[Samba] Windows 2003 AD <-> Samba 3.0.23c

Jean-Vincent BAYARRI bayarri at lcpc.fr
Mon Nov 13 11:07:03 GMT 2006


Hi,

I have exactly the same problem between a W2003 AD and a FreeBSD box
running Samba 3.0.23c: authentication times out when the login/pw are
correct, although wbinfo -u / -g work perfectly.

On Mon, Nov 13, 2006 at 11:05:46AM +0100, db at trunet.dk wrote:
> Hi all
> 
> I have a network with a Windows 2003 AD (10.10.10.5) and a Samba 3.0.23c
> (10.10.10.8). I want Samba to join the domain and get its
> user/group/permission info from my Windows 2003 server. I have followed
> http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-adsdc
> 
> And it seems to join and work with wbinfo/getent/"net ads
> join/info/status". When I try to login with a wrong password it gets
> rejected, but when I type the correct password it times out.
> 
> krb5.conf:
> [libdefaults]
>  default_realm = MYDOMAIN.LOCAL
> 
> [realms]
>  MYDOMAIN.LOCAL = {
>    kdc = 10.10.10.5
>  }
> 
> [domain_realms]
>  .MYDOMAIN.local = MYDOMAIN.LOCAL
> 
> ldap.conf
> host 10.10.10.5
> base dc=example,dc=com
> nss_initgroups_ignoreusers root,ldap
> 
> nsswitch.conf
> passwd:      files ldap winbind
> group:       files ldap winbind
> shadow:      files ldap winbind
> hosts:       files wins dns
> 
> smb.conf
> [global]
> 	unix charset = LOCALE
> 	workgroup = MYDOMAIN
> 	realm = MYDOMAIN.local
> 	security = ADS
> 	password server = 10.10.10.5
> 	ldap ssl = No
> 	netbios name = MYDOMAINFILES
> 	server string = MYDOMAIN Linux Filserver
> 	encrypt passwords = Yes
> 	socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY
> 	dns proxy = Yes
> 	smb ports = 445
> 	log file = /var/log/samba/%m.log
> 	max log size = 50
> 	max xmit = 2048
> 	idmap uid = 10000-20000
> 	idmap gid = 10000-20000
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind separator = +
> 	winbind trusted domains only = No
> 	template homedir = /home/data/homes/%U
> 	template shell = /bin/false
> 	guest ok = No
> 	create mask = 0777
> 	directory mask = 0777
> 	force create mode = 0777
> 	force directory mode = 0777
> 	hide dot files = No
> 	enable privileges = Yes
> 	disable spoolss = Yes
> 	enable asu support = No
> 	add share command = /etc/samba/scripts/share_add
> 	change share command = /etc/samba/scripts/share_change
> 	delete share command = /etc/samba/scripts/share_delete
> 	vfs object = recycle:recycle
>         recycle:repository = PAPIRKURV
>         recycle:keeptree = Yes
>         recycle:touch = Yes
>         recycle:versions = Yes
> include = /etc/samba/shares.conf
> 
> Commands:
> [samba]# net ads info
> LDAP server: 10.10.10.5
> LDAP server name: mydomainad.Mydomain.local
> Realm: MYDOMAIN.LOCAL
> Bind Path: dc=MYDOMAIN,dc=LOCAL
> LDAP port: 389
> Server time: Mon, 13 Nov 2006 09:30:10 CET
> KDC server: 10.10.10.5
> Server time offset: 0
> [samba]# smbclient -d 10 -L \\10.10.10.8 -U og
> INFO: Current debug levels:
>   all: True/10
>   tdb: False/0
>   printdrivers: False/0
>   lanman: False/0
>   smb: False/0
>   rpc_parse: False/0
>   rpc_srv: False/0
>   rpc_cli: False/0
>   passdb: False/0
>   sam: False/0
>   auth: False/0
>   winbind: False/0
>   vfs: False/0
>   idmap: False/0
>   quota: False/0
>   acls: False/0
>   locking: False/0
>   msdfs: False/0
>   dmapi: False/0
> lp_load: refreshing parameters
> Initialising global parameters
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> doing parameter unix charset = LOCALE
> [snip]
> doing parameter workgroup = MYDOMAIN
> doing parameter realm = MYDOMAIN.local
> doing parameter security = ADS
> doing parameter password server = 10.10.10.5
> doing parameter ldap ssl = No
> doing parameter netbios name = MYDOMAINFILES
> handle_netbios_name: set global_myname to: MYDOMAINFILES
> doing parameter server string = MYDOMAIN Linux Filserver
> doing parameter encrypt passwords = Yes
> doing parameter socket options = TCP_NODELAY SO_SNDBUF=65536
> SO_RCVBUF=65536 IPTOS_LOWDELAY
> doing parameter dns proxy = Yes
> doing parameter smb ports = 445
> doing parameter log file = /var/log/samba/%m.log
> doing parameter max log size = 50
> doing parameter max xmit = 2048
> doing parameter idmap uid = 10000-20000
> doing parameter idmap gid = 10000-20000
> doing parameter winbind enum users = Yes
> doing parameter winbind enum groups = Yes
> doing parameter winbind separator = +
> doing parameter winbind trusted domains only = No
> doing parameter template homedir = /home/data/homes/%U
> doing parameter template shell = /bin/false
> doing parameter guest ok = No
> doing parameter create mask = 0777
> doing parameter directory mask = 0777
> doing parameter force create mode = 0777
> doing parameter force directory mode = 0777
> doing parameter hide dot files = No
> doing parameter enable privileges = Yes
> doing parameter disable spoolss = Yes
> doing parameter enable asu support = No
> doing parameter add share command = /etc/samba/scripts/share_add
> doing parameter change share command = /etc/samba/scripts/share_change
> doing parameter delete share command = /etc/samba/scripts/share_delete
> doing parameter vfs object = recycle:recycle
> doing parameter recycle:repository = PAPIRKURV
> doing parameter recycle:keeptree = Yes
> doing parameter recycle:touch = Yes
> doing parameter recycle:versions = Yes
> doing parameter include = /etc/samba/shares.conf
> params.c:pm_process() - Processing configuration file
> "/etc/samba/shares.conf"
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> set_server_role: role = ROLE_DOMAIN_MEMBER
> [snip]
> added interface ip=10.10.10.8 bcast=10.10.10.255 nmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="MYDOMAINFILES"
> Client started (version 3.0.23c-1.fc5).
> Connecting to 10.10.10.8 at port 445
> socket option SO_KEEPALIVE = 0
> socket option SO_REUSEADDR = 0
> socket option SO_BROADCAST = 0
> socket option TCP_NODELAY = 1
> socket option TCP_KEEPCNT = 9
> socket option TCP_KEEPIDLE = 7200
> socket option TCP_KEEPINTVL = 75
> socket option IPTOS_LOWDELAY = 16
> socket option IPTOS_THROUGHPUT = 16
> socket option SO_SNDBUF = 131072
> socket option SO_RCVBUF = 131072
> socket option SO_SNDLOWAT = 1
> socket option SO_RCVLOWAT = 1
> socket option SO_SNDTIMEO = 0
> socket option SO_RCVTIMEO = 0
>  session request ok
> write_socket(4,183)
> write_socket(4,183) wrote 183
> got smb length of 187
> size=187
> smb_com=0x72
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=136
> smb_flg2=51201
> smb_tid=0
> smb_pid=11408
> smb_uid=0
> smb_mid=1
> smt_wct=17
> smb_vwv[ 0]=    7 (0x7)
> smb_vwv[ 1]=12803 (0x3203)
> smb_vwv[ 2]=  256 (0x100)
> smb_vwv[ 3]=    0 (0x0)
> smb_vwv[ 4]=    8 (0x8)
> smb_vwv[ 5]=    0 (0x0)
> smb_vwv[ 6]=  256 (0x100)
> smb_vwv[ 7]=37120 (0x9100)
> smb_vwv[ 8]=   44 (0x2C)
> smb_vwv[ 9]=64768 (0xFD00)
> smb_vwv[10]=33011 (0x80F3)
> smb_vwv[11]=  128 (0x80)
> smb_vwv[12]= 7325 (0x1C9D)
> smb_vwv[13]=65054 (0xFE1E)
> smb_vwv[14]=50950 (0xC706)
> smb_vwv[15]=50177 (0xC401)
> smb_vwv[16]=30463 (0x76FF)
> smb_bcc=118
> [snip]
> size=187
> smb_com=0x72
> smb_rcls=0
> smb_reh=0
> smb_err=0
> smb_flg=136
> smb_flg2=51201
> smb_tid=0
> smb_pid=11408
> smb_uid=0
> smb_mid=1
> smt_wct=17
> smb_vwv[ 0]=    7 (0x7)
> smb_vwv[ 1]=12803 (0x3203)
> smb_vwv[ 2]=  256 (0x100)
> smb_vwv[ 3]=    0 (0x0)
> smb_vwv[ 4]=    8 (0x8)
> smb_vwv[ 5]=    0 (0x0)
> smb_vwv[ 6]=  256 (0x100)
> smb_vwv[ 7]=37120 (0x9100)
> smb_vwv[ 8]=   44 (0x2C)
> smb_vwv[ 9]=64768 (0xFD00)
> smb_vwv[10]=33011 (0x80F3)
> smb_vwv[11]=  128 (0x80)
> smb_vwv[12]= 7325 (0x1C9D)
> smb_vwv[13]=65054 (0xFE1E)
> smb_vwv[14]=50950 (0xC706)
> smb_vwv[15]=50177 (0xC401)
> smb_vwv[16]=30463 (0x76FF)
> smb_bcc=118
> [snip]
> Password:
> Doing spnego session setup (blob length=118)
> got OID=1 2 840 113554 1 2 2
> got OID=1 2 840 48018 1 2 2
> got OID=1 3 6 1 4 1 311 2 2 10
> got principal=cifs/mydomainfiles.mydomain.local at MYDOMAIN.LOCAL
> write_socket(4,168)
> write_socket(4,168) wrote 168
> got smb length of 324
> size=324
> smb_com=0x73
> smb_rcls=22
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51201
> smb_tid=0
> smb_pid=11408
> smb_uid=100
> smb_mid=2
> smt_wct=4
> smb_vwv[ 0]=  255 (0xFF)
> smb_vwv[ 1]=    0 (0x0)
> smb_vwv[ 2]=    0 (0x0)
> smb_vwv[ 3]=  217 (0xD9)
> smb_bcc=281
> [snip]
> size=324
> smb_com=0x73
> smb_rcls=22
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51201
> smb_tid=0
> smb_pid=11408
> smb_uid=100
> smb_mid=2
> smt_wct=4
> smb_vwv[ 0]=  255 (0xFF)
> smb_vwv[ 1]=    0 (0x0)
> smb_vwv[ 2]=    0 (0x0)
> smb_vwv[ 3]=  217 (0xD9)
> smb_bcc=281
> [snip]
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60890215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_CHAL_TARGET_INFO
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60080215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP challenge set by NTLM2
> challenge is:
> [000] 8B 81 0C 92 37 33 38 69                           ....738i
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60080215
>   NTLMSSP_NEGOTIATE_UNICODE
>   NTLMSSP_REQUEST_TARGET
>   NTLMSSP_NEGOTIATE_SIGN
>   NTLMSSP_NEGOTIATE_NTLM
>   NTLMSSP_NEGOTIATE_NTLM2
>   NTLMSSP_NEGOTIATE_128
>   NTLMSSP_NEGOTIATE_KEY_EXCH
> write_socket(4,264)
> write_socket(4,264) wrote 264
> read_socket_with_timeout: timeout read. select timed out.
> receive_smb_raw: length < 0!
> client_receive_smb failed
> size=324
> smb_com=0x73
> smb_rcls=22
> smb_reh=0
> smb_err=49152
> smb_flg=136
> smb_flg2=51201
> smb_tid=0
> smb_pid=11408
> smb_uid=100
> smb_mid=2
> smt_wct=4
> smb_vwv[ 0]=  255 (0xFF)
> smb_vwv[ 1]=    0 (0x0)
> smb_vwv[ 2]=    0 (0x0)
> smb_vwv[ 3]=  217 (0xD9)
> smb_bcc=281
> [snip]
> SPNEGO login failed: NT_STATUS_IO_TIMEOUT
> lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
> session setup failed: Call timed out: server did not respond after 20000
> milliseconds
> 
> Any ideas what's wrong?
> 
> Best regards
> db
> 

-- 
***************************************************************************
* Jean-Vincent BAYARRI                         Ingénieur système & réseau *
* Service Informatique         Laboratoire Central des Ponts et Chaussées *
* 58, boulevard Lefebvre                             75732 PARIS CEDEX 15 *
* Tel 01 40 43 51 70                                   Fax 01 56 56 16 99 *
***************************************************************************
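
A consistency check over the configuration fragments quoted above, as an added example that is not part of the original posts or of Samba. It cross-checks the posted krb5.conf, ldap.conf and smb.conf against the `net ads info` output and reports mismatches only; the function names `parse_kv` and `check_member_config` are hypothetical, and the section list reflects the client-side section names of MIT krb5, where the realm-mapping section is the singular `[domain_realm]`.

```python
import re

# Fragments copied from the quoted post, trimmed to the lines the checks read.
KRB5_CONF = """[libdefaults]
 default_realm = MYDOMAIN.LOCAL
[realms]
 MYDOMAIN.LOCAL = {
   kdc = 10.10.10.5
 }
[domain_realms]
 .MYDOMAIN.local = MYDOMAIN.LOCAL
"""
LDAP_CONF = "host 10.10.10.5\nbase dc=example,dc=com\n"
SMB_GLOBAL = "workgroup = MYDOMAIN\nrealm = MYDOMAIN.local\nsecurity = ADS\n"
NET_ADS_INFO = "Realm: MYDOMAIN.LOCAL\nBind Path: dc=MYDOMAIN,dc=LOCAL\n"

# Client-side krb5.conf section names (MIT krb5); [domain_realm] is singular.
KRB5_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths",
                 "appdefaults", "plugins", "logging"}

def parse_kv(text):
    """Parse 'key = value' or 'key: value' lines into a dict (keys lower-cased)."""
    pairs = re.findall(r"^\s*([^=:\n]+?)\s*[=:]\s*(.+?)\s*$", text, re.M)
    return {k.lower(): v for k, v in pairs}

def check_member_config(krb5, ldap, smb_global, ads_info):
    """Return a list of mismatches between the four inputs."""
    findings = []
    for section in re.findall(r"^\[(\w+)\]", krb5, re.M):
        if section not in KRB5_SECTIONS:
            findings.append(f"krb5.conf: [{section}] is not a known krb5.conf section")
    smb, ads = parse_kv(smb_global), parse_kv(ads_info)
    # Kerberos realm names are case-sensitive, so compare them exactly.
    if smb.get("realm") != ads.get("realm"):
        findings.append(f"smb.conf: realm {smb.get('realm')} != AD realm {ads.get('realm')}")
    # ldap.conf uses 'keyword value' lines; the DN comparison ignores case.
    ldap_kv = dict(line.split(None, 1) for line in ldap.splitlines() if " " in line)
    base = ldap_kv.get("base", "")
    bind_path = ads.get("bind path", "")
    if base.lower() != bind_path.lower():
        findings.append(f"ldap.conf: base {base} != AD bind path {bind_path}")
    return findings

if __name__ == "__main__":
    for finding in check_member_config(KRB5_CONF, LDAP_CONF, SMB_GLOBAL, NET_ADS_INFO):
        print(finding)
```

Run against the posted fragments it reports three mismatches: the `[domain_realms]` header, the lower-case suffix in `realm = MYDOMAIN.local`, and the `dc=example,dc=com` base that differs from the bind path `net ads info` printed.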

