[Samba] win2k will not authenticate when logging in
Andy Kesterson
tc2617 at gmail.com
Wed Feb 8 23:33:41 GMT 2006
For a few weeks now we have been trying to research why our domain
will not authenticate when we are logging in. The Samba logs indicate
that our computers properly add into the domain, however after
rebooting and attempting to log in we receive an error message stating
that our computer account is not in the domain.
After reading the logs we have realized that Samba is indeed receiving
and verifying that the computer is allowed access to the domain,
however it appears that Samba is not receiving a username/passwd with
the login request. This in turn leaves Samba using "nobody" for the
rest of the authentication sequence, and when it hands the connection
over to IPC$ it refuses access to the domain because we cannot allow
anonymous access.
Our server setup is CentOS 4.1 64bit edition, Samba 3.0.21b, Pam,
and OpenLDAP.
I have included below the Samba log of when I attempt to log into the
domain, and the samba configuration file.
The logging level was set to 3 when these logs were taken.
Also please be aware these files are edited for security, and ridiculous length.
**********************************
***BEGIN DOMAIN LOGIN***
**********************************
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/uid.c:push_conn_ctx(393)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[]\[]@[SEOUL] with the new password interface
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [IPOV]\[]@[SEOUL]
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded
[2006/02/08 16:34:43, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/08 16:34:43, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60088235
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(257)
User name: nobody Real name: nobody
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(276)
UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
Transaction 3 of length 82
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
switch message SMBtconX (pid 2789) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] lib/access.c:check_access(313)
check_access: no hostnames in host allow/deny list.
[2006/02/08 16:34:43, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.14.65)
[2006/02/08 16:34:43, 3] smbd/service.c:make_connection_snum(488)
Connect path is '/tmp' for service [IPC$]
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(250)
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-5-21-xxx-xxx-xxx-501
se_access_check: also S-1-5-21-xxx-xxx-xxx-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-xxx-xxx-xxx-1199
[2006/02/08 16:34:43, 3] smbd/vfs.c:vfs_init_default(216)
Initialising default vfs hooks
[2006/02/08 16:34:43, 2] smbd/uid.c:change_to_user(230)
change_to_user: SMB user (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2006/02/08 16:34:43, 0] smbd/service.c:make_connection_snum(592)
Can't become connected user!
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
Yielding connection to IPC$
[2006/02/08 16:34:43, 3] smbd/error.c:error_packet(146)
error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
Transaction 4 of length 43
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
switch message SMBulogoffX (pid 2789) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/reply.c:reply_ulogoffX(1606)
ulogoffX vuid=101
[2006/02/08 16:34:43, 3] smbd/process.c:timeout_processing(1447)
timeout_processing: End of file from client (client has disconnected).
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/02/08 16:34:43, 3] smbd/server.c:exit_server(655)
Server exit (normal exit)
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/uid.c:push_conn_ctx(393)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[]\[]@[SEOUL] with the new password interface
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [IPOV]\[]@[SEOUL]
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded
[2006/02/08 16:34:43, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(332)
NTLMSSP Sign/Seal - Initialising with flags:
[2006/02/08 16:34:43, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x60088235
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(257)
User name: nobody Real name: nobody
[2006/02/08 16:34:43, 3] smbd/password.c:register_vuid(276)
UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
Transaction 3 of length 82
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
switch message SMBtconX (pid 2790) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] lib/access.c:check_access(313)
check_access: no hostnames in host allow/deny list.
[2006/02/08 16:34:43, 2] lib/access.c:check_access(324)
Allowed connection from (192.168.14.65)
[2006/02/08 16:34:43, 3] smbd/service.c:make_connection_snum(488)
Connect path is '/tmp' for service [IPC$]
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(250)
[2006/02/08 16:34:43, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-5-21-xxx-xxx-xxx-501
se_access_check: also S-1-5-21-xxx-xxx-xxx-514
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
se_access_check: also S-1-5-21-xxx-xxx-xxx-1199
[2006/02/08 16:34:43, 3] smbd/vfs.c:vfs_init_default(216)
Initialising default vfs hooks
[2006/02/08 16:34:43, 2] smbd/uid.c:change_to_user(230)
change_to_user: SMB user (unix user nobody, vuid 101) not permitted
access to share IPC$.
[2006/02/08 16:34:43, 0] smbd/service.c:make_connection_snum(592)
Can't become connected user!
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
Yielding connection to IPC$
[2006/02/08 16:34:43, 3] smbd/error.c:error_packet(146)
error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
[2006/02/08 16:34:43, 3] smbd/process.c:process_smb(1194)
Transaction 4 of length 43
[2006/02/08 16:34:43, 3] smbd/process.c:switch_message(993)
switch message SMBulogoffX (pid 2790) conn 0x0
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 3] smbd/reply.c:reply_ulogoffX(1606)
ulogoffX vuid=101
[2006/02/08 16:34:43, 3] smbd/process.c:timeout_processing(1447)
timeout_processing: End of file from client (client has disconnected).
[2006/02/08 16:34:43, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/02/08 16:34:43, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/02/08 16:34:43, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2006/02/08 16:34:43, 3] smbd/server.c:exit_server(655)
Server exit (normal exit)
*******************************
***END DOMAIN LOGIN***
*******************************
*****************************
***BEGIN SMB.CONF***
*****************************
[global]
ldap ssl = no
name resolve order = wins lmhosts hosts bcast
passwd chat = *new*password %n\n *new*password %n\n *successfully*
idmap gid = 10000000-30000000
passwd program = /usr/local/sbin/smbldap-passwd -o %u
allow hosts = 192.168.255. 127.0.0.
dns proxy = yes
netbios name = *HOSTNAME*
idmap uid = 10000000-30000000
local master = yes
workgroup = IPOV
os level = 65
security = user
max log size = 50
log file = /var/log/samba/%m.log
log level = 3
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
null passwords = no
encrypt passwords = yes
ldap passwd sync = yes
# unix password sync = yes
#encrypt passwords = no
#Set *HOSTNAME* as master Samba server
domain master = yes
template shell = /bin/false
wins support = yes
server string = IPOV Samba Server
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=ipov,dc=info
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
path = /home
ldap suffix = dc=ipov,dc=info
add user script = /usr/local/sbin/smbldap-useradd -w %u
valid users = @"Domain Admins",@"Domain Users"
preferred master = yes
domain logons = yes
logon script = STARTUP.BAT
logon path = \\%N\Profiles\%U
password server = *HOSTNAME*
#Added Feb 06 - Andy Kesterson
#These probably arn't needed but I wanted to make sure they were
#properly declared.
#lanman auth = yes
acl compatibility = auto
# client ntlmv2 auth = yes
ntlm auth = yes
nt pipe support = yes
[homes]
comment = Home Directories
path = /homes/%U
valid users = %S
read only = no
create mask = 0664
directory mask = 0775
browseable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /mnt/data/netlogon
browseable = yes
read only = yes
write list = ntadmin
guest ok = yes
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
[Profiles]
path = /mnt/data/profiles
writeable = yes
browseable = no
create mode = 0644
directory mode = 0775
guest ok = yes
**************************
***END SMB.CONF***
**************************
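A log and config check for the failure pattern in this post, added here as an example and not part of the original message: it scans level-3 smbd log lines for a guest session (user [] mapped to nobody) that was then refused IPC$ with NT_STATUS_LOGON_FAILURE, and reads the smb.conf to flag share-level restrictions such as `valid users` placed in [global], which default onto IPC$ as well. The sample log and config are constructed from the post; whether the global `valid users` line is the cause in this case is an assumption the post does not confirm.

```python
import re
# Constructed excerpt of the level-3 smbd log quoted in the post (username redacted as in the original).
SAMPLE_LOG = """\
[2006/02/08 16:34:43, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded
UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2006/02/08 16:34:43, 2] smbd/uid.c:change_to_user(230)
change_to_user: SMB user (unix user nobody, vuid 101) not permitted
access to share IPC$.
error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_LOGON_FAILURE
"""
# Constructed smb.conf fragment mirroring the relevant lines of the post's configuration.
SAMPLE_CONF = """\
[global]
security = user
domain logons = yes
valid users = @"Domain Admins",@"Domain Users"
[netlogon]
guest ok = yes
"""
# One failed session: guest auth -> nobody with vuid N -> vuid N refused IPC$ -> NT_STATUS_LOGON_FAILURE.
GUEST_IPC_DENIAL = re.compile(
    r"guest authentication for user \[\] succeeded.*?"
    r"UNIX user nobody, and will be vuid (\d+).*?"
    r"change_to_user: SMB user \(unix user nobody, vuid \1\) not permitted\s+"
    r"access to share IPC\$\..*?\(SMBtconX\) NT_STATUS_LOGON_FAILURE",
    re.DOTALL,  # smbd splits one message over two lines, so match across newlines
)

def guest_ipc_denials(log_text):
    """Return the vuid of every guest session that was refused IPC$ with NT_STATUS_LOGON_FAILURE."""
    return GUEST_IPC_DENIAL.findall(log_text)

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased, comments skipped."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def global_share_restrictions(sections):
    """Share-level user restrictions set in [global]: they default onto every share, IPC$ included."""
    g = sections.get("global", {})
    return {k: g[k] for k in ("valid users", "invalid users") if k in g}
```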