Hi All,

I haven't heard a response back to my previous posts, so I am now trying from a "broader" topic. What I have is the following:

  - A two-factor token authentication system similar to RSA SecurID
  - A Linux SAMBA 3.0.14a-Debian

I've got the two systems authenticating against each other with RADIUS via PAM support. When I tell SAMBA to use this PAM support as well, I see the following happen:

=====
With a known bad password:

08:17:17.406519 IP 192.168.0.200.2582 > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > 192.168.0.200.2582: RADIUS, Access Reject (3), id: 0x2f length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

=====
With the secured token password:

08:18:57.581672 IP 192.168.0.200.2584 > crypto.radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > 192.168.0.200.2584: RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.168.0.200.2585 > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > 192.168.0.200.2585: RADIUS, Access Reject (3), id: 0x99 length: 20

fileserver:~# smbclient -U rhandorf -L \\\\localhost
Password:
Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      Network Logon Service
        public          Disk
        IPC$            IPC       IPC Service (samba file services)
        ADMIN$          IPC       IPC Service (samba file services)
        rhandorf        Disk      Home directory of rhandorf
session setup failed: NT_STATUS_LOGON_FAILURE
NetBIOS over TCP disabled -- no workgroup available

=====

So, why does it auth twice? Why doesn't SAMBA keep the first auth session as a success, and of course fail on the second when my token has changed? Attached is the smb.conf file. Someone have some ideas?
Thanks,
r

[global]
        workgroup = <snip>
        server string = samba file services
        netbios name = Fileserver
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        preferred master = True
        local master = Yes
        domain master = True
        dns proxy = yes
        remote announce = 192.168.0.255
        os level = 40
        ;domain logons = yes
        ;logon script = logon.bat
        ;logon home = \\%G\%U\.profile
        name resolve order = wins lmhosts bcast
        wins proxy = yes
        ;preserve case = yes
        ;short preserve case = yes
        wins support = yes
        security = user
        # must be set to 'no' to use PAM
        encrypt passwords = No
        update encrypted = No
        allow trusted domains = Yes
        #min password length = 6
        null passwords = No

[homes]
        # parameter name is "comment" (the original had "comments", which smbd ignores)
        comment = Home Dir
        browsable = no
        writable = yes
        hide dot files = yes

[netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = yes
        writable = no
        share modes = no
        write list = domain_admin

[Profiles]
        path = /%G/%U/.profile
        browseable = no
        guest ok = yes

[public]
        path = /samba/public
        valid users = users
        force group = users
        writeable = Yes
        guest ok = No
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Russell Handorf wrote:
> fileserver:~# smbclient -U rhandorf -L \\\\localhost
> Password:
> Domain=[<snip>] OS=[Unix] Server=[Samba 3.0.14a-Debian]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk      Network Logon Service
>         public          Disk
>         IPC$            IPC       IPC Service (samba file services)
>         ADMIN$          IPC       IPC Service (samba file services)
>         rhandorf        Disk      Home directory of rhandorf
> session setup failed: NT_STATUS_LOGON_FAILURE
> NetBIOS over TCP disabled -- no workgroup available
>
> =====
>
> So, why does it auth twice? Why doesn't SAMBA keep
> the first auth session as a success, and of course fail
> on the second when my token has changed?

Restrict the connection to port 139 (-p 139) and smbclient will reuse the first connection. The problem is that the first one uses port 445 by default, but you can only get browse lists over port 139. So it has to retry.

cheers, jerry
====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFGUFpIR7qMdg1EfYRAj1pAKCiSoGjsNLVBbwrsH/9J6Sg2CNd8gCg3qN3
Uf5kW0g+mf5UQOCbdfrsMKI=
=IdZ1
-----END PGP SIGNATURE-----
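The capture in the original post is the whole evidence for "it auths twice": two Access-Request packets from the same client host, from two different source ports, less than a second apart, the first accepted and the second rejected because the one-time token code had already been consumed. The following is an added example, not code from the thread or from the Samba project: it parses tcpdump RADIUS summary lines in the format quoted above (the "Access Request (1)" spelling and the hex identifiers are taken from the post), pairs each request with its reply by identifier and endpoint, and flags a second logon from the same client within a short window of an accepted one. The sample captures are the lines from the post, embedded as constants; the window length and the function names are this example's own choices.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample input: the tcpdump lines quoted in the original post.
GOOD_TOKEN_CAPTURE = """\
08:18:57.581672 IP 192.168.0.200.2584 > crypto.radius: RADIUS, Access Request (1), id: 0xb3 length: 90
08:18:58.491265 IP crypto.radius > 192.168.0.200.2584: RADIUS, Access Accept (2), id: 0xb3 length: 20
08:18:58.531395 IP 192.168.0.200.2585 > crypto.radius: RADIUS, Access Request (1), id: 0x99 length: 90
08:18:59.108133 IP crypto.radius > 192.168.0.200.2585: RADIUS, Access Reject (3), id: 0x99 length: 20
"""
BAD_PASSWORD_CAPTURE = """\
08:17:17.406519 IP 192.168.0.200.2582 > crypto.radius: RADIUS, Access Request (1), id: 0x2f length: 90
08:17:19.478763 IP crypto.radius > 192.168.0.200.2582: RADIUS, Access Reject (3), id: 0x2f length: 20
"""

# One tcpdump summary line: timestamp, endpoints, RADIUS code, identifier.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): RADIUS, "
    r"(?P<code>Access (?:Request|Accept|Reject|Challenge)) \(\d+\), "
    r"id: 0x(?P<id>[0-9a-fA-F]+) length: \d+$"
)

Packet = namedtuple("Packet", "ts src dst code ident")
Transaction = namedtuple("Transaction", "client ident result request_ts latency")


def host_of(endpoint):
    """'192.168.0.200.2584' -> '192.168.0.200' (tcpdump appends the port with a dot)."""
    return endpoint.rsplit(".", 1)[0]


def parse(text):
    """Return the RADIUS packets found in a tcpdump text capture, in capture order."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a RADIUS summary line; ignore silently
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        packets.append(Packet(ts, m["src"], m["dst"], m["code"], int(m["id"], 16)))
    return packets


def transactions(packets):
    """Pair each Access-Request with its reply.

    RADIUS identifiers are only 8 bits and are reused, so a reply is matched to the
    pending request with the same identifier whose (src, dst) is the reverse of the reply's.
    """
    pending, done = {}, []
    for p in packets:
        if p.code == "Access Request":
            pending[(p.src, p.dst, p.ident)] = p
            continue
        req = pending.pop((p.dst, p.src, p.ident), None)
        if req is None:
            continue  # reply without a captured request
        done.append(Transaction(host_of(req.src), req.ident, p.code, req.ts,
                                (p.ts - req.ts).total_seconds()))
    return done


def repeated_logons(txns, window=timedelta(seconds=5)):
    """Return (accepted, follow-up) pairs where the same client sent another
    Access-Request within `window` of an accepted one.

    With a one-time token the follow-up replays an already consumed code and is
    expected to be rejected, which is exactly the pattern in the post's capture.
    """
    hits = []
    for a in (t for t in txns if t.result == "Access Accept"):
        for t in txns:
            if t is a or t.client != a.client or t.request_ts <= a.request_ts:
                continue
            if t.request_ts - a.request_ts <= window:
                hits.append((a, t))
    return hits


if __name__ == "__main__":
    for label, capture in (("good token", GOOD_TOKEN_CAPTURE),
                           ("bad password", BAD_PASSWORD_CAPTURE)):
        txns = transactions(parse(capture))
        print(f"{label}: {len(txns)} transaction(s)")
        for t in txns:
            print(f"  id=0x{t.ident:02x} client={t.client} {t.result} "
                  f"latency={t.latency:.3f}s")
        for a, t in repeated_logons(txns):
            print(f"  second logon id=0x{t.ident:02x} "
                  f"{(t.request_ts - a.request_ts).total_seconds():.3f}s after accepted "
                  f"id=0x{a.ident:02x}")
```

Run against the post's capture the script reports one accepted transaction (id 0xb3) followed 0.950 s later by a rejected one (id 0x99) from the same host, i.e. two independent SMB sessions each doing its own PAM/RADIUS round trip; the bad-password capture yields a single rejected transaction and no repeat. The same pairing logic works on a longer tcpdump run from a RADIUS server, which is a quick way to confirm whether a client is really opening two sessions (445 then 139, as the reply above explains) before changing anything in smb.conf.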
Thanks! That worked for the Unix clients!

Now, with Windows I have the error of "\\<IP-ADDRESS> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The account is not authorized to log in from this station."

But when I disable PAM authentication and use the smbpasswd file, the error goes away.

Thanks again!
r

Gerald (Jerry) Carter wrote:
> Russell Handorf wrote:
>
>> So, why does it auth twice? Why doesn't SAMBA keep
>> the first auth session as a success, and of course fail
>> on the second when my token has changed?
>
> Restrict the connection to port 139 (-p 139)
> and smbclient will reuse the first connection.
> The problem is that the first one uses port 445 by default
> but you can only get browse lists over port 139. So it
> has to retry.
>
> cheers, jerry