35:41, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/02/01 15:35:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [PCuser] -> [unixuser]
FAILED with error NT_STATUS_NO_SUCH_USER
	< SNIP >


Logs for the successful SERVER login for the mapped user:

[2005/02/01 15:36:22, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[PCuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:36:22, 3] lib/username.c:map_username(173)
  Mapped user PCuser to unixuser
[2005/02/01 15:36:22, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[MYDOMAIN]\[PCuser]@[MYPC] with the new password interface [2005/02/01
15:36:22, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [MYDOMAIN]\[unixuser]@[MYPC]
	< SNIP >
[2005/02/01 15:36:26, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: smbserver authentication for user [PCuser] succeeded
[2005/02/01 15:36:26, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/02/01 15:36:26, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/02/01 15:36:26, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/02/01 15:36:26, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/02/01 15:36:26, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [PCuser] -> [unixuser] ->
[unixuser] succeeded [2005/02/01 15:36:26, 3]
smbd/password.c:register_vuid(222)
  User name: unixuser     Real name: Unix User
[2005/02/01 15:36:26, 3] smbd/password.c:register_vuid(241)
  UNIX uid 5479 is UNIX user unixuser, and will be vuid 100
	< SNIP >





-------------------------------------------------------------------------
Christina Plummer		 	  christina.plummer at rochester.edu
UNIX Systems Administrator		  Information Technology Services
University of Rochester			 		    (585)275-2239


More information about the samba mailing list