[Samba] Samba server as part of AD domain keeps asking for username and password

Wolfgang.Mair at emerson.com
Thu Sep 4 09:25:30 GMT 2008


Hello all,

I'm trying to set up my samba server rev 3.2.3 on opensuse 10.3 as a
member of the active directory domain, so that client connections can be
authenticated by the AD server. Unfortunately when I try to connect to
the samba server from a windows XP system, it keeps on asking me for
user name and password.

I've been reading through various howto's and descriptions but no matter
what I change on the settings I still get the same result. The samba
server keeps on asking me for username and password. :(

So hopefully someone can help me out with this.

Here is my config:

[libdefaults]
default_realm = TESTDOM.ORG
clockskew = 300
#dns_lookup_realm = false
#dns_lookup_kdc = false

[realms]
TESTDOM.ORG = {
kdc = SRV.testdom.org
}

[domain_realms]
.testdom.org = TESTDOM.ORG

[logging]
default = FILE:/var/log/krb5/krb5libs.log 
kdc = FILE:/var/log/krb5/kdc.log 
kadmind = FILE:/var/log/krb5/kadmind.log


With this config I can execute the kinit command and get a ticket which
I can view with klist.


Here is the smb.conf file:
[global]
workgroup = TESTDOM
netbios name = jaguar
realm = TESTDOM.ORG
idmap uid = 100000-1000000
idmap gid = 100000-1000000
security = ads
encrypt passwords = yes
password server = 10.88.36.6
client use spnego = yes
Client ntlmv2 auth = yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
preferred master = No
local master = No
domain master = No
printing = cups
cups options = raw
print command =
lpq command = %p
lprm command =

[woma]
comment = test folder for ads
path = /home/woma
browseable = yes
read only = No
guest ok = no
create mask = 0770
directory mask = 0770


(/home/woma is set to chmod 777)

With this config I am able to execute wbinfo -u and get a list of users.
But I have to execute it a few times until I see the list. Is this
normal? However I am able to map a sid to user and do other queries for
user information with wbinfo.

I guess this is all I need so far. Now if I open explorer on the windows
box and enter \\jaguar I get the user name and password prompt all the
time. Also entering username and password won't change anything.

The log file says 'invalid user' which I believe is the problem. But
why?????

[2008/08/29 11:40:00, 3] smbd/negprot.c:reply_nt1(364)
using SPNEGO
[2008/08/29 11:40:00, 3] smbd/negprot.c:reply_negprot(606)
Selected protocol NT LM 0.12
[2008/08/29 11:40:00, 3] smbd/process.c:process_smb(1069)
Transaction 1 of length 1668
[2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 21191) conn 0x0
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
wct=12 flg2=0xc807
[2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
Doing spnego session setup
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1436
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/process.c:process_smb(1069)
Transaction 2 of length 1668
[2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 21191) conn 0x0
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
wct=12 flg2=0xc807
[2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
Doing spnego session setup
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1436
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username TESTDOM\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/process.c:timeout_processing(1329)
timeout_processing: End of file from client (client has disconnected).
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2008/08/29 11:40:00, 3] smbd/server.c:exit_server_common(768)
Server exit (normal exit)


Below is a smbclient debug. It fails at the spnego but for what reason?

prinz:~ # smbclient -d 4 -U awm013 -W TESTDOM -L jaguar
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = TESTDOM
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter printcap cache time = 750
doing parameter cups options = raw
doing parameter map to guest = Bad User
doing parameter usershare allow guests = Yes
doing parameter passdb backend = smbpasswd
pm_process() returned Yes
added interface ip=192.168.230.30 bcast=192.168.230.255 nmask=255.255.255.0
added interface ip=10.88.35.136 bcast=10.88.35.255 nmask=255.255.255.0
added interface ip=192.168.200.4 bcast=192.168.200.255 nmask=255.255.255.0
added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
Client started (version 3.0.26a-3.7-1787-SUSE-SL10.3).
Connecting to 10.88.35.133 at port 445
 session request ok
Password:
Doing spnego session setup (blob length=107)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/jaguar.testdom.org@TESTDOM.ORG
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE


Thanks for any help on this.

Wolfgang
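
Added example (not part of the original post, and not Samba code): the smbd log above records the Kerberos ticket name at reply_spnego_kerberos(321) before the username is rejected at reply_spnego_kerberos(439), and this script pairs those two events for each failed session setup. The sample lines are constructed from the format shown in the post; the function names and stage labels are hypothetical.

```python
import re

# Constructed sample in the smbd "log level = 3" layout shown in the post:
# a "[timestamp, level] file:function(line)" header followed by the message.
SAMPLE_LOG = """\
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username TESTDOM\\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]")
TICKET = re.compile(r"Ticket name is \[([^\]]+)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
ERROR = re.compile(r"error packet at .*?\b(NT_STATUS_\w+)")

def records(text):
    """Yield (timestamp, text) per record; wrapped continuation lines are joined."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(parts)
            ts, parts = m.group(1), [line[m.end():].strip()]
        elif ts is not None:
            parts.append(line.strip())
    if ts is not None:
        yield ts, " ".join(parts)

def failed_session_setups(text):
    """One finding per error packet, noting what smbd logged before it."""
    findings, principal, rejected = [], None, None
    for ts, body in records(text):
        if m := TICKET.search(body):
            principal, rejected = m.group(1), None
        elif m := INVALID.search(body):
            rejected = m.group(1)
        elif m := ERROR.search(body):
            stage = "username-rejected-after-ticket" if principal and rejected else "other"
            findings.append({"time": ts, "status": m.group(1), "stage": stage,
                             "principal": principal, "rejected_user": rejected})
            principal = rejected = None
    return findings

if __name__ == "__main__":
    for finding in failed_session_setups(SAMPLE_LOG):
        print(finding)
```

A "username-rejected-after-ticket" finding means smbd had already read the principal from the ticket when it rejected the name, so the next thing to check is whether the host resolves that name to an account, for example with getent passwd.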

