[Samba] samba ADS-based authentication fails with NT_STATUS_USER_UNKNOWN but wbinfo works
Geoff Winkless
samba at geoff.dj
Fri Feb 18 06:52:43 MST 2011
Hi
I've found a few list posts with this problem but none of their
solutions helped.
Apologies for the long mail but I've no idea which section of the
various logs will be the important part.
I've set up a RHEL5.3 server (with Samba 3.0.33) to authenticate to an
existing active directory realm on our local network.
The AD server is Windows-based and works fine for a couple of hundred
users on their windows clients (mix of XP, Vista, Win7); it also works
ok with an existing Samba install. I'm trying to set it up to
authenticate those users to access a second server; unfortunately the
authentication fails.
I copied the krb5.conf and smb.conf files from the working server,
then followed the various ADS howtos (to join the machine to the AD
and obtain krb tickets) and have got to the point where klist behaves
as expected, as does wbinfo, which implies that the machine account is
set up correctly, yes?
(I've replaced company name with XXXX in all these logs).
[root at pd-pistachio samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: geoff.winkless at LAN.XXXX.CO.UK
Valid starting Expires Service principal
02/18/11 10:48:32 02/18/11 20:48:34 krbtgt/LAN.XXXX.CO.UK at LAN.XXXX.CO.UK
renew until 02/19/11 10:48:32
02/18/11 11:08:48 02/18/11 20:48:34 dc1$@LAN.XXXX.CO.UK
renew until 02/19/11 10:48:32
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root at pd-pistachio samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root at pd-pistachio samba]# wbinfo -a geoff.winkless
Enter geoff.winkless's password:
plaintext password authentication succeeded
Enter geoff.winkless's password:
challenge/response password authentication succeeded
If I try to log onto a share on pd-pistachio from my XP machine (named
XXXX-001119) I get:
[2011/02/18 13:05:24, 3] smbd/oplock.c:init_oplocks(863)
init_oplocks: initializing messages.
[2011/02/18 13:05:24, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(234)
Linux kernel oplocks enabled
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 0 of length 137
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBnegprot (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
Requested protocol [LANMAN1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
Requested protocol [Windows for Workgroups 3.1a]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
Requested protocol [LM1.2X002]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
Requested protocol [LANMAN2.1]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
Requested protocol [NT LM 0.12]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_nt1(364)
using SPNEGO
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(606)
Selected protocol NT LM 0.12
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 1 of length 240
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 40
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 2 of length 272
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
Got user=[] domain=[] workstation=[XXXX-001119] len1=1 len2=0
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user
[]\[]@[XXXX-001119] with the new password interface
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [XXXX]\[]@[XXXX-001119]
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(270)
check_ntlm_password: guest authentication for user [] succeeded
[2011/02/18 13:05:24, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
fetch gid from cache 10000 -> S-1-5-32-544
[2011/02/18 13:05:24, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
fetch gid from cache 10001 -> S-1-5-32-545
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID
[S-1-5-21-1416276913-313263019-1178628374-501]
[2011/02/18 13:05:24, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/18 13:05:24, 3] lib/privileges.c:get_privileges(261)
get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2011/02/18 13:05:24, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
NTLMSSP Sign/Seal - Initialising with flags:
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088205
[2011/02/18 13:05:24, 3] smbd/password.c:register_vuid(304)
User name: nobody Real name: Nobody
[2011/02/18 13:05:24, 3] smbd/password.c:register_vuid(325)
UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 3 of length 94
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBtconX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/service.c:make_connection_snum(806)
Connect path is '/tmp' for service [IPC$]
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(250)
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-5-21-1416276913-313263019-1178628374-501
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
[2011/02/18 13:05:24, 3] smbd/vfs.c:vfs_init_default(95)
Initialising default vfs hooks
[2011/02/18 13:05:24, 3] smbd/vfs.c:vfs_init_custom(128)
Initialising custom vfs hooks from [/[Default VFS]/]
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(250)
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(251)
se_access_check: user sid is S-1-5-21-1416276913-313263019-1178628374-501
se_access_check: also S-1-1-0
se_access_check: also S-1-5-2
se_access_check: also S-1-5-32-546
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (99, 99) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/service.c:make_connection_snum(1033)
XXXX-001119 (192.168.3.52) connect to service IPC$ initially as user
nobody (uid=99, gid=99) (pid 31421)
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/reply.c:reply_tcon_and_X(574)
tconX service=IPC$
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 4 of length 132
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBtrans2 (pid 31421) conn 0x89a3950
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (99, 99) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/service.c:find_service(286)
checking for home directory geoff.winkless gave (NULL)
[2011/02/18 13:05:24, 3] smbd/service.c:find_service(360)
find_service() failed to find service geoff.winkless
[2011/02/18 13:05:24, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/trans2.c(6307) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 5 of length 240
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
wct=12 flg2=0xc807
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 40
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa2088207
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
Transaction 6 of length 364
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
wct=12 flg2=0xc807
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
Got user=[geoff.winkless] domain=[XXXX] workstation=[XXXX-001119]
len1=24 len2=24
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user
[XXXX]\[geoff.winkless]@[XXXX-001119] with the new password interface
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [XXXX]\[geoff.winkless]@[XXXX-001119]
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [geoff.winkless] ->
[geoff.winkless] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/02/18 13:05:24, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
I get the same result if I try using smbclient from a linux box.
smb.conf looks like this:
workgroup = XXXX
realm = LAN.XXXX.CO.UK
netbios name = PD-PISTACHIO
netbios aliases = pd-pistachio pd-pistachio.lan.XXXX.co.uk
pd-pistachio.XXXX.co.uk
server string = Samba %v on %L
security=ads
debug level=3
password server = 192.168.3.1
encrypt passwords = yes
allow trusted domains = no
map untrusted to domain = yes
local master = no
domain master=no
preferred master=no
dns proxy=no
wins proxy=no
wins support=no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
winbind cache time = 1
idmap uid = 10000-1000000
idmap gid = 10000-1000000
nt acl support = yes
map acl inherit = yes
;======================= end of smb.conf
For what it's worth I've been using samba with NT domains since 1999.
Not that that in any way precludes me from doing something stupid
(heh) but I do know the obvious stuff to look out for.
I tried updating the samba version with the ones from
http://ftp.sernet.de/pub/samba/3.5/rhel/5/i386/
but it's made no difference - I get the same result.
Is it something to do with the hosts I'm authenticating _from_? eg
check_ntlm_password: mapped user is: [XXXX]\[geoff.winkless]@[XXXX-001119]
Do I need to do something to lose the [XXXX-001119], or is that log
entry expected?
Any suggestions would be really appreciated.
Geoff
More information about the samba
mailing list