[Samba] Samba trusts, mapping issue, and pam crap domain
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Nov 18 15:50:59 MST 2009
Before getting into too much detail:
Is it possible that my Samba PDC server is trying to treat the
Windows PDC as an Active Directory domain controller (which of course it
is) rather than a Windows NT4 server (which it should be emulating)?
Would it be easier to set up a Kerberos trust between my Samba
server and the Windows Active Directory?
Maybe this will help isolate what is going wrong:
If I type the following command from a solaris or linux workstation
-> smbclient -U "WINDOMAIN\linus" -L SMBPDC
Enter WINDOMAIN\linus's password:
session setup failed: NT_STATUS_LOGON_FAILURE
->
If I have restarted winbind, and this is the first smbclient attempt,
/var/samba/log/wb-WINDOMAIN.log shows me the following:
...
[2009/11/18 17:28:22, 3] nsswitch/winbindd_cm.c:(504)
cm_get_ipc_userpass: No auth-user defined
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe
\lsarpc fnum 0xc000 bind request returned ok.
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe
\lsarpc fnum 0xc004 bind request returned ok.
[2009/11/18 17:28:22, 3] rpc_parse/parse_lsa.c:(224)
lsa_io_sec_qos: length c does not match size 8
[2009/11/18 17:28:22, 3] nsswitch/winbindd_pam.c:(1755)
[17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
rpc_pipe_bind: Remote machine winpdc.windomain.domain.comi.com pipe
\NETLOGON fnum 0xc002 bind request returned ok.
[2009/11/18 17:28:22, 3] rpc_client/cli_pipe.c:(2082)
rpc_pipe_bind: Remote machine winpdc.windomain.domain.com pipe
\NETLOGON fnum 0xc003 bind request returned ok.
...
Subsequent smbclient attempts just get logged as
[2009/11/18 17:35:31, 3] nsswitch/winbindd_pam.c:(1755)
[17996]: pam auth crap domain: WINDOMAIN user: linus
But if I type the wrong password, I will get
[2009/11/18 17:37:56, 3] nsswitch/winbindd_pam.c:(1755)
[17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:37:56, 2] nsswitch/winbindd_pam.c:(1941)
NTLM CRAP authentication for user [WINDOMAIN]\[linus] returned
NT_STATUS_WRONG_PASSWORD (PAM: 9)
So it is definitely validating the password.
smbpdc # ntlm_auth --username=linus --domain=WINDOMAIN
password:
NT_STATUS_OK: Success (0x0)
smbpdc# wbinfo -a WINDOMAIN\\linus%Password
plaintext password authentication succeeded
challenge/response password authentication succeeded
asterix#
(Although I would have expected plaintext to fail.)
If I type
-> smbclient -U "WINDOMAIN\linus" -L SMBPDC
but then don't enter a password, I will still see a list of shares (I
guess anonymously?)
If I type
-> smbclient -U "WINDOMAIN\Administrator" -L SMBPDC
I will get a list of shares. This will happen with any account name
that exists in both domains, even if the password is different. So it
all seems to point to a mapping issue of some sort.
Why does PAM even come into play? Do I need to enable winbind in
pam.conf? I don't want to enable ssh or other "unix" level logins for
the trusted users.
Thanks
On 11/17/09 14:16, Gaiseric Vandal wrote:
>
>
> I am running Samba ver 3.0.37 on Solaris 10 (sparc) as a PDC with LDAP as
> the backend for both Samba and Unix accounts. Assume the Samba SMBPDC is
> called "PDC."
>
> I have also set up a trust with a Windows domain- let's call it
> WINDOMAIN- (the PDC for the Windows domain is Win 2003 but is in mixed
> mode for backwards compat.) The SAMBA domain trusts the WINDOWS domain,
> not vice versa. Assume the Windows PDC is called "WINPDC."
>
>
> I have winbind enabled. Idmap entries are stored in the backend.
>
>
> On the Windows domain, I have a login script which maps R: to
> \\PDC\dept\common. The "dept" share does not explicitly set or deny any
> users. The "common" directory has unix perms of "rwxrwxr-t."
>
> On the SMBPDC
>
> smbpdc# getent passwd | grep linus
> WINDOMAIN\linus:*:30197:30037:Linus Van Pelt:/home/WINDOMAIN/linus:/bin/false
> smbpdc#
>
>
> smbpdc -3.00# id "WINDOMAIN\linus"
> uid=30197(ADMINISTRATION\linus) gid=30037(WINDOMAIN\domain users)
> bash-3.00# id linus
> id: invalid user name: "linus"
> smbpdc -3.00#
>
> Smb.conf includes
> -------------------------
>
> ntlm auth = Yes
>
> passdb backend = ldapsam:ldap://ldap1.mydomain.com
> ldap suffix=o=mydomain.com
> ldap user suffix=ou=people
> ldap group suffix=ou=smb_groups
> ldap machine suffix=ou=machines
> ldap admin dn="cn=Directory Manager"
> ldap ssl = no
> ldap passwd sync = no
> ldap idmap suffix=ou=idmap
>
> winbind enum users = Yes
> winbind enum groups = no
> winbind use default domain = no
> winbind trusted domains only = no
>
> #ldap time out default is 15 sec
> ldap timeout=30
>
> # idmap domains = WINDOMAIN, TESTDOMAIN
> idmap domains = WINDOMAIN
>
>
> idmap config WINDOMAIN:backend = ldap
> idmap config WINDOMAIN:readonly = no
> idmap config WINDOMAIN:default=no
> idmap config WINDOMAIN:ldap_base_dn = ou=windomain,ou=idmap,o=mydomain.com
> idmap config WINDOMAIN:ldap_user_dn = cn=Directory Manager
> idmap config WINDOMAIN:ldap_url = ldap1.mydomain.com
> idmap config WINDOMAIN:range = 30000-39999
>
>
> #idmap config TESTDOMAIN:backend = ldap
> #idmap config TESTDOMAIN:readonly = no
> #idmap config TESTDOMAIN:default=no
> #idmap config TESTDOMAIN:ldap_base_dn = ou=testdomain,ou=idmap,o=mydomain.com
> #idmap config TESTDOMAIN:ldap_user_dn = cn=Directory Manager
> #idmap config TESTDOMAIN:ldap_url = ldap1.mydomain.com
> #idmap config TESTDOMAIN:range = 40000-49999
>
>
>
> idmap alloc backend = ldap
> idmap alloc config:ldap_base_dn = ou=alloc,ou=idmap,o=mydomain.com
> idmap alloc config:ldap_user_dn = cn=Directory Manager
> idmap alloc config:ldap_url = ldap1.mydomain.com
> idmap alloc config:range = 70000 - 79999
>
>
>
> [dept]
> path = /zexport/Dept
> read only = No
> create mask = 0770
> force create mode = 0600
> directory mask = 0775
> force directory mode = 0600
> inherit permissions = Yes
> inherit acls = Yes
> hide special files = Yes
> vfs objects = zfsacl
> zfsacl:acesort = dontcare
> nfs4:mode = special
> nfs4:chown = yes
> nfs4:acedup = merge
>
> --------------------
>
>
>
> I have a test user "linus" on the WINDOMAIN domain. If I log into a
> WINDOMAIN account on WINPDC, I am prompted for credentials on the
> SAMBA/SMBPDC share and am denied. This used to work (sort of) - I
> recently added the Solaris patch to update from 3.0.35 to 3.0.37.
>
>
> The /var/log/samba/WINPDC.log file shows
>
> ...
>
>
> check_ntlm_password: Checking password for unmapped user
> [WINDOMAIN]\[linus]@[WINPDC] with the new password interface
> [2009/11/17 11:54:25, 3] auth/auth.c:(224)
> check_ntlm_password: mapped user is: [WINDOMAIN]\[linus]@[ WINPDC]
> [2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(208)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2009/11/17 11:54:25, 3] smbd/uid.c:(408)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(241)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2009/11/17 11:54:25, 3] smbd/sec_ctx.c:(356)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2009/11/17 11:54:25, 2] auth/auth.c:(319)
> check_ntlm_password: Authentication for user [linus] -> [linus] FAILED
> with error NT_STATUS_NO_SUCH_USER
> [2009/11/17 11:54:25, 3] smbd/error.c:(106)
> error packet at smbd/sesssetup.c(107) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> [2009/11/17 11:54:35, 3] smbd/process.c:(1083)
> ...
>
>
> The /var/samba/log/log.wb-WINDOMAIN shows
>
> ...
> [2009/11/17 08:14:48, 3] nsswitch/winbindd_pam.c:(1755)
> [13932]: pam auth crap domain: WINDOMAIN user: lucy
> ...
> [13932]: pam auth crap domain: WINDOMAIN user: charlie
> [2009/11/17 10:59:54, 3] nsswitch/winbindd_pam.c:(1755)
> [13932]: pam auth crap domain: WINDOMAIN user: Administrator
> [2009/11/17 10:59:54, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-21-xxxx
> [2009/11/17 10:59:54, 3] nsswitch/winbindd_ads.c:(1062)
> ads: fetch sequence_number for WINDOMAIN
> [2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
> get_dc_list: preferred server list: ", *"
> [2009/11/17 10:59:54, 3] libads/ldap.c:(443)
> Connected to LDAP server 192.168.0.71
> [2009/11/17 10:59:54, 3] libsmb/namequery.c:(1557)
> get_dc_list: preferred server list: ", *"
> [2009/11/17 10:59:54, 3] libads/ldap.c:(443)
> Connected to LDAP server 192.168.0.71
> [2009/11/17 10:59:54, 3] libads/ldap.c:(443)
> Connected to LDAP server 192.168.0.71
> [2009/11/17 10:59:54, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2009/11/17 10:59:54, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2009/11/17 10:59:54, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2009/11/17 10:59:54, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2009/11/17 10:59:54, 3] libads/sasl.c:(300)
> ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
> [2009/11/17 10:59:54, 3] libsmb/clikrb5.c:(593)
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache file
> found)
> [2009/11/17 10:59:55, 3] libsmb/clikrb5.c:(528)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Tue, 17 Nov 2009 20:59:55 EST
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
> sid_to_name [rpc] S-1-5-xxxx for domain WINDOMAIN
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-xxxx-
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
> sid_to_name [rpc] S-1-5-21-xxxxx for domain WINDOMAIN
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-21-xxxx
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
> sid_to_name [rpc] S-1-5-21-xxxx for domain WINDOMAIN
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-21-xxxx
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
> sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-512 for domain
> WINDOMAIN
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-21-xxxx
> [2009/11/17 10:59:55, 3] nsswitch/winbindd_rpc.c:(304)
> sid_to_name [rpc] S-1-5-21-1935655697-920026266-725345543-519 for domain
> WINDOMAIN
> [2009/11/17 11:00:01, 3] nsswitch/winbindd_pam.c:(1755)
> [13932]: pam auth crap domain: WINDOMAIN user: Administrator
> [2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-xxxx
> [2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-xxxx
> [2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5xxxxx
> [2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-xxxx
> [2009/11/17 11:00:02, 3] nsswitch/winbindd_async.c:(754)
> [13932]: lookupsid S-1-5-xxxx
> [2009/11/17 11:28:15, 3] nsswitch/winbindd_ads.c:(1062)
> ads: fetch sequence_number for WINDOMAIN
> [2009/11/17 11:28:15, 3] libads/ldap.c:(745)
> ads_do_paged_search_args: ldap_search_with_timeout((objectclass=*)) ->
> Timelimit exceeded
> [2009/11/17 11:28:15, 3] libads/ldap_utils.c:(76)
> Reopening ads connection to realm WINDOMAIN.DOMAIN.COM' after error
> Timelimit exceeded
> [2009/11/17 11:28:15, 3] libsmb/namequery.c:(1557)
> get_dc_list: preferred server list: ", *"
> [2009/11/17 11:28:15, 3] libads/ldap.c:(443)
> Connected to LDAP server 192.168.0.71
> [2009/11/17 11:28:15, 3] libads/ldap.c:(443)
> Connected to LDAP server 192.168.0.71
> [2009/11/17 11:28:15, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
> [2009/11/17 11:28:15, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
> [2009/11/17 11:28:15, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
> [2009/11/17 11:28:15, 3] libads/sasl.c:(291)
> ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
> [2009/11/17 11:28:15, 3] libads/sasl.c:(300)
> ads_sasl_spnego_bind: got server principal name = SMBPDC$@WINDOMAIN.DOMAIN.COM
> [2009/11/17 11:28:15, 3] libsmb/clikrb5.c:(528)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Tue, 17 Nov 2009 20:59:55 EST
> [2009/11/17 11:28:15, 3] nsswitch/winbindd_rpc.c:(342)
> ...
>
>
>
>
> I am not using kerberos for anything. As far as I know, this should be
> an "NT4" type trust. NTLM a It seems to be some sort of mapping error?
>
>
> It looks like it doesn't handle the domain component properly, so strips
> it off, and then tries to authenticate just the user name- which of
> course it can't.
>
> Thoughts?
>
> Thanks
>
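A check a reader of the quoted smb.conf would want before chasing the trust itself: are the idmap ranges disjoint, is every domain in `idmap domains` actually configured, and do the uid/gid that `getent`/`id` returned for WINDOMAIN\linus (30197 / 30037) fall inside WINDOMAIN's range? The script below is an added example, not code from the thread or from the Samba project. It parses a constructed, un-wrapped copy of the posted fragment plus a constructed variant with a deliberately overlapping TESTDOMAIN range (an assumption for illustration; the thread does not report such a clash).

```python
import re

# Constructed smb.conf fragment, un-wrapped from the one quoted in the thread
# (values as posted; TESTDOMAIN is still commented out there).
POSTED_CONF = """
winbind use default domain = no
winbind trusted domains only = no
idmap domains = WINDOMAIN
idmap config WINDOMAIN:backend = ldap
idmap config WINDOMAIN:range = 30000-39999
#idmap config TESTDOMAIN:backend = ldap
#idmap config TESTDOMAIN:range = 40000-49999
idmap alloc backend = ldap
idmap alloc config:range = 70000 - 79999
"""

# Constructed variant: a second domain whose range overlaps WINDOMAIN's.
# This is an assumed misconfiguration for illustration, not one from the thread.
OVERLAPPING_CONF = POSTED_CONF.replace(
    "#idmap config TESTDOMAIN:range = 40000-49999",
    "idmap config TESTDOMAIN:range = 35000-44999",
)

ALLOC = "idmap alloc"  # label for the allocation pool range

_PARAM = re.compile(r"^\s*([^=#;]+?)\s*=\s*(.*?)\s*$")
_DOMAIN_RANGE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*range$", re.I)
_ALLOC_RANGE = re.compile(r"^idmap\s+alloc\s+config\s*:\s*range$", re.I)
_RANGE_VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def parse_params(conf_text):
    """Return smb.conf `key = value` pairs, skipping comments and section headers."""
    params = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":
            continue
        m = _PARAM.match(stripped)
        if m:
            params.append((m.group(1), m.group(2)))
    return params


def parse_ranges(conf_text):
    """Map each idmap domain (and the alloc pool) to its (low, high) uid/gid range."""
    ranges = {}
    for key, value in parse_params(conf_text):
        m = _DOMAIN_RANGE.match(key)
        name = m.group(1) if m else (ALLOC if _ALLOC_RANGE.match(key) else None)
        if name is None:
            continue
        r = _RANGE_VALUE.match(value)
        if not r:
            raise ValueError(f"unparsable range for {name}: {value!r}")
        low, high = int(r.group(1)), int(r.group(2))
        if low > high:
            raise ValueError(f"inverted range for {name}: {low}-{high}")
        ranges[name] = (low, high)
    return ranges


def overlapping(ranges):
    """Pairs of range names that intersect; any overlap makes SID<->id mapping ambiguous."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                clashes.append((a, b))
    return clashes


def domain_for_id(ranges, numeric_id):
    """Name the range a uid/gid falls in, or None if winbind could not have issued it."""
    for name, (low, high) in ranges.items():
        if low <= numeric_id <= high:
            return name
    return None


def missing_ranges(conf_text, ranges):
    """Domains listed in `idmap domains` that have no configured range."""
    listed = []
    for key, value in parse_params(conf_text):
        if key.lower() == "idmap domains":
            listed = [d.strip() for d in value.replace(",", " ").split()]
    return [d for d in listed if d not in ranges]


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("overlapping", OVERLAPPING_CONF)):
        ranges = parse_ranges(conf)
        print(label, ranges)
        print("  clashes:", overlapping(ranges))
        print("  listed but unconfigured:", missing_ranges(conf, ranges))
    # uid/gid from the getent/id output quoted in the thread, plus two controls
    good = parse_ranges(POSTED_CONF)
    for n in (30197, 30037, 75000, 1001):
        print(n, "->", domain_for_id(good, n))
```

On the posted values the two ids land in WINDOMAIN's range and the ranges are disjoint, so the idmap layout itself is consistent with the `getent` output; the clash only appears in the constructed variant.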
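The winbindd and smbd excerpts above are easier to reason about once each authentication attempt is paired with its result. The script below is an added example, not code from the thread or from Samba: it groups Samba debug output into records (re-joining wrapped lines), pairs each `pam auth crap` request with the following `NTLM CRAP authentication ... returned` line, and flags the smbd pattern the poster describes, where `mapped user is: [WINDOMAIN]\[linus]` is followed by a failure that names only the bare `[linus]`. The sample log is constructed from the quoted lines. One interpretation is taken from the thread and labelled as such: at this debug level a correct password produced only the request line while a wrong one added the level-2 result line, so a request with no result line is counted as accepted.

```python
import re
from collections import Counter

# Constructed sample assembled from the log excerpts quoted in the thread
# (log.wb-WINDOMAIN lines first, then smbd lines from the WINPDC log).
SAMPLE_LOG = r"""
[2009/11/18 17:28:22, 3] nsswitch/winbindd_pam.c:(1755)
  [17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:35:31, 3] nsswitch/winbindd_pam.c:(1755)
  [17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:37:56, 3] nsswitch/winbindd_pam.c:(1755)
  [17996]: pam auth crap domain: WINDOMAIN user: linus
[2009/11/18 17:37:56, 2] nsswitch/winbindd_pam.c:(1941)
  NTLM CRAP authentication for user [WINDOMAIN]\[linus] returned
  NT_STATUS_WRONG_PASSWORD (PAM: 9)
[2009/11/17 11:54:25, 3] auth/auth.c:(224)
  check_ntlm_password: mapped user is: [WINDOMAIN]\[linus]@[WINPDC]
[2009/11/17 11:54:25, 2] auth/auth.c:(319)
  check_ntlm_password: Authentication for user [linus] -> [linus] FAILED
  with error NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s+(\S+)")
PAM_REQ = re.compile(r"\[(\d+)\]: pam auth crap domain: (\S+) user: (\S+)")
PAM_RES = re.compile(r"NTLM CRAP authentication for user \[([^\]]*)\]\\\[([^\]]*)\]"
                     r" returned (NT_STATUS_\w+)")
SMBD_MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[\s*([^\]]*)\]")
SMBD_FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED"
                         r" with error (NT_STATUS_\w+)")


def parse_records(text):
    """Group Samba debug output into header+message records; wrapped lines are re-joined."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "src": m.group(3), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def triage(text):
    """One event per auth attempt: daemon, domain, user, status, and a note on odd patterns."""
    events = []
    pending = []        # winbindd requests still waiting for a result line
    last_mapped = None  # most recent smbd (domain, user, workstation) from 'mapped user is'
    for rec in parse_records(text):
        msg = rec["msg"]
        m = PAM_REQ.search(msg)
        if m:
            ev = {"ts": rec["ts"], "daemon": "winbindd", "domain": m.group(2),
                  "user": m.group(3), "status": None, "note": ""}
            events.append(ev)
            pending.append(ev)
            continue
        m = PAM_RES.search(msg)
        if m:
            dom, user, status = m.groups()
            # the result line carries no pid, so pair it with the newest open request
            for ev in reversed(pending):
                if (ev["domain"], ev["user"]) == (dom, user):
                    ev["status"] = status
                    pending.remove(ev)
                    break
            continue
        m = SMBD_MAPPED.search(msg)
        if m:
            last_mapped = m.groups()
            continue
        m = SMBD_FAILED.search(msg)
        if m:
            user, mapped_to, status = m.groups()
            dom = last_mapped[0] if last_mapped and last_mapped[1] == user else ""
            note = ""
            if dom and "\\" not in user:
                # the poster's hypothesis: domain present at mapping, gone at lookup
                note = f"mapped to [{dom}]\\[{user}] but failed lookup used bare [{user}]"
            events.append({"ts": rec["ts"], "daemon": "smbd", "domain": dom,
                           "user": user, "status": status, "note": note})
    return events


def summarize(events):
    """Count outcomes per (domain, user, daemon). A winbindd request with no result line is
    labelled accepted, following the thread's observation that only a wrong password logs one."""
    counts = Counter()
    for ev in events:
        status = ev["status"] or (
            "accepted (no result logged)" if ev["daemon"] == "winbindd" else "unknown")
        counts[(ev["domain"], ev["user"], ev["daemon"], status)] += 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ev in found:
        print(ev)
    for key, n in sorted(summarize(found).items()):
        print(n, key)
```

Run against a real log.wb-<DOMAIN> and smbd log, the summary separates "winbind validated the credentials" from "smbd could not find the user afterwards", which is the split the poster is trying to establish by hand with ntlm_auth and wbinfo -a.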