[Samba] security = server, username map, different domain -> no login
Ralf Gross
Ralf-Lists at RalfGross.de
Fri Jan 14 09:45:41 GMT 2005
Hi,
I posted a similar question a few days before. I'm still confused what
might be wrong with my config.
Setup:
- update from Samba 2.2.12 to 3.0.10
- Solaris 8 Server
- server is not a domain (EMEA) member, and it's not possible to add the
server to the EMEA domain :(
- server is only in workgroup ERS (our department, no DC, only a few hosts).
- no winbind
- authentication happens against the EMEA domain password server, where
each local unix user has a valid account
- mapping of some unix accounts via username map
Extract of the smb.conf
[global]
workgroup = ERS
netbios name = SAMBASERVER
encrypt passwords = Yes
username map = /etc/samba/smbusers
security = server
password server = PASSWORDSERVER
smbusers file
rg=ralfgro
This worked without a problem till 2.2.12. Since 3.0.10 (tried 3.0.11.pre1
too) the 'wrong' domain/workgroup is passed to the password server for
authentication.
I tried
smbclient //sambaserver/ralfgro -U RALFGRO -W EMEA
part of the smbd debug output:
...
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [Samba]
using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 1 of length 164
switch message SMBsesssetupX (pid 26508) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got OID 1 3 6 1 4 1 311 2 2 10
Got secblob of size 44
Got NTLMSSP neg_flags=0x60080215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
Connecting to PASSWORDSERVERIP at port 445
error connecting to PASSWORDSERVERIP:445 (Verbindungsaufbau abgelehnt)
Connecting to PASSWORDSERVERIP at port 139
connected to password server PASSWORDSERVER
got session
password server OK
using password server validation
Transaction 2 of length 264
switch message SMBsesssetupX (pid 26508) conn 0x0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got user=[ralfgro] domain=[EMEA] workstation=[CLIENT] len1=24 len2=24
Scanning username map /etc/samba/smbusers
Mapped user ralfgro to rg
get_dc_list: returning 1 ip addresses in an ordered list
get_dc_list: PASSWORDSERVER:0
enumerate_domain_trusts: can't locate a DC for domain ERS
check_ntlm_password: Checking password for unmapped user
[EMEA]\[ralfgro]@[CLIENT] with the new password interface
check_ntlm_password: mapped user is: [ERS]\[rg]@[CLIENT]
password server PASSWORDSERVER rejected the password
check_ntlm_password: Authentication for user [ralfgro] -> [rg] FAILED
with error NT_STATUS_LOGON_FAILURE
timeout_processing: End of file from client (client has disconnected).
...
ethereal trace
---> Samba 2.2.12
Session Setup AndX Request, User: EMEA\RALFGRO
Account: RALFGRO
Primary Domain: EMEA
---> Samba 3.0.10
Session Setup AndX Request, User: ERS\RALFGRO
Account: RALFGRO
Primary Domain: ERS
I can see that the mapping via the smbuser file is working, but why is
samba 3.0.10 passing domain ERS instead of EMEA to the password server? Is
it not possible to do these things in 3.0.10? What do I have to change to
get this working in samba 3.x?
Any ideas?
I'm a bit lost at the moment. Our samba 2.x config was nice, simple and
just working.
Ralf
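
Added example, not part of the original post: a small Python parser that pairs the check_ntlm_password lines in smbd debug output like the one above and reports where the domain or user name sent by the client differs from the identity smbd goes on to authenticate. The sample log is constructed from the lines in the post; the function name and result fields are assumptions.

```python
import re

# Constructed sample: the authentication lines from the debug output in the
# post, with the mail client's line wrapping kept.
SAMPLE_LOG = r"""
Got user=[ralfgro] domain=[EMEA] workstation=[CLIENT] len1=24 len2=24
Mapped user ralfgro to rg
check_ntlm_password: Checking password for unmapped user
[EMEA]\[ralfgro]@[CLIENT] with the new password interface
check_ntlm_password: mapped user is: [ERS]\[rg]@[CLIENT]
password server PASSWORDSERVER rejected the password
check_ntlm_password: Authentication for user [ralfgro] -> [rg] FAILED
with error NT_STATUS_LOGON_FAILURE
"""

# [DOMAIN]\[user]@[workstation], as the identities appear in the log above.
IDENT = r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
UNMAPPED = re.compile(r"Checking password for unmapped user\s+" + IDENT)
MAPPED = re.compile(r"mapped user is:\s+" + IDENT)
FAILED = re.compile(r"Authentication for user \[[^\]]*\] -> \[[^\]]*\] "
                    r"FAILED\s+with error (NT_STATUS_[A-Z_]+)")


def auth_attempts(log_text):
    """Pair each unmapped identity with the mapped identity and result after it."""
    attempts = []
    starts = list(UNMAPPED.finditer(log_text))
    for i, m in enumerate(starts):
        # Only look as far as the next attempt, so results are not mixed up.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        window = log_text[m.end():end]
        mapped = MAPPED.search(window)
        if mapped is None:
            continue  # truncated log: nothing to compare against
        failed = FAILED.search(window)
        attempts.append({
            "requested": (m.group(1), m.group(2)),
            "effective": (mapped.group(1), mapped.group(2)),
            "workstation": m.group(3),
            "domain_changed": m.group(1).upper() != mapped.group(1).upper(),
            "user_changed": m.group(2).lower() != mapped.group(2).lower(),
            "error": failed.group(1) if failed else None,
        })
    return attempts


if __name__ == "__main__":
    for a in auth_attempts(SAMPLE_LOG):
        print("%s\\%s -> %s\\%s  domain_changed=%s  error=%s" % (
            a["requested"] + a["effective"] + (a["domain_changed"], a["error"])))
```

The patterns are unanchored and tolerate line wrapping, so they also match when a mail archive has wrapped or run together two log lines.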