[Samba] win2k will not authenticate when logging in

Andy Kesterson tc2617 at gmail.com
Wed Feb 8 23:33:41 GMT 2006


For a few weeks now we have been trying to research why our domain
will not authenticate when we are logging in. The Samba logs indicate
that our computers properly add into the domain; however, after
rebooting and attempting to log in we receive an error message stating
that our computer account is not in the domain.

After reading the logs we have realized that Samba is indeed receiving
and verifying that the computer is allowed access to the domain;
however, it appears that Samba is not receiving a username/passwd with
the login request. This in turn leaves Samba using "nobody" for the
rest of the authentication sequence, and when it hands the connection
over to IPC$ it refuses access to the domain because we cannot allow
anonymous access.

Our server setup is CentOS 4.1 64-bit edition, Samba 3.0.21b, PAM,
and OpenLDAP.

I have included below the Samba log of when I attempt to log into the
domain, and the samba configuration file.

The logging level was set to 3 when these logs were taken.

Also, please be aware these files are edited for security and ridiculous length.


**********************************
***BEGIN DOMAIN LOGIN***
**********************************

[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[]\[]@[SEOUL] with the new password interface
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [IPOV]\[]@[SEOUL]
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded
[2006/02/08 16:34:43, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/08 16:34:43, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088235
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(257)
  User name: nobody	Real name: nobody
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(276)
  UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
  Transaction 3 of length 82
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
  switch message SMBtconX (pid 2789) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2006/02/08 16:34:43, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.14.65)
[2006/02/08 16:34:43, 3] smbd/service.c:make_connection_snum(488)
  Connect path is '/tmp' for service [IPC$]
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(250)
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-xxx-xxx-xxx-501
  se_access_check: also S-1-5-21-xxx-xxx-xxx-514
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
  se_access_check: also S-1-5-21-xxx-xxx-xxx-1199
[2006/02/08 16:34:43, 3] smbd/vfs.c:vfs_init_default(216)
  Initialising default vfs hooks
[2006/02/08 16:34:43, 2] smbd/uid.c:change_to_user(230)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2006/02/08 16:34:43, 0] smbd/service.c:make_connection_snum(592)
  Can't become connected user!
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2006/02/08 16:34:43, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
  Transaction 4 of length 43
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
  switch message SMBulogoffX (pid 2789) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/reply.c:reply_ulogoffX(1606)
  ulogoffX vuid=101
[2006/02/08 16:34:43, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/02/08 16:34:43, 3] smbd/server.c:exit_server(655)
  Server exit (normal exit)
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/uid.c:push_conn_ctx(393)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[]\[]@[SEOUL] with the new password interface
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [IPOV]\[]@[SEOUL]
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded
[2006/02/08 16:34:43, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/08 16:34:43, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088235
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(257)
  User name: nobody	Real name: nobody
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(276)
  UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
  Transaction 3 of length 82
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
  switch message SMBtconX (pid 2790) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] lib/access.c:check_access(313)
  check_access: no hostnames in host allow/deny list.
[2006/02/08 16:34:43, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.14.65)
[2006/02/08 16:34:43, 3] smbd/service.c:make_connection_snum(488)
  Connect path is '/tmp' for service [IPC$]
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(250)
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-xxx-xxx-xxx-501
  se_access_check: also S-1-5-21-xxx-xxx-xxx-514
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
  se_access_check: also S-1-5-21-xxx-xxx-xxx-1199
[2006/02/08 16:34:43, 3] smbd/vfs.c:vfs_init_default(216)
  Initialising default vfs hooks
[2006/02/08 16:34:43, 2] smbd/uid.c:change_to_user(230)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2006/02/08 16:34:43, 0] smbd/service.c:make_connection_snum(592)
  Can't become connected user!
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to IPC$
[2006/02/08 16:34:43, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
  Transaction 4 of length 43
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
  switch message SMBulogoffX (pid 2790) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/reply.c:reply_ulogoffX(1606)
  ulogoffX vuid=101
[2006/02/08 16:34:43, 3] smbd/process.c:timeout_processing(1447)
  timeout_processing: End of file from client (client has disconnected).
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2006/02/08 16:34:43, 3] smbd/server.c:exit_server(655)
  Server exit (normal exit)

*******************************
***END DOMAIN LOGIN***
*******************************

*****************************
***BEGIN SMB.CONF***
*****************************
[global]
   ldap ssl = no
   name resolve order = wins lmhosts hosts bcast
   passwd chat = *new*password %n\n *new*password %n\n *successfully*
   idmap gid = 10000000-30000000
   passwd program = /usr/local/sbin/smbldap-passwd -o %u
   allow hosts = 192.168.255. 127.0.0.
   dns proxy = yes
   netbios name = *HOSTNAME*
   idmap uid = 10000000-30000000
   local master = yes
   workgroup = IPOV
   os level = 65
   security = user
   max log size = 50
   log file = /var/log/samba/%m.log
   log level = 3
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   null passwords = no
   encrypt passwords = yes
   ldap passwd sync = yes
#  unix password sync = yes
   #encrypt passwords = no
   #Set *HOSTNAME* as master Samba server
   domain master = yes
   template shell = /bin/false
   wins support = yes
   server string = IPOV Samba Server
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=Manager,dc=ipov,dc=info
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   path = /home
   ldap suffix = dc=ipov,dc=info
   add user script = /usr/local/sbin/smbldap-useradd -w %u
   valid users = @"Domain Admins",@"Domain Users"
   preferred master = yes
   domain logons = yes
   logon script = STARTUP.BAT
   logon path = \\%N\Profiles\%U
   password server = *HOSTNAME*

#Added Feb 06 - Andy Kesterson
#These probably aren't needed but I wanted to make sure they were
#properly declared.
   #lanman auth = yes
   acl compatibility = auto
#  client ntlmv2 auth = yes
   ntlm auth = yes
   nt pipe support = yes

[homes]
   comment = Home Directories
   path = /homes/%U
   valid users = %S
   read only = no
   create mask = 0664
   directory mask = 0775
   browseable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
 [netlogon]
   comment = Network Logon Service
   path = /mnt/data/netlogon
   browseable = yes
   read only = yes
   write list = ntadmin
   guest ok = yes

# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
   path = /mnt/data/profiles
   writeable = yes
   browseable = no
   create mode = 0644
   directory mode = 0775
   guest ok = yes

**************************
***END SMB.CONF***
**************************
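The log above shows one pattern twice: a session setup with an empty user name ("unmapped user []\[]@[SEOUL]") is accepted as guest, the resulting vuid is the UNIX user nobody, and the next SMBtconX to IPC$ is refused with NT_STATUS_LOGON_FAILURE. The following script is an added example (not code from the post or from the Samba project) that parses smbd level-3 log records, re-joins wrapped message lines, groups the records by session setup and reports that chain, so the same check can be run over a whole `/var/log/samba/<client>.log` rather than read by eye. The sample log embedded below is a trimmed copy of the log in the post; the record grouping (everything after a "Checking password" record belongs to that session until the next one) is an assumption that holds for the single-client log shown here.

```python
"""Triage smbd level-3 logs for: anonymous session setup -> guest -> IPC$ denied.
Added example, not part of the original post or of Samba itself."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# A level-3 record is a header "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)"
# followed by its message on the next line(s); long messages wrap.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

RE_SETUP = re.compile(r"Checking password for unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
RE_GUEST = re.compile(r"guest authentication for user \[([^\]]*)\] succeeded")
RE_DENIED = re.compile(r"\(unix user (\S+), vuid (\d+)\) not permitted access to share (\S+?)\.?$")
RE_ERROR = re.compile(r"error packet .* cmd=\d+ \((\w+)\) (NT_STATUS_\w+)")

# Trimmed copy of the log in the post (one of the two identical sessions).
SAMPLE_LOG = r"""
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[]\[]@[SEOUL] with the new password interface
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [IPOV]\[]@[SEOUL]
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: guest authentication for user [] succeeded
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(276)
  UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
  switch message SMBtconX (pid 2789) conn 0x0
[2006/02/08 16:34:43, 3] smbd/service.c:make_connection_snum(488)
  Connect path is '/tmp' for service [IPC$]
[2006/02/08 16:34:43, 2] smbd/uid.c:change_to_user(230)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2006/02/08 16:34:43, 0] smbd/service.c:make_connection_snum(592)
  Can't become connected user!
[2006/02/08 16:34:43, 3] smbd/error.c:error_packet(146)
  error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
"""


@dataclass
class Session:
    domain: str = ""
    username: str = ""
    workstation: str = ""
    guest: bool = False
    unix_user: Optional[str] = None
    vuid: Optional[int] = None
    denied_share: Optional[str] = None
    failed_cmd: Optional[str] = None
    nt_status: Optional[str] = None

    @property
    def anonymous(self) -> bool:
        # Empty user in the session setup: the client did not send credentials.
        return self.username == ""


def records(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (source, message) per record, joining wrapped message lines."""
    src, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if src is not None:
                yield src, " ".join(body)
            src, body = m.group(3), []
        elif line.strip():
            body.append(line.strip())
    if src is not None:
        yield src, " ".join(body)


def parse_sessions(text: str) -> List[Session]:
    """Open a Session at each 'Checking password' record; attach later records to it."""
    sessions: List[Session] = []
    for _src, msg in records(text):
        m = RE_SETUP.search(msg)
        if m:
            sessions.append(Session(domain=m.group(1), username=m.group(2), workstation=m.group(3)))
            continue
        if not sessions:
            continue  # records before the first session setup are ignored
        s = sessions[-1]
        if RE_GUEST.search(msg):
            s.guest = True
        elif (m := RE_DENIED.search(msg)):
            s.unix_user, s.vuid, s.denied_share = m.group(1), int(m.group(2)), m.group(3)
        elif (m := RE_ERROR.search(msg)):
            s.failed_cmd, s.nt_status = m.group(1), m.group(2)
    return sessions


def diagnose(s: Session) -> str:
    """Name the failure chain; the IPC$ case is the one the post describes."""
    if s.anonymous and s.guest and s.denied_share == "IPC$":
        return ("anonymous session setup from %s was mapped to guest (%s, vuid %s) "
                "and then refused IPC$ (%s): IPC$ is not permitted for the guest account"
                % (s.workstation, s.unix_user, s.vuid, s.nt_status))
    if s.denied_share:
        return "user %r from %s denied share %s (%s)" % (s.username, s.workstation, s.denied_share, s.nt_status)
    return "no share denial seen for user %r from %s" % (s.username, s.workstation)


if __name__ == "__main__":
    for sess in parse_sessions(SAMPLE_LOG):
        print(diagnose(sess))
```

Run it over a client log with `python3 triage.py < /var/log/samba/client.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`. One check worth doing alongside it: in the posted smb.conf the `valid users = @"Domain Admins",@"Domain Users"` line sits in [global], and a service parameter set there becomes the default for every share, IPC$ included; `testparm -v` prints the effective value per share. Whether that restriction is what the guest session is tripping over is not something the log alone proves, so confirm it from testparm output rather than from this script.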

