Eric Boehm
2005-Aug-24 19:26 UTC
[Samba] Username.map works in 2.2.8a, doesn't work in 3.0.14a
I'm a bit puzzled. I am able to map an account without any problem on Samba 2.2.8a (security=domain). However, access fails with Samba 3.0.14a when everything else is the same (same configuration files).

Any advice as to the cause of the problems (and its solution) would be appreciated.

From 2.2.8a logs

[2005/08/24 14:59:51, 3, pid=7767] smbd/reply.c:(880) Domain=[americase] NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1]
[2005/08/24 14:59:51, 3, pid=7767] smbd/reply.c:(890) sesssetupX:name=[pnmadm09]
[2005/08/24 14:59:51, 3, pid=7767] lib/username.c:(168) Mapped user pnmadm09 to pnmadm
[2005/08/24 14:59:51, 3, pid=7767] libsmb/namequery.c:(769) resolve_lmhosts: Attempting lmhosts lookup for name ZRTPD0PP<0x20>
[2005/08/24 14:59:51, 3, pid=7767] lib/util_sock.c:(845) Connecting to 47.140.205.113 at port 445
[2005/08/24 14:59:52, 3, pid=7767] smbd/password.c:(340) User name: pnmadm Real name: PNM Admin,PSD17792
[2005/08/24 14:59:52, 3, pid=7767] smbd/password.c:(736) authorise_login: ACCEPTED: validated uid ok as non-guest (user=pnmadm)
[2005/08/24 14:59:52, 1, pid=7767] smbd/service.c:(636) boehm-1 (47.143.20.49) connect to service export as user pnmadm (uid=34344, gid=4794) (pid 7767)

From 3.0.14a logs

[2005/08/24 15:09:11, 3, pid=10515] libsmb/ntlmssp.c:(606) Got user=[pnmadm09] domain=[americase] workstation=[BOEHM-1] len1=24 len2=24
[2005/08/24 15:09:11, 3, pid=10515] lib/username.c:(173) Mapped user pnmadm09 to pnmadm
[2005/08/24 15:09:11, 3, pid=10515] auth/auth.c:(219) check_ntlm_password: Checking password for unmapped user [americase]\[pnmadm09]@[BOEHM-1] with the new password interface
[2005/08/24 15:09:11, 3, pid=10515] auth/auth.c:(222) check_ntlm_password: mapped user is: [americase]\[pnmadm]@[BOEHM-1]
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 3, pid=10515] libsmb/cliconnect.c:(1406) Connecting to host=ZRTPD0PP
[2005/08/24 15:09:11, 3, pid=10515] lib/util_sock.c:(752) Connecting to 47.140.205.113 at port 445
[2005/08/24 15:09:11, 3, pid=10515] rpc_client/cli_netlogon.c:(290) cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 3, pid=10515] libsmb/cliconnect.c:(1406) Connecting to host=ZRTPD0PP
[2005/08/24 15:09:11, 3, pid=10515] lib/util_sock.c:(752) Connecting to 47.140.205.113 at port 445
[2005/08/24 15:09:11, 3, pid=10515] rpc_client/cli_netlogon.c:(290) cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine ZRTPD0PP. Error was : NT_STATUS_ACCESS_DENIED.
[2005/08/24 15:09:11, 0, pid=10515] auth/auth_domain.c:(170) domain_client_validate: Domain password server not available.
[2005/08/24 15:09:11, 2, pid=10515] auth/auth.c:(312) check_ntlm_password: Authentication for user [pnmadm09] -> [pnmadm] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2005/08/24 15:09:21, 3, pid=105

--
Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm@nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
Eric Boehm
2005-Aug-29 14:48 UTC
[Samba] Username.map works in 2.2.8a, doesn't work in 3.0.14a - SOLVED
On Wed, Aug 24, 2005 at 03:26:23PM -0400, Boehm, Eric [GWRTP:CM21:EXCH] wrote:
>>>>> "Eric" == Boehm, Eric [GWRTP:CM21:EXCH] <Boehm> writes:

Eric> I'm a bit puzzled. I am able to map an account without any
Eric> problem on Samba 2.2.8a (security=domain). However, access
Eric> fails with Samba 3.0.14a when everything else is the same
Eric> (same configuration files).

Eric> Any advice as to the cause of the problems (and its
Eric> solution) would be appreciated.

I'll follow up and answer my own question. The problem is that I didn't understand the Release notes for 3.0.8

=====================
Change in Username Map
=====================

Previous Samba releases would only support reading the fully qualified username (e.g. DOMAIN\user) from the username map when performing a kerberos login from a client. However, when looking up a map entry for a user authenticated by NTLM[SSP], only the login name would be used for matches. This resulted in inconsistent behavior sometimes even on the same server.

Samba 3.0.8 obeys the following rules when applying the username map functionality:

  * When performing local authentication, the username map is applied to the login name before attempting to authenticate the connection.
  * When relying upon a external domain controller for validating authentication requests, smbd will apply the username map to the fully qualified username (i.e. DOMAIN\user) only after the user has been successfully authenticated.

Previously, I had used

  unix_user = windows_user

After reading the notes above, I tried

  DOMAIN\unix_user = windows_user

I should have used (and this did work)

  unix_user = DOMAIN\windows_user

--
Eric M. Boehm                  /"\  ASCII Ribbon Campaign
boehm@nortel.com               \ /  No HTML or RTF in mail
                                X   No proprietary word-processing
Respect Open Standards         / \  files in mail
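
The username map rules quoted from the 3.0.8 release notes, as an added example that is not part of the original posts and is not Samba's code: a simplified Python model of the lookup, run against the three map forms from the post with the names seen in its logs filled in (constructed input). The function names are hypothetical, and the way a mapped name carries over to later lines is an assumption of the model.

```python
import shlex

def parse_username_map(text):
    """Parse map lines into (unix_user, [client_names], stop_on_match)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        stop = line.startswith("!")              # '!' stops at this line on a match
        unix, sep, right = line.lstrip("!").partition("=")
        if not sep:
            continue
        # posix=False keeps the backslash in DOMAIN\user as a literal character
        names = [n.strip('"') for n in shlex.split(right, posix=False)]
        entries.append((unix.strip(), names, stop))
    return entries

def lookup_name(login, domain, domain_auth):
    """Name the map is matched against, per the 3.0.8 rules quoted above."""
    return f"{domain}\\{login}" if domain_auth else login

def map_user(entries, name):
    """Return the mapped Unix user, or None if no line matches."""
    mapped = None
    for unix, names, stop in entries:
        # @group/+group/&group entries need a group lookup and are skipped here
        if any(n == "*" or n.lower() == name.lower() for n in names):
            mapped = name = unix                 # assumption: later lines see the mapped name
            if stop:
                break
    return mapped

def unqualified(entries):
    """Client names without DOMAIN\\ that cannot match a domain-authenticated user."""
    return [n for _, names, _ in entries for n in names
            if "\\" not in n and n != "*" and n[:1] not in "@+&"]

# Constructed maps: the three forms from the post with the names seen in its logs
MAPS = {
    "original": "pnmadm = pnmadm09",
    "first try": "americase\\pnmadm = pnmadm09",
    "working": "pnmadm = americase\\pnmadm09",
}

if __name__ == "__main__":
    key = lookup_name("pnmadm09", "americase", domain_auth=True)
    for label, text in MAPS.items():
        entries = parse_username_map(text)
        print(f"{label:10} -> {map_user(entries, key)}  unqualified={unqualified(entries)}")
```

On a domain member, any name reported by `unqualified` is a map entry that the rule quoted above will not match, which makes it a quick audit of a map file carried over from 2.2.x.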