[Samba] security = server, username map, different domain -> no login

Ralf Gross Ralf-Lists at RalfGross.de
Fri Jan 14 09:45:41 GMT 2005


Hi,

I posted a similar question a few days ago. I'm still confused about what
might be wrong with my config.

Setup:
- update from Samba 2.2.12 to 3.0.10
- Solaris 8 Server
- server is not a domain (EMEA) member, and it's not possible to add the
  server to the EMEA domain :(
- server is only in workgroup ERS (our department, no DC, only a few hosts).
- no winbind
- authentication happens against the EMEA domain password server, where
  each local unix user has a valid account
- mapping of some unix accounts via username map

Extract of the smb.conf

[global]
workgroup = ERS
netbios name = SAMBASERVER
encrypt passwords = Yes
username map = /etc/samba/smbusers
security = server
password server = PASSWORDSERVER

smbusers file
rg=ralfgro

This worked without a problem till 2.2.12. Since 3.0.10 (tried 3.0.11.pre1
too) the 'wrong' domain/workgroup is passed to the password server for
authentication.
I tried
smbclient //sambaserver/ralfgro -U RALFGRO -W EMEA

part of the smbd debug output:
...
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [Samba]
using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 1 of length 164
switch message SMBsesssetupX (pid 26508) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 44
Got NTLMSSP neg_flags=0x60080215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
Connecting to PASSWORDSERVERIP at port 445
error connecting to PASSWORDSERVERIP:445 (Verbindungsaufbau abgelehnt)
Connecting to PASSWORDSERVERIP at port 139
connected to password server PASSWORDSERVER
got session
password server OK
using password server validation
Transaction 2 of length 264
switch message SMBsesssetupX (pid 26508) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got user=[ralfgro] domain=[EMEA] workstation=[CLIENT] len1=24 len2=24
Scanning username map /etc/samba/smbusers
Mapped user ralfgro to rg
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: PASSWORDSERVER:0
enumerate_domain_trusts: can't locate a DC for domain ERS
check_ntlm_password:  Checking password for unmapped user [EMEA]\[ralfgro]@[CLIENT] with the new password interface
check_ntlm_password:  mapped user is: [ERS]\[rg]@[CLIENT]
password server PASSWORDSERVER rejected the password
check_ntlm_password:  Authentication for user [ralfgro] -> [rg] FAILED with error NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
...

ethereal trace

---> Samba 2.2.12
Session Setup AndX Request, User: EMEA\RALFGRO
Account: RALFGRO
Primary Domain: EMEA

---> Samba 3.0.10
Session Setup AndX Request, User: ERS\RALFGRO
Account: RALFGRO
Primary Domain: ERS

I can see that the mapping via the smbuser file is working, but why is
samba 3.0.10 passing domain ERS instead of EMEA to the password server? Is
it not possible to do these things in 3.0.10? What do I have to change to
get this working in samba 3.x?
Any ideas?

I'm a bit lost at the moment. Our samba 2.x config was nice, simple and
just working.
Ralf
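
Added example, not part of Ralf's post and not Samba code: a Python script that reads smbd debug output like the excerpt above and reports each check_ntlm_password attempt where the domain after username mapping differs from the domain the client sent. The function name, the record fields and the second sample attempt (user guest1) are assumptions made for illustration.

```python
import re

# Identity as smbd prints it in the excerpt: [DOMAIN]\[user]@[WORKSTATION]
IDENT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
# \s+ also matches newlines, so log lines wrapped by a mail client still parse.
UNMAPPED = re.compile(r"Checking password for unmapped user\s+" + IDENT)
MAPPED = re.compile(r"mapped user is:\s+" + IDENT)
FAILED = re.compile(r"FAILED\s+with error\s+(NT_STATUS_[A-Z_]+)")

# Constructed sample: first attempt copied from the excerpt above, second
# attempt (hypothetical user guest1) added to show a login with no rewrite.
SAMPLE_LOG = r"""
check_ntlm_password:  Checking password for unmapped user
[EMEA]\[ralfgro]@[CLIENT] with the new password interface
check_ntlm_password:  mapped user is: [ERS]\[rg]@[CLIENT]
password server PASSWORDSERVER rejected the password
check_ntlm_password:  Authentication for user [ralfgro] -> [rg] FAILED
with error NT_STATUS_LOGON_FAILURE
check_ntlm_password:  Checking password for unmapped user [ERS]\[guest1]@[CLIENT] with the new password interface
check_ntlm_password:  mapped user is: [ERS]\[guest1]@[CLIENT]
"""


def auth_attempts(log_text):
    """Return one record per check_ntlm_password attempt in log_text."""
    starts = list(UNMAPPED.finditer(log_text))
    records = []
    for i, m in enumerate(starts):
        # An attempt runs until the next "unmapped user" line (or end of log).
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        mapped = MAPPED.search(log_text, m.end(), end)
        failed = FAILED.search(log_text, m.end(), end)
        sent = m.group(1, 2)  # (domain, user) as sent by the client
        used = mapped.group(1, 2) if mapped else (None, None)  # after mapping
        records.append({
            "client": sent,
            "mapped": used,
            "error": failed.group(1) if failed else None,
            # NetBIOS domain names are case-insensitive, so compare upper-cased.
            "domain_changed": mapped is not None and used[0].upper() != sent[0].upper(),
        })
    return records


if __name__ == "__main__":
    for a in auth_attempts(SAMPLE_LOG):
        flag = "DOMAIN REWRITTEN" if a["domain_changed"] else "domain unchanged"
        print("%s\\%s -> %s\\%s  %s  error=%s" % (a["client"] + a["mapped"] + (flag, a["error"])))
```
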





