[Samba] smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, can't force anonymous access from Windows

Linux Addict linuxaddict7 at gmail.com
Fri Sep 17 14:45:49 MDT 2010


Did ya check your samba pam?

On Wed, Sep 15, 2010 at 10:45 AM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:

> The samba share I need to access from the trusted domain has been configured
> with "guest ok=yes" parameter. Some of the files are world-readable
> since they do not contain any restricted information.
>
>
>
> So even though authenticated  access fails with smb client
>
>
>
> #smbclient -U " WINDOMAIN\winuser" -L sambapdc
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
>
>
>
> anonymous access with smbclient is OK
>
>
>
> #smbclient -N -L sambapdc
>
> Anonymous login successful
>
> Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.0.37]
>
>
>
>
>
>
>
> From a Windows machine, I try to map the drive as anonymous
>
>                net use z:  \\sambapdc\share1
>
>
>
> However I still get prompted for a user name and password.     I don't seem
> to have a way to force the "net" command to connect anonymously.
>
>
>
> If I can force an anonymous connection from Windows, then I should be OK.
> (Again, this share does not contain information that needs much
> protection.)
>
>
>
>
> Thanks
>
>
>
>
>
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Tuesday, September 14, 2010 1:16 PM
> To: samba at lists.samba.org
> Subject: RE: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted
> domains, ntlm_auth succeeds
>
>
>
> Maybe this is some issue with parsing the user name properly?
>
>
>
> I noticed that if I have a user in the Windows domain AND a user with the
> same name in the Samba domain, then the Windows user can access shares on
> the Samba domain.    For example, I have an Administrator account in each
> domain.    They do NOT have the same password.  In the example below the
> user authenticates to the samba domain using the trusted Windows domain
> password.
>
>
>
>
>
>
>
> sambapdc # smbclient "//sambapdc/dept_common" -U " WINDOMAIN
> \Administrator"
>
> Enter WINDOMAIN Administrator's password:
>
> Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]
>
> smb: \> quit
>
> sambapdc #
>
>
>
>
>
>
>
> So it seems like there are two steps -
>
>                Verify that the user is legitimate (which seems to strip off
> the domain component and look for a local name)
>
>                Then authenticate the user (which verifies the domain
> component.)
>
>
>
>
>
> I suppose the hack would be to create some dummy local accounts in the
> samba domain to represent each user in the trusted domain.
>
>
>
> FYI  smb.conf includes
>
>
>
>       winbind enum users = Yes
>
>       winbind enum groups = Yes
>
>       winbind use default domain = no
>
>       winbind trusted domains only = no
>
>
>
>
>
> winbindd.log keeps showing
>
>
>
> [2010/09/14 13:05:49,  3] winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)
>
>  [ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser
>
>
>
>
>
> I have never got an answer for what "pam auth crap domain" means.
>
>
>
>
>
> Thanks
>
>
>
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Tuesday, September 14, 2010 9:19 AM
> To: samba at lists.samba.org
> Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains,
> ntlm_auth succeeds, wbinfo not caching
>
>
>
> FYI
>
>
>
> The ntlm_auth command does work with users from the trusted domain.
>
>
>
>
>
> sambapdc# ntlm_auth --username "WINDOMAIN\winuser"
>
> password:
>
> NT_STATUS_OK: Success (0x0)
>
> sambapdc #
>
>
>
>
>
> (winuser is the user in the trusted Windows 2003 AD domain.)
>
>
>
> I also removed a trust relationship with a 2nd Windows domain that was no
> longer active - this fixed the slow "wbinfo -u" response but did not fix the
> smbclient authentication issue to the existing windows domain.
>
>
>
>
>
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Monday, September 13, 2010 3:55 PM
> To: samba at lists.samba.org
> Subject: NT_STATUS_NO_SUCH_USER for trusted domains
>
>
>
>
>
> I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC.  I
> have trusted domains setup with a Windows 2003 Active Directory domain in
> "2003 native" mode.    Everything is in an LDAP backend (unix accounts for
> the Samba domain, idmap entries for trusted domains.)  The Solaris 10 PDC is
> also an ldap/nfs server for linux and solaris clients.
>
>
>
> Assuming
>
>                SAMBAPDC is the Solaris 10 PDC for the domain called
> "SAMBADOMAIN."
>
>                WINSERVER is the PDC for the Win 2003 AD domain called
> "WINDOMAIN."
>
>                "winuser" is a user in the "WINDOMAIN" domain.
>
>
>
>
>
> This was working for some time.    Now, however, users in the Windows
> domain
> can no longer access resources on the samba domain.   On a windows PC in
> the
> trs   Smbclient on the PDC or on a linux workstation  also fails, so this
> does not seem to be a mismatch in NTLM versions between windows and samba.
> Samba log files show "NT_STATUS_NO_SUCH_USER."
>
>
>
>
>
> sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
>
>
>
>
>
>
> "wbinfo -u" does list the users from the trusted  Windows domain.
>
>
>
> The "/etc/nsswitch.conf" file  has the following entries
>
>
>
> passwd:     files ldap winbind
>
> group:      files ldap winbind
>
>
>
>
>
> "getent passwd" command does list users from the trusted Windows domain.
>
> "id "WINDOMAIN/winuser""  command  returns valid uid and gid values.
>
> "wbinfo -s" and "wbinfo -n" commands show matching name-to-sid and
> sid-to-name entries.
>
>
>
>
>
>
>
> "Getent passwd" lists unix accounts from ldap quickly.  There is a delay of
> about 10 seconds before it starts listing winbind users (i.e. from the
> trusted domain.)   I suspect that the names are not getting returned to
> samba fast enough.
>
>
>
>
>
>
>
>
>
> sambapdc# cat winserver.log
>
> .
>
> .
>
> [2010/09/13 08:02:04,  3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>
>  NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 R2 5.2]
>
> [2010/09/13 08:02:04,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
>
>  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
>
> [2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>
>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>
> [2010/09/13 08:02:04,  3] smbd/uid.c:428(push_conn_ctx)
>
>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>
> [2010/09/13 08:02:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>
> [2010/09/13 08:02:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>
> [2010/09/13 08:02:04,  3] auth/auth.c:222(check_ntlm_password)
>
>  check_ntlm_password:  Checking password for unmapped user [WINDOMAIN]\[linus]@[WINSERVER] with the new password interface
>
> [2010/09/13 08:02:04,  3] auth/auth.c:225(check_ntlm_password)
>
>  check_ntlm_password:  mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
>
> [2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
>
>  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>
> [2010/09/13 08:02:04,  3] smbd/uid.c:428(push_conn_ctx)
>
>  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>
> [2010/09/13 08:02:04,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>
> [2010/09/13 08:02:04,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>
>  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>
> [2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
>
>  check_ntlm_password:  Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
>
> [2010/09/13 08:02:04,  3] smbd/error.c:60(error_packet_set)
>
>  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>
> [2010/09/13 08:02:12,  2] smbd/process.c:1988(deadtime_fn)
>
>  Closing idle connection
>
> [2010/09/13 08:02:12,  3] smbd/server.c:146(msg_exit_server)
>
>  got a SHUTDOWN message
>
> [2010/09/13 08:02:12,  3] smbd/sec_ctx.c:310(set_sec_ctx)
>
>  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>
> [2010/09/13 08:02:12,  3] smbd/connection.c:31(yield_connection)
>
>  Yielding connection to
>
> [2010/09/13 08:02:12,  3] smbd/server.c:845(exit_server_common)
>
>  Server exit (normal exit)
>
> #
>
>
>
>
>
>
>
> sambapdc #testparm -v | grep timeout
>
>
>
>        passwd chat timeout = 2
>
>        name cache timeout = 660
>
>        cups connection timeout = 30
>
>        machine password timeout = 604800
>
>        ldap timeout = 15
>
>        ldap connection timeout = 2
>
>
>
>
>
>
>
> Help is appreciated.
>
>
>
> Thanks
>
>
>
>
>
>
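
An added example, not part of the original thread and not Samba code: the client in this thread only ever sees `NT_STATUS_LOGON_FAILURE`, while the smbd log carries the real reason (`NT_STATUS_NO_SUCH_USER`). This sketch parses a level-3 smbd log in the layout quoted above and pairs each failed authentication with the domain and workstation from the preceding NTLMSSP entry; the sample log, the `localuser`/`PC1` names and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the smbd log quoted in the thread:
# a "[date time, level] file:line(function)" header, then indented message lines.
SAMPLE_LOG = """\
[2010/09/13 08:02:04,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [winuser] -> [winuser]
  FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:05:10,  3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[localuser] domain=[SAMBADOMAIN] workstation=[PC1] len1=24 len2=24
[2010/09/13 08:05:10,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [localuser] -> [localuser]
  FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\]\s+\S+\((?P<func>\w+)\)\s*$")
GOT_USER = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
FAILED = re.compile(r"for user \[(.*?)\] -> \[(.*?)\] FAILED with error (NT_STATUS_\w+)")

def records(text):
    """Return [timestamp, function, message] per entry, joining wrapped message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([m["ts"], m["func"], ""])
        elif entries and line.strip():
            entries[-1][2] = (entries[-1][2] + " " + line.strip()).strip()
    return entries

def auth_failures(text):
    """Pair each FAILED entry with the domain/workstation of the preceding NTLMSSP entry."""
    last, out = {}, []   # last: user -> (domain, workstation) from "Got user=" lines
    for ts, _func, msg in records(text):
        got = GOT_USER.search(msg)
        if got:
            last[got.group(1).lower()] = (got.group(2), got.group(3))
        failed = FAILED.search(msg)
        if failed:
            domain, ws = last.get(failed.group(1).lower(), ("?", "?"))
            out.append({"time": ts, "domain": domain, "user": failed.group(1),
                        "mapped": failed.group(2), "workstation": ws, "status": failed.group(3)})
    return out
```

Grouping the result by `domain` and `status` separates a trusted-domain account that smbd could not map (`NT_STATUS_NO_SUCH_USER`) from an ordinary bad password, which look identical on the client side.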

