Hi All,
I haven't heard a response back to my previous posts so I am now trying
from a "broader" topic.
What I have is the following:
A 2 Form Factor Token Authentication system similar to RSA SecurID
A Linux SAMBA 3.0.14a-Debian
I've got the two systems authenticating against each other with RADIUS
via PAM support. When I tell SAMBA to use this PAM support as well, I
see the following happen:
=====
With a known bad password
08:17:17.406519 IP 192.168.0.200.2582 > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > 192.168.0.200.2582: RADIUS, Access Reject (3), id: 0x2f length: 20
fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
session setup failed: NT_STATUS_LOGON_FAILURE
=====
With the secured Token password:
08:18:57.581672 IP 192.168.0.200.2584 > crypto.radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > 192.168.0.200.2584: RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.168.0.200.2585 > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > 192.168.0.200.2585: RADIUS, Access Reject (3), id: 0x99 length: 20
fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]
Sharename Type Comment
--------- ---- -------
netlogon Disk Network Logon Service
public Disk
IPC$ IPC IPC Service (samba file services)
ADMIN$ IPC IPC Service (samba file services)
rhandorf Disk Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available
=====
So, why does it auth twice? Why doesn't SAMBA keep the first auth session
as a success, and of course fail on the second when my token has changed?
Attached is the smb.conf file - does someone have some ideas?
Thanks,
r
[global]
workgroup = <snip>
server string = samba file services
netbios name = Fileserver
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = True
local master = Yes
domain master = True
dns proxy = yes
remote announce = 192.168.0.255
os level = 40
;domain logons = yes
;logon script = logon.bat
;logon home = \\%G\%U\.profile
name resolve order = wins lmhosts bcast
wins proxy = yes
;preserve case = yes
;short preserve case = yes
wins support= yes
security = user
#must be set to 'no' to use PAM
encrypt passwords = No
update encrypted = No
allow trusted domains = Yes
#min password length = 6
null passwords = No
[homes]
comment = Home Dir
browsable = no
writable = yes
hide dot files = yes
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
writable = no
share modes = no
write list = domain_admin
[Profiles]
path = /%G/%U/.profile
browseable = no
guest ok = yes
[public]
path = /samba/public
valid users = users
force group = users
writeable = Yes
guest ok = No
Russell Handorf wrote:
> So, why does it auth twice? Why doesn't SAMBA keep
> the first auth session as a success, and of course fail
> on the second when my token has changed?

Restrict the connection to port 139 (-p 139) and smbclient will reuse the first connection. The problem is that the first one uses port 445 by default but you can only get browse lists over port 139. So it has to retry.

cheers, jerry

Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Thanks! That worked for the unix clients! Now, with Windows I have the error of "\\<IP-ADDRESS> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The account is not authorized to log in from this station." But when I disable PAM authentication and use the smbpasswd file, the error goes away.

Thanks again!
r

Gerald (Jerry) Carter wrote:
> Restrict the connection to port 139 (-p 139)
> and smbclient will reuse the first connection.
> The problem is that the first one uses port 445 by default
> but you can only get browse lists over port 139. So it
> has to retry.
>
> cheers, jerry