[Samba] windows users can login but OS X users cannot

grant little grantliddle at gmail.com
Sat Feb 20 14:31:47 MST 2010


Thanks Alex.
I'm not using winbind, just kerberos and LDAP and I have in all cases tried
both domain\username as well as username.

Here's a better dump of the ip log that happens on a failed login attempt
that seems to show that the authentication is OK from os x:
[2010/02/20 13:13:17,  3] smbd/process.c:1453(process_smb)
  Transaction 2 of length 366 (0 toread)
[2010/02/20 13:13:17,  3] smbd/process.c:1272(switch_message)
  switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:17,  3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2010/02/20 13:13:17,  3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17,  3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
[2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19,  3] smbd/oplock.c:911(init_oplocks)
  init_oplocks: initializing messages.
[2010/02/20 13:13:19,  3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2010/02/20 13:13:19,  3] smbd/process.c:1453(process_smb)
  Transaction 0 of length 51 (0 toread)
[2010/02/20 13:13:19,  3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:19,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:19,  3] smbd/negprot.c:567(reply_negprot)
  Requested protocol [NT LM 0.12]
[2010/02/20 13:13:19,  3] smbd/negprot.c:387(reply_nt1)
  using SPNEGO
[2010/02/20 13:13:19,  3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LM 0.12
[2010/02/20 13:13:21,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:21,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
------
what's weird is that there's no sign of the login in auth.log, only the test
via windows client a few seconds before:
Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session
opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session
closed for user grant
after that nothing...

On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara <alex at receptiveit.com.au> wrote:

> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
> on Ubuntu 9.10
>
> Try using domain\username for the username
>
> To me, it appears to be a bug in winbind not using the default domain, but
> I could be wrong.
>
> Sent from my iPhone
>
>
> On 20/02/2010, at 8:29 PM, grant little <grantliddle at gmail.com> wrote:
>
>  Hello,
>> having spent many hours scouring archives, docs, books and googling
>> without
>> finding an answer I need to ask your help on this.
>>
>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can
>> login
>> to the share from windows clients but the same users are denied access when
>> connecting from OS X  via GO/Connect To Server in format
>> smb://fqdnofserver
>>
>> user authentication is to active directory  using kerberos and LDAP and am
>> not running winbind
>>
>> pam.d/samba is set to allow smb logins, that is shell logins are not
>> permitted for active directory authenticated users. here's that snippet:
>> # /etc/pam.d/samba
>> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
>> account sufficient pam_ldap.so use_first_pass
>> session sufficient pam_ldap.so
>>
>>
>> I have tested my configs on samba 3.0.33 on CENTOS and it works fine there
>> for both OS X and windows
>>
>> the share is setup on
>> /shares/asgs
>> with these permissions:
>> drwxrwsrwx   8 root root   87 2010-02-20 00:17 shares
>> drwxrws--- 2 grant ASGSFileUsers  18 2010-02-20 00:21 asgs
>>
>> here's smb.conf:
>> [global]
>>  unix extensions = no
>>  disable spoolss = Yes
>>  disable netbios = yes
>>  name resolve order = hosts
>>  workgroup = AD
>>  realm = AD.UCSD.EDU
>>  server string = %h server (Samba, Ubuntu)
>>  dns proxy = no
>>  log file = /var/log/samba/log.%m
>>  max log size = 1000
>>  syslog = 0
>>  log level = 3
>>  panic action = /usr/share/samba/panic-action %d
>>  security = ads
>>  encrypt passwords = true
>>  passdb backend = tdbsam
>>  obey pam restrictions = yes
>>  unix password sync = yes
>>  pam password change = no
>>  map to guest = bad user
>>  usershare allow guests = no
>> [asgs]
>>  comment = ASGS
>>  path = /shares/asgs
>>  browsable = Yes
>>  valid users = @ad\ASGSFileUsers
>>  write list = @ad\ASGSFileUsers
>>  create mask = 2660
>>  directory mask = 2770
>>
>> The tail n20 of the log of the connecting ip shows this for an OS X
>> attempt:
>> [2010/02/20 00:56:16,  3]
>> smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>>  Linux kernel oplocks enabled
>> [2010/02/20 00:56:16,  3] smbd/process.c:1453(process_smb)
>>  Transaction 0 of length 51 (0 toread)
>> [2010/02/20 00:56:16,  3] smbd/process.c:1272(switch_message)
>>  switch message SMBnegprot (pid 5658) conn 0x0
>> [2010/02/20 00:56:16,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 00:56:16,  3] smbd/negprot.c:567(reply_negprot)
>>  Requested protocol [NT LM 0.12]
>> [2010/02/20 00:56:16,  3] smbd/negprot.c:387(reply_nt1)
>>  using SPNEGO
>> [2010/02/20 00:56:16,  3] smbd/negprot.c:672(reply_negprot)
>>  Selected protocol NT LM 0.12
>> [2010/02/20 00:56:18,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 00:56:18,  3] smbd/connection.c:31(yield_connection)
>>  Yielding connection to
>> [2010/02/20 00:56:18,  3] smbd/server.c:848(exit_server_common)
>>  Server exit (failed to receive smb request)
>>
>>
>>
>> Hope someone can give me a pointer where to look next or what to tweak.
>> Let
>> me know if you need other log snippets.
>>
>> Thanks,
>> Grant
>>
>
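
Added example, not part of the original thread: a Python parser for the smbd "log level = 3" layout quoted above. It groups each header with its message lines (tolerating a header split across two lines) and reports, per smbd pid, the SMB commands seen, the NTLMSSP identity logged and the exit reason. The sample is an excerpt of the log in the message; attributing a record to the most recent "switch message" pid is an assumption of this example, since the records carry no pid of their own.

```python
import re
# Excerpt of the smbd log quoted in the message, with one mail-wrapped header.
SAMPLE = """\
[2010/02/20 13:13:17,  3] smbd/process.c:1272(switch_message)
  switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17,  3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19,  3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:21,  3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s*(.*)$")
LOCATION = re.compile(r"^\S+:\d+\((\w+)\)$")
SWITCH = re.compile(r"switch message (\w+) \(pid (\d+)\)")
NTLMSSP = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
EXIT = re.compile(r"Server exit \((.*)\)")

def parse_records(text):  # header line + indented message lines -> records
    records = []
    for line in text.splitlines():
        head = HEADER.match(line)
        tail = head.group(2) if head else line
        loc = LOCATION.match(tail.strip())
        if head:
            records.append({"time": head.group(1), "func": loc and loc.group(1), "msg": ""})
        elif loc and records and records[-1]["func"] is None:
            records[-1]["func"] = loc.group(1)  # header wrapped onto a second line
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize(records):
    """Per-pid summary; each record goes to the most recent pid seen (heuristic)."""
    out, pid = {}, None
    for rec in records:
        if sw := SWITCH.search(rec["msg"]):
            pid = sw.group(2)
            out.setdefault(pid, {"commands": [], "auth": [], "exit": None})["commands"].append(sw.group(1))
        auth, ex = NTLMSSP.search(rec["msg"]), EXIT.search(rec["msg"])
        if pid and auth:
            out[pid]["auth"].append(auth.groups())
        if pid and ex:
            out[pid]["exit"] = ex.group(1)
    return out
```

Calling `summarize(parse_records(SAMPLE))` puts the `SMBsesssetupX` request and the `grant`/`AD`/`GRANT` identity under pid 6039 and the `SMBnegprot` request and the exit reason under pid 6040, which makes it easier to line the smbd records up against the timestamps in auth.log.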

