No subject


Fri Aug 20 08:29:19 MDT 2010 

               net use z:  \\sambapdc\share1 <file:///\\sambapdc\share1>



However I still get prompted for a user name and password.     I don't seem
to have a way to force the "net" command to connect anonymously.



If I can force an anonymous connection from Windows, then I should be OK.
(Again, this share does not contain information that needs much protection.)




Thanks





From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Tuesday, September 14, 2010 1:16 PM
To: samba at lists.samba.org
Subject: RE: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted
domains, ntlm_auth succeeds



Maybe this is some issue with parsing the user name properly?



I noticed that if I have a user in the Windows domain AND a user with the
same name in the Samba domain, then the Windows user can access shares on
the Samba domain.    For example, I have an Administrator account in each
domain.    They do NOT have the same password.  In the example below the
user authenticates to the samba domain using the trusted Windows domain
password.







sambapdc # smbclient "//sambapdc/dept_common" -U " WINDOMAIN \Administrator"

Enter WINDOMAIN Administrator's password:

Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]

smb: \> quit

sambapdc #







So it seems like there are two steps -

               Verify that the user is legitimate (which seems to strip off
the domain component and look for a local name)

               Then authenticate the user (which verifies the domain
component.)





I supposed the hack would be to create some dummy local accounts in the
samba domain to represent each user in the trusted domain.



FYI  smb.conf includes



      winbind enum users = Yes

      winbind enum groups = Yes

      winbind use default domain = no

      winbind trusted domains only = no





winbindd.log keeps showing



[2010/09/14 13:05:49,  3]
winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)

 [ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser





I have never got an answer for what "pam auth crap domain" means.





Thanks



From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Tuesday, September 14, 2010 9:19 AM
To: samba at lists.samba.org
Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains,
ntlm_auth succeeds, wbinfo not caching



FYI



The ntlm_auth command does work with users from the trusted domain.





sambapdc# ntlm_auth --username "WINDOMAIN\winuser"

password:

NT_STATUS_OK: Success (0x0)

sambapdc #





(winuser is the user in the trusted Windows 2003 AD domain.)



I also removed a trust relationship with a 2nd Windows domain  that was no
longer active-  this fixed the slow "wbinfo -u" response but did not fix the
smbclient authentication issue to the existing windows domain.





From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Monday, September 13, 2010 3:55 PM
To: samba at lists.samba.org
Subject: NT_STATUS_NO_SUCH_USER for trusted domains





I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC.  I
have trusted domains setup with a Windows 2003 Active Directory domain in
"2003 native" mode.    Everything is  in an LDAP backend (unix accounts for
the Samba domain, idmap entries for trusted domains.)  The Solaris 10 PDC is
also an ldap/nfs server for linux and solaris clients.



Assuming

               SAMBAPDC is the Solaris 10 PDC for the domain called
"SAMBADOMAIN."

               WINSERVER is the PDC for the Win 2003 AD domain called
"WINDOMAIN."

               "winuser" is a user in the "WINDOMAIN" domain.





This was working for some time.    Now, however, users in the Windows domain
can no longer access resources on the samba domain.   On a windows PC in the
trs   Smbclient on the PDC or on a linux workstation  also fails, so this
does not seem to be a mismatch in NTLM versions between windows and samba.
Samba log files show "NT_STATUS_NO_SUCH_USER."





sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
<file:///\\SAMBAPDC>

session setup failed: NT_STATUS_LOGON_FAILURE








"wbinfo -u" does list the users from the trusted  Windows domain.



The "/etc/nsswitch.conf" file  has the following entries



passwd:     files ldap winbind

group:      files ldap winbind





"getent passwd" command does list users from the trusted Windows domain.

"id "WINDOMAIN/winuser""  command  returns valid uid and gid values.

"wbinfo -s " and "winbinfo -n" commands show matching name-to-sid and
sid-to-name entries.







"Getent passwd" lists unix accounts from ldap quickly.  There is a delay of
about 10 seconds before it starts listing winbind users (i.e. from the
trusted domain.)   I suspect that the names are not getting returned to
samba fast enough.









sambapdc# cat winserver.log

.

.

[2010/09/13 08:02:04,  3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)

 NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[]
PrimaryD

omain=[Windows Server 2003 R2 5.2]

[2010/09/13 08:02:04,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)

 Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24
len2=24

[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)

 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1

[2010/09/13 08:02:04,  3] smbd/uid.c:428(push_conn_ctx)

 push_conn_ctx(0) : conn_ctx_stack_ndx = 0

[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)

 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)

 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0

[2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)

 check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[li

nus]@[WINSERVER] with the new password interface

[2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)

 check_ntlm_password:  mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]

[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)

 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1

[2010/09/13 08:02:04,  3] smbd/uid.c:428(push_conn_ctx)

 push_conn_ctx(0) : conn_ctx_stack_ndx = 0

[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)

 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1

[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)

 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0

[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)

 check_ntlm_password:  Authentication for user [winuser] -> [winuser]
FAILED with e

rror NT_STATUS_NO_SUCH_USER

[2010/09/13 08:02:04,  3] smbd/error.c:60(error_packet_set)

 error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_

FAILURE

[2010/09/13 08:02:12,  2] smbd/process.c:1988(deadtime_fn)

 Closing idle connection

[2010/09/13 08:02:12,  3] smbd/server.c:146(msg_exit_server)

 got a SHUTDOWN message

[2010/09/13 08:02:12,  3] smbd/sec_ctx.c:310(set_sec_ctx)

 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0

[2010/09/13 08:02:12,  3] smbd/connection.c:31(yield_connection)

 Yielding connection to

[2010/09/13 08:02:12,  3] smbd/server.c:845(exit_server_common)

 Server exit (normal exit)

#







sambapdc #testparm -v | grep timeout



       passwd chat timeout = 2

       name cache timeout = 660

       cups connection timeout = 30

       machine password timeout = 604800

       ldap timeout = 15

       ldap connection timeout = 2







Help is appreciated.



Thanks





--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list