[Samba] smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, ntlm_auth succeeds
Gaiseric Vandal
gaiseric.vandal at gmail.com
Tue Sep 14 11:16:13 MDT 2010
Maybe this is some issue with parsing the user name properly?
I noticed that if I have a user in the Windows domain AND a user with the
same name in the Samba domain, then the Windows user can access shares on
the Samba domain. For example, I have an Administrator account in each
domain. They do NOT have the same password. In the example below the
user authenticates to the samba domain using the trusted Windows domain
password.
sambapdc # smbclient "//spooky/dept_common" -U " WINDOMAIN \Administrator"
Enter WINDOMAIN Administrator's password:
Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]
smb: \> quit
sambapdc #
So it seems like there are two steps -
Verify that the user is legitimate (which seems to strip off
the domain component and look for a local name)
Then authenticate the user (which verifies the domain
component.)
I supposed the hack would be to create some dummy local accounts in the
samba domain to represent each user in the trusted domain.
FYI smb.conf includes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no
winbindd.log keeps showing
[2010/09/14 13:05:49, 3]
winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)
[ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser
I have never got an answer for what "pam auth crap domain" means.
Thanks
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Tuesday, September 14, 2010 9:19 AM
To: samba at lists.samba.org
Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains,
ntlm_auth succeeds, wbinfo not caching
FYI
The ntlm_auth command does work with users from the trusted domain.
sambapdc# ntlm_auth --username "WINDOMAIN\winuser"
password:
NT_STATUS_OK: Success (0x0)
sambapdc #
(winuser is the user in the trusted Windows 2003 AD domain.)
I also removed a trust relationship with a 2nd Windows domain that was no
longer active- this fixed the slow "wbinfo -u" response but did not fix the
smbclient authentication issue to the existing windows domain.
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Monday, September 13, 2010 3:55 PM
To: samba at lists.samba.org
Subject: NT_STATUS_NO_SUCH_USER for trusted domains
I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC. I
have trusted domains setup with a Windows 2003 Active Directory domain in
"2003 native" mode. Everything is in an LDAP backend (unix accounts for
the Samba domain, idmap entries for trusted domains.) The Solaris 10 PDC is
also an ldap/nfs server for linux and solaris clients.
Assuming
SAMBAPDC is the Solaris 10 PDC for the domain called
"SAMBADOMAIN."
WINSERVER is the PDC for the Win 2003 AD domain called
"WINDOMAIN."
"winuser" is a user in the "WINDOMAIN" domain.
This was working for some time. Now, however, users in the Windows domain
can no longer access resources on the samba domain. On a windows PC in the
trs Smbclient on the PDC or on a linux workstation also fails, so this
does not seem to be a mismatch in NTLM versions between windows and samba.
Samba log files show "NT_STATUS_NO_SUCH_USER."
sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
<file:///\\SAMBAPDC>
session setup failed: NT_STATUS_LOGON_FAILURE
"wbinfo -u" does list the users from the trusted Windows domain.
The "/etc/nsswitch.conf" file has the following entries
passwd: files ldap winbind
group: files ldap winbind
"getent passwd" command does list users from the trusted Windows domain.
"id "WINDOMAIN/winuser"" command returns valid uid and gid values.
"wbinfo -s " and "winbinfo -n" commands show matching name-to-sid and
sid-to-name entries.
"Getent passwd" lists unix accounts from ldap quickly. There is a delay of
about 10 seconds before it starts listing winbind users (i.e. from the
trusted domain.) I suspect that the names are not getting returned to
samba fast enough.
sambapdc# cat winserver.log
.
.
[2010/09/13 08:02:04, 3]
smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[]
PrimaryD
omain=[Windows Server 2003 R2 5.2]
[2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24
len2=24
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 3] auth/auth.c:222(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [WINDOMAIN]\[li
nus]@[WINSERVER] with the new password interface
[2010/09/13 08:02:04, 3] auth/auth.c:225(check_ntlm_password)
check_ntlm_password: mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [winuser] -> [winuser]
FAILED with e
rror NT_STATUS_NO_SUCH_USER
[2010/09/13 08:02:04, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_
FAILURE
[2010/09/13 08:02:12, 2] smbd/process.c:1988(deadtime_fn)
Closing idle connection
[2010/09/13 08:02:12, 3] smbd/server.c:146(msg_exit_server)
got a SHUTDOWN message
[2010/09/13 08:02:12, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:12, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2010/09/13 08:02:12, 3] smbd/server.c:845(exit_server_common)
Server exit (normal exit)
#
sambapdc #testparm -v | grep timeout
passwd chat timeout = 2
name cache timeout = 660
cups connection timeout = 30
machine password timeout = 604800
ldap timeout = 15
ldap connection timeout = 2
Help is appreciated.
Thanks
More information about the samba
mailing list