Geoff Winkless
2011-Feb-18 13:52 UTC
[Samba] samba ADS-based authentication fails with NT_STATUS_USER_UNKNOWN but wbinfo works
Hi

I've found a few list posts with this problem but none of their solutions helped. Apologies for the long mail but I've no idea which section of the various logs will be the important part.

I've set up a RHEL5.3 server (with Samba 3.0.33) to authenticate to an existing active directory realm on our local network. The AD server is Windows-based and works fine for a couple of hundred users on their windows clients (mix of XP, Vista, Win7); it also works ok with an existing Samba install. I'm trying to set it up to authenticate those users to access a second server; unfortunately the authentication fails.

I copied the krb5.conf and smb.conf files from the working server, then followed the various ADS howtos (to join the machine to the AD and obtain krb tickets) and have got to the point where klist behaves as expected, as does wbinfo, which implies that the machine account is set up correctly, yes?

(I've replaced company name with XXXX in all these logs).

[root@pd-pistachio samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: geoff.winkless@LAN.XXXX.CO.UK

Valid starting     Expires            Service principal
02/18/11 10:48:32  02/18/11 20:48:34  krbtgt/LAN.XXXX.CO.UK@LAN.XXXX.CO.UK
        renew until 02/19/11 10:48:32
02/18/11 11:08:48  02/18/11 20:48:34  dc1$@LAN.XXXX.CO.UK
        renew until 02/19/11 10:48:32

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@pd-pistachio samba]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@pd-pistachio samba]# wbinfo -a geoff.winkless
Enter geoff.winkless's password:
plaintext password authentication succeeded
Enter geoff.winkless's password:
challenge/response password authentication succeeded

If I try to log onto a share on pd-pistachio from my XP machine (named XXXX-001119) I get:

[2011/02/18 13:05:24, 3] smbd/oplock.c:init_oplocks(863)
  init_oplocks: initializing messages.
[2011/02/18 13:05:24, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(234)
  Linux kernel oplocks enabled
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 0 of length 137
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBnegprot (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN1.0]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [Windows for Workgroups 3.1a]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LM1.2X002]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [LANMAN2.1]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(505)
  Requested protocol [NT LM 0.12]
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_nt1(364)
  using SPNEGO
[2011/02/18 13:05:24, 3] smbd/negprot.c:reply_negprot(606)
  Selected protocol NT LM 0.12
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 1 of length 240
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 40
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 2 of length 272
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 2] smbd/sesssetup.c:setup_new_vc_session(1212)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[] domain=[] workstation=[XXXX-001119] len1=1 len2=0
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user []\[]@[XXXX-001119] with the new password interface
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [XXXX]\[]@[XXXX-001119]
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/02/18 13:05:24, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10000 -> S-1-5-32-544
[2011/02/18 13:05:24, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10001 -> S-1-5-32-545
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-21-1416276913-313263019-1178628374-501]
[2011/02/18 13:05:24, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/18 13:05:24, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
[2011/02/18 13:05:24, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088205
[2011/02/18 13:05:24, 3] smbd/password.c:register_vuid(304)
  User name: nobody     Real name: Nobody
[2011/02/18 13:05:24, 3] smbd/password.c:register_vuid(325)
  UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 3 of length 94
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBtconX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/service.c:make_connection_snum(806)
  Connect path is '/tmp' for service [IPC$]
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(250)
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-1416276913-313263019-1178628374-501
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
[2011/02/18 13:05:24, 3] smbd/vfs.c:vfs_init_default(95)
  Initialising default vfs hooks
[2011/02/18 13:05:24, 3] smbd/vfs.c:vfs_init_custom(128)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(250)
[2011/02/18 13:05:24, 3] lib/util_seaccess.c:se_access_check(251)
  se_access_check: user sid is S-1-5-21-1416276913-313263019-1178628374-501
  se_access_check: also S-1-1-0
  se_access_check: also S-1-5-2
  se_access_check: also S-1-5-32-546
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (99, 99) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/service.c:make_connection_snum(1033)
  XXXX-001119 (192.168.3.52) connect to service IPC$ initially as user nobody (uid=99, gid=99) (pid 31421)
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/reply.c:reply_tcon_and_X(574)
  tconX service=IPC$
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 4 of length 132
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBtrans2 (pid 31421) conn 0x89a3950
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (99, 99) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/service.c:find_service(286)
  checking for home directory geoff.winkless gave (NULL)
[2011/02/18 13:05:24, 3] smbd/service.c:find_service(360)
  find_service() failed to find service geoff.winkless
[2011/02/18 13:05:24, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/trans2.c(6307) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 5 of length 240
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 40
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2088207
[2011/02/18 13:05:24, 3] smbd/process.c:process_smb(1069)
  Transaction 6 of length 364
[2011/02/18 13:05:24, 3] smbd/process.c:switch_message(927)
  switch message SMBsesssetupX (pid 31421) conn 0x0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
  wct=12 flg2=0xc807
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
  Doing spnego session setup
[2011/02/18 13:05:24, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[geoff.winkless] domain=[XXXX] workstation=[XXXX-001119] len1=24 len2=24
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(221)
  check_ntlm_password:  Checking password for unmapped user [XXXX]\[geoff.winkless]@[XXXX-001119] with the new password interface
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [XXXX]\[geoff.winkless]@[XXXX-001119]
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/uid.c:push_conn_ctx(358)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/02/18 13:05:24, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/18 13:05:24, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [geoff.winkless] -> [geoff.winkless] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/02/18 13:05:24, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

I get the same result if I try using smbclient from a linux box.

smb.conf looks like this:

workgroup = XXXX
realm = LAN.XXXX.CO.UK
netbios name = PD-PISTACHIO
netbios aliases = pd-pistachio pd-pistachio.lan.XXXX.co.uk pd-pistachio.XXXX.co.uk
server string = Samba %v on %L
security=ads
debug level=3
password server = 192.168.3.1
encrypt passwords = yes
allow trusted domains = no
map untrusted to domain = yes
local master = no
domain master=no
preferred master=no
dns proxy=no
wins proxy=no
wins support=no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind use default domain = yes
winbind cache time = 1
idmap uid = 10000-1000000
idmap gid = 10000-1000000
nt acl support = yes
map acl inherit = yes
;======================= end of smb.conf

For what it's worth I've been using samba with NT domains since 1999. Not that that in any way precludes me from doing something stupid (heh) but I do know the obvious stuff to look out for.

I tried updating the samba version with the ones from http://ftp.sernet.de/pub/samba/3.5/rhel/5/i386/ but it's made no difference - I get the same result.

Is it something to do with the hosts I'm authenticating _from_? eg

  check_ntlm_password:  mapped user is: [XXXX]\[geoff.winkless]@[XXXX-001119]

Do I need to do something to lose the [XXXX-001119], or is that log entry expected?

Any suggestions would be really appreciated.

Geoff
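
An added example, not part of either post in this thread: a small Python parser for the smbd level-3 log format quoted above that pairs each NTLMSSP session setup with the result logged after it. Run over an excerpt copied from that log, it shows the first session setup carrying an empty user name, the second failing with NT_STATUS_NO_SUCH_USER, and the third bracket of the "mapped user is:" entry matching the workstation name from the "Got user=" entry. The function names and the optional fractional-seconds match are assumptions of this example.

```python
import re

# Excerpt copied from the smbd "debug level=3" log in the post above.
SAMPLE_LOG = r"""[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[] domain=[] workstation=[XXXX-001119] len1=1 len2=0
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [XXXX]\[]@[XXXX-001119]
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/02/18 13:05:24, 3] smbd/password.c:register_vuid(325)
  UNIX uid 99 is UNIX user nobody, and will be vuid 101
[2011/02/18 13:05:24, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[geoff.winkless] domain=[XXXX] workstation=[XXXX-001119] len1=24 len2=24
[2011/02/18 13:05:24, 3] auth/auth.c:check_ntlm_password(224)
  check_ntlm_password:  mapped user is: [XXXX]\[geoff.winkless]@[XXXX-001119]
[2011/02/18 13:05:24, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [geoff.winkless] -> [geoff.winkless] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/02/18 13:05:24, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# Header: "[date time, level] source.c:function(line)"; the message follows on
# indented lines. The optional ".fraction" is an assumption for other builds.
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)(?:\.\d+)?, *(\d+)\] (\S+?):(\w+)\((\d+)\)\s*$")
# Message patterns, all taken from entries that appear in the log above.
GOT = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
MAPPED = re.compile(r"mapped user is: \[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")
SUCCEEDED = re.compile(r"(\w+) authentication for user \[(.*?)\] succeeded")
FAILED = re.compile(
    r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\w+)")


def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func, _lineno = m.groups()
            entries.append({"ts": ts, "level": int(level), "src": src,
                            "func": func, "msg": ""})
        elif entries and line.strip():
            sep = " " if entries[-1]["msg"] else ""
            entries[-1]["msg"] += sep + line.strip()
    return entries


def auth_attempts(entries):
    """Pair each NTLMSSP 'Got user=' entry with the result logged after it."""
    attempts = []
    for e in entries:
        got = GOT.search(e["msg"])
        if got:
            attempts.append({"ts": e["ts"], "user": got.group(1),
                             "domain": got.group(2), "workstation": got.group(3),
                             "mapped": None, "outcome": None,
                             "method": None, "status": None})
            continue
        if not attempts:
            continue
        cur = attempts[-1]
        mapped, failed, ok = (rx.search(e["msg"])
                              for rx in (MAPPED, FAILED, SUCCEEDED))
        if mapped:
            cur["mapped"] = dict(
                zip(("domain", "user", "workstation"), mapped.groups()))
        elif failed:
            cur["outcome"], cur["status"] = "failed", failed.group(3)
        elif ok:
            cur["outcome"], cur["method"] = "succeeded", ok.group(1)
    return attempts


def summarize(attempts):
    """One line per attempt: who asked, from which workstation, what happened."""
    lines = []
    for a in attempts:
        who = f"{a['domain']}\\{a['user']}" if a["user"] else "<anonymous>"
        result = {"failed": a["status"],
                  "succeeded": f"{a['method']} auth succeeded",
                  }.get(a["outcome"], "no result logged")
        lines.append(f"{a['ts']} {who} from {a['workstation']}: {result}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(auth_attempts(parse_entries(SAMPLE_LOG)))))
```
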
Andrew Masterson
2011-Feb-18 16:32 UTC
[Samba] samba ADS-based authentication fails with NT_STATUS_USER_UNKNOWN but wbinfo works
First thing I would do is a testparm -v on both the old and new boxes, and do a diff -a on those files to see what has changed. Samba changes default options between versions so what may have worked on an older version is not guaranteed to work on the new ones.

Also, what does your krb5.conf file look like?

-=Andrew