samba - Aug 2003 - Invalid auth info 68 or level 5 on schannel only prior to

logins 
Reply-To: 

I've sourced the groups, but haven't had any success with solving this
problem.  Here are the details:

I have a debian/testing system running samba 3.0.0beta2-1.  It was
working fine with the 2.x series, until I upgraded to 3.0.  The debian
server (al) is a PDC for a small NT domain (isabela) with three
workstations, all running win2k pro.  All but one work fine between each
other and al.  The problematic workstation (he2) logs onto the domain
fine, can access shares all over the domain, however no other
workstation *or* the PDC can access shares on he2.

It gets weird though; if anyone logs onto he2 locally, THEN they can
access the shares over the network, ie if let's say a user named
"Brian"
was trying to access a share on he2, it would give an access denied
message.  This is either from a win2k workstation or using smbclient -L
//he2 -U Brian.  However, if he sat down at he2, logged in, and possibly
logged out, he could go to any workstation (or use the smbclient
command) and suddenly, he2 gives him access to the shares.

Can anyone clue me in on what's going on?  Here's the errors I get when
someone like the user "Brian" tries to access shares prior to logging
in
locally:

log.he2:

[2003/08/26 15:49:32, 2] smbd/sesssetup.c:setup_new_vc_session(504)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
[2003/08/26 15:49:32, 2] smbd/sesssetup.c:setup_new_vc_session(504)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old
resources.
[2003/08/26 15:49:32, 2] lib/access.c:check_access(325)
  Allowed connection from  (192.168.0.2)
[2003/08/26 15:49:32, 2] lib/access.c:check_access(325)
  Allowed connection from  (192.168.0.2)
[2003/08/26 15:49:32, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1340)
  Invalid auth info 68 or level 5 on schannel
[2003/08/26 15:49:32, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
[2003/08/26 15:49:32, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1340)
  Invalid auth info 68 or level 5 on schannel
[2003/08/26 15:49:32, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.

log.nmbd:

[2003/08/26 15:54:25, 1]
nmbd/nmbd_processlogon.c:process_logon_packet(96)
  process_logon_packet: Logon from 192.168.0.2: code = 0x12
  [2003/08/26 15:54:25, 1]
  nmbd/nmbd_processlogon.c:process_logon_packet(96)
    process_logon_packet: Logon from 192.168.0.2: code = 0x12
    [2003/08/26 15:54:25, 1]
    nmbd/nmbd_processlogon.c:process_logon_packet(96)
      process_logon_packet: Logon from 192.168.0.2: code = 0x12
      [2003/08/26 15:54:25, 1]
      nmbd/nmbd_processlogon.c:process_logon_packet(96)
        process_logon_packet: Logon from 192.168.0.2: code = 0x12


Note that I even went so far as to deleting the machine account from the
smbpasswd db, passwd, and shadow, then rebooted he2 with it back in
normal workgroup mode, restarted samba, readded the he2 machine accounts
in, and added it back into the domain.  Same thing.  

Obviously, it kind of defeats the purpose of a network if someone has to
log in locally first to access things remotely.  Anyone have some
insight?

--

hose

On Wed, 2003-08-27 at 06:48, Hose wrote:
> Obviously, it kind of defeats the purpose of a network if someone has to
> log in locally first to access things remotely.  Anyone have some
> insight?
Your client is set to 'sign only' it's secure channel connection to
the
DC.  Samba 3.0 supports only fully sealed, not sign only.  (I need to
get some more data on the checksums involved).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20030904/98eaf3c4/attachment.bin