samba - Mar 2011 - samba 3.5.7 tries to authenticate on ADS by machine name, not username

Hi

There's a lot of this all over the web but there doesn't seem to be
much in the way of in-depth investigation.

I have a RHEL5.3 server on which I've installed samba 3.5.7 from
http://ftp.sernet.de/pub/samba/3.5/rhel/5/i386/

It's set up with identical kdc.conf and smb.conf files to a server I
set up on the same network last week which is working flawlessly.

I can log on to the shares as long as I use \\192.168.x.x\share but if
I use \\netbiosname\share I get "extended error" from XP.

Now the various suggestions from the web are that when you log in
using the IP it authenticates using ntlmssp but using the name it
authenticates using kerberos. So just to make sure, I'll check
kerberos auth:

/etc/samba wbinfo -K geoff.winkless
Enter geoff.winkless's password:
plaintext kerberos password authentication for [geoff.winkless]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

Kerberos seems fine...

log.smbd suggests that the system is trying to authenticate with the
client machine name as the username (wtf?).

Here's the section from the log when I try to log in (domain name is
replaced with XXXX, server is guava, client is XXXX-001119):

[2011/03/03 08:20:09.107028,  3] smbd/oplock.c:895(init_oplocks)
  init_oplocks: initializing messages.
[2011/03/03 08:20:09.108415,  3]
smbd/oplock_linux.c:224(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2011/03/03 08:20:09.109092,  3] smbd/process.c:1485(process_smb)
  Transaction 0 of length 72 (0 toread)
[2011/03/03 08:20:09.109241,  2] smbd/reply.c:554(reply_special)
  netbios connect: name1=GUAVA          0x20 name2=XXXX-001119  0x0
[2011/03/03 08:20:09.109419,  2] smbd/reply.c:565(reply_special)
  netbios connect: local=guava remote=XXXX-001119, name type = 0
[2011/03/03 08:20:09.111109,  3] smbd/process.c:1485(process_smb)
  Transaction 0 of length 137 (0 toread)
[2011/03/03 08:20:09.111223,  3] smbd/process.c:1294(switch_message)
  switch message SMBnegprot (pid 2815) conn 0x0
[2011/03/03 08:20:09.111309,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/03 08:20:09.111326,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/03/03 08:20:09.111342,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LANMAN1.0]
[2011/03/03 08:20:09.111355,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2011/03/03 08:20:09.111366,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LM1.2X002]
[2011/03/03 08:20:09.111376,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LANMAN2.1]
[2011/03/03 08:20:09.111587,  3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [NT LM 0.12]
[2011/03/03 08:20:09.113207,  3] smbd/negprot.c:404(reply_nt1)
  using SPNEGO
[2011/03/03 08:20:09.113298,  3] smbd/negprot.c:691(reply_negprot)
  Selected protocol NT LM 0.12
[2011/03/03 08:20:09.114628,  3] smbd/process.c:1485(process_smb)
  Transaction 1 of length 1428 (0 toread)
[2011/03/03 08:20:09.115007,  3] smbd/process.c:1294(switch_message)
  switch message SMBsesssetupX (pid 2815) conn 0x0
[2011/03/03 08:20:09.115062,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/03 08:20:09.115169,  3] smbd/sesssetup.c:1436(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2011/03/03 08:20:09.115249,  2] smbd/sesssetup.c:1391(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.
[2011/03/03 08:20:09.115314,  3]
smbd/sesssetup.c:1190(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2011/03/03 08:20:09.115380,  3]
smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2011/03/03 08:20:09.115489,  3] smbd/sesssetup.c:806(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1197
[2011/03/03 08:20:09.127334,  3] libads/authdata.c:304(decode_pac_data)
  Found account name from PAC: XXXX-001119$ [XXXX-001119$]
[2011/03/03 08:20:09.127570,  3] smbd/sesssetup.c:338(reply_spnego_kerberos)
  Ticket name is [XXXX-001119$@LAN.XXXX.CO.UK]
[2011/03/03 08:20:09.146847,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/03/03 08:20:09.146977,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/03/03 08:20:09.147045,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/03/03 08:20:09.148006,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/03 08:20:09.148144,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-644159478-2111868696-1206633297-1475]
[2011/03/03 08:20:09.148527,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-644159478-2111868696-1206633297-515]
[2011/03/03 08:20:09.148531,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/03/03 08:20:09.148818,  3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2011/03/03 08:20:09.149000,  3] smbd/password.c:282(register_existing_vuid)
  register_existing_vuid: User name: XXXX+XXXX-001119$      Real name:
XXXX-001119$

Why is samba trying to authenticate by machine name?

Thanks!

Geoff

On 3 March 2011 08:27, Geoff Winkless <samba at geoff.dj>
wrote:
> log.smbd suggests that the system is trying to authenticate with the
> client machine name as the username (wtf?).
Interestingly, if I force authentication with the correct username
using (on the XP box)

net use \\guava\$ /user:XXXX\geoff.winkless

everything works fine, which suggests that XP is defaulting to sending
the "wrong" information.

Upping the debug level does confirm that XP doesn't send the username
in the authentication packets. Is there some machine-trust mechanism
that XP is trying to make use of that samba doesn't understand? Should
samba be returning "I don't understand that, what's your
username??"
to the XP client, rather than trying to read the machine name as a
username?