[Samba] smb_auth problem

VINICIUS KWIECIEN RUOSO vkr07 at c3sl.ufpr.br
Mon Sep 1 12:36:04 GMT 2008


I don't know what I'm doing wrong. I configured this authentication correctly
some time before, but this time it's not working.

An I missing something crusial here?
For me all looks normal. :(


Thanks a lot

On Mon, Sep 01, 2008 at 12:42:14PM +0100, Jon Wilson wrote:
> Sorry for the misleading information.
> 
> I use censornet and that stopped authenticating to the domain when I
> did the upgrade to 3.2.x - I thought you might be suffering the same
> issue.
> 
> Jon
> 
> 
> 2008/9/1 Vinicius Ruoso <vkr07 at c3sl.ufpr.br>:
> > Hi Jon Wilson,
> >
> > Really thanks for your fast response. But the "lanman auth = yes" added
> > to global directive of my smb.conf don't make any effect on smb_auth
> > authentication process. The response still the same. :(
> >
> > Do you have any other idea of what can be done to fix it?
> > Any hope is very welcome. I'm trying to get this work a long time.
> >
> > 8<-------------------------------------------------------------------
> > The following are the man entry to lanman auth:
> > It looks like that this option don't affect smbclient requests.
> >
> > lanman auth (G)
> >
> >           This parameter determines whether or not smbd(8) will attempt to
> >           authenticate users or permit password changes using the LANMAN
> >           password hash. If disabled, only clients which support NT password
> >           hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows
> >           95/98 or the MS DOS network client) will be able to connect to the
> >           Samba host.
> >
> >           The LANMAN encrypted response is easily broken, due to it´s
> >           case-insensitive nature, and the choice of algorithm. Servers
> >           without Windows 95/98/ME or MS DOS clients are advised to disable
> >           this option.
> >
> >           Unlike the encrypt passwords option, this parameter cannot alter
> >           client behaviour, and the LANMAN response will still be sent over
> >           the network. See the client lanman auth to disable this for
> > Samba´s
> >           clients (such as smbclient)
> >
> >           If this option, and ntlm auth are both disabled, then only NTLMv2
> >           logins will be permited. Not all clients support NTLMv2, and most
> >           will require special configuration to use it.
> >
> >           Default: lanman auth = no
> >
> > 8<-------------------------------------------------------------------
> >
> >
> >
> >> Since upgrading to 3.2.x I had to enable
> >>
> >> lanman auth = yes
> >>
> >> in my smb.conf
> >>
> >> (thats from memory - you may want to check the man page)
> >>
> >> It fixed it for me.
> >>
> >> Jon
> >>
> >>
> >> 2008/8/31 Vinicius Ruoso <vkr07 at c3sl.ufpr.br>:
> >>> Hi samba community.
> >>>
> >>> I'm having a problem with the smb_auth authentication method. Everything
> >>> looks like normal, but everytime I try to use smb_auth it returns ERR.
> >>>
> >>> I will show here some commands output to secure that all configuration
> >>> is
> >>> correct, and if anyone can help me to investigate what's happend I'll
> >>> thanks.
> >>>
> >>>
> >>> I'm using: Debian lenny, updated.
> >>>
> >>> ii  samba          2:3.2.3-1
> >>> ii  squid          2.7.STABLE3-1
> >>>
> >>> XXXXXXXXXX its the correct password.
> >>>
> >>> 8<----------------------------------
> >>> sek:/home# /usr/lib/squid/smb_auth -W SEKPLASTICOS -U 127.0.0.1 -d
> >>> vinicius XXXXXXXXXXX
> >>> Domain name: SEKPLASTICOS
> >>> Pass-through authentication: no
> >>> Query address options: -U 127.0.0.1 -R
> >>> Domain controller IP address: 10.0.0.1
> >>> Domain controller NETBIOS name: SEK
> >>> Contents of //SEK/NETLOGON/proxyauth:
> >>> ERR
> >>> 8<----------------------------------
> >>>
> >>> But, look at the smbclient command.
> >>>
> >>> vinicius at sek:~$ smbclient "//SEK/netlogon" XXXXXXXXXXX -c "get proxyauth
> >>> -"
> >>> Domain=[SEKPLASTICOS] OS=[Unix] Server=[Samba 3.2.3]
> >>> allow
> >>> getting file \proxyauth of size 6 as - (5,9 kb/s) (average 5,9 kb/s)
> >>>
> >>> Running smb_auth with user "vinicius" don't work too.
> >>> 8<----------------------------------
> >>>
> >>> Some permission and configs:
> >>>
> >>> 8<----------------------------------
> >>> The smb_auth permissions
> >>>
> >>> sek:/usr/lib/squid# ls -l /usr/lib/squid/
> >>> total 284
> >>> -rwxr-xr-x 1 root  root   15212 Jul  6 06:28 digest_pw_auth
> >>> -rwxr-xr-x 1 root  root   11636 Jul  6 06:26 diskd-daemon
> >>> -rwxr-sr-- 1 proxy shadow  7988 Jul  6 06:28 getpwnam_auth
> >>> -rwxr-xr-x 1 root  root   10312 Jul  6 06:28 ip_user_check
> >>> -rwxr-xr-x 1 root  root   17544 Jul  6 06:28 ldap_auth
> >>> -rwxr-xr-x 1 root  root    5464 Jul  6 06:26 logfile-daemon
> >>> -rwxr-xr-x 1 root  root   32828 Jul  6 06:28 msnt_auth
> >>> -rwxr-xr-x 1 root  root   15748 Jul  6 06:28 ncsa_auth
> >>> -rwxr-xr-x 1 root  root   42216 Jul  6 06:28 ntlm_auth
> >>> -rwxr-sr-- 1 proxy shadow 10696 Jul  6 06:28 pam_auth
> >>> -rwxr-xr-x 1 root  root    9552 Jul  6 06:28 smb_auth
> >>> -rwxr-xr-x 1 root  root    2287 Jul  6 06:23 smb_auth.sh
> >>> -rwxr-xr-x 1 root  root   22848 Jul  6 06:28 squid_kerb_auth
> >>> -rwxr-xr-x 1 root  root   19000 Jul  6 06:28 squid_ldap_group
> >>> -rwxr-xr-x 1 root  root    5996 Jul  6 06:28 squid_session
> >>> -rwxr-xr-x 1 root  root   10248 Jul  6 06:28 squid_unix_group
> >>> -rwxr-xr-x 1 root  root    3732 Jul  6 06:26 unlinkd
> >>> -rwxr-xr-x 1 root  root    2359 Abr  9  2007 wbinfo_group.pl
> >>> -rwxr-xr-x 1 root  root    8776 Jul  6 06:28 yp_auth
> >>>
> >>>
> >>> 8<----------------------------------
> >>> The SMB configuration
> >>>
> >>> sek:/usr/lib/squid# cat /etc/samba/smb.conf
> >>> # Samba config file created using SWAT
> >>> # from 192.168.0.2 (192.168.0.2)
> >>> # Date: 2008/04/04 23:07:20
> >>>
> >>> [global]
> >>>    workgroup = sekplasticos
> >>>    netbios name = sek
> >>>    server string = sek
> >>>    security = user
> >>>    null passwords = No
> >>>    encrypt passwords = true
> >>>    unix password sync = No
> >>>    unix charset = iso8859-1
> >>>    display charset = cp850
> >>>    log level = 3
> >>>    log file = /var/log/samba_log.%u
> >>>    keepalive = 20
> >>>    socket options = IPTOS_LOWDELAY TCP_NODELAY
> >>>    logon path = \\sek\sysvol\%U
> >>>    logon drive = P
> >>>    domain logons = Yes
> >>>    os level = 100
> >>>    preferred master = Yes
> >>>    domain master = Yes
> >>>    local master = Yes
> >>>    wins support = Yes
> >>>    ldap ssl = no
> >>>    comment = Servidor Sek
> >>>    admin users = vinicius
> >>>    time server = Yes
> >>>    hosts allow = 127., 192.168.0., 10.0.0.
> >>>
> >>> [homes]
> >>>    comment = Pastas dos Usuarios
> >>>    browseable = No
> >>>    writable = Yes
> >>>    create mask = 0600
> >>>    directory mask = 0700
> >>>    valid users = %S
> >>>
> >>> [netlogon]
> >>>    comment = Compartilhamento de Scripts
> >>>    path = /home/netlogon
> >>>    public = Yes
> >>>    browseable = Yes
> >>>    writable = Yes
> >>>
> >>> [sysvol]
> >>>    comment = System Volume
> >>>    path = /home/sysvol
> >>>    writable = Yes
> >>>    guest ok = Yes
> >>>    share modes = No
> >>>    browseable = No
> >>>    hide files = /desktop.ini/ntuser.ini/NTUSER.*/
> >>>
> >>> [publico]
> >>>   comment = publico
> >>>   path = /home/publico
> >>>   guest ok = No
> >>>   writable = Yes
> >>>   create mask = 0644
> >>>   directory mask = 0777
> >>>   public = Yes
> >>>
> >>> [aplicativos]
> >>>   comment = aplicativos
> >>>   path = /home/aplicativos
> >>>   guest ok = No
> >>>   writable = Yes
> >>>   browseable = Yes
> >>>   create mask = 0600
> >>>   directory mask = 0700
> >>>   valid users = gilberto
> >>> sek:/usr/lib/squid#
> >>>
> >>> 8<----------------------------------
> >>> The NETLOGON permissions and proxyauth
> >>>
> >>> sek:/home/netlogon# ls -l
> >>> total 4
> >>> -rwxrwxrwx 1 root root 6 Ago 31 17:35 proxyauth
> >>> sek:/home/netlogon# ls -ld
> >>> drwxrwxrwx 2 root root 22 Ago 31 17:35 .
> >>> sek:/home/netlogon# cat proxyauth
> >>> allow
> >>> 8<----------------------------------
> >>>
> >>>
> >>> Really thanks if someone could help me.
> >>>
> >>> --
> >>> Vinicius Ruoso - vkr07 at c3sl.ufpr.br
> >>> C3SL: http://www.c3sl.ufpr.br
> >>>
> >>> --
> >>> To unsubscribe from this list go to the following URL and read the
> >>> instructions:  https://lists.samba.org/mailman/listinfo/samba
> >>>
> >>
> >
> >
> > --
> > Vinicius Ruoso - vkr07 at c3sl.ufpr.br
> > C3SL: http://www.c3sl.ufpr.br
> >
> >

-- 
---
Vinicius Kwiecien Ruoso - vkr07 at c3sl.ufpr.br
C3SL: http://www.c3sl.ufpr.br


More information about the samba mailing list