[Samba] Option valid user not expanded for groups

Tiucra-Popa Florin Catalin popa_c at yahoo.com
Fri Apr 27 16:40:06 GMT 2007


Good evening again,


Increasing the log level, I found that the expansion is not made because of the empty user:

[2007/04/27 19:26:57, 3] smbd/process.c:process_smb(1110)
  Transaction 89 of length 290
[2007/04/27 19:26:57, 3] smbd/process.c:switch_message(914)
  switch message SMBsesssetupX (pid 221358) conn 0x0
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/27 19:26:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(849)
  wct=12 flg2=0xc807
[2007/04/27 19:26:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(660)
  Doing spnego session setup
[2007/04/27 19:26:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(691)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/04/27 19:26:57, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(672)
  Got user=[] domain=[] workstation=[BROM900LMLY7HA] len1=1 len2=0
[2007/04/27 19:26:57, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user []\[]@[BROM900LMLY7HA] with the new password interface
[2007/04/27 19:26:57, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [TPDCBR]\[]@[BROM900LMLY7HA]
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/04/27 19:26:57, 3] smbd/uid.c:push_conn_ctx(345)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/04/27 19:26:57, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/27 19:26:57, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 19:26:57, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2007/04/27 19:26:57, 3] smbd/process.c:process_smb(1110)
  Transaction 90 of length 90

Could it be a bug in the check_ntlm_password function?

Thank you.

FlorinT

----- Original Message ----
From: Mauricio Silveira <msilveira at linuxbr.com>
To: Tiucra-Popa Florin Catalin <popa_c at yahoo.com>
Cc: sambalist <samba at lists.samba.org>
Sent: Friday, April 27, 2007 3:34:01 PM
Subject: Re: [Samba] Option valid user not expanded for groups


I believe this won't be possible via smb.conf.
As far as I know, group names with spaces are invalid under *nix.
Try to gather some more information about the use of the net command 
such as "net groupmap list".
I guess you will have to try some other way. I've got small knowledge 
about ADS and SAMBA as BDC.
Maybe this auth should be performed by the ADS server or should you try 
further help about "net ads".

Mauricio

Tiucra-Popa Florin Catalin wrote:
> Hi,
>
> I have an AIX 5.3 machine with Samba 3.0.24c joined into one Windows 2003 ADS server OK.
> I can request basic information, user lookup, domain lookup (wbinfo, id, net groupmap).
>
> When I want to access the share \\node05\brom from one Windows station I receive a popup window password.
>
> In the log of the samba for that machine I found:
>
> [2007/04/27 10:48:27, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> [2007/04/27 10:48:28, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> [2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2007/04/27 10:48:29, 2] smbd/sesssetup.c:setup_new_vc_session(799)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2007/04/27 10:48:29, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password:  authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
> [2007/04/27 10:48:29, 2] smbd/service.c:make_connection_snum(580)
>   user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
> [2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
> [2007/04/27 10:48:53, 2] smbd/sesssetup.c:setup_new_vc_session(799)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2007/04/27 10:48:53, 2] smbd/sesssetup.c:setup_new_vc_session(799)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password:  authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
> [2007/04/27 10:48:53, 2] smbd/service.c:make_connection_snum(580)
>   user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
>
> My smb.conf looks like:
>
> [global]
> unix charset = LOCALE
> workgroup = TPDCBR
> realm = TPDCBR.ROM
> netbios name = NODE05
> dns proxy = No
> server string = NODE05 AIX
> security = ads
> password server = 10.99.0.4
> encrypt passwords = yes
> name resolve order = host
> log level = 10
> syslog = 0
> username map = /samba/private/smbusers
> log file = /samba/var/log/%m
> max log size = 5000
> ldap ssl = no
> winbind uid = 10000-59999
> winbind gid = 10000-59999
> idmap uid = 10000-60000
> idmap gid = 10000-60000
> template shell = /bin/ksh
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind nested groups = Yes
> winbind separator = +
> auth methods = winbind
> acl compatibility = win2k
> winbind cache time = 10
> bind interfaces only = yes
> client use spnego = no
> socket address = 10.99.0.201
> allow trusted domains = no
> #use kerberos keytab = yes
> socket options = TCP_NODELAY
> #map acl inherit = Yes
> [brom]
> comment = inhouse brom
> path = /u09/inhouse/brom
> read only = No
> browseable = yes
> #valid users =@"Computers", @"domain users"
> valid users = @"domain users"
> create mask = 0777
> directory mask = 0777
> force create mode = 0777
> force directory mode = 0777
>
>
> I also made a test with only one user valid like this:
> valid users = TPDCBR.ROM+node05
> and this is working ok.
>
> Thank you.
>
>
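
Added example, not part of the original thread or of Samba's code: a small Python parser for the smbd log format quoted above that separates authentication failures (such as the empty-user attempts) from share authorization denials for a user who did authenticate. The function names are hypothetical; the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Record header as it appears in this thread, e.g.
# [2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(319)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
AUTH_FAIL = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\S+)")
AUTH_OK = re.compile(r"authentication for user \[(.*?)\] -> \[(.*?)\] -> \[(.*?)\] succeeded")
SHARE_DENY = re.compile(r"user '(.+?)' \(from session setup\) not permitted "
                        r"to access this share \((.+?)\)")

def parse_records(text):
    """Join each header line with its indented continuation lines."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()  # tolerate mail-quoted logs
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def summarize(text):
    """Per-user counts of auth failures, auth successes and share denials."""
    out = defaultdict(lambda: {"auth_failed": 0, "auth_ok": 0, "share_denied": []})
    for rec in parse_records(text):
        if (m := AUTH_FAIL.search(rec["msg"])):
            out[m.group(2) or "<empty>"]["auth_failed"] += 1
        elif (m := AUTH_OK.search(rec["msg"])):
            out[m.group(3)]["auth_ok"] += 1
        elif (m := SHARE_DENY.search(rec["msg"])):
            out[m.group(1)]["share_denied"].append(m.group(2))
    return dict(out)

def authorization_failures(text):
    """Users who authenticated successfully but were refused by a share."""
    return {user: sorted(set(s["share_denied"]))
            for user, s in summarize(text).items()
            if s["auth_ok"] and s["share_denied"]}

# Sample lines copied from the log quoted in this thread.
SAMPLE = """
[2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/04/27 10:48:53, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [node05] -> [node05] -> [TPDCBR+node05] succeeded
[2007/04/27 10:48:53, 2] smbd/service.c:make_connection_snum(580)
  user 'TPDCBR+node05' (from session setup) not permitted to access this share (brom)
"""
```
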
