Andrew, as you konw, I'm trying to get samba-3.0-alpha20 to authenticate
a user that logs in to an AD domain workstation with the user's AD
kerberos credentials. looking at the logs, it's not clear to me whether
samba is trying to do kerberos or NTLM authentication for the client.
in smb.conf I have:
[global]
security = ADS
realm = HSSOE.UCI.EDU
ads server = dc1.hssoe.uci.edu
lanman auth = no
ntlm auth = no
disable netbios = yes
use spnego = yes
# protocol =
# encrypt passwords = yes
ldap admin dn = Administrator
How do i get it to only do GSS-SPNEGO or whatever it's called? Is this
just not possible yet?
I noticed that in the log at some point it says realm(NULL). could the
AD KDC be rejecting it because of that?
Thanks for any help,
Donald
(time running out for this quarter's launch...)
[2002/09/28 23:05:33, 3] auth/auth_sam.c:sam_password_ok(259)
sam_password_ok: NEITHER LanMan nor NT password supplied for user djs
...
[2002/09/28 23:05:33, 0] auth/auth_domain.c:domain_client_validate(401)
domain_client_validate: unable to validate password for user djs in
domain HSSOE to Domain controller \\
DC1. Error was NT_STATUS_WRONG_PASSWORD.
[2002/09/28 23:05:33, 2] auth/auth.c:check_ntlm_password(273)
check_password: Authentication for user [djs] -> [djs] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2002/09/28 23:05:34, 3] auth/auth.c:check_ntlm_password(191)
check_password: Checking password for unmapped user
[HSSOE]\[djs]@[COMPUT8] with the new password inter
face
[2002/09/28 23:05:34, 3] auth/auth.c:check_ntlm_password(194)
check_password: mapped user is: [HSSOE]\[djs]@[COMPUT8]
[2002/09/28 23:05:34, 3] smbd/sec_ctx.c:push_sec_ctx(256)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2002/09/28 23:05:34, 3] smbd/uid.c:push_conn_ctx(285)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2002/09/28 23:05:34, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2002/09/28 23:05:34, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(189)
startsmbfilepwent_internal: unable to open file /var/samba/smbpasswd.
Error was No such file or director
y
[2002/09/28 23:05:34, 0]
passdb/pdb_smbpasswd.c:smbpasswd_getsampwnam(1350)
unable to open passdb database.
[2002/09/28 23:05:34, 4] lib/substitute.c:automount_server(249)
Home server: LUX
[2002/09/28 23:05:34, 4] lib/substitute.c:automount_server(249)
Home server: LUX
[2002/09/28 23:05:34, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2002/09/28 23:05:34, 3] auth/auth_sam.c:sam_password_ok(172)
sam_password_ok: NO NT password stored for user djs.
[2002/09/28 23:05:34, 3] auth/auth_sam.c:sam_password_ok(215)
sam_password_ok: NO LanMan password set for user djs (and no NT
password supplied)
[2002/09/28 23:05:34, 3] auth/auth_sam.c:sam_password_ok(259)
sam_password_ok: NEITHER LanMan nor NT password supplied for user djs
[2002/09/28 23:05:34, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(240)
Using ADS machine password
[2002/09/28 23:05:34, 4] auth/auth_domain.c:ads_resolve_dc(49)
ads_resolve_dc: realm=(NULL)
[2002/09/28 23:05:34, 3] libads/ldap.c:ads_connect(239)
Connected to LDAP server 128.200.54.189
[2002/09/28 23:05:34, 3] libads/ldap.c:ads_server_info(1735)
got ldap server name dc1@HSSOE.UCI.EDU
[2002/09/28 23:05:34, 4] libads/ldap.c:ads_server_info(1741)
time offset is 5 seconds
[2002/09/28 23:05:34, 4] auth/auth_domain.c:ads_resolve_dc(70)
ads_resolve_dc: using server='DC1' IP=128.200.54.189
[2002/09/28 23:05:34, 3] libsmb/cliconnect.c:cli_full_connection(1199)
--
Connecting to host=DC1 share=IPC$
[2002/09/28 23:05:34, 3] lib/util_sock.c:open_socket_out(752)
Connecting to 128.200.54.189 at port 445
[2002/09/28 23:05:34, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(46)
cli_net_req_chal: LSA Request Challenge from LUX to DC1:
DBF3C8F76528F870
[2002/09/28 23:05:34, 4] libsmb/credentials.c:cred_session_key(59)
cred_session_key
[2002/09/28 23:05:34, 4] libsmb/credentials.c:cred_create(90)
cred_create
[2002/09/28 23:05:34, 4] rpc_client/cli_netlogon.c:cli_net_auth2(104)
cli_net_auth2: srv:\\DC1 acct:LUX$ sc:2 mc: LUX chal 1FA0114F0656A83F
neg: 1ff
[2002/09/28 23:05:34, 4] libsmb/credentials.c:cred_create(90)
cred_create
[2002/09/28 23:05:34, 4] libsmb/credentials.c:cred_assert(121)
cred_assert
[2002/09/28 23:05:34, 4] libsmb/credentials.c:cred_create(90)
cred_create
[2002/09/28 23:05:34, 0] auth/auth_domain.c:domain_client_validate(401)
domain_client_validate: unable to validate password for user djs in
domain HSSOE to Domain controller \\
DC1. Error was NT_STATUS_WRONG_PASSWORD.
[2002/09/28 23:05:34, 2] auth/auth.c:check_ntlm_password(273)
check_password: Authentication for user [djs] -> [djs] FAILED with
error NT_STATUS_WRONG_PASSWORD
[2002/09/28 23:05:34, 3] smbd/error.c:error_packet(110)
error packet at smbd/sesssetup.c(472) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2002/09/28 23:05:34, 3] smbd/process.c:process_smb(862)
Transaction 18 of length 214