No subject


Thu Jun 10 02:36:45 MDT 2010


perhaps there was something wrong with the smb.conf file, which I had
mostly copied over from another machine.  So, in desperation, I
commented out every single line in the file, and added back the most
basic configuration options until I could connect to the samba share
with smbclient.  Then, to discover what was causing my problem, I added
back the other commented lines one at a time to see which one broke it.
 Well, in the end I added them all back, and it still works!  So, in
short, the solution to my problem was to comment and then uncomment the
smb.conf file?!?  I just ran testparm again and the output is exactly
the same as the one from yesterday quoted below.  Nothing else on the
machine (should have) changed.

I think my machine is haunted... *sigh*

     - rob.

On 06/30/2010 03:26 PM, Rob Moser wrote:
> Hello folks.
> 
> Brand new 3.5.4 install of samba, on a brand new redhat 5.5 install,
> trying to connect to a windows domain and allow AD users access.  I used
> a series of how-tos to set things up, and modified the smb.conf and
> krb5.conf files from an existing (working, 3.2.8) system.  I apparently
> join the domain ok, and I can authenticate an AD user using wbinfo, but
> when I try to use the same user with smbclient I get a
> NT_STATUS_NO_SUCH_USER response.  I thought perhaps that smbclient was
> somehow not associating the username with the correct domain, but
> explicitly stating the domain didn't help.  Googling about on the
> problem found me (among a lot of dross) someone with similar symptoms
> who claimed to fix his problem by adding "client NTLMv2 auth = Yes" to
> his smb.conf, so I tried that, but got no joy there either.  Much
> diagnostic text follows; apologies for the bulk, but figured it's better
> to put too much in than leave too much out.
> 
> Any suggestions would be most appreciated; thanks.
> 
>      - rob.
> 
> [root at dev-acadprtsrv3 log]# kinit -V rmoser
> Password for rmoser at STUDENTS.FROOT.NAU.EDU:
> Authenticated to Kerberos v5
> 
> [root at dev-acadprtsrv3 log]# klist -5
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: rmoser at STUDENTS.FROOT.NAU.EDU
> Valid starting     Expires            Service principal
> 06/30/10 14:19:56  07/01/10 00:20:00
> krbtgt/STUDENTS.FROOT.NAU.EDU at STUDENTS.FROOT.NAU.EDU
>         renew until 07/01/10 14:19:56
> 
> [root at dev-acadprtsrv3 log]# net ads testjoin -U rmoser
> Join is OK
> 
> [root at dev-acadprtsrv3 log]# wbinfo -t
> checking the trust secret for domain NAU-STUDENTS via RPC calls succeeded
> 
> [root at dev-acadprtsrv3 log]# wbinfo -a NAU-STUDENTS\\rmoser
> Enter NAU-STUDENTS\rmoser's password:
> plaintext password authentication succeeded
> Enter NAU-STUDENTS\rmoser's password:
> challenge/response password authentication succeeded
> 
> [root at dev-acadprtsrv3 log]# smbclient -d3 -U NAU-STUDENTS\\rmoser -L
> dev-acadprtsrv3.ucc.nau.edu
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
> Processing section "[global]"
> added interface eth0 ip=fe80::9015:73ff:fe64:54cf%eth0
> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=134.114.138.189 bcast=134.114.138.255
> netmask=255.255.255.0
> Client started (version 3.5.4).
> Enter NAU-STUDENTS\rmoser's password:
> resolve_lmhosts: Attempting lmhosts lookup for name
> dev-acadprtsrv3.ucc.nau.edu<0x20>
> resolve_wins: Attempting wins lookup for name
> dev-acadprtsrv3.ucc.nau.edu<0x20>
> resolve_wins: using WINS server 134.114.138.35 and tag '*'
> Got a positive name query response from 134.114.138.35 ( 134.114.138.189 )
> Connecting to 134.114.138.189 at port 445
> Doing spnego session setup (blob length=131)
> got OID=1.2.840.113554.1.2.2
> got OID=1.2.840.48018.1.2.2
> got OID=1.3.6.1.4.1.311.2.2.10
> got principal=cifs/dev-acadprtsrv3.ucc.nau.edu at STUDENTS.FROOT.NAU.EDU
> Got challenge flags:
> Got NTLMSSP neg_flags=0x60898215
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> SPNEGO login failed: Logon failure
> session setup failed: NT_STATUS_LOGON_FAILURE
> 
> [root at dev-acadprtsrv3 log]# tail /var/log/samba/log.smbd
> [2010/06/30 14:12:22.530813,  2] auth/auth.c:314(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
> FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/06/30 14:22:52.071828,  0] lib/util_sock.c:1505(matchname)
>   matchname: host name/address mismatch: ::ffff:134.114.138.189 !=
> dev-acadprtsrv3.ucc.nau.edu
> [2010/06/30 14:22:52.072189,  0] lib/util_sock.c:1626(get_peer_name)
>   Matchname failed on dev-acadprtsrv3.ucc.nau.edu ::ffff:134.114.138.189
> [2010/06/30 14:22:52.072281,  2] lib/access.c:406(check_access)
>   Allowed connection from UNKNOWN (::ffff:134.114.138.189)
> [2010/06/30 14:22:52.113502,  2] auth/auth.c:314(check_ntlm_password)
>   check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
> FAILED with error NT_STATUS_NO_SUCH_USER
> 
> [root at dev-acadprtsrv3 log]# testparm
> Load smb config files from /etc/samba/smb.conf
> rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
> Processing section "[printers]"
> Processing section "[print$]"
> Processing section "[tmp]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
> 
> [global]
>         workgroup = NAU-STUDENTS
>         realm = STUDENTS.FROOT.NAU.EDU
>         netbios aliases = dev-acadprtsrv3.ucc.nau.edu
>         server string = Samba Server
>         security = ADS
>         client NTLMv2 auth = Yes
>         log level = 2
>         max log size = 500000
>         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
> SO_RCVBUF=8192 SO_KEEPALIVE
>         printcap name = cups
>         wins server = 134.114.138.35
>         idmap alloc backend = tdb
>         idmap uid = 10000 - 4000000
>         idmap gid = 10000 - 4000000
>         winbind use default domain = Yes
>         idmap alloc config:range = 10000 - 4000000
>         idmap config FROOT:range = 3000001 - 4000000
>         idmap config FROOT:backend = tdb
>         idmap config FROOT:default = no
>         idmap config NAU:range = 2000001 - 3000000
>         idmap config NAU:backend = tdb
>         idmap config NAU:default = no
>         idmap config NAU-STUDENTS:range = 10000 - 2000000
>         idmap config NAU-STUDENTS:backend = tdb
>         idmap config NAU-STUDENTS:default = yes
>         hosts allow = 127., 134.114., 10.5.
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         printable = Yes
>         default devmode = No
>         browseable = No
> 
> [print$]
>         path = /var/lib/samba/drivers
>         write list = "@NAU-STUDENTS\Domain Admins", "@domain admins"
>         force user = root
>         force group = "domain admins"
>         force create mode = 0664
>         force directory mode = 0774
>         browseable = No
> 
> [tmp]
>         path = /tmp
> 
> [root at dev-acadprtsrv3 log]# cat /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = STUDENTS.FROOT.NAU.EDU
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  ticket_lifetime = 24h
>  forwardable = yes
> 
> [realms]
>  STUDENTS.FROOT.NAU.EDU = {
>   kdc = students.froot.nau.edu
>  }
>  NAU.FROOT.NAU.EDU = {
>   kdc = nau.froot.nau.edu
>  }
>  FROOT.NAU.EDU = {
>   kdc = froot.nau.edu
>  }
> 
> [domain_realm]
>  .students.froot.nau.edu = STUDENTS.FROOT.NAU.EDU
> 
> [appdefaults]
>  pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>  }
> 
> 
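
An added example, not part of the original post or of Samba itself: a small Python parser for the log.smbd layout quoted above. It extracts the server-side NT status of each failed check_ntlm_password record, which is more specific than the NT_STATUS_LOGON_FAILURE the client reported. The function names are hypothetical, and the sample lines are taken from the quoted excerpt.

```python
import re
from collections import Counter

# Sample input: records taken from the log.smbd excerpt quoted in the post.
SAMPLE_LOG = """\
[2010/06/30 14:12:22.530813,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
FAILED with error NT_STATUS_NO_SUCH_USER
[2010/06/30 14:22:52.072281,  2] lib/access.c:406(check_access)
  Allowed connection from UNKNOWN (::ffff:134.114.138.189)
[2010/06/30 14:22:52.113502,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [rmoser] -> [rmoser]
FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Header line: [timestamp, level] source.c:line(function)
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
AUTH_FAIL = re.compile(r"Authentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\]\s+"
                       r"FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_records(text):
    # A record is one header line plus every following non-header line;
    # message lines (including mail-wrapped ones) are joined with a space.
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = dict(m.groupdict(), message="")
            records.append(current)
        elif current is not None and raw.strip():
            current["message"] = (current["message"] + " " + raw.strip()).strip()
    return records

def auth_failures(text):
    # Return (timestamp, requested user, mapped user, NT status) per failure.
    out = []
    for rec in parse_records(text):
        m = AUTH_FAIL.search(rec["message"]) if rec["func"] == "check_ntlm_password" else None
        if m:
            out.append((rec["ts"], m["user"], m["mapped"], m["status"]))
    return out

def failures_by_user_and_status(text):
    return Counter((user, status) for _, user, _, status in auth_failures(text))

if __name__ == "__main__":
    print(failures_by_user_and_status(SAMPLE_LOG))
```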


