[Samba] smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, ntlm_auth succeeds

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Sep 14 11:16:13 MDT 2010


Maybe this is some issue with parsing the user name properly?

I noticed that if I have a user in the Windows domain AND a user with the
same name in the Samba domain, then the Windows user can access shares on
the Samba domain. For example, I have an Administrator account in each
domain. They do NOT have the same password. In the example below the
user authenticates to the samba domain using the trusted Windows domain
password.

sambapdc # smbclient "//spooky/dept_common" -U " WINDOMAIN \Administrator"
Enter WINDOMAIN Administrator's password:
Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]
smb: \> quit
sambapdc #


So it seems like there are two steps -

    Verify that the user is legitimate (which seems to strip off
    the domain component and look for a local name)

    Then authenticate the user (which verifies the domain
    component.)

I suppose the hack would be to create some dummy local accounts in the
samba domain to represent each user in the trusted domain.

FYI smb.conf includes

       winbind enum users = Yes
       winbind enum groups = Yes
       winbind use default domain = no
       winbind trusted domains only = no


winbindd.log keeps showing

[2010/09/14 13:05:49,  3] winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)
  [ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser

I have never got an answer for what "pam auth crap domain" means.

Thanks

From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Tuesday, September 14, 2010 9:19 AM
To: samba at lists.samba.org
Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains,
ntlm_auth succeeds, wbinfo not caching

FYI

The ntlm_auth command does work with users from the trusted domain.

sambapdc# ntlm_auth --username "WINDOMAIN\winuser"
password:
NT_STATUS_OK: Success (0x0)
sambapdc #

(winuser is the user in the trusted Windows 2003 AD domain.)

I also removed a trust relationship with a 2nd Windows domain that was no
longer active - this fixed the slow "wbinfo -u" response but did not fix the
smbclient authentication issue to the existing windows domain.

From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Monday, September 13, 2010 3:55 PM
To: samba at lists.samba.org
Subject: NT_STATUS_NO_SUCH_USER for trusted domains

I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC. I
have trusted domains setup with a Windows 2003 Active Directory domain in
"2003 native" mode. Everything is in an LDAP backend (unix accounts for
the Samba domain, idmap entries for trusted domains.) The Solaris 10 PDC is
also an ldap/nfs server for linux and solaris clients.

Assuming

    SAMBAPDC is the Solaris 10 PDC for the domain called "SAMBADOMAIN."

    WINSERVER is the PDC for the Win 2003 AD domain called "WINDOMAIN."

    "winuser" is a user in the "WINDOMAIN" domain.

This was working for some time. Now, however, users in the Windows domain
can no longer access resources on the samba domain. On a windows PC in the
trs   Smbclient on the PDC or on a linux workstation also fails, so this
does not seem to be a mismatch in NTLM versions between windows and samba.
Samba log files show "NT_STATUS_NO_SUCH_USER."

sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
session setup failed: NT_STATUS_LOGON_FAILURE

"wbinfo -u" does list the users from the trusted Windows domain.

The "/etc/nsswitch.conf" file has the following entries

passwd:     files ldap winbind
group:      files ldap winbind

"getent passwd" command does list users from the trusted Windows domain.

"id "WINDOMAIN/winuser"" command returns valid uid and gid values.

"wbinfo -s" and "wbinfo -n" commands show matching name-to-sid and
sid-to-name entries.

"Getent passwd" lists unix accounts from ldap quickly. There is a delay of
about 10 seconds before it starts listing winbind users (i.e. from the
trusted domain.) I suspect that the names are not getting returned to
samba fast enough.

sambapdc# cat winserver.log
.
.
[2010/09/13 08:02:04,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 R2 5.2]
[2010/09/13 08:02:04,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[linus]@[WINSERVER] with the new password interface
[2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:02:04,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2010/09/13 08:02:12,  2] smbd/process.c:1988(deadtime_fn)
  Closing idle connection
[2010/09/13 08:02:12,  3] smbd/server.c:146(msg_exit_server)
  got a SHUTDOWN message
[2010/09/13 08:02:12,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:12,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/09/13 08:02:12,  3] smbd/server.c:845(exit_server_common)
  Server exit (normal exit)
#

sambapdc #testparm -v | grep timeout

        passwd chat timeout = 2
        name cache timeout = 660
        cups connection timeout = 30
        machine password timeout = 604800
        ldap timeout = 15
        ldap connection timeout = 2

Help is appreciated.

Thanks
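The smbd log excerpt above is the kind of trace a defender would want to scan for systematically: the NTLMSSP "Got user=[..] domain=[..]" line records which domain the client presented, and the later check_ntlm_password verdict records the NT_STATUS code, but the two sit several entries apart and a message can spill over more than one physical line. The script below is an added example, not code from these posts or from the Samba project. It assumes the level 2/3 log layout shown in the thread (a "[timestamp, level] file:line(function)" header followed by indented message lines), and it assumes the success verdict is written as "authentication for user [x] -> [y] -> [z] succeeded"; the sample log text is constructed for the example. It pairs each presented domain with its verdict and flags NT_STATUS_NO_SUCH_USER failures for any domain other than the server's own, which is the pattern that points at a broken trust or winbind lookup rather than at a wrong password.

```python
"""Summarise NTLM authentication outcomes from a Samba 3.x smbd log.

Added example for the mailing-list thread; not the posts' or the Samba
project's code.  Assumed log layout (as shown in the thread):

    [YYYY/MM/DD HH:MM:SS,  level] file.c:line(function)
      message text, possibly continued on further indented lines
"""
import re
from collections import Counter

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./]+:\d+\(\w+\))\s*$"
)
# Emitted by ntlmssp_server_auth: the identity the client presented.
GOT_USER_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]"
)
# Emitted by check_ntlm_password.  The failure form is in the thread; the
# three-bracket success form is an assumption of this example.
RESULT_RE = re.compile(
    r"[Aa]uthentication for user \[(?P<user>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\]"
    r"(?: -> \[[^\]]*\])? "
    r"(?:(?P<ok>succeeded)|FAILED with error (?P<status>NT_STATUS_\w+))"
)


def parse_entries(text):
    """Group physical lines into entries; continuation lines are joined."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append({"ts": m["ts"], "level": int(m["level"]),
                            "src": m["src"], "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries


def extract_auth_attempts(entries):
    """Pair each 'Got user=' line with the verdict that follows it, so the
    domain the client presented travels with the final NT_STATUS code."""
    attempts, current = [], None
    for e in entries:
        m = GOT_USER_RE.search(e["msg"])
        if m:
            current = {"ts": e["ts"], "user": m["user"], "domain": m["domain"],
                       "workstation": m["ws"], "status": None}
            continue
        m = RESULT_RE.search(e["msg"])
        if m and current is not None:
            current["status"] = "NT_STATUS_OK" if m["ok"] else m["status"]
            current["mapped_user"] = m["mapped"]
            attempts.append(current)
            current = None
    return attempts


def summarize(attempts, local_domain):
    """Count outcomes per presented domain and list every non-local domain
    that produced NT_STATUS_NO_SUCH_USER (trust / winbind symptom)."""
    per_domain = Counter((a["domain"], a["status"]) for a in attempts)
    suspect = sorted({a["domain"] for a in attempts
                      if a["status"] == "NT_STATUS_NO_SUCH_USER"
                      and a["domain"].upper() != local_domain.upper()})
    return {"per_domain": dict(per_domain),
            "trusted_domains_with_no_such_user": suspect}


# Constructed sample: one trusted-domain failure as in the thread, plus one
# local-domain success.  The FAILED verdict is split over two lines here to
# exercise the continuation handling.
SAMPLE_LOG = """\
[2010/09/13 08:02:04,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [WINDOMAIN]\\[winuser]@[WINSERVER]
[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [winuser] -> [winuser]
  FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:03:10,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[alice] domain=[SAMBADOMAIN] workstation=[PC01] len1=24 len2=24
[2010/09/13 08:03:10,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
"""

if __name__ == "__main__":
    report = summarize(extract_auth_attempts(parse_entries(SAMPLE_LOG)),
                       local_domain="SAMBADOMAIN")
    for (domain, status), n in sorted(report["per_domain"].items()):
        print(f"{domain:<14} {status:<28} {n}")
    print("trusted domains failing with NO_SUCH_USER:",
          report["trusted_domains_with_no_such_user"])
```

Run it against a real log with "log level = 3" in effect; a trusted domain appearing in the final list while the local domain keeps authenticating is exactly the split the posts describe (wbinfo and ntlm_auth succeed, smbd session setup does not), and it separates that case from an ordinary NT_STATUS_WRONG_PASSWORD burst.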