[Samba] Samba 3.0 question, DOMAIN vs. SERVER method? Help!
Klebanov, Lev
Lev_Klebanov at URMC.Rochester.edu
Wed Feb 2 16:09:30 GMT 2005
Hello all!
We are attempting to get Samba-3.0.10 working on a new Solaris 8 machine in
preparation for upgrading an existing 2.2.8 installation (both use the
SMCsamba packages from SunFreeware.com). We copied over the smb.conf file
and the usermap from the Samba-2 installation, and are seeing some weird
symptoms when Windows users try to connect to the new machine.
We ran "net join" to join the local domain (referred to hereafter as
MYDOMAIN). When we set "security = DOMAIN" in the smb.conf file (which is
how we have it on 2.2.8), it works for users that are not in the usermap
(i.e. whose UNIX login name is the same as their Windows login). But users
who are in the usermap can't connect. However, when we change the setting
to "security = SERVER" then it works for the users in the usermap.
The main difference I see between DOMAIN and SERVER logins is that the
DOMAIN uses winbind authentication, while SERVER uses smbserver
authentication. Also, it looks like Samba tries to create a user with the
login of the UNIX user, and then fails because it can't.
If anyone can tell me where we're going wrong, I would really appreciate it!
Thanks in advance!
smb.conf global entries:
# Global parameters
[global]
workgroup = MYDOMAIN
netbios name = MYSERVER
security = DOMAIN
# security = SERVER
encrypt passwords = Yes
password server = winserv1 winserv2 *
username map = /usr/local/samba/lib/usermap
wins server = x.x.x.x
log level = 3
log file = /var/log/smb.log
Contents of usermap:
unixuser=pcuser
Log entries for the successful DOMAIN login with an unmapped user:
[2005/02/01 15:57:58, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
Got user=[myuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:57:58, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN]\[myuser]@[MYPC] with the new password interface
[2005/02/01 15:57:58, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [MYDOMAIN]\[myuser]@[MYPC]
< SNIP >
[2005/02/01 15:57:58, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: winbind authentication for user [myuser] succeeded
[2005/02/01 15:57:58, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/02/01 15:57:58, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/02/01 15:57:58, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/02/01 15:57:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/02/01 15:57:58, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [myuser] -> [myuser] ->
[myuser] succeeded
[2005/02/01 15:57:58, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
NTLMSSP Sign/Seal - Initialising with flags:
[2005/02/01 15:57:58, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
Got NTLMSSP neg_flags=0x60088215
[2005/02/01 15:57:58, 3] smbd/password.c:register_vuid(222)
User name: myuser Real name:
[2005/02/01 15:57:58, 3] smbd/password.c:register_vuid(241)
UNIX uid 5489 is UNIX user myuser, and will be vuid 100
< SNIP >
The logs for the failed DOMAIN login for the mapped user:
[2005/02/01 15:35:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
Got user=[PCuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:35:41, 3] lib/username.c:map_username(173)
Mapped user PCuser to unixuser
[2005/02/01 15:35:41, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN]\[PCuser]@[MYPC] with the new password interface
[2005/02/01 15:35:41, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [MYDOMAIN]\[unixuser]@[MYPC]
< SNIP >
[2005/02/01 15:35:41, 3] auth/auth_util.c:make_server_info_info3(1127)
User unixuser does not exist, trying to add it
[2005/02/01 15:35:41, 0] auth/auth_util.c:make_server_info_info3(1134)
make_server_info_info3: pdb_init_sam failed!
[2005/02/01 15:35:41, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [PCuser] -> [unixuser]
FAILED with error NT_STATUS_NO_SUCH_USER
< SNIP >
Logs for the successful SERVER login for the mapped user:
[2005/02/01 15:36:22, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
Got user=[PCuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:36:22, 3] lib/username.c:map_username(173)
Mapped user PCuser to unixuser
[2005/02/01 15:36:22, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[MYDOMAIN]\[PCuser]@[MYPC] with the new password interface
[2005/02/01 15:36:22, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [MYDOMAIN]\[unixuser]@[MYPC]
< SNIP >
[2005/02/01 15:36:26, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: smbserver authentication for user [PCuser] succeeded
[2005/02/01 15:36:26, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/02/01 15:36:26, 3] smbd/uid.c:push_conn_ctx(365)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/02/01 15:36:26, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/02/01 15:36:26, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/02/01 15:36:26, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [PCuser] -> [unixuser] ->
[unixuser] succeeded
[2005/02/01 15:36:26, 3] smbd/password.c:register_vuid(222)
User name: unixuser Real name: Unix User
[2005/02/01 15:36:26, 3] smbd/password.c:register_vuid(241)
UNIX uid 5479 is UNIX user unixuser, and will be vuid 100
< SNIP >
-------------------------------------------------------------------------
Christina Plummer christina.plummer at rochester.edu
UNIX Systems Administrator Information Technology Services
University of Rochester (585)275-2239
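
Added example (not part of the original post and not Samba code): a small Python parser that turns smbd level-3 log text like the excerpts above into one record per authentication attempt, so that attempts where the username map rewrote the name and authentication then failed stand out. The names auth_attempts, mapped_failures and SAMPLE_LOG are hypothetical, and the patterns assume only the message wording quoted in this post.

```python
import re

# Constructed sample in the layout quoted in the post; one header is fused onto a wrapped line.
SAMPLE_LOG = r"""
[2005/02/01 15:35:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[PCuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:35:41, 3] lib/username.c:map_username(173)
  Mapped user PCuser to unixuser
[2005/02/01 15:35:41, 0] auth/auth_util.c:make_server_info_info3(1134)
  make_server_info_info3: pdb_init_sam failed!
[2005/02/01 15:35:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [PCuser] -> [unixuser]
  FAILED with error NT_STATUS_NO_SUCH_USER [2005/02/01 15:57:58, 3]
  libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[myuser] domain=[MYDOMAIN] workstation=[MYPC] len1=24 len2=24
[2005/02/01 15:57:58, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [myuser] succeeded
[2005/02/01 15:57:58, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [myuser] -> [myuser] -> [myuser] succeeded
"""

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *(\d+)\] (\S+)\(\d+\)")
GOT = re.compile(r"Got user=\[([^\]]*)\]")
MAPPED = re.compile(r"Mapped user (\S+) to (\S+)")
BACKEND = re.compile(r"(\w+) authentication for user \[[^\]]*\] succeeded")
RESULT = re.compile(r"uthentication for user \[[^\]]*\] -> \[([^\]]*)\]"
                    r"(?: -> \[[^\]]*\])? (?:succeeded|FAILED with error (\S+))")

def auth_attempts(text):
    """Return one dict per attempt: client name, mapping, backend, errors, status."""
    flat = " ".join(text.split())        # undo mail/log wrapping, even inside a header
    hits = list(HEADER.finditer(flat))
    attempts, cur = [], None
    for h, nxt in zip(hits, hits[1:] + [None]):
        msg = flat[h.end():nxt.start() if nxt else len(flat)].strip()
        if m := GOT.search(msg):         # start of a new session setup
            cur = dict(time=h[1], client=m[1], mapped_to=None, backend=None, errors=[])
        elif cur and h[2] == "0":        # level-0 lines are smbd errors
            cur["errors"].append(msg)
        elif cur and (m := MAPPED.search(msg)):
            cur["mapped_to"] = m[2]
        elif cur and (m := BACKEND.search(msg)):
            cur["backend"] = m[1]
        elif cur and (m := RESULT.search(msg)):
            attempts.append({**cur, "unix_user": m[1], "status": m[2] or "OK"})
            cur = None
    return attempts

def mapped_failures(attempts):
    return [a for a in attempts if a["mapped_to"] and a["status"] != "OK"]
```

Running mapped_failures(auth_attempts(...)) over a real log file lists each mapped login that failed together with the level-0 error logged before the failure.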