[Samba] smbclient inconsistent auth issue

Chris Weiss cweiss at gmail.com
Tue Jan 7 16:02:23 MST 2014

trying to get one server to mount.cifs a share on another and when it
failed I used smbclient and it led me into this oddity and I just
can't seem to reason my way through.

so you can skim better in case this is too much info:  the mystery:
why does command #3 work from server1 against itself, but fail for all
other clients?

server1:  samba 3.4.7 (Ubuntu 10.04 server), NT4 domain member with
winbind.  NT4 domain has an AD domain trust
server2:  samba 3.6.18 (Ubuntu 13.10 server), AD domain member, with
kerberos not winbind.

-  both servers have "map to guest=bad user" and have a couple shares
that allow guests.
-  all other shares have group based access lists via "user=@groupname"
-  server2 is on another subnet, fully routable via VPN, ping and ssh
work both ways for all systems listed
-  I was going to wait until Ubuntu 14.04 was final and I tested to
upgrade server1's OS, but if all this is a known issue and it'll fix
this I can upgrade sooner.  This needs to be deployed well before
April rolls around.

client1: smbclient 4.0.13, a basic server, ubuntu 14.04 packages
client2: smbclient 3.6.18, full desktop system, ubuntu 13.10 packages
client3: smbclient 3.6.18, a basic server, ubuntu 13.10 packages

#1 smbclient -L $server
#2 smbclient -L $server -U user -W NT4
#3 smbclient -L $server -U user2 -W AD

client1: all 3 commands work as expected against server2.  against
server1, 1&2 work, #3 gives NT_STATUS_ACCESS_DENIED

client2: all 3 commands work as expected against server2.  against
server1, only #1 works, #2&3 give NT_STATUS_ACCESS_DENIED.  Nautilus
file manager's smb:// works for server2, does not work for any user
for server1.

client3:  same as client2

smbclient commands from server2 against server1, only #1 works, #2&3

smbclient commands from server1 against server2, all commands work.

smbclient commands from server1 against itself, all commands work.

all Windows systems in either domain on either subnet work as expected
against both servers

so again, the mystery:  why does #3 work from server1 against itself,
but fail for all other clients?

server1's logs for one client:

[2014/01/06 15:18:22,  5] auth/auth_util.c:208(make_user_info_map)
  Mapping user [AD]\[user2] from workstation []
[2014/01/06 15:18:22,  5] auth/auth_util.c:120(make_user_info)
  attempting to make a user_info for user2 (user2)
[2014/01/06 15:18:22,  5] auth/auth_util.c:130(make_user_info)
  making strings for user2's user_info struct
[2014/01/06 15:18:22,  5] auth/auth_util.c:162(make_user_info)
  making blobs for user2's user_info struct
[2014/01/06 15:18:22,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[AD]\[user2]@[] with the new password interface
[2014/01/06 15:18:22,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [AD]\[user2]@[]
[2014/01/06 15:18:22,  5] ../lib/util/util.c:304(_dump_data)
  [0000] 5B CE E5 66 DF 66 C0 B3                            [..f.f..
[2014/01/06 15:18:22,  6] auth/auth_sam.c:416(check_samstrict_security)
  check_samstrict_security: AD is not one of my local names (ROLE_DOMAIN_MEMBER)
[2014/01/06 15:18:22,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2014/01/06 15:18:22,  3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2014/01/06 15:18:22,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2014/01/06 15:18:22,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2014/01/06 15:18:22,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2014/01/06 15:18:22,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/01/06 15:18:22,  5] auth/auth.c:274(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user2] FAILED
[2014/01/06 15:18:22,  2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [user2] -> [user2]
[2014/01/06 15:18:22,  5] auth/auth_util.c:2114(free_user_info)
  attempting to free (and zero) a user_info structure
[2014/01/06 15:18:22,  3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(1725) cmd=115 (SMBsesssetupX)

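An added example, not part of the original post: a small Python parser for the smbd debug-log layout shown in the excerpt above, which joins each header line with its message lines (including mail-wrapped ones) and reports, per authentication attempt, the domain, the user, and which auth backend logged FAILED. The sample input is constructed in the same layout as the excerpt, and the function names are hypothetical.

```python
import re

# Constructed sample, in the same layout as the smbd log excerpt above.
SAMPLE = r"""[2014/01/06 15:18:22,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[AD]\[user2]@[] with the new password interface
[2014/01/06 15:18:22,  6] auth/auth_sam.c:416(check_samstrict_security)
  check_samstrict_security: AD is not one of my local names (ROLE_DOMAIN_MEMBER)
[2014/01/06 15:18:22,  5] auth/auth.c:274(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [user2] FAILED
"""

# Record header: "[date time,  level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+):(\d+)\((\w+)\)\s*$")
CHECKING = re.compile(r"Checking password for unmapped user \[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")
NOT_LOCAL = re.compile(r"(\S+) is not one of my local names")
FAILED = re.compile(r"(\w+) authentication for user \[(.*?)\] FAILED")

def parse_records(text):
    # A wrapped message line may begin with '[' (e.g. "[AD]...") without being
    # a header, so only lines matching the full header pattern open a record.
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": f"{m.group(3)}:{m.group(4)}",
                            "func": m.group(5), "msg": ""})
        elif records and line.strip():
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def auth_attempts(records):
    # One entry per "Checking password" record; later records annotate it.
    attempts = []
    for rec in records:
        m = CHECKING.search(rec["msg"])
        if m:
            attempts.append({"time": rec["time"], "domain": m.group(1),
                             "user": m.group(2), "workstation": m.group(3),
                             "not_local": False, "failed_backends": []})
        elif attempts:
            if NOT_LOCAL.search(rec["msg"]):
                attempts[-1]["not_local"] = True
            f = FAILED.search(rec["msg"])
            if f:
                attempts[-1]["failed_backends"].append(f.group(1))
    return attempts

if __name__ == "__main__":
    for attempt in auth_attempts(parse_records(SAMPLE)):
        print(attempt)
```

Running it over the log of a working client and a failing client makes the two authentication paths directly comparable.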