René KIRSCHNER
2008-Nov-25 15:56 UTC
[Samba] Problems configuring samba with pam_mysql auth - NT_STATUS_NO_SUCH_USER / NT_STATUS_LOGON_FAILURE
Hello everyone,

First of all...sorry for this monster post, but I have tried to insert every potentially useful information. :)

The last days I vainly tried to implement a samba server with MySQL authentication on one of our servers (Debian 2.6.27.5). The server shall provide fileshare services to some Mac clients (OS 10.4.11). Mail is already running with pam_mysql auth against the mail user database, so we wanted to use it synchronously for samba auth. I just copied the settings from /etc/pam.d/smtp to /etc/pam.d/samba (I additionally enabled sqllog and verbose mode for debugging). When trying to connect with smbclient directly on the server, I receive the following error message:

NT_STATUS_LOGON_FAILURE

--------------------------------------------------------------------------

/etc/pam.d/samba

auth sufficient pam_mysql.so user=samba passwd=samba host=172.24.100.1 db=cip_cn_mail table=test usercolumn=name passwdcolumn=pw crypt=0 verbose=1 sqllog=1 logtable=log logmsgcolumn=msg logusercolumn=user loghostcolumn=host logpidcolumn=pid logtimecolumn=time
account required pam_mysql.so user=samba passwd=samba host=172.24.100.1 db=cip_cn_mail table=test usercolumn=name passwdcolumn=pw crypt=0 verbose=1 sqllog=1
#password required pam_mysql.so user=samba passwd=samba host=172.24.100.1 db=cip_cn_mail table=test usercolumn=name passwdcolumn=pw crypt=0 verbose=1 sqllog=1
#Session required pam_mysql.so user=samba passwd=samba host=172.24.100.1 db=cip_cn_mail table=test usercolumn=name passwdcolumn=pw crypt=0 verbose=1 sqllog=1

---------------------------------------------------------------

/etc/samba/smb.conf

#
#======================= Global Settings ======================

[global]
   server string = %h server
   wins support = no
   dns proxy = no
   workgroup = hu

#### Networking ####
   interfaces = eth1
   bind interfaces only = yes
   unix extensions = no

#### Debugging/Accounting ####
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   log level = 3
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######
   security = user
   obey pam restrictions = Yes
   encrypt passwords = No
   update encrypted = No
   client lanman auth = yes
   client plaintext auth = yes

#======================= Share Definitions ======================

[Printers]
   browseable = no

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = no
   read only = yes
   guest ok = no
;   write list = root, @ntadmin

[shanghai]
   comment = Shanghai Share
   path = /d1/shares/shanghai
   browseable = yes
#   public = yes
   writable = yes
   printable = no
   create mask = 0777
   create mode = 0777
   directory mask = 0777
#   guest ok = yes
#   guest only = yes

[it]
   comment = IT Share
   path = /d1/shares/it
   browseable = yes
   public = no
   writable = yes
   printable = no
   create mask = 0777
   create mode = 0777
   directory mask = 0777
   valid users = admin

[billy]
   comment = usershare
   path = /d1/shares/user/billy
   browseable = yes
   writable = yes
   guest ok = no
   valid users = billy
   admin users = admin

-------------------------------------------------------------------------------

The authentication against the user-db seems to work, the information is added correctly into the log table:

/var/log/auth.log

Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option verbose is set to "1"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option sqllog is set to "1"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option logtable is set to "log"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option logmsgcolumn is set to "msg"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option logusercolumn is set to "user"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option loghostcolumn is set to "host"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option logpidcolumn is set to "pid"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option logtimecolumn is set to "time"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_close_db() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_sm_authenticate() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_converse() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_open_db() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_open_db() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_check_passwd() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_format_string() called
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - SELECT pw FROM test WHERE name = 'admin'
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_sql_log() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_format_string() called
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - INSERT INTO log (msg, user, host, pid, time) VALUES ('AUTHENTICATION SUCCESS', 'admin', '(unknown)', '12885', NOW())
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_sql_log() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_check_passwd() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_sm_authenticate() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option user is set to "samba"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option passwd is set to "samba"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option host is set to "172.24.100.1"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option db is set to "cip_cn_mail"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option table is set to "test"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option usercolumn is set to "name"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option passwdcolumn is set to "pw"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option crypt is set to "0"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option verbose is set to "1"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - option sqllog is set to "1"
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_close_db() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_sm_acct_mgmt() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_open_db() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_open_db() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_query_user_stat() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_format_string() called
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - SELECT 0, pw FROM test WHERE name = 'admin'
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_sql_log() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_format_string() called
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_quick_escape() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - INSERT INTO log (msg, user, host, pid, time) VALUES ('QUERYING SUCCESS', 'admin', '(unknown)', '12885', NOW())
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_sql_log() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_query_user_stat() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_sm_acct_mgmt() returning 0.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_release_ctx() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_destroy_ctx() called.
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_mysql_close_db() called.

------------------------------------------------------

This is the samba log file:

[2008/11/25 16:03:37, 3] smbd/oplock.c:init_oplocks(875)
  init_oplocks: initializing messages.
[2008/11/25 16:03:37, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(241)
  Linux kernel oplocks enabled
[2008/11/25 16:03:37, 3] smbd/process.c:process_smb(1549)
  Transaction 0 of length 194 (0 toread)
[2008/11/25 16:03:37, 3] smbd/process.c:switch_message(1361)
  switch message SMBnegprot (pid 12885) conn 0x0
[2008/11/25 16:03:37, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN1.0]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LM1.2X002]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [DOS LANMAN2.1]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [LANMAN2.1]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [Samba]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [NT LANMAN 1.0]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(568)
  Requested protocol [NT LM 0.12]
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_nt1(373)
  not using SPNEGO
[2008/11/25 16:03:37, 3] smbd/negprot.c:reply_negprot(673)
  Selected protocol NT LANMAN 1.0
[2008/11/25 16:03:40, 3] smbd/process.c:process_smb(1549)
  Transaction 1 of length 128 (0 toread)
[2008/11/25 16:03:40, 3] smbd/process.c:switch_message(1361)
  switch message SMBsesssetupX (pid 12885) conn 0x0
[2008/11/25 16:03:40, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/11/25 16:03:40, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1409)
  wct=13 flg2=0xc801
[2008/11/25 16:03:40, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1608)
  Domain=[HU] NativeOS=[Unix] NativeLanMan=[Samba 3.2.4] PrimaryDomain=[]
[2008/11/25 16:03:40, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1624)
  sesssetupX:name=[HU]\[admin]@[172.24.100.1]
[2008/11/25 16:03:40, 3] auth/auth.c:check_ntlm_password(220)
  check_ntlm_password: Checking password for unmapped user [HU]\[admin]@[172.24.100.1] with the new password interface
[2008/11/25 16:03:40, 3] auth/auth.c:check_ntlm_password(223)
  check_ntlm_password: mapped user is: [HU]\[admin]@[172.24.100.1]
[2008/11/25 16:03:40, 3] smbd/sec_ctx.c:push_sec_ctx(224)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/11/25 16:03:40, 3] smbd/uid.c:push_conn_ctx(357)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/11/25 16:03:40, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/11/25 16:03:40, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/11/25 16:03:40, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [admin] -> [admin] FAILED with error NT_STATUS_NO_SUCH_USER
[2008/11/25 16:03:40, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/sesssetup.c(1725) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2008/11/25 16:03:40, 3] smbd/process.c:smbd_process(2035)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
[2008/11/25 16:03:40, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/11/25 16:03:40, 3] smbd/connection.c:yield_connection(31)
  Yielding connection to
[2008/11/25 16:03:40, 3] smbd/server.c:exit_server_common(949)
  Server exit (normal exit)

I tried almost every possible configuration, useless. Maybe I have missed something.

Thanks in advance,

Rene
Collen Blijenberg
2008-Nov-27 09:42 UTC
[Samba] Problems configuring samba with pam_mysql auth - NT_STATUS_NO_SUCH_USER / NT_STATUS_LOGON_FAILURE
Hi,

did you set up nss ???
since pam is for auth only, you still need the usernames.. (and therefore nsswitch)
or add them in /etc/passwd. (but then you can skip pam as well ..)

Cheers, Collen

btw there are 2 mysql-nsswitch projects..
so you can use the auth database for it as well..

René KIRSCHNER wrote:
> Hello everyone,
>
> First of all...sorry for this monster post, but I have tried to insert every potentially useful information. :)
>
> The last days I vainly tried to implement a samba server with MySQL authentication on one of our servers (Debian 2.6.27.5). The server shall provide fileshare services to some Mac clients (OS 10.4.11). Mail is already running with pam_mysql auth against the mail user database, so we wanted to use it synchronously for samba auth. I just copied the settings from /etc/pam.d/smtp to /etc/pam.d/samba (I additionally enabled sqllog and verbose mode for debugging). When trying to connect with smbclient directly on the server, I receive the following error message:
>
> NT_STATUS_LOGON_FAILURE
>
> --------------------------------------------------------------------------
>
> [2008/11/25 16:03:40, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2008/11/25 16:03:40, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/11/25 16:03:40, 2] auth/auth.c:check_ntlm_password(318)
>   check_ntlm_password: Authentication for user [admin] -> [admin] FAILED with error NT_STATUS_NO_SUCH_USER
> [2008/11/25 16:03:40, 3] smbd/error.c:error_packet_set(61)
>   error packet at smbd/sesssetup.c(1725) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2008/11/25 16:03:40, 3] smbd/process.c:smbd_process(2035)
>   receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
> [2008/11/25 16:03:40, 3] smbd/sec_ctx.c:set_sec_ctx(324)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2008/11/25 16:03:40, 3] smbd/connection.c:yield_connection(31)
>   Yielding connection to
> [2008/11/25 16:03:40, 3] smbd/server.c:exit_server_common(949)
>   Server exit (normal exit)
>
>
> I tried almost every possible configuration, useless. Maybe I have missed something.
>
>
> Thanks in advance,
>
> Rene
>
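
The mismatch discussed in this thread (pam_mysql logs AUTHENTICATION SUCCESS while smbd reports NT_STATUS_NO_SUCH_USER) can be confirmed by correlating the two logs with an NSS lookup of the account name. The Python below is an added example, not part of the original thread or of Samba or pam_mysql; it assumes the sqllog=1 output format shown in the first post, the embedded lines are copied from that post, and the function names are illustrative.

```python
import pwd
import re

# Sample input: lines copied from the auth.log and smbd log in the first post.
AUTH_LOG = """\
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - SELECT pw FROM test WHERE name = 'admin'
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - INSERT INTO log (msg, user, host, pid, time) VALUES ('AUTHENTICATION SUCCESS', 'admin', '(unknown)', '12885', NOW())
Nov 25 16:03:40 hu smbd[12885]: pam_mysql - pam_sm_authenticate() returning 0.
"""
SMBD_LOG = """\
[2008/11/25 16:03:40, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password: Authentication for user [admin] -> [admin] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Assumption: pam_mysql runs with verbose=1 sqllog=1, so its INSERT is echoed to auth.log.
PAM_OK = re.compile(r"pam_mysql - INSERT INTO \S+ .*VALUES \('AUTHENTICATION SUCCESS', '([^']*)'")
SMB_FAIL = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")

def nss_knows(user):
    """True if the name resolves through NSS (files or any other nsswitch.conf source)."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False

def diagnose(auth_log, smbd_log, resolver=nss_knows):
    """Return one finding per smbd failure: (user, status, pam_accepted, nss_resolves)."""
    pam_ok = set(PAM_OK.findall(auth_log))
    findings = []
    for _, mapped, status in SMB_FAIL.findall(smbd_log):
        findings.append((mapped, status, mapped in pam_ok, resolver(mapped)))
    return findings

def explain(finding):
    user, status, pam_accepted, nss_resolves = finding
    if status == "NT_STATUS_NO_SUCH_USER" and pam_accepted and not nss_resolves:
        return f"{user}: password accepted by PAM, but no passwd entry via NSS"
    if status == "NT_STATUS_NO_SUCH_USER" and not nss_resolves:
        return f"{user}: unknown to NSS and no PAM success logged"
    return f"{user}: {status}; account resolves={nss_resolves}, PAM success={pam_accepted}"

if __name__ == "__main__":
    for f in diagnose(AUTH_LOG, SMBD_LOG):
        print(explain(f))
```

Run on the server itself so that `pwd.getpwnam` consults the same nsswitch.conf as smbd; `getent passwd admin` gives the same answer from the shell.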