samba - Apr 2005 - Authentication failure when accessing Samba server in a NT domain

Hello Samba Gurus,

I have configured my Samba install to be a domain member of a NT4-Style domain.
The version of samba used is 3.0.13. The domain joining process worked fine (net
rpc join). An excerpt of smb.conf is provided at the end for reference.

The problem is that when users access this server, they are challenged for the
username password. I was of the impression that this process would be seamless
to the user. On providing the NT username/password, the login process still
fails. It just comes back with the same prompt challenging the user.

These users are added in /etc/passwd but not in smbpasswd, as per the
documentation.

On using smbclient:
# ./smbclient -d 3 -U akamdar -L localhost

This was the output obtained:
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/usr/local/samba/lib/smb.conf"
Processing section "[global]"
added interface ip=192.168.2.37 bcast=192.168.2.255 nmask=255.255.255.0
Client started (version 3.0.13).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_wins: Attempting wins lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Password:

Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

Can someone please help me understand what exactly is causing this problem and
of possible solutions? Any help would be greatly appreciated.

Regards,

Ashutosh

---smb.conf--------------------8<---------------------------

[global]
        dns proxy = no
        debug timestamp = yes
        encrypt passwords = yes
        idmap gid = 15000-20000
        socket options = TCP_NODELAY
        max log size = 1024
        password server = PASSWORDSERVER
        idmap uid = 15000-20000
        debug level = 3
        security = domain
        server string = Samba Server
        workgroup = DOMAINNAME
        log level = 3
        log file = /usr/local/samba/var/log.%m
        netbios name = appserver7
        load printers = yes
        os level = 33
        default = share
        winbind use default domain = Yes

[homes]
   comment = Home Directories
   valid users = %S
   browseable = no
   writable = yes

[share]
path = /share
comment = Solaris share
valid users = @staff
guest ok = Yes
read only = No

Hello Ankush,

Thanks for taking a look at this. I tried the two suggestions that you put
forward. Neither of them seemed to solve this problem...I increased the logging
level and found the following when trying to connect to the Samba share from the
WINXP machine.

[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation
[ASHUTOSH]
[2005/04/27 05:51:16, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for akamdar (akamdar)
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(142)
  making strings for akamdar's user_info struct
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(184)
  making blobs for akamdar's user_info struct
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[DOMAINNAME]\[akamdar]@[ASHUTOSH] with the new password interface
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DOMAINNAME]\[akamdar]@[ASHUTOSH]
[2005/04/27 05:51:16, 5] lib/util.c:dump_data(1995)
  [000] 49 59 CB 9A EB 49 C4 0E                           IY...I..
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/04/27 05:51:16, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with
error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED
with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/27 05:51:16, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/04/27 05:51:16, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2005/04/27 05:51:16, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 05:51:16, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/04/27 05:51:16, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/04/27 05:51:16, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/04/27 05:51:16, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2005/04/27 05:51:16, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

Any thoughts?

Regards,

Ash


------Original Message-----
-From: ankush grover [mailto:ankushmailing@gmail.com]
-Sent: Wednesday, April 27, 2005 07:38 AM
-To: 'Ashutosh Kamdar'
-Subject: Re: [Samba] Authentication failure when accessing Samba server in a NT
domain
-
-On 4/26/05, Ashutosh Kamdar <akamdar@gnsi.com> wrote:
-> Hello Samba Gurus,
-> 
-> I have configured my Samba install to be a domain member of a NT4-Style
domain. The version of samba used is 3.0.13. The domain joining process worked
fine (net rpc join). An excerpt of smb.conf is provided at the end for
reference.
-> 
-> The problem is that when users access this server, they are challenged for
the username password. I was of the impression that this process would be
seamless to the user. On providing the NT username/password, the login process
still fails. It just comes back with the same prompt challenging the user.
-> 
-> These users are added in /etc/passwd but not in smbpasswd, as per the
documentation.
-> 
-> On using smbclient:
-> # ./smbclient -d 3 -U akamdar -L localhost
-> 
-> This was the output obtained:
-> lp_load: refreshing parameters
-> Initialising global parameters
-> params.c:pm_process() - Processing configuration file
"/usr/local/samba/lib/smb.conf"
-> Processing section "[global]"
-> added interface ip=192.168.2.37 bcast=192.168.2.255 nmask=255.255.255.0
-> Client started (version 3.0.13).
-> resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
-> resolve_wins: Attempting wins lookup for name localhost<0x20>
-> resolve_wins: WINS server resolution selected and no WINS servers listed.
-> resolve_hosts: Attempting host lookup for name localhost<0x20>
-> Connecting to 127.0.0.1 at port 445
-> Password:
-> 
-> Doing spnego session setup (blob length=58)
-> got OID=1 3 6 1 4 1 311 2 2 10
-> got principal=NONE
-> Got challenge flags:
-> Got NTLMSSP neg_flags=0x60890215
-> NTLMSSP: Set final flags:
-> Got NTLMSSP neg_flags=0x60080215
-> NTLMSSP Sign/Seal - Initialising with flags:
-> Got NTLMSSP neg_flags=0x60080215
-> SPNEGO login failed: Access denied
-> session setup failed: NT_STATUS_ACCESS_DENIED
-> 
-> Can someone please help me understand what exactly is causing this problem
and of possible solutions? Any help would be greatly appreciated.
-> 
-> Regards,
-> 
-> Ashutosh
-> 
-> ---smb.conf--------------------8<---------------------------
-> 
-> [global]
->         dns proxy = no
->         debug timestamp = yes
->         encrypt passwords = yes
->         idmap gid = 15000-20000
->         socket options = TCP_NODELAY
->         max log size = 1024
->         password server = PASSWORDSERVER
->         idmap uid = 15000-20000
->         debug level = 3
->         security = domain
->         server string = Samba Server
->         workgroup = DOMAINNAME
->         log level = 3
->         log file = /usr/local/samba/var/log.%m
->         netbios name = appserver7
->         load printers = yes
->         os level = 33
->         default = share
->         winbind use default domain = Yes
-> 
-> [homes]
->    comment = Home Directories
->    valid users = %S
->    browseable = no
->    writable = yes
-> 
-> [share]
-> path = /share
-> comment = Solaris share
-> valid users = @staff
-> guest ok = Yes
-> read only = No
-
-
-Where is the hosts allow in the smb.conf .I think that is missing in
-your configuration
- like 192.168.1. 127.
-moreover try to change winbind use default domain = no
-
-Regards
-
-Ankush
-