Ashutosh Kamdar
2005-Apr-26 12:10 UTC
[Samba] Authentication failure when accessing Samba server in a NT domain
Hello Samba Gurus,

I have configured my Samba install to be a domain member of a NT4-Style domain. The version of samba used is 3.0.13. The domain joining process worked fine (net rpc join). An excerpt of smb.conf is provided at the end for reference.

The problem is that when users access this server, they are challenged for the username password. I was of the impression that this process would be seamless to the user. On providing the NT username/password, the login process still fails. It just comes back with the same prompt challenging the user.

These users are added in /etc/passwd but not in smbpasswd, as per the documentation.

On using smbclient:
# ./smbclient -d 3 -U akamdar -L localhost

This was the output obtained:
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/local/samba/lib/smb.conf"
Processing section "[global]"
added interface ip=192.168.2.37 bcast=192.168.2.255 nmask=255.255.255.0
Client started (version 3.0.13).
resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
resolve_wins: Attempting wins lookup for name localhost<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name localhost<0x20>
Connecting to 127.0.0.1 at port 445
Password:

Doing spnego session setup (blob length=58)
got OID=1 3 6 1 4 1 311 2 2 10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x60890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED

Can someone please help me understand what exactly is causing this problem and of possible solutions? Any help would be greatly appreciated.

Regards,

Ashutosh

---smb.conf--------------------8<---------------------------

[global]
dns proxy = no
debug timestamp = yes
encrypt passwords = yes
idmap gid = 15000-20000
socket options = TCP_NODELAY
max log size = 1024
password server = PASSWORDSERVER
idmap uid = 15000-20000
debug level = 3
security = domain
server string = Samba Server
workgroup = DOMAINNAME
log level = 3
log file = /usr/local/samba/var/log.%m
netbios name = appserver7
load printers = yes
os level = 33
default = share
winbind use default domain = Yes

[homes]
comment = Home Directories
valid users = %S
browseable = no
writable = yes

[share]
path = /share
comment = Solaris share
valid users = @staff
guest ok = Yes
read only = No
Ashutosh Kamdar
2005-Apr-27 10:07 UTC
[Samba] Authentication failure when accessing Samba server in a NT domain
Hello Ankush,

Thanks for taking a look at this. I tried the two suggestions that you put forward. Neither of them seemed to solve this problem... I increased the logging level and found the following when trying to connect to the Samba share from the WINXP machine.

[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
[2005/04/27 05:51:16, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for akamdar (akamdar)
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(142)
  making strings for akamdar's user_info struct
[2005/04/27 05:51:16, 5] auth/auth_util.c:make_user_info(184)
  making blobs for akamdar's user_info struct
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [DOMAINNAME]\[akamdar]@[ASHUTOSH] with the new password interface
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [DOMAINNAME]\[akamdar]@[ASHUTOSH]
[2005/04/27 05:51:16, 5] lib/util.c:dump_data(1995)
  [000] 49 59 CB 9A EB 49 C4 0E IY...I..
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/04/27 05:51:16, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [akamdar] -> [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/27 05:51:16, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/04/27 05:51:16, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2005/04/27 05:51:16, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2005/04/27 05:51:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 05:51:16, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 05:51:16, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/04/27 05:51:16, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/04/27 05:51:16, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/04/27 05:51:16, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2005/04/27 05:51:16, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)

Any thoughts?

Regards,
Ash

------Original Message-----
-From: ankush grover [mailto:ankushmailing@gmail.com]
-Sent: Wednesday, April 27, 2005 07:38 AM
-To: 'Ashutosh Kamdar'
-Subject: Re: [Samba] Authentication failure when accessing Samba server in a NT domain
-
-On 4/26/05, Ashutosh Kamdar <akamdar@gnsi.com> wrote:
-> Hello Samba Gurus,
->
-> I have configured my Samba install to be a domain member of a NT4-Style domain. The version of samba used is 3.0.13. The domain joining process worked fine (net rpc join). An excerpt of smb.conf is provided at the end for reference.
->
-> The problem is that when users access this server, they are challenged for the username password. I was of the impression that this process would be seamless to the user. On providing the NT username/password, the login process still fails. It just comes back with the same prompt challenging the user.
->
-> These users are added in /etc/passwd but not in smbpasswd, as per the documentation.
->
-> On using smbclient:
-> # ./smbclient -d 3 -U akamdar -L localhost
->
-> This was the output obtained:
-> lp_load: refreshing parameters
-> Initialising global parameters
-> params.c:pm_process() - Processing configuration file "/usr/local/samba/lib/smb.conf"
-> Processing section "[global]"
-> added interface ip=192.168.2.37 bcast=192.168.2.255 nmask=255.255.255.0
-> Client started (version 3.0.13).
-> resolve_lmhosts: Attempting lmhosts lookup for name localhost<0x20>
-> resolve_wins: Attempting wins lookup for name localhost<0x20>
-> resolve_wins: WINS server resolution selected and no WINS servers listed.
-> resolve_hosts: Attempting host lookup for name localhost<0x20>
-> Connecting to 127.0.0.1 at port 445
-> Password:
->
-> Doing spnego session setup (blob length=58)
-> got OID=1 3 6 1 4 1 311 2 2 10
-> got principal=NONE
-> Got challenge flags:
-> Got NTLMSSP neg_flags=0x60890215
-> NTLMSSP: Set final flags:
-> Got NTLMSSP neg_flags=0x60080215
-> NTLMSSP Sign/Seal - Initialising with flags:
-> Got NTLMSSP neg_flags=0x60080215
-> SPNEGO login failed: Access denied
-> session setup failed: NT_STATUS_ACCESS_DENIED
->
-> Can someone please help me understand what exactly is causing this problem and of possible solutions? Any help would be greatly appreciated.
->
-> Regards,
->
-> Ashutosh
->
-> ---smb.conf--------------------8<---------------------------
->
-> [global]
-> dns proxy = no
-> debug timestamp = yes
-> encrypt passwords = yes
-> idmap gid = 15000-20000
-> socket options = TCP_NODELAY
-> max log size = 1024
-> password server = PASSWORDSERVER
-> idmap uid = 15000-20000
-> debug level = 3
-> security = domain
-> server string = Samba Server
-> workgroup = DOMAINNAME
-> log level = 3
-> log file = /usr/local/samba/var/log.%m
-> netbios name = appserver7
-> load printers = yes
-> os level = 33
-> default = share
-> winbind use default domain = Yes
->
-> [homes]
-> comment = Home Directories
-> valid users = %S
-> browseable = no
-> writable = yes
->
-> [share]
-> path = /share
-> comment = Solaris share
-> valid users = @staff
-> guest ok = Yes
-> read only = No
-
-
-Where is the hosts allow in the smb.conf. I think that is missing in
-your configuration
- like 192.168.1. 127.
-moreover try to change winbind use default domain = no
-
-Regards
-
-Ankush
-
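
Added example (not part of the original thread, and not Samba project code): a small parser for the smbd debug-log layout shown in the second message. It pulls out the check_ntlm_password failures and reports which auth backend (here winbind) returned the status. The sample log is constructed from entries in that message; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: entries from the level-5 log in the message above, laid
# out as smbd writes them (header line, then the message on an indented line).
SAMPLE_LOG = """\
[2005/04/27 05:51:16, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [DOMAINNAME]\\[akamdar]@[ASHUTOSH]
[2005/04/27 05:51:16, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [akamdar] -> [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 05:51:16, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), +(?P<level>\d+)\] "
                    r"(?P<src>\S+?):(?P<func>\w+)\((?P<line>\d+)\)\s*(?P<msg>.*)$")
BACKEND_FAIL = re.compile(r"(?P<backend>\w+) authentication for user "
                          r"\[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)")
FINAL_FAIL = re.compile(r"Authentication for user \[(?P<user>[^\]]+)\] -> "
                        r"\[(?P<unix>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Split a log into entries; the message may sit on the header line
    (as in a flattened archive) or on the lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "level": int(m["level"])})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def auth_failures(entries):
    """Group failed logons by (user, status) and record which backend refused."""
    out = defaultdict(lambda: {"backends": [], "final": False, "first_seen": None})
    for e in entries:
        b, f = BACKEND_FAIL.search(e["msg"]), FINAL_FAIL.search(e["msg"])
        hit = b or f
        if e["func"] != "check_ntlm_password" or not hit:
            continue
        rec = out[(hit["user"], hit["status"])]
        rec["first_seen"] = rec["first_seen"] or e["ts"]
        rec["backends"] += [b["backend"]] if b else []
        rec["final"] = rec["final"] or bool(f)
    return dict(out)

if __name__ == "__main__":
    print(auth_failures(parse_entries(SAMPLE_LOG)))
```

Run against a real log.%m file, the same grouping shows at a glance whether a rejection came from the winbind backend or from another auth module, which narrows where to look next.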