Wolfgang.Mair@emerson.com
2008-Sep-04 10:12 UTC
[Samba] Samba server as part of AD domain keeps asking for username and password
Hello all,
I'm trying to set up my samba server rev 3.2.3 on opensuse 10.3 as a
member of the active directory domain, so that client connections can be
authenticated by the AD server. Unfortunately when I try to connect to
the samba server from a windows XP system, it keeps on asking me for
user name and password.
I've been reading through various howto's and descriptions but no matter
what I change on the settings I still get the same result. The samba
server keeps on asking me for username and password. :(
So hopefully someone can help me out with this.
Here is my config:
[libdefaults]
default_realm = TESTDOM.ORG
clockskew = 300
#dns_lookup_realm = false
#dns_lookup_kdc = false
[realms]
TESTDOM.ORG = {
kdc = SRV.testdom.org
}
[domain_realms]
.testdom.org = TESTDOM.ORG
[logging]
default = FILE:/var/log/krb5/krb5libs.log
kdc = FILE:/var/log/krb5/kdc.log
kadmind = FILE:/var/log/krb5/kadmind.log
With this config I can execute the kinit command and get a ticket which
I can view with klist.
Here is the smb.conf file:
[global]
workgroup = TESTDOM
netbios name = jaguar
realm = TESTDOM.ORG
idmap uid = 100000-1000000
idmap gid = 100000-1000000
security = ads
encrypt passwords = yes
password server = 10.88.36.6
client use spnego = yes
Client ntlmv2 auth = yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
template shell = /bin/bash
template homedir = /home/%U
winbind enum users = yes
winbind enum groups = yes
preferred master = No
local master = No
domain master = No
printing = cups
cups options = raw
print command lpq command = %p
lprm command
[woma]
comment = test folder for ads
path = /home/woma
browseable = yes
read only = No
guest ok = no
create mask = 0770
directory mask = 0770
(/home/woma is set to chmod 777)
With this config I am able to execute wbinfo -u and get a list of users.
But I
have to execute it a few times unitl I see the list. Is this normal?
However
I am albe to map a sid to use and do other queries for user informations
with
wbinfo.
I guess this is all I need so far. Now if I open explorer on the windows
box
and enter \\jaguar I get the user name and password promt all the time.
Also
entering username and password won't change anything.
The log file says 'invalid user' which I beleive is the problem. But
why?????
[2008/08/29 11:40:00, 3] smbd/negprot.c:reply_nt1(364)
using SPNEGO
[2008/08/29 11:40:00, 3] smbd/negprot.c:reply_negprot(606)
Selected protocol NT LM 0.12
[2008/08/29 11:40:00, 3] smbd/process.crocess_smb(1069)
Transaction 1 of length 1668
[2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 21191) conn 0x0
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
wct=12 flg2=0xc807
[2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old
resources.
[2008/08/29 11:40:00, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
Doing spnego session setup
[2008/08/29 11:40:00, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002
5.1]
PrimaryDomain=[]
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1436
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username TESTDOM\AWM013 is invalid on this system <--------------------
There it is
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/process.crocess_smb(1069)
Transaction 2 of length 1668
[2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
switch message SMBsesssetupX (pid 21191) conn 0x0
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
wct=12 flg2=0xc807
[2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old
resources.
[2008/08/29 11:40:00, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
Doing spnego session setup
[2008/08/29 11:40:00, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002
5.1]
PrimaryDomain=[]
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
reply_spnego_negotiate: Got secblob of size 1436
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
Username TESTDOM\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
[2008/08/29 11:40:00, 3] smbd/process.c:timeout_processing(1329)
timeout_processing: End of file from client (client has disconnected).
[2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/08/29 11:40:00, 3] smbd/connection.c:yield_connection(69)
Yielding connection to
[2008/08/29 11:40:00, 3] smbd/server.c:exit_server_common(768)
Server exit (normal exit)
Below is a smbclient debug. It fails at the spnego but for what reason?
prinz:~ # smbclient -d 4 -U awm013 -W TESTDOM -L jaguar
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = TESTDOM
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter printcap cache time = 750 doing parameter cups options raw doing
parameter map to guest = Bad User doing parameter usershare
allow guests = Yes doing parameter passdb backend = smbpasswd
pm_process() returned Yes
added interface ip=192.168.230.30 bcast=192.168.230.255
nmask=255.255.255.0 added interface ip=10.88.35.136 bcast=10.88.35.255
nmask=255.255.255.0 added interface ip=192.168.200.4
bcast=192.168.200.255 nmask=255.255.255.0 added interface ip=192.168.0.1
bcast=192.168.0.255 nmask=255.255.255.0 Client started (version
3.0.26a-3.7-1787-SUSE-SL10.3).
Connecting to 10.88.35.133 at port 445
session request ok
Password:
Doing spnego session setup (blob length=107) got OID=1 2 840 113554 1 2
2 got OID=1 2 840 48018 1 2 2 got OID=1 3 6 1 4 1 311 2 2 10 got
principal=cifs/jaguar.testdom.org@TESTDOM.ORG
Got challenge flags:
Got NTLMSSP neg_flags=0x60898215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_CHAL_TARGET_INFO
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Logon failure
session setup failed: NT_STATUS_LOGON_FAILURE
Thanks for any help on this.
Wolfgang
Andreas Ladanyi
2008-Sep-04 11:08 UTC
[Samba] Re: Samba server as part of AD domain keeps asking for username and password
Hallo Wolfgang,> [woma] > comment = test folder for ads > path = /home/woma > browseable = yes > read only = No > guest ok = no > create mask = 0770 > directory mask = 0770guest ok = no -> Result is you have to authenticate if you want to access this share ! So you have to to define a "valid user" list: valid user = DOMAIN\user or @DOMAIN\group or both ! The \ between DOMAIN and user or group is given by the parameter: winbind separator = .... Default ist: \ If you set "guest ok = yes" then i'am sure you will have no use/password prompt ! Then you dont need a "valid user = .." list. bye, Andy
Andreas Ladanyi
2008-Sep-04 18:46 UTC
[Samba] Re: Samba server as part of AD domain keeps asking for username and password
Wolfgang.Mair@Emerson.com schrieb:> Hi Andy, > > Thanks for the answer but I've tryed this already. > > With > guest ok = yes > And/or > valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013 > > I haven't set the winbind seperator so it should be ok to use \ > > And also with guest ok = yes I still get the password promt. > > Thanks > WolfgangHi Wolfgang, The error message is: Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106) error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE The username is invalid !! Is AWM013 really a user with unix attributes in the Active Directory ? You are working with winbind. Which backend do you use to save you unix user information ? Windows Server 2003 R2 ? Iam wondering i cant read an "idmap backend = " parameter in your smb.conf ! What is the result of "wbinfo -u" and "wbinfo -g" and "wbinfo -t" ??????? Bye, Andy
Henrik Beckman
2008-Sep-05 15:49 UTC
[Samba] Re: Samba server as part of AD domain keeps asking for username and password
Sorry, My german is not that good so I?ll stick to english. I had a similar problem which was cause by samba not being able to recognize machines (AWM013 is a machine account or a user?), we have a unix heavy samba enviroment with user in both AD and unix both computers only in AD. We had problems when the computer account tried to gain access to IPC$? but where denied because the account not being recognized by samba. If you to allow guest for bad users that would go away, security might be solvable by mapping guest to nobody? Not that I would run this in production but it?s a way to test. Also if wbinfo -u or -g doesn?t work to set a valid user account in winbind to use when connecting to the domain. /Henrik 2008/9/5 Andreas Ladanyi <andy.ladanyi@web.de>> Hallo Hendrik, > > Dein Beitrag ist leider nur bei mir gelandet ! Weder bei Wolfgang, noch auf > der Mailingliste :-( > > Zum testen finde ich den parameter: > > map to guest = Bad User > > ok, aber nicht unbedingt f?rs Produktivsystem. > > Was meinst Du ? > > Sollte ein "?ffentliches" share "public=yes" oder "guest ok = yes" nicht > dazu f?hren, dass Du eben kein Passwort Popup bekommst ? Sonst macht das ja > irgendwo keinen Sinn oder ? > > Gr??e, > Andy > > > > -----Urspr?ngliche Nachricht----- > > Von: "Henrik Beckman" <henrik.list@gmail.com> > > Gesendet: 04.09.08 22:06:33 > > An: "Andreas Ladanyi" <knuffiandy@web.de> > > Betreff: Re: [Samba] Re: Samba server as part of AD domain keeps asking > for username and password > > > > > > On Thu, Sep 4, 2008 at 8:45 PM, Andreas Ladanyi <knuffiandy@web.de> > > wrote: > > > > Wolfgang.Mair@Emerson.com schrieb: > > Hi Andy, > > > > Thanks for the answer but I've tryed this already. > > With guest ok = yes And/or > > valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013 > > > > I haven't set the winbind seperator so it should be ok to use \ > > > > And also with guest ok = yes I still get the password promt. > > > > Thanks > > Wolfgang > > > > Hi Wolfgang, > > > > The error message is: > > > > Username TESTDOM\AWM013 is invalid on this system <------------------ > > -- > > There it is > > [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106) > > error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) > > NT_STATUS_LOGON_FAILURE > > > > The username is invalid !! Is AWM013 really a user with unix > > attributes in the Active Directory ? > > > > You are working with winbind. Which backend do you use to save you > > unix user information ? Windows Server 2003 R2 ? > > > > Iam wondering i cant read an "idmap backend = " parameter in your > > smb.conf ! > > > > What is the result of "wbinfo -u" and "wbinfo -g" and "wbinfo -t" ??? > > ???? > > > > Bye, > > Andy > > > > > > Is awm013 a computer? > > If so try guest = Ok and map to guest = Bad User. > > Also as Andy asks does wbinfo -u and -g work, otherwise what user > > does winbindd use? > > > > Do you have 2008 server as password servers? > > > > /Henrik > > > > > > > > > > > > > _____________________________________________________________________ > Der WEB.DE SmartSurfer hilft bis zu 70% Ihrer Onlinekosten zu sparen! > http://smartsurfer.web.de/?mc=100071&distributionid=000000000066 > >