Ralf Gross
2005-Jan-14 09:46 UTC
[Samba] security = server, username map, different domain -> no login
Hi,

I posted a similar question a few days before. I'm still confused what might be wrong with my config.

Setup:

- update from Samba 2.2.12 to 3.0.10
- Solaris 8 Server
- server is not a domain (EMEA) member, and it's not possible to add the server to the EMEA domain :(
- server is only in workgroup ERS (our department, no DC, only a few hosts).
- no winbind
- authentication happens against the EMEA domain password server, where each local unix user has a valid account
- mapping of some unix accounts via username map

Extract of the smb.conf

    [global]
    workgroup = ERS
    netbios name = SAMBASERVER
    encrypt passwords = Yes
    username map = /etc/samba/smbusers
    security = server
    password server = PASSWORDSERVER

smbusers file

    rg=ralfgro

This worked without a problem till 2.2.12. Since 3.0.10 (tried 3.0.11.pre1 too) the 'wrong' domain/workgroup is passed to the password server for authentication.

I tried

    smbclient //sambaserver/ralfgro -U RALFGRO -W EMEA

part of the smbd debug output:

    ...
    Requested protocol [PC NETWORK PROGRAM 1.0]
    Requested protocol [MICROSOFT NETWORKS 1.03]
    Requested protocol [MICROSOFT NETWORKS 3.0]
    Requested protocol [LANMAN1.0]
    Requested protocol [LM1.2X002]
    Requested protocol [DOS LANMAN2.1]
    Requested protocol [Samba]
    using SPNEGO
    Selected protocol NT LANMAN 1.0
    Transaction 1 of length 164
    switch message SMBsesssetupX (pid 26508) conn 0x0
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    wct=12 flg2=0xc801
    Doing spnego session setup
    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
    Got OID 1 3 6 1 4 1 311 2 2 10
    Got secblob of size 44
    Got NTLMSSP neg_flags=0x60080215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    Connecting to PASSWORDSERVERIP at port 445
    error connecting to PASSWORDSERVERIP:445 (Verbindungsaufbau abgelehnt)
    Connecting to PASSWORDSERVERIP at port 139
    connected to password server PASSWORDSERVER
    got session
    password server OK
    using password server validation
    Transaction 2 of length 264
    switch message SMBsesssetupX (pid 26508) conn 0x0
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    wct=12 flg2=0xc801
    Doing spnego session setup
    NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
    Got user=[ralfgro] domain=[EMEA] workstation=[CLIENT] len1=24 len2=24
    Scanning username map /etc/samba/smbusers
    Mapped user ralfgro to rg
    get_dc_list: returning 1 ip addresses in an ordered list
    get_dc_list: PASSWORDSERVER:0
    enumerate_domain_trusts: can't locate a DC for domain ERS
    check_ntlm_password: Checking password for unmapped user [EMEA]\[ralfgro]@[CLIENT] with the new password interface
    check_ntlm_password: mapped user is: [ERS]\[rg]@[CLIENT]
    password server PASSWORDSERVER rejected the password
    check_ntlm_password: Authentication for user [ralfgro] -> [rg] FAILED with error NT_STATUS_LOGON_FAILURE
    timeout_processing: End of file from client (client has disconnected).
    ...

ethereal trace

    ---> Samba 2.2.12
    Session Setup AndX Request, User: EMEA\RALFGRO
    Account: RALFGRO
    Primary Domain: EMEA

    ---> Samba 3.0.10
    Session Setup AndX Request, User: ERS\RALFGRO
    Account: RALFGRO
    Primary Domain: ERS

I can see that the mapping via the smbuser file is working, but why is samba 3.0.10 passing domain ERS instead of EMEA to the password server? Is it not possible to do these things in 3.0.10? What do I have to change to get this working in samba 3.x? Any ideas?

I'm a bit lost at the moment. Our samba 2.x config was nice, simple and just working.

Ralf
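Added example, not part of the original post and not Samba code: a small Python check that pairs the check_ntlm_password lines of an smbd debug log like the one above and reports failed logins where the domain of the mapped user differs from the domain the client supplied. The sample log is constructed from the lines quoted in the post; the name find_domain_rewrites is hypothetical, and the script assumes the log of a single smbd process.

```python
import re

# Constructed sample: log lines quoted in the post, one message per line.
SAMPLE_LOG = r"""
Scanning username map /etc/samba/smbusers
Mapped user ralfgro to rg
check_ntlm_password: Checking password for unmapped user [EMEA]\[ralfgro]@[CLIENT] with the new password interface
check_ntlm_password: mapped user is: [ERS]\[rg]@[CLIENT]
password server PASSWORDSERVER rejected the password
check_ntlm_password: Authentication for user [ralfgro] -> [rg] FAILED with error NT_STATUS_LOGON_FAILURE
"""

# [DOMAIN]\[user]@[WORKSTATION] as printed by check_ntlm_password
IDENT = r"\[(?P<dom>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<ws>[^\]]*)\]"
UNMAPPED = re.compile(r"check_ntlm_password:\s+Checking password for unmapped user " + IDENT)
MAPPED = re.compile(r"check_ntlm_password:\s+mapped user is: " + IDENT)
FAILED = re.compile(r"check_ntlm_password:\s+Authentication for user \[[^\]]*\] -> "
                    r"\[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)")


def find_domain_rewrites(log_text):
    """Return failed auth attempts whose domain changed between the identity
    the client sent and the identity smbd reports as the mapped user."""
    findings, current = [], None
    for line in log_text.splitlines():
        if m := UNMAPPED.search(line):
            # A new attempt starts; remember what the client supplied.
            current = {"client": m.groupdict(), "mapped": None, "status": None}
        elif current is None:
            continue
        elif m := MAPPED.search(line):
            current["mapped"] = m.groupdict()
        elif m := FAILED.search(line):
            current["status"] = m.group("status")
            mapped, client = current["mapped"], current["client"]
            # Domain names are case-insensitive, so compare upper-cased.
            if mapped and mapped["dom"].upper() != client["dom"].upper():
                findings.append(current)
            current = None
    return findings


if __name__ == "__main__":
    for f in find_domain_rewrites(SAMPLE_LOG):
        c, m = f["client"], f["mapped"]
        print(f"{c['dom']}\\{c['user']} checked as {m['dom']}\\{m['user']} "
              f"from {c['ws']}: {f['status']}")
```
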
Gerald (Jerry) Carter
2005-Jan-14 20:08 UTC
[Samba] security = server, username map, different domain -> no login
Ralf Gross wrote:
|
| ---> Samba 2.2.12
| Session Setup AndX Request, User: EMEA\RALFGRO
| Account: RALFGRO
| Primary Domain: EMEA
|
| ---> Samba 3.0.10
| Session Setup AndX Request, User: ERS\RALFGRO
| Account: RALFGRO
| Primary Domain: ERS
|
| I can see that the mapping via the smbuser file is working,
| but why is samba 3.0.10 passing domain ERS instead of EMEA
| to the password server? Is it not possible to do these things
| in 3.0.10? What do I have to change to get this working in
| samba 3.x? Any ideas?
|
| I'm a bit lost at the moment. Our samba 2.x config was
| nice, simple and just working.

The simplest thing is to swap over to security = domain.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca