[Samba] smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, can't force anonymous access from Windows
Linux Addict
linuxaddict7 at gmail.com
Fri Sep 17 14:45:49 MDT 2010
Did ya check your samba pam?
On Wed, Sep 15, 2010 at 10:45 AM, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> The samba share I need to access from the trusted domain has been configured
> with "guest ok=yes" parameter. Some of the files are world-readable
> since they do not contain any restricted information.
>
>
>
> So even though authenticated access fails with smb client
>
> #smbclient -U " WINDOMAIN\winuser" -L sambapdc
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> anonymous access with smbclient is OK
>
> #smbclient -N -L sambapdc
> Anonymous login successful
> Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.0.37]
>
>
>
>
>
>
>
> From a Windows machine, I try to map the drive as anonymous
>
> net use z: \\sambapdc\share1
>
>
>
> However I still get prompted for a user name and password. I don't seem
> to have a way to force the "net" command to connect anonymously.
>
>
>
> If I can force an anonymous connection from Windows, then I should be OK.
> (Again, this share does not contain information that needs much
> protection.)
>
>
>
>
> Thanks
>
>
>
>
>
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Tuesday, September 14, 2010 1:16 PM
> To: samba at lists.samba.org
> Subject: RE: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted
> domains, ntlm_auth succeeds
>
>
>
> Maybe this is some issue with parsing the user name properly?
>
>
>
> I noticed that if I have a user in the Windows domain AND a user with the
> same name in the Samba domain, then the Windows user can access shares on
> the Samba domain. For example, I have an Administrator account in each
> domain. They do NOT have the same password. In the example below the
> user authenticates to the samba domain using the trusted Windows domain
> password.
>
>
>
>
>
>
>
> sambapdc # smbclient "//sambapdc/dept_common" -U " WINDOMAIN
> \Administrator"
>
> Enter WINDOMAIN Administrator's password:
>
> Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]
>
> smb: \> quit
>
> sambapdc #
>
>
>
>
>
>
>
> So it seems like there are two steps -
>
> Verify that the user is legitimate (which seems to strip off
> the domain component and look for a local name)
>
> Then authenticate the user (which verifies the domain
> component.)
>
>
>
>
>
> I supposed the hack would be to create some dummy local accounts in the
> samba domain to represent each user in the trusted domain.
>
>
>
> FYI smb.conf includes
>
>
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = no
> winbind trusted domains only = no
>
>
>
>
>
> winbindd.log keeps showing
>
>
>
> [2010/09/14 13:05:49, 3] winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)
> [ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser
>
>
>
>
>
> I have never got an answer for what "pam auth crap domain" means.
>
>
>
>
>
> Thanks
>
>
>
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Tuesday, September 14, 2010 9:19 AM
> To: samba at lists.samba.org
> Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains,
> ntlm_auth succeeds, wbinfo not caching
>
>
>
> FYI
>
>
>
> The ntlm_auth command does work with users from the trusted domain.
>
>
>
>
>
> sambapdc# ntlm_auth --username "WINDOMAIN\winuser"
>
> password:
>
> NT_STATUS_OK: Success (0x0)
>
> sambapdc #
>
>
>
>
>
> (winuser is the user in the trusted Windows 2003 AD domain.)
>
>
>
> I also removed a trust relationship with a 2nd Windows domain that was no
> longer active- this fixed the slow "wbinfo -u" response but did not fix the
> smbclient authentication issue to the existing windows domain.
>
>
>
>
>
> From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
> Sent: Monday, September 13, 2010 3:55 PM
> To: samba at lists.samba.org
> Subject: NT_STATUS_NO_SUCH_USER for trusted domains
>
>
>
>
>
> I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC. I
> have trusted domains setup with a Windows 2003 Active Directory domain in
> "2003 native" mode. Everything is in an LDAP backend (unix accounts for
> the Samba domain, idmap entries for trusted domains.) The Solaris 10 PDC is
> also an ldap/nfs server for linux and solaris clients.
>
>
>
> Assuming
>
> SAMBAPDC is the Solaris 10 PDC for the domain called
> "SAMBADOMAIN."
>
> WINSERVER is the PDC for the Win 2003 AD domain called
> "WINDOMAIN."
>
> "winuser" is a user in the "WINDOMAIN" domain.
>
>
>
>
>
> This was working for some time. Now, however, users in the Windows
> domain
> can no longer access resources on the samba domain. On a windows PC in
> the
> trs Smbclient on the PDC or on a linux workstation also fails, so this
> does not seem to be a mismatch in NTLM versions between windows and samba.
> Samba log files show "NT_STATUS_NO_SUCH_USER."
>
>
>
>
>
> sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
>
> session setup failed: NT_STATUS_LOGON_FAILURE
>
>
>
>
>
>
>
>
> "wbinfo -u" does list the users from the trusted Windows domain.
>
>
>
> The "/etc/nsswitch.conf" file has the following entries
>
>
>
> passwd: files ldap winbind
>
> group: files ldap winbind
>
>
>
>
>
> "getent passwd" command does list users from the trusted Windows domain.
>
> "id "WINDOMAIN/winuser"" command returns valid uid and gid values.
>
> "wbinfo -s" and "wbinfo -n" commands show matching name-to-sid and
> sid-to-name entries.
>
>
>
>
>
>
>
> "Getent passwd" lists unix accounts from ldap quickly. There is a delay of
> about 10 seconds before it starts listing winbind users (i.e. from the
> trusted domain.) I suspect that the names are not getting returned to
> samba fast enough.
>
>
>
>
>
>
>
>
>
> sambapdc# cat winserver.log
>
> .
>
> .
>
> [2010/09/13 08:02:04, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
> NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 R2 5.2]
> [2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
> Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
> [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/13 08:02:04, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user [WINDOMAIN]\[linus]@[WINSERVER] with the new password interface
> [2010/09/13 08:02:04, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [WINDOMAIN]\[winuser]@[WINSERVER]
> [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
> [2010/09/13 08:02:04, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2010/09/13 08:02:12, 2] smbd/process.c:1988(deadtime_fn)
> Closing idle connection
> [2010/09/13 08:02:12, 3] smbd/server.c:146(msg_exit_server)
> got a SHUTDOWN message
> [2010/09/13 08:02:12, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/09/13 08:02:12, 3] smbd/connection.c:31(yield_connection)
> Yielding connection to
> [2010/09/13 08:02:12, 3] smbd/server.c:845(exit_server_common)
> Server exit (normal exit)
>
> #
>
>
>
>
>
>
>
> sambapdc #testparm -v | grep timeout
>
>
>
> passwd chat timeout = 2
> name cache timeout = 660
> cups connection timeout = 30
> machine password timeout = 604800
> ldap timeout = 15
> ldap connection timeout = 2
>
>
>
>
>
>
>
> Help is appreciated.
>
>
>
> Thanks
>
>
>
>
>
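Added example, not part of any message in this thread: a small parser for the smbd level-3 log layout quoted above, which pairs each `check_ntlm_password ... FAILED` record with the domain from the preceding `ntlmssp_server_auth` record, so that trusted-domain `NT_STATUS_NO_SUCH_USER` failures can be told apart from other logon failures. The function names and the second sample record (`localuser`, `PC1`) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the smbd log layout quoted in the thread:
# a "[timestamp, level] file:line(function)" header, then message lines.
SAMPLE_LOG = """\
[2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:05:10, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[localuser] domain=[SAMBADOMAIN] workstation=[PC1] len1=24 len2=24
[2010/09/13 08:05:10, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [localuser] -> [localuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+\((\w+)\)")
GOT_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")

def records(text):
    """Yield (timestamp, function, message); message lines wrapped at a space are rejoined."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), m.group(2), [])
        elif current and line.strip():
            current[2].append(line.strip())
    if current:
        yield current[0], current[1], " ".join(current[2])

def auth_failures(text):
    """Pair each FAILED record with the domain seen in the preceding NTLMSSP record."""
    last_seen, out = {}, []
    for ts, func, msg in records(text):
        if func == "ntlmssp_server_auth" and (m := GOT_USER.search(msg)):
            last_seen[m.group(1).lower()] = (m.group(2), m.group(3))
        elif func == "check_ntlm_password" and (m := FAILED.search(msg)):
            domain, host = last_seen.get(m.group(1).lower(), ("?", "?"))
            out.append({"time": ts, "domain": domain, "user": m.group(1),
                        "mapped": m.group(2), "workstation": host, "status": m.group(3)})
    return out

def summarize(text):
    # Count failures per (domain, status) to see which domain hits which error.
    return Counter((f["domain"], f["status"]) for f in auth_failures(text))
```

Run against a per-client log such as the `winserver.log` shown in the thread, `summarize()` shows at a glance whether the failures are concentrated on the trusted domain.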