Wolfgang.Mair@emerson.com
2008-Sep-04 10:12 UTC
[Samba] Samba server as part of AD domain keeps asking for username and password
Hello all,

I'm trying to set up my samba server rev 3.2.3 on opensuse 10.3 as a member of the active directory domain, so that client connections can be authenticated by the AD server. Unfortunately when I try to connect to the samba server from a windows XP system, it keeps on asking me for user name and password. I've been reading through various howto's and descriptions but no matter what I change on the settings I still get the same result. The samba server keeps on asking me for username and password. :(

So hopefully someone can help me out with this. Here is my config:

[libdefaults]
default_realm = TESTDOM.ORG
clockskew = 300
#dns_lookup_realm = false
#dns_lookup_kdc = false

[realms]
TESTDOM.ORG = {
kdc = SRV.testdom.org
}

[domain_realms]
.testdom.org = TESTDOM.ORG

[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/kdc.log
kadmind = FILE:/var/log/krb5/kadmind.log

With this config I can execute the kinit command and get a ticket which I can view with klist.

Here is the smb.conf file:

[global]
workgroup = TESTDOM
netbios name = jaguar
realm = TESTDOM.ORG
idmap uid = 100000-1000000
idmap gid = 100000-1000000
security = ads
encrypt passwords = yes
password server = 10.88.36.6
client use spnego = yes
Client ntlmv2 auth = yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
preferred master = No
local master = No
domain master = No
printing = cups
cups options = raw
print command lpq command = %p lprm command

[woma]
comment = test folder for ads
path = /home/woma
browseable = yes
read only = No
guest ok = no
create mask = 0770
directory mask = 0770

(/home/woma is set to chmod 777)

With this config I am able to execute wbinfo -u and get a list of users. But I have to execute it a few times until I see the list. Is this normal? However I am able to map a sid to use and do other queries for user information with wbinfo.

I guess this is all I need so far. Now if I open explorer on the windows box and enter \\jaguar I get the user name and password prompt all the time. Also entering username and password won't change anything. The log file says 'invalid user' which I believe is the problem. But why?????

[2008/08/29 11:40:00, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2008/08/29 11:40:00, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2008/08/29 11:40:00, 3] smbd/process.c:process_smb(1069)
  Transaction 1 of length 1668
[2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 21191) conn 0x0
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1436
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/process.c:process_smb(1069)
  Transaction 2 of length 1668
[2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 21191) conn 0x0
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1436
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username TESTDOM\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/process.c:timeout_processing(1329)
  timeout_processing: End of file from client (client has disconnected).
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2008/08/29 11:40:00, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)

Below is a smbclient debug. It fails at the spnego but for what reason?

prinz:~ # smbclient -d 4 -U awm013 -W TESTDOM -L jaguar
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = TESTDOM
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter printcap cache time = 750
doing parameter cups options raw
doing parameter map to guest = Bad User
doing parameter usershare allow guests = Yes
doing parameter passdb backend = smbpasswd
pm_process() returned Yes
added interface ip=192.168.230.30 bcast=192.168.230.255 nmask=255.255.255.0
added interface ip=10.88.35.136 bcast=10.88.35.255 nmask=255.255.255.0
added interface ip=192.168.200.4 bcast=192.168.200.255 nmask=255.255.255.0
added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
Client started (version 3.0.26a-3.7-1787-SUSE-SL10.3).
Connecting to 10.88.35.133 at port 445
session request ok
Password:
Doing spnego session setup (blob length=107)
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 48018 1 2 2
got OID=1 3 6 1 4 1 311 2 2 10
got principal=cifs/jaguar.testdom.org@TESTDOM.ORG
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_CHAL_TARGET_INFO
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
  NTLMSSP_NEGOTIATE_UNICODE
  NTLMSSP_REQUEST_TARGET
  NTLMSSP_NEGOTIATE_SIGN
  NTLMSSP_NEGOTIATE_NTLM
  NTLMSSP_NEGOTIATE_ALWAYS_SIGN
  NTLMSSP_NEGOTIATE_NTLM2
  NTLMSSP_NEGOTIATE_128
  NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE

Thanks for any help on this.

Wolfgang
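The record "Username TESTDOM\AWM013 is invalid on this system" is the point where smbd gives up on a Kerberos ticket the KDC had already accepted. The Python script below is an added example, not code from this thread or from Samba: it parses smbd log records in the two-line format shown above (bracketed header, then indented message) and pairs each "Ticket name is [...]" with the username smbd then rejected, so this mapping failure can be picked out of a busy log without reading it by hand. The sample log is constructed from the records quoted in the post.

```python
import re

# smbd writes each record as a bracketed header line followed by an indented message line.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] ([^:\s]+):(\w+)\((\d+)\)$")
TICKET = re.compile(r"Ticket name is \[([^\]]+)\]")
INVALID = re.compile(r"Username (\S+) is invalid on this system")
# Constructed sample, reassembled from the records quoted in the post (two failed session setups).
SAMPLE_LOG = r"""[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username TESTDOM\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username TESTDOM\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

def parse_smbd_log(text):
    """Group header and continuation lines into dicts with keys ts, level, src, func, msg."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func, _lineno = m.groups()
            records.append({"ts": ts, "level": int(level), "src": src, "func": func, "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def rejected_kerberos_logons(records):
    """Pair each accepted ticket principal with the username smbd could not map to a local account."""
    findings, ticket = [], None
    for r in records:
        if r["func"] != "reply_spnego_kerberos":
            continue
        t, bad = TICKET.search(r["msg"]), INVALID.search(r["msg"])
        if t:
            ticket = t.group(1)
        elif bad:
            findings.append({"ts": r["ts"], "principal": ticket, "username": bad.group(1)})
            ticket = None  # reset so a stray rejection is not paired with an old ticket
    return findings

def logon_failures(records):
    """Count NT_STATUS_LOGON_FAILURE error packets, the status the Windows client actually sees."""
    return sum(1 for r in records if "NT_STATUS_LOGON_FAILURE" in r["msg"])
```

Run over the real log file (log level 3 as in the post) the findings list shows which AD principals authenticated fine at the Kerberos level and still failed inside smbd, which separates a ticket problem from a winbind/idmap lookup problem.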
Andreas Ladanyi
2008-Sep-04 11:08 UTC
[Samba] Re: Samba server as part of AD domain keeps asking for username and password
Hello Wolfgang,

> [woma]
> comment = test folder for ads
> path = /home/woma
> browseable = yes
> read only = No
> guest ok = no
> create mask = 0770
> directory mask = 0770

guest ok = no -> Result is you have to authenticate if you want to access this share! So you have to define a "valid user" list:

valid user = DOMAIN\user or @DOMAIN\group or both!

The \ between DOMAIN and user or group is given by the parameter:

winbind separator = ....

Default is: \

If you set "guest ok = yes" then I'm sure you will have no user/password prompt! Then you don't need a "valid user = .." list.

bye,
Andy
Andreas Ladanyi
2008-Sep-04 18:46 UTC
[Samba] Re: Samba server as part of AD domain keeps asking for username and password
Wolfgang.Mair@Emerson.com wrote:
> Hi Andy,
>
> Thanks for the answer but I've tried this already.
>
> With
> guest ok = yes
> And/or
> valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013
>
> I haven't set the winbind separator so it should be ok to use \
>
> And also with guest ok = yes I still get the password prompt.
>
> Thanks
> Wolfgang

Hi Wolfgang,

The error message is:

Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

The username is invalid!! Is AWM013 really a user with unix attributes in the Active Directory?

You are working with winbind. Which backend do you use to save your unix user information? Windows Server 2003 R2?

I am wondering that I can't read an "idmap backend = " parameter in your smb.conf!

What is the result of "wbinfo -u" and "wbinfo -g" and "wbinfo -t"???????

Bye,
Andy
Henrik Beckman
2008-Sep-05 15:49 UTC
[Samba] Re: Samba server as part of AD domain keeps asking for username and password
Sorry, my German is not that good so I'll stick to English.

I had a similar problem which was caused by samba not being able to recognize machines (AWM013 is a machine account or a user?), we have a unix heavy samba environment with users in both AD and unix but computers only in AD. We had problems when the computer account tried to gain access to IPC$ but were denied because of the account not being recognized by samba.

If you allow guest for bad users that would go away, security might be solvable by mapping guest to nobody? Not that I would run this in production but it's a way to test.

Also, if wbinfo -u or -g doesn't work, set a valid user account in winbind to use when connecting to the domain.

/Henrik

2008/9/5 Andreas Ladanyi <andy.ladanyi@web.de>

> Hello Hendrik,
>
> Unfortunately your post only reached me! Neither Wolfgang nor the mailing list :-(
>
> For testing I find the parameter:
>
> map to guest = Bad User
>
> okay, but not necessarily for the production system.
>
> What do you think?
>
> Shouldn't a "public" share ("public = yes" or "guest ok = yes") mean that you get no password popup at all? Otherwise that makes no sense somehow, does it?
>
> Regards,
> Andy
>
> > -----Original Message-----
> > From: "Henrik Beckman" <henrik.list@gmail.com>
> > Sent: 04.09.08 22:06:33
> > To: "Andreas Ladanyi" <knuffiandy@web.de>
> > Subject: Re: [Samba] Re: Samba server as part of AD domain keeps asking for username and password
> >
> > On Thu, Sep 4, 2008 at 8:45 PM, Andreas Ladanyi <knuffiandy@web.de> wrote:
> >
> > Wolfgang.Mair@Emerson.com wrote:
> > Hi Andy,
> >
> > Thanks for the answer but I've tried this already.
> > With guest ok = yes And/or
> > valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013
> >
> > I haven't set the winbind separator so it should be ok to use \
> >
> > And also with guest ok = yes I still get the password prompt.
> >
> > Thanks
> > Wolfgang
> >
> > Hi Wolfgang,
> >
> > The error message is:
> >
> > Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is
> > [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
> >   error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> >
> > The username is invalid!! Is AWM013 really a user with unix attributes in the Active Directory?
> >
> > You are working with winbind. Which backend do you use to save your unix user information? Windows Server 2003 R2?
> >
> > I am wondering that I can't read an "idmap backend = " parameter in your smb.conf!
> >
> > What is the result of "wbinfo -u" and "wbinfo -g" and "wbinfo -t"???????
> >
> > Bye,
> > Andy
> >
> >
> > Is awm013 a computer?
> > If so try guest = Ok and map to guest = Bad User.
> > Also as Andy asks does wbinfo -u and -g work, otherwise what user does winbindd use?
> >
> > Do you have 2008 server as password servers?
> >
> > /Henrik