[Samba] Re: smbclient with Kerberos works, smbclient with NTLM does not?

Peter Rosenthal voiperster at gmail.com
Sat Mar 21 07:52:28 GMT 2009


It turned out that my problem was caused by LMCompatibilityLevel on Windows
being set to 5. I have set this to 3 and now smbclient NTLM authentication
works. Setting "client ntlmv2 auth = yes" also allowed smbclient NTLM
authentication to work while LMCompatibilityLevel was still set to 5.

My question is: shouldn't Samba have negotiated a working protocol
regardless of the client ntlmv2 auth setting in smb.conf? The Windows server
in question is Windows 2003 R2.


2009/3/20 Peter Rosenthal <voiperster at gmail.com>

> If someone could at least give me an idea of how to go about debugging this
> problem (relevant log files/debug levels/errors on windows itself) I would
> be very grateful.
>
>
> 2009/3/16 Peter Rosenthal <voiperster at gmail.com>
>
>> Hello,
>>
>> I am investigating some strange authentication problems with our network.
>> I am attempting to access a share on a DC with smbclient. If I authenticate
>> with Kerberos (kinit, then smbclient -k) then everything works fine. If,
>> instead, I use -U administrator -W DOMAIN, or just -U administrator, I get
>>
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> This is samba 3.3.2.
>>
>> Here is the d5 output from smbclient:
>>
>> INFO: Current debug levels:
>>   all: True/5
>>   tdb: False/0
>>   printdrivers: False/0
>>   lanman: False/0
>>   smb: False/0
>>   rpc_parse: False/0
>>   rpc_srv: False/0
>>   rpc_cli: False/0
>>   passdb: False/0
>>   sam: False/0
>>   auth: False/0
>>   winbind: False/0
>>   vfs: False/0
>>   idmap: False/0
>>   quota: False/0
>>   acls: False/0
>>   locking: False/0
>>   msdfs: False/0
>>   dmapi: False/0
>>   registry: False/0
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> params.c:pm_process() - Processing configuration file
>> "/etc/samba/smb.conf"
>> Processing section "[global]"
>> doing parameter workgroup = TESTDOMAIN
>> doing parameter server string = Samba Server Version %v
>> doing parameter log file = /var/log/samba/log.%m
>> doing parameter max log size = 50
>> doing parameter security = ads
>> doing parameter realm = TESTDOMAIN.COM
>> doing parameter encrypt passwords = yes
>> doing parameter winbind enum users = yes
>> doing parameter winbind enum groups = yes
>> doing parameter winbind use default domain = yes
>> doing parameter winbind separator = /
>> doing parameter winbind nested groups = yes
>> doing parameter winbind refresh tickets = true
>> doing parameter winbind nss info = rfc2307
>> doing parameter use kerberos keytab = yes
>> doing parameter idmap config TESTDOMAIN : backend = ad
>> doing parameter idmap config TESTDOMAIN : range = 10000-999999
>> doing parameter idmap config TESTDOMAIN : schema_mode = rfc2307
>> doing parameter winbind offline logon = yes
>> doing parameter template homedir = /home/%U
>> pm_process() returned Yes
>> Attempting to register new charset UCS-2LE
>> Registered charset UCS-2LE
>> Attempting to register new charset UTF-16LE
>> Registered charset UTF-16LE
>> Attempting to register new charset UCS-2BE
>> Registered charset UCS-2BE
>> Attempting to register new charset UTF-16BE
>> Registered charset UTF-16BE
>> Attempting to register new charset UTF8
>> Registered charset UTF8
>> Attempting to register new charset UTF-8
>> Registered charset UTF-8
>> Attempting to register new charset ASCII
>> Registered charset ASCII
>> Attempting to register new charset 646
>> Registered charset 646
>> Attempting to register new charset ISO-8859-1
>> Registered charset ISO-8859-1
>> Attempting to register new charset UCS2-HEX
>> Registered charset UCS2-HEX
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> added interface eth0 ip=X bcast=X:ffff:ffff:ffff:ffff
>> netmask=ffff:ffff:ffff:ffff::
>> added interface eth0 ip=X bcast=fe80::ffff:ffff:ffff:ffff%eth0
>> netmask=ffff:ffff:ffff:ffff::
>> added interface eth0 ip=192.168.0.7 bcast=192.168.0.255
>> netmask=255.255.255.0
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Substituting charset 'UTF-8' for LOCALE
>> Netbios name list:-
>> my_netbios_names[0]="EL5"
>> Client started (version 3.3.2).
>> Opening cache file at /var/lib/samba/gencache.tdb
>> tdb(unnamed): tdb_open_ex: could not open file
>> /var/lib/samba/gencache.tdb: Permission denied
>> gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only.
>> sitename_fetch: Returning sitename for TESTDOMAIN.COM: "SITE1"
>> no entry for dc1#20 found.
>> resolve_lmhosts: Attempting lmhosts lookup for name dc1<0x20>
>> getlmhostsent: lmhost entry: 127.0.0.1 localhost
>> resolve_wins: Attempting wins lookup for name dc1<0x20>
>> resolve_wins: WINS server resolution selected and no WINS servers listed.
>> resolve_hosts: Attempting host lookup for name dc1<0x20>
>> namecache_store: storing 1 address for dc1#20: 192.168.0.4
>> Connecting to 192.168.0.4 at port 445
>> socket option SO_KEEPALIVE = 0
>> socket option SO_REUSEADDR = 0
>> socket option SO_BROADCAST = 0
>> socket option TCP_NODELAY = 1
>> socket option TCP_KEEPCNT = 9
>> socket option TCP_KEEPIDLE = 7200
>> socket option TCP_KEEPINTVL = 75
>> socket option IPTOS_LOWDELAY = 0
>> socket option IPTOS_THROUGHPUT = 0
>> socket option SO_SNDBUF = 16384
>> socket option SO_RCVBUF = 87380
>> socket option SO_SNDLOWAT = 1
>> socket option SO_RCVLOWAT = 1
>> socket option SO_SNDTIMEO = 0
>> socket option SO_RCVTIMEO = 0
>>  session request ok
>> size=175
>> smb_com=0x72
>> smb_rcls=0
>> smb_reh=0
>> smb_err=0
>> smb_flg=136
>> smb_flg2=51201
>> smb_tid=0
>> smb_pid=32067
>> smb_uid=0
>> smb_mid=1
>> smt_wct=17
>> smb_vwv[ 0]=    9 (0x9)
>> smb_vwv[ 1]=12807 (0x3207)
>> smb_vwv[ 2]=  256 (0x100)
>> smb_vwv[ 3]= 1024 (0x400)
>> smb_vwv[ 4]=   17 (0x11)
>> smb_vwv[ 5]=    0 (0x0)
>> smb_vwv[ 6]=  256 (0x100)
>> smb_vwv[ 7]=    0 (0x0)
>> smb_vwv[ 8]=    0 (0x0)
>> smb_vwv[ 9]=64768 (0xFD00)
>> smb_vwv[10]=  499 (0x1F3)
>> smb_vwv[11]=12416 (0x3080)
>> smb_vwv[12]=13890 (0x3642)
>> smb_vwv[13]=27340 (0x6ACC)
>> smb_vwv[14]=51622 (0xC9A6)
>> smb_vwv[15]=41985 (0xA401)
>> smb_vwv[16]=    1 (0x1)
>> smb_bcc=106
>> size=175
>> smb_com=0x72
>> smb_rcls=0
>> smb_reh=0
>> smb_err=0
>> smb_flg=136
>> smb_flg2=51201
>> smb_tid=0
>> smb_pid=32067
>> smb_uid=0
>> smb_mid=1
>> smt_wct=17
>> smb_vwv[ 0]=    9 (0x9)
>> smb_vwv[ 1]=12807 (0x3207)
>> smb_vwv[ 2]=  256 (0x100)
>> smb_vwv[ 3]= 1024 (0x400)
>> smb_vwv[ 4]=   17 (0x11)
>> smb_vwv[ 5]=    0 (0x0)
>> smb_vwv[ 6]=  256 (0x100)
>> smb_vwv[ 7]=    0 (0x0)
>> smb_vwv[ 8]=    0 (0x0)
>> smb_vwv[ 9]=64768 (0xFD00)
>> smb_vwv[10]=  499 (0x1F3)
>> smb_vwv[11]=12416 (0x3080)
>> smb_vwv[12]=13890 (0x3642)
>> smb_vwv[13]=27340 (0x6ACC)
>> smb_vwv[14]=51622 (0xC9A6)
>> smb_vwv[15]=41985 (0xA401)
>> smb_vwv[16]=    1 (0x1)
>> smb_bcc=106
>> Doing spnego session setup (blob length=106)
>> got OID=1 2 840 48018 1 2 2
>> got OID=1 2 840 113554 1 2 2
>> got OID=1 2 840 113554 1 2 2 3
>> got OID=1 3 6 1 4 1 311 2 2 10
>> got principal=dc1$@TESTDOMAIN.COM
>> size=410
>> smb_com=0x73
>> smb_rcls=22
>> smb_reh=0
>> smb_err=49152
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=32067
>> smb_uid=55296
>> smb_mid=2
>> smt_wct=4
>> smb_vwv[ 0]=  255 (0xFF)
>> smb_vwv[ 1]=  410 (0x19A)
>> smb_vwv[ 2]=    0 (0x0)
>> smb_vwv[ 3]=  227 (0xE3)
>> smb_bcc=367
>> size=410
>> smb_com=0x73
>> smb_rcls=22
>> smb_reh=0
>> smb_err=49152
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=32067
>> smb_uid=55296
>> smb_mid=2
>> smt_wct=4
>> smb_vwv[ 0]=  255 (0xFF)
>> smb_vwv[ 1]=  410 (0x19A)
>> smb_vwv[ 2]=    0 (0x0)
>> smb_vwv[ 3]=  227 (0xE3)
>> smb_bcc=367
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x62898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_CHAL_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP challenge set by NTLM2
>> challenge is:
>> [000] DB DB CB 5D EC FE A9 86                           ...]....
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM2
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> size=35
>> smb_com=0x73
>> smb_rcls=109
>> smb_reh=0
>> smb_err=49152
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=32067
>> smb_uid=55296
>> smb_mid=3
>> smt_wct=0
>> smb_bcc=0
>> size=35
>> smb_com=0x73
>> smb_rcls=109
>> smb_reh=0
>> smb_err=49152
>> smb_flg=136
>> smb_flg2=51205
>> smb_tid=0
>> smb_pid=32067
>> smb_uid=55296
>> smb_mid=3
>> smt_wct=0
>> smb_bcc=0
>> SPNEGO login failed: Logon failure
>>
>>
>
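
An added example (not part of the original post and not Samba project code): it decodes the neg_flags values from the -d5 output above and flags the pattern this thread describes, an NTLM2 session response ("challenge set by NTLM2", which belongs to the NTLMv1 family) followed by a logon failure, which is what a server that accepts only NTLMv2 responses returns when "client ntlmv2 auth" is off. Flag bit values are taken from MS-NLMP; the sample lines are copied from the log above, and the function names and the heuristic itself are assumptions of this example.

```python
import re

# Bit values from MS-NLMP; names as Samba prints them in the log above.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x00800000: "NTLMSSP_CHAL_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}

# Constructed sample: the authentication-relevant lines of the -d5 output above.
SAMPLE_LOG = """\
Got challenge flags:
Got NTLMSSP neg_flags=0x62898215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP challenge set by NTLM2
SPNEGO login failed: Logon failure
"""

def decode_flags(value):
    """Return (names of set flags, bits that are not in the table)."""
    names = [name for bit, name in NTLMSSP_FLAGS.items() if value & bit]
    unknown = value & ~sum(NTLMSSP_FLAGS)
    return names, unknown

def diagnose(log):
    """Report the final flags and whether an NTLM2 session response was refused."""
    flags = [int(m, 16) for m in re.findall(r"neg_flags=(0x[0-9A-Fa-f]+)", log)]
    final = flags[-1] if flags else 0
    # Samba logs this line when it builds an NTLM2 session response, not NTLMv2.
    ntlm2_session = "challenge set by NTLM2" in log
    refused = "SPNEGO login failed: Logon failure" in log
    return {
        "final_flags": decode_flags(final)[0],
        "dropped_by_client": decode_flags(flags[0] & ~final)[0] if flags else [],
        "ntlm2_session_response": ntlm2_session,
        # Heuristic: the response type was refused, so try client ntlmv2 auth = yes.
        "likely_ntlmv2_only_server": ntlm2_session and refused,
    }

if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

None of the negotiate flags selects between an NTLMv1-family and an NTLMv2 response, so the flag lists look the same whether or not the server will accept the response the client goes on to send.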

