James MacLean
2004-Nov-18 18:50 UTC
[Samba] Samba 3.0.8 - Unable to login/logon from Windows 2003 or CIFS
Hi Folks, Recently (I believe since recent 3.0.x releases), I have been unable to login to a Samba instance using CIFS (Linux mount) or Windows 2003. If I change the smb.conf from: security = server to security = user I _can_ login again fine. The NT PDC always replies with NT_STATUS_LOGON_FAILURE. It's event viewer shows that the proper username is being used, but that the password is not correct. Logging in with smbclient or 2000 or XP is fine, although possibly slow as if it is trying one way, failing then trying another. Always failing at auth/auth_server.c:check_smbserver_security(363). I'm usually not too bad at digging in and at least having a clue with these problems, but this time I am lost. Did Google searches, looked at the archives and although I saw similar problems, they where either fixed with something that didn't work here, or the question was not answered :(. Any help, even to look at something obvious, appreciated, JES
James MacLean
2004-Nov-21 02:42 UTC
[Samba] Samba 3.0.8 using NT PDC for authentication - Unable to login/logon from Windows 2003 or CIFS - Partial Fix
James MacLean wrote:> Hi Folks, > > Recently (I believe since recent 3.0.x releases), I have been unable > to login to a Samba instance using CIFS (Linux mount) or Windows 2003. > If I change the smb.conf from: > > security = server > to > security = user > > I _can_ login again fine. The NT PDC always replies with > NT_STATUS_LOGON_FAILURE. It's event viewer shows that the proper > username is being used, but that the password is not correct. > > Logging in with smbclient or 2000 or XP is fine, although possibly > slow as if it is trying one way, failing then trying another. > > Always failing at auth/auth_server.c:check_smbserver_security(363). > > I'm usually not too bad at digging in and at least having a clue with > these problems, but this time I am lost. Did Google searches, looked > at the archives and although I saw similar problems, they where either > fixed with something that didn't work here, or the question was not > answered :(. > > Any help, even to look at something obvious, appreciated, > JESBy setting "use spnego = no" I am able to authenticate the Windows 2003 servers against the Samba server that uses an NT4 server for authentication. It appears that Windows 2003 makes Samba think that it should use spnego to authenticate against an old NT domain :(? According to the man : Unless further issues are discovered with our SPNEGO implementation, there is no reason this should ever be disabled. So having now found a reason ;), I still can not log in from a Linux system using CIFS (smbfs is fine). Some logging: [2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1302) open_oplock_ipc: opening loopback UDP socket. [2004/11/20 22:32:49, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303) Linux kernel oplocks enabled [2004/11/20 22:32:49, 3] smbd/oplock.c:init_oplocks(1333) open_oplock ipc: pid = 6701, global_oplock_port = 44311 [2004/11/20 22:32:49, 3] lib/access.c:check_access(313) check_access: no hostnames in host allow/deny list. [2004/11/20 22:32:49, 2] lib/access.c:check_access(324) Allowed connection from (10.227.7.66) [2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092) Transaction 0 of length 51 [2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887) switch message SMBnegprot (pid 6701) conn 0x0 [2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(461) Requested protocol [NT LM 0.12] [2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752) Connecting to 10.227.0.8 at port 445 [2004/11/20 22:32:49, 2] lib/util_sock.c:open_socket_out(789) error connecting to 10.227.0.8:445 (Connection refused) [2004/11/20 22:32:49, 3] lib/util_sock.c:open_socket_out(752) Connecting to 10.227.0.8 at port 139 [2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(75) connected to password server MYSERVER [2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(100) got session [2004/11/20 22:32:49, 3] auth/auth_server.c:server_cryptkey(133) password server OK [2004/11/20 22:32:49, 3] auth/auth_server.c:auth_get_challenge_server(183) using password server validation [2004/11/20 22:32:49, 3] smbd/negprot.c:reply_nt1(327) not using SPNEGO [2004/11/20 22:32:49, 3] smbd/negprot.c:reply_negprot(549) Selected protocol NT LM 0.12 [2004/11/20 22:32:49, 3] smbd/process.c:process_smb(1092) Transaction 1 of length 220 [2004/11/20 22:32:49, 3] smbd/process.c:switch_message(887) switch message SMBsesssetupX (pid 6701) conn 0x0 [2004/11/20 22:32:49, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655) wct=13 flg2=0xc001 [2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(789) Domain=[EDUC] NativeOS=[Linux version 2.6.10-rc1] NativeLanMan=[CIFS VFS Client for Linux] PrimaryDomain=[] [2004/11/20 22:32:49, 2] smbd/sesssetup.c:setup_new_vc_session(608) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2004/11/20 22:32:49, 3] smbd/sesssetup.c:reply_sesssetup_and_X(804) sesssetupX:name=[EDUC]\[macleajb]@[10.227.7.66] [2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(219) check_ntlm_password: Checking password for unmapped user [MYDOMAIN]\[JUSTME]@[10.0.0.1] withthe new password interface [2004/11/20 22:32:49, 3] auth/auth.c:check_ntlm_password(222) check_ntlm_password: mapped user is: [MYDOMAIN]\[JUSTME]@[10.0.0.1] [2004/11/20 22:32:55, 1] auth/auth_server.c:check_smbserver_security(363) password server MYSERVER rejected the password [2004/11/20 22:32:55, 2] auth/auth.c:check_ntlm_password(312) check_ntlm_password: Authentication for user [JUSTME] -> [JUSTME] FAILED with error NT_STATUS_LOGON_FAILURE [2004/11/20 22:32:55, 3] smbd/error.c:error_packet(129) error packet at smbd/sesssetup.c(887) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE [2004/11/20 22:32:55, 3] smbd/process.c:timeout_processing(1337) timeout_processing: End of file from client (client has disconnected). [2004/11/20 22:32:55, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/11/20 22:32:55, 2] smbd/server.c:exit_server(571) Closing connections [2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(69) Yielding connection to [2004/11/20 22:32:55, 3] smbd/connection.c:yield_connection(76) yield_connection: tdb_delete for name failed with error Record does not exist. [2004/11/20 22:32:55, 3] smbd/server.c:exit_server(614) Server exit (normal exit) Anyone explain this? Even just an ACK to say I'm way off the deap end and sinking quickly :)? thanks, JES