[Samba] windows users can login but OS X users cannot
grant little
grantliddle at gmail.com
Sat Feb 20 14:31:47 MST 2010
Thanks Alex.
I'm not using winbind, just kerberos and LDAP and I have in all cases tried
both domain\username as well as username.
Here's a better dump of the ip log that appens on a failed login attempt
that seems to show that the authentication is OK from os x:
[2010/02/20 13:13:17, 3] smbd/process.c:1453(process_smb)
Transaction 2 of length 366 (0 toread)
[2010/02/20 13:13:17, 3] smbd/process.c:1272(switch_message)
switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
wct=12 flg2=0xc801
[2010/02/20 13:13:17, 3]
smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2010/02/20 13:13:17, 3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
[2010/02/20 13:13:17, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19, 3] smbd/oplock.c:911(init_oplocks)
init_oplocks: initializing messages.
[2010/02/20 13:13:19, 3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
Linux kernel oplocks enabled
[2010/02/20 13:13:19, 3] smbd/process.c:1453(process_smb)
Transaction 0 of length 51 (0 toread)
[2010/02/20 13:13:19, 3] smbd/process.c:1272(switch_message)
switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:19, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:19, 3] smbd/negprot.c:567(reply_negprot)
Requested protocol [NT LM 0.12]
[2010/02/20 13:13:19, 3] smbd/negprot.c:387(reply_nt1)
using SPNEGO
[2010/02/20 13:13:19, 3] smbd/negprot.c:672(reply_negprot)
Selected protocol NT LM 0.12
[2010/02/20 13:13:21, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:21, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2010/02/20 13:13:21, 3] smbd/server.c:848(exit_server_common)
Server exit (failed to receive smb request)
------
what's weird is that there's no sign of the login in auth.log only the test
via windows cleint a few seconds before:
Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session
opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session
closed for user grant
after that nothing...
On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara <alex at receptiveit.com.au>wrote:
> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
> on Ubuntu 9.10
>
> Try using domain\username for the username
>
> To me, it appears to be a bug in winbind not using the default domain, but
> I could be wrong.
>
> Sent from my iPhone
>
>
> On 20/02/2010, at 8:29 PM, grant little <grantliddle at gmail.com> wrote:
>
> Hello,
>> having spent many hours scouring archives, docs, books and googling
>> without
>> finding an answer I need to ask your help on this.
>>
>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can
>> login
>> to the share from windows clients but the same users is denied access when
>> connecting from OS X via GO/Connect To Server in format
>> smb://fqdnofserver
>>
>> user authentication is to active directory using kerberos and LDAP and am
>> not running winbind
>>
>> pam.d/samba is set to allow smb logins, that is shell logins are not
>> permitted for active directory authenticated users. here's that snippet:
>> # /etc/pam.d/samba
>> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
>> account sufficient pam_ldap.so use_first_pass
>> session sufficient pam_ldap.so
>>
>>
>> I have tested my configs on samba 3.0.33 on CENTOS and it works fine there
>> for both OS X and windows
>>
>> the share is setup on
>> /shares/asgs
>> with these permissions:
>> drwxrwsrwx 8 root root 87 2010-02-20 00:17 shares
>> drwxrws--- 2 grant ASGSFileUsers 18 2010-02-20 00:21 asgs
>>
>> here's smb.conf:
>> [global]
>> unix extensions = no
>> disable spoolss = Yes
>> disable netbios = yes
>> name resolve order = hosts
>> workgroup = AD
>> realm = AD.UCSD.EDU
>> server string = %h server (Samba, Ubuntu)
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> log level = 3
>> panic action = /usr/share/samba/panic-action %d
>> security = ads
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> pam password change = no
>> map to guest = bad user
>> usershare allow guests = no
>> [asgs]
>> comment = ASGS
>> path = /shares/asgs
>> browsable = Yes
>> valid users = @ad\ASGSFileUsers
>> write list = @ad\ASGSFileUsers
>> create mask = 2660
>> directory mask = 2770
>>
>> The tail n20 of the log of the conecting ip shows this for an OS X
>> attempt:
>> [2010/02/20 00:56:16, 3]
>> smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>> Linux kernel oplocks enabled
>> [2010/02/20 00:56:16, 3] smbd/process.c:1453(process_smb)
>> Transaction 0 of length 51 (0 toread)
>> [2010/02/20 00:56:16, 3] smbd/process.c:1272(switch_message)
>> switch message SMBnegprot (pid 5658) conn 0x0
>> [2010/02/20 00:56:16, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 00:56:16, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [NT LM 0.12]
>> [2010/02/20 00:56:16, 3] smbd/negprot.c:387(reply_nt1)
>> using SPNEGO
>> [2010/02/20 00:56:16, 3] smbd/negprot.c:672(reply_negprot)
>> Selected protocol NT LM 0.12
>> [2010/02/20 00:56:18, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 00:56:18, 3] smbd/connection.c:31(yield_connection)
>> Yielding connection to
>> [2010/02/20 00:56:18, 3] smbd/server.c:848(exit_server_common)
>> Server exit (failed to receive smb request)
>>
>>
>>
>> Hope someone can give me a pointer where to look next or what to tweak.
>> Let
>> me know if you need other log snippets.
>>
>> Thanks,
>> Grant
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
More information about the samba
mailing list