[Samba] Client Windows accessing Samba Share (krb5/ad2008/winbind)

Thiago Ferreira thiagoferreira05 at gmail.com
Mon Jul 5 13:01:38 MDT 2010 

I have a Samba server, its joinning on AD2008, the commands bellow has
sucess when I test:

# net ads testjoin
Join is OK
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -u
# wbinfo -g
# net ads user
# net ads group
# net ads user info administrator
# wbinfo -u
# wbinfo -g

However, I need to open your share on the Windows Client(WinXP), but it
doesn't work, stay asking login/passwd.

Follows the logs:
==> log.__ffff_10.215.0.232 <==
[2010/07/05 15:21:55,  3] smbd/oplock.c:init_oplocks(875)
  init_oplocks: initializing messages.
[2010/07/05 15:21:55,  3] smbd/oplock_linux.c:linux_init_kernel_oplocks(241)
  Linux kernel oplocks enabled
[2010/07/05 15:21:55,  3] smbd/process.c:process_smb(1570)
  Transaction 0 of length 137 (0 toread)
[2010/07/05 15:21:55,  3] smbd/process.c:switch_message(1374)
  switch message SMBnegprot (pid 6326) conn 0x0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN1.0]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [Windows for Workgroups 3.1a]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LM1.2X002]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN2.1]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [NT LM 0.12]
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_nt1(392)
  using SPNEGO
[2010/07/05 15:21:55,  3] smbd/negprot.c:reply_negprot(673)
  Selected protocol NT LM 0.12
[2010/07/05 15:21:55,  3] smbd/process.c:process_smb(1570)
  Transaction 1 of length 240 (0 toread)
[2010/07/05 15:21:55,  3] smbd/process.c:switch_message(1374)
  switch message SMBsesssetupX (pid 6326) conn 0x0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2010/07/05 15:21:55,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/07/05 15:21:55,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 40
[2010/07/05 15:21:55,  3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0xa2088207
[2010/07/05 15:21:55,  3] smbd/process.c:process_smb(1570)
  Transaction 2 of length 358 (0 toread)
[2010/07/05 15:21:55,  3] smbd/process.c:switch_message(1374)
  switch message SMBsesssetupX (pid 6326) conn 0x0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=12 flg2=0xc807
[2010/07/05 15:21:55,  2] smbd/sesssetup.c:setup_new_vc_session(1363)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2010/07/05 15:21:55,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2010/07/05 15:21:55,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[thiago.ferreira] domain=[GRANSAPORE] workstation=[TI-09] len1=24
len2=24

==> log.ti-09 <==
[2010/07/05 15:21:55,  3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password:  Checking password for unmapped user
[GRANSAPORE]\[thiago.ferreira]@[TI-09] with the new password interface
[2010/07/05 15:21:55,  3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password:  mapped user is:
[GRANSAPORE]\[thiago.ferreira]@[TI-09]
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/07/05 15:21:55,  3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [thiago.ferreira] ->
[thiago.ferreira] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/07/05 15:21:55,  3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2010/07/05 15:21:55,  3] smbd/process.c:smbd_process(2068)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2010/07/05 15:21:55,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/07/05 15:21:55,  3] smbd/connection.c:yield_connection(31)
  Yielding connection to
[2010/07/05 15:21:55,  3] smbd/server.c:exit_server_common(949)
  Server exit (normal exit)

==> log.wb-GRANSAPORE <==
[2010/07/05 15:21:55,  3]
winbindd/winbindd_pam.c:winbindd_dual_pam_auth_crap(1825)
  [ 6311]: pam auth crap domain: GRANSAPORE user: thiago.ferreira

==> log.winbindd <==
[2010/07/05 15:21:55,  3]
winbindd/winbindd_misc.c:winbindd_interface_version(757)
  [ 6326]: request interface version
[2010/07/05 15:21:55,  3]
winbindd/winbindd_misc.c:winbindd_priv_pipe_dir(790)
  [ 6326]: request location of privileged pipe
[2010/07/05 15:21:55,  3] winbindd/winbindd_misc.c:winbindd_domain_info(657)
  [ 6326]: domain_info [GRANSAPORE]
[2010/07/05 15:21:55,  3]
winbindd/winbindd_pam.c:winbindd_pam_auth_crap(1754)
  [ 6326]: pam auth crap domain: [GRANSAPORE] user: thiago.ferreira
[2010/07/05 15:21:55,  3]
winbindd/winbindd_misc.c:winbindd_interface_version(757)
  [ 6326]: request interface version
[2010/07/05 15:21:55,  3]
winbindd/winbindd_misc.c:winbindd_priv_pipe_dir(790)
  [ 6326]: request location of privileged pipe
[2010/07/05 15:21:55,  3] winbindd/winbindd_user.c:winbindd_getpwnam(373)
  [ 6326]: getpwnam gransapore\thiago.ferreira
[2010/07/05 15:21:55,  3] winbindd/winbindd_user.c:winbindd_getpwnam(373)
  [ 6326]: getpwnam GRANSAPORE\thiago.ferreira
[2010/07/05 15:21:55,  3] winbindd/winbindd_user.c:winbindd_getpwnam(373)
  [ 6326]: getpwnam GRANSAPORE\THIAGO.FERREIRA
[2010/07/05 15:21:55,  3] winbindd/winbindd_user.c:winbindd_getpwnam(373)
  [ 6326]: getpwnam thiago.ferreira
[2010/07/05 15:21:55,  3] winbindd/winbindd_user.c:winbindd_getpwnam(373)
  [ 6326]: getpwnam THIAGO.FERREIRA
[2010/07/05 15:21:55,  3] winbindd/winbindd_misc.c:winbindd_ping(736)
  [ 6326]: ping



*I also tried with this command: *
CPSmonitor:/etc/pam.d# smbclient \\\\192.168.0.12\\share01 -U
administrator at password -k -d10
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
  dmapi: False/0
  registry: False/0
lp_load_ex: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = GRANSAPORE
doing parameter netbios name = cpsmonitor
handle_netbios_name: set global_myname to: CPSMONITOR
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 5
doing parameter log level = 3
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = ADS
doing parameter realm = GRANSAPORE.CORP.DC
doing parameter password server = gscpsvmad01.gransapore.corp.dc,
gsgcvmad01.gransapore.corp.dc, gsgcvmad02.gransapore.corp.dc
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter template shell = /bin/bash
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter winbind trusted domains only = Yes
doing parameter client use spnego = yes
doing parameter printing = cups
doing parameter printcap name = cups
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_MEMBER
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
added interface eth0 ip=fe80::218:8bff:fee6:c266%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.12 bcast=192.168.0.255
netmask=255.255.255.0
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Substituting charset 'UTF-8' for LOCALE
Netbios name list:-
my_netbios_names[0]="CPSMONITOR"
Client started (version 3.2.5).
Connecting to 192.168.0.12 at port 445
socket option SO_KEEPALIVE = 0
socket option SO_REUSEADDR = 0
socket option SO_BROADCAST = 0
socket option TCP_NODELAY = 1
socket option TCP_KEEPCNT = 9
socket option TCP_KEEPIDLE = 7200
socket option TCP_KEEPINTVL = 75
socket option IPTOS_LOWDELAY = 0
socket option IPTOS_THROUGHPUT = 0
socket option SO_SNDBUF = 50844
socket option SO_RCVBUF = 87712
socket option SO_SNDLOWAT = 1
socket option SO_RCVLOWAT = 1
socket option SO_SNDTIMEO = 0
socket option SO_RCVTIMEO = 0
 session request ok
write_socket(4,194)
write_socket(4,194) wrote 194
got smb length of 198
size=198
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=6357
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    8 (0x8)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=   65 (0x41)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=54784 (0xD600)
smb_vwv[ 8]=   24 (0x18)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=33011 (0x80F3)
smb_vwv[11]=  128 (0x80)
smb_vwv[12]=52296 (0xCC48)
smb_vwv[13]=28562 (0x6F92)
smb_vwv[14]=51996 (0xCB1C)
smb_vwv[15]=46081 (0xB401)
smb_vwv[16]=    0 (0x0)
smb_bcc=129
[000] 63 70 73 6D 6F 6E 69 74  6F 72 00 00 00 00 00 00  cpsmonit or......
[010] 60 6F 06 06 2B 06 01 05  05 02 A0 65 30 63 A0 24  `o..+... ...e0c.$
[020] 30 22 06 09 2A 86 48 86  F7 12 01 02 02 06 09 2A  0"..*.H. .......*
[030] 86 48 82 F7 12 01 02 02  06 0A 2B 06 01 04 01 82  .H...... ..+.....
[040] 37 02 02 0A A3 3B 30 39  A0 37 1B 35 63 69 66 73  7....;09 .7.5cifs
[050] 2F 63 70 73 6D 6F 6E 69  74 6F 72 2E 67 72 61 6E  /cpsmoni tor.gran
[060] 73 61 70 6F 72 65 2E 63  6F 72 70 2E 64 63 40 47  sapore.c orp.dc at G
[070] 52 41 4E 53 41 50 4F 52  45 2E 43 4F 52 50 2E 44  RANSAPOR E.CORP.D
[080] 43                                                C
size=198
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=6357
smb_uid=0
smb_mid=1
smt_wct=17
smb_vwv[ 0]=    8 (0x8)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=   65 (0x41)
smb_vwv[ 5]=    0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=54784 (0xD600)
smb_vwv[ 8]=   24 (0x18)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=33011 (0x80F3)
smb_vwv[11]=  128 (0x80)
smb_vwv[12]=52296 (0xCC48)
smb_vwv[13]=28562 (0x6F92)
smb_vwv[14]=51996 (0xCB1C)
smb_vwv[15]=46081 (0xB401)
smb_vwv[16]=    0 (0x0)
smb_bcc=129
[000] 63 70 73 6D 6F 6E 69 74  6F 72 00 00 00 00 00 00  cpsmonit or......
[010] 60 6F 06 06 2B 06 01 05  05 02 A0 65 30 63 A0 24  `o..+... ...e0c.$
[020] 30 22 06 09 2A 86 48 86  F7 12 01 02 02 06 09 2A  0"..*.H. .......*
[030] 86 48 82 F7 12 01 02 02  06 0A 2B 06 01 04 01 82  .H...... ..+.....
[040] 37 02 02 0A A3 3B 30 39  A0 37 1B 35 63 69 66 73  7....;09 .7.5cifs
[050] 2F 63 70 73 6D 6F 6E 69  74 6F 72 2E 67 72 61 6E  /cpsmoni tor.gran
[060] 73 61 70 6F 72 65 2E 63  6F 72 70 2E 64 63 40 47  sapore.c orp.dc at G
[070] 52 41 4E 53 41 50 4F 52  45 2E 43 4F 52 50 2E 44  RANSAPOR E.CORP.D
[080] 43                                                C
*Doing spnego session setup (blob length=129)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/cpsmonitor.gransapore.corp.dc at GRANSAPORE.CORP.DC
Doing kerberos session setup
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_0] expiration
Tue, 06 Jul 2010 01:20:34 BRT
ads_krb5_mk_req: Ticket
(cifs/cpsmonitor.gransapore.corp.dc at GRANSAPORE.CORP.DC) in ccache
(FILE:/tmp/krb5cc_0) is valid until: (Tue, 06 Jul 2010 01:20:34 BRT -
1278390034)
ads_krb5_mk_req: server marked as OK to delegate to, building forwardable
TGT
Got KRB5 session key of length 16
cli_session_setup_blob: Remaining (0) sending (3226) current (3226)*
write_socket(4,3312)
write_socket(4,3312) wrote 3312
got smb length of 35
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=6357
smb_uid=0
smb_mid=2
smt_wct=0
smb_bcc=0
size=35
smb_com=0x73
smb_rcls=109
smb_reh=0
smb_err=49152
smb_flg=136
smb_flg2=51201
smb_tid=0
smb_pid=6357
smb_uid=0
smb_mid=2
smt_wct=0
smb_bcc=0
*cli_session_setup_blob: receive failed (NT_STATUS_LOGON_FAILURE)
SPNEGO login failed: Logon failure
lang_tdb_init: /usr/share/samba/en_US.UTF-8.msg: No such file or directory
session setup failed: NT_STATUS_LOGON_FAILURE*

*Someone has got any idea?*

More information about the samba mailing list