[Samba] DFS not working on Win XP
Feustel, Thomas
tf at ksh.com
Sun Dec 30 11:34:17 MST 2012
Hello,
a heave a share on a samba server 3.6.3 that is used as a DFS-Root.
The DFS Links a working on Client with Windows 7 but not on Windows XP clients.
Searching on the internet gives me a hint that it can be a problem with "security = ADS".
The Samba server is member of a windows 2003 R2 Domain, and the Unix user info (uid, gid) are stored on the domain in der RFC 2302 schemata extensions.
So I have a second samba server, also version 3.6.3 update from an older samba version, and so have I tested of the DFS-Root on this machine with a Windows XP Client and is working. (This machine is also member of the same domain, and both machines an Ubuntu 12.04.1)
Ok cool I think, so I can trace the different on the configuration and bring the DFS-Root working on machine 1, so I thinking. =)
I have used the same configuration on both machines, with a log level = 3. (configure attached lower)
With the same configure file (smb.conf), it is also that machine 1 are the DFS-Root are not working for a Windows XP client (Windows 7 no Problem) and machine 2 are working with Windows XP and Windows 7.
I have attached to lower the trace files from both machine and the file size of the trace file are completely different. Machine 1 (the not working) product a log file with 2744 lines and the machine 2 (working) produced a trace file with 56 lines. (both machine have the same configure and the same account are taken from the client)
The first difference of the log files are that after "reply_spnego_negotiate" machine 1 are try to use "libads/authdata" and the machine 2 are "/libcli/auth/ntlmssp"
What are the different on both machine? And why became are the DFS-Root share to run?
Smb.conf:
[global]
workgroup = INT
realm = INT.TMG
server string = %h server (Samba, Ubuntu)
socket options = TCP_NODELAY
security = ADS
map to guest = Bad User
pam password change = Yes
syslog = 0
log level = 3
# log level = 4 msdfs:10
log file = /var/log/samba/log.%m
max log size = 1000
unix extensions = No
load printers = No
local master = No
domain master = No
dns proxy = No
wins server = 10.9.2.1, 10.9.2.2
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
template shell = /bin/bash
winbind cache time = 604800
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap alloc config:range = 5000 - 9999
idmap config INT : schema_mode = rfc2307
idmap config INT : range = 10000 - 300000000
idmap config INT : default = yes
idmap config INT : backend = ad
idmap config * : backend = ad
idmap config * : schema_mode = rfc2307
idmap config * : range = 10000 - 300000000
admin users = int\administrators
[dfs-test]
comment = DFS - Test
msdfs root = yes
path = /srv/dfs-test
Trace machine 1 (not working DFS-Root share) first 68 lines:
[2012/12/30 18:34:26.945272, 3] lib/access.c:338(allow_access)
Allowed connection from 10.9.2.73 (10.9.2.73)
[2012/12/30 18:34:26.945875, 3] smbd/oplock.c:922(init_oplocks)
init_oplocks: initializing messages.
[2012/12/30 18:34:26.946263, 3] smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
Linux kernel oplocks enabled
[2012/12/30 18:34:26.946662, 3] smbd/process.c:1662(process_smb)
Transaction 0 of length 137 (0 toread)
[2012/12/30 18:34:26.946822, 3] smbd/process.c:1467(switch_message)
switch message SMBnegprot (pid 1463) conn 0x0
[2012/12/30 18:34:26.949339, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2012/12/30 18:34:26.949525, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LANMAN1.0]
[2012/12/30 18:34:26.949618, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2012/12/30 18:34:26.949705, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LM1.2X002]
[2012/12/30 18:34:26.949790, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LANMAN2.1]
[2012/12/30 18:34:26.949876, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [NT LM 0.12]
[2012/12/30 18:34:26.950208, 3] smbd/negprot.c:419(reply_nt1)
using SPNEGO
[2012/12/30 18:34:26.950346, 3] smbd/negprot.c:704(reply_negprot)
Selected protocol NT LM 0.12
[2012/12/30 18:34:26.951533, 3] smbd/process.c:1662(process_smb)
Transaction 1 of length 1376 (0 toread)
[2012/12/30 18:34:26.951682, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 1463) conn 0x0
[2012/12/30 18:34:26.951814, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/12/30 18:34:26.951940, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/12/30 18:34:26.952040, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/12/30 18:34:26.952158, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/12/30 18:34:26.952324, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1144
[2012/12/30 18:34:27.054131, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: WS-PCM26$ [WS-PCM26$]
[2012/12/30 18:34:27.054378, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [WS-PCM26$@INT.TMG]
[2012/12/30 18:34:27.165496, 1] auth/user_krb5.c:162(get_user_from_kerberos_info)
Username INT\WS-PCM26$ is invalid on this system
[2012/12/30 18:34:27.165649, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/12/30 18:34:27.167217, 3] smbd/process.c:1662(process_smb)
Transaction 2 of length 1446 (0 toread)
[2012/12/30 18:34:27.167390, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 1463) conn 0x0
[2012/12/30 18:34:27.167491, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/12/30 18:34:27.167594, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/12/30 18:34:27.167681, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/12/30 18:34:27.167774, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/12/30 18:34:27.167888, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1214
[2012/12/30 18:34:27.237115, 3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: tfeustel [Feustel, Thomas]
[2012/12/30 18:34:27.237299, 3] auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [tfeustel at INT.TMG]
[2012/12/30 18:34:27.242750, 3] passdb/lookup_sid.c:1737(get_primary_group_sid)
Forcing Primary Group to 'Domain Users' for INT\tfeustel
Trace machine 2 (working DFS-Root share):
[2012/12/30 18:37:03.048281, 3] lib/access.c:338(allow_access)
Allowed connection from 10.9.2.73 (10.9.2.73)
[2012/12/30 18:37:03.048822, 3] smbd/oplock.c:922(init_oplocks)
init_oplocks: initializing messages.
[2012/12/30 18:37:03.049072, 3] smbd/oplock_linux.c:226(linux_init_kernel_oplocks)
Linux kernel oplocks enabled
[2012/12/30 18:37:03.049395, 3] smbd/process.c:1662(process_smb)
Transaction 0 of length 137 (0 toread)
[2012/12/30 18:37:03.049569, 3] smbd/process.c:1467(switch_message)
switch message SMBnegprot (pid 12448) conn 0x0
[2012/12/30 18:37:03.051360, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2012/12/30 18:37:03.051534, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LANMAN1.0]
[2012/12/30 18:37:03.051627, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2012/12/30 18:37:03.051716, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LM1.2X002]
[2012/12/30 18:37:03.051803, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [LANMAN2.1]
[2012/12/30 18:37:03.051891, 3] smbd/negprot.c:598(reply_negprot)
Requested protocol [NT LM 0.12]
[2012/12/30 18:37:03.052178, 3] smbd/negprot.c:419(reply_nt1)
using SPNEGO
[2012/12/30 18:37:03.052303, 3] smbd/negprot.c:704(reply_negprot)
Selected protocol NT LM 0.12
[2012/12/30 18:37:03.161969, 3] smbd/process.c:1662(process_smb)
Transaction 1 of length 240 (0 toread)
[2012/12/30 18:37:03.162115, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 12448) conn 0x0
[2012/12/30 18:37:03.162242, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/12/30 18:37:03.162377, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/12/30 18:37:03.162484, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/12/30 18:37:03.162601, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/12/30 18:37:03.162742, 3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 40
[2012/12/30 18:37:03.163781, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0xa2088207
[2012/12/30 18:37:03.164748, 3] smbd/process.c:1662(process_smb)
Transaction 2 of length 336 (0 toread)
[2012/12/30 18:37:03.164849, 3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 12448) conn 0x0
[2012/12/30 18:37:03.164947, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
[2012/12/30 18:37:03.165034, 2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/12/30 18:37:03.165120, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2012/12/30 18:37:03.165208, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2012/12/30 18:37:03.165315, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
Got user=[tfeustel] domain=[INT] workstation=[WS-PCM26] len1=24 len2=24
rest regards
Thomas Feustel
More information about the samba
mailing list