Andrei Nazarenko
2006-Sep-06 12:56 UTC
[Samba] Problem with "Security=ADS" and domain users afer upgrading to 3.0.23c
Hello all, I am not sure if this is a bug or a feature of the newly released Samba 3.0.23c. I had this samba.conf working fully ok for smbd 3.0.23b : [global] map to guest = Bad User guest account = nobody disable netbios = Yes lanman auth = No unix charset = ISO8859-15 display charset = ISO8859-15 printing = bsd workgroup = OAAD realm = OA.PNRAD.NET <http://oa.pnrad.net/> security = ADS [public] path = /srv/www/htdocs/public valid users = nazaand, orloale write list = nazaand, orloale force group = public create mask = 0660 directory mask = 0770 browseable = No As soon as I upgraded to 3.0.23c I encountered the following problem. If I try to map the [public] share from a simple standalone PC, which does not belong to a domain, everything works fine (I am being asked for a username and password and I enter "nazaand" as the username and the corresponding password. However, if I try to map the same share from the PC which belongs to the domain " OA.PNRAD.NET <http://oa.pnrad.net/>" the authentication fails, unless I enter "localhost\nazaand" as the username. With 3.0.23b I did not need to enter any username/password when mapping the share from the domain PC, because I was already logged in with the right account in the domain. I have studied level 3 log file, and see that the authentication is performed differently now when the domain PC is used. For the PC that is not in the domain I have this in the log: Got user=[nazaand] domain=[PC35355] workstation=[PC35355] len1=24 len2=24 check_ntlm_password: mapped user is: [OAAD]\[nazaand]@[PC35355] check_ntlm_password: winbind authentication for user [nazaand] succeeded For the domain PC nothing like that is present. Instead I get this: Ticket name is [PC35355$@OA.PNRAD.NET] Username OAAD\PC35355$ is invalid on this system error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE ... Ticket name is [ NAZAAND@OA.PNRAD.NET] make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER! error packet at smbd/sesssetup.c(339) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE Finally, if on the domain PC I enter "localhost\nazaand" as my username, then the share does get mapped and the following is in the log: Got user=[nazaand] domain=[localhost] workstation=[PC3535] len1=24 len2=24 check_ntlm_password: Checking password for unmapped user [localhost]\[nazaand]@[PC3535] with the new password interface check_ntlm_password: mapped user is: [OAAD]\[nazaand]@[PC3535] check_ntlm_password: winbind authentication for user [nazaand] succeeded It is obvious that the authentication breaks at the "Ticket name is [NAZAAND@OA.PNRAD.NET] - NO SUCH USER" part (in the domain). So my question is basically, is this the intended behaviour? If so, how can I make it work again the same way 3.0.23b did? Regards, Andrei Nazarenko
Gerald (Jerry) Carter
2006-Sep-06 14:15 UTC
[Samba] Problem with "Security=ADS" and domain users afer upgrading to 3.0.23c
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Andrei Nazarenko wrote:> Hello all, > > I am not sure if this is a bug or a feature of > the newly released Samba 3.0.23c. > I had this samba.conf working fully ok for smbd > 3.0.23b : >...> For the domain PC nothing like that is present. Instead > I get this: > > Ticket name is [PC35355$@OA.PNRAD.NET] > Username OAAD\PC35355$ is invalid on this system > error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX) > NT_STATUS_LOGON_FAILURE > ... > Ticket name is [ NAZAAND@OA.PNRAD.NET] > make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER! > error packet at smbd/sesssetup.c(339) cmd=115 (SMBsesssetupX) > NT_STATUS_LOGON_FAILURECan you send me a full level 10 debug log from smbd? Thanks. jerry ====================================================================Samba ------- http://www.samba.org Centeris ----------- http://www.centeris.com "What man is a man who does not make the world better?" --Balian -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE/tgBIR7qMdg1EfYRAgsYAKC6xnB23KIDDkGQvjg3AXca19SurwCgrG0F 3dXM30/oidr7K85N28VAzic=Bjgg -----END PGP SIGNATURE-----
Svinopas Evgnatyevich
2006-Sep-12 07:58 UTC
[Samba] Problem with "Security=ADS" and domain users afer upgrading to 3.0.23c
Hello all, I am not sure if this is a bug or a feature of the newly released Samba 3.0.23c. I had this samba.conf working fully ok for smbd 3.0.23b : [global] map to guest = Bad User guest account = nobody disable netbios = Yes lanman auth = No unix charset = ISO8859-15 display charset = ISO8859-15 printing = bsd workgroup = OAAD realm = OA.PNRAD.NET security = ADS [public] path = /srv/www/htdocs/public valid users = nazaand, orloale write list = nazaand, orloale force group = public create mask = 0660 directory mask = 0770 browseable = No As soon as I upgraded to 3.0.23c I encountered the following problem. If I try to map the [public] share from a simple standalone PC, which does not belong to a domain, everything works fine (I am being asked for a username and password and I enter "nazaand" as the username and the corresponding password. However, if I try to map the same share from the PC which belongs to the domain "OA.PNRAD.NET" the authentication fails, unless I enter "localhost\nazaand" as the username. With 3.0.23b I did not need to enter any username/password when mapping the share from the domain PC, because I was already logged in with the right account in the domain. I have studied level 3 log file, and see that the authentication is performed differently now when the domain PC is used. For the PC that is not in the domain I have this in the log: Got user=[nazaand] domain=[PC35355] workstation=[PC35355] len1=24 len2=24 check_ntlm_password: mapped user is: [OAAD]\[nazaand]@[PC35355] check_ntlm_password: winbind authentication for user [nazaand] succeeded For the domain PC nothing like that is present. Instead I get this: Ticket name is [PC35355$@OA.PNRAD.NET] Username OAAD\PC35355$ is invalid on this system error packet at smbd/sesssetup.c(315) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE ... Ticket name is [NAZAAND@OA.PNRAD.NET] make_server_info_info3 failed: NT_STATUS_NO_SUCH_USER! error packet at smbd/sesssetup.c(339) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE Finally, if on the domain PC I enter "localhost\nazaand" as my username, then the share does get mapped and the following is in the log: Got user=[nazaand] domain=[localhost] workstation=[PC3535] len1=24 len2=24 check_ntlm_password: Checking password for unmapped user [localhost]\[nazaand]@[PC3535] with the new password interface check_ntlm_password: mapped user is: [OAAD]\[nazaand]@[PC3535] check_ntlm_password: winbind authentication for user [nazaand] succeeded It is obvious that the authentication breaks at the "Ticket name is [NAZAAND@OA.PNRAD.NET] - NO SUCH USER" part (in the domain). So my question is basically, is this the intended behaviour? If so, how can I make it work again the same way 3.0.23b did? Regards, Andrei Nazarenko
Reasonably Related Threads
- Samba 3.0.23 + ADS + 'valid users' + 'force user' does not work
- permission issues afer upgrade from 2.0.7 to 2.2.2
- CentOS 5 - locking out users afer 3 failed attempts
- That the Linux bridge configuration does not work afer I upgraded the kernel to 2.6.33.2.
- compiling 3.2.15: cifs.upcall not found afer RPM build