Geoff Winkless
2011-Mar-03 08:27 UTC
[Samba] samba 3.5.7 tries to authenticate on ADS by machine name, not username
Hi

There's a lot of this all over the web but there doesn't seem to be much in the way of in-depth investigation.

I have a RHEL5.3 server on which I've installed samba 3.5.7 from http://ftp.sernet.de/pub/samba/3.5/rhel/5/i386/

It's set up with identical kdc.conf and smb.conf files to a server I set up on the same network last week which is working flawlessly.

I can log on to the shares as long as I use \\192.168.x.x\share but if I use \\netbiosname\share I get "extended error" from XP.

Now the various suggestions from the web are that when you log in using the IP it authenticates using ntlmssp but using the name it authenticates using kerberos. So just to make sure, I'll check kerberos auth:

/etc/samba wbinfo -K geoff.winkless
Enter geoff.winkless's password:
plaintext kerberos password authentication for [geoff.winkless] succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0

Kerberos seems fine...

log.smbd suggests that the system is trying to authenticate with the client machine name as the username (wtf?).

Here's the section from the log when I try to log in (domain name is replaced with XXXX, server is guava, client is XXXX-001119):

[2011/03/03 08:20:09.107028, 3] smbd/oplock.c:895(init_oplocks)
  init_oplocks: initializing messages.
[2011/03/03 08:20:09.108415, 3] smbd/oplock_linux.c:224(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2011/03/03 08:20:09.109092, 3] smbd/process.c:1485(process_smb)
  Transaction 0 of length 72 (0 toread)
[2011/03/03 08:20:09.109241, 2] smbd/reply.c:554(reply_special)
  netbios connect: name1=GUAVA 0x20 name2=XXXX-001119 0x0
[2011/03/03 08:20:09.109419, 2] smbd/reply.c:565(reply_special)
  netbios connect: local=guava remote=XXXX-001119, name type = 0
[2011/03/03 08:20:09.111109, 3] smbd/process.c:1485(process_smb)
  Transaction 0 of length 137 (0 toread)
[2011/03/03 08:20:09.111223, 3] smbd/process.c:1294(switch_message)
  switch message SMBnegprot (pid 2815) conn 0x0
[2011/03/03 08:20:09.111309, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/03 08:20:09.111326, 3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2011/03/03 08:20:09.111342, 3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LANMAN1.0]
[2011/03/03 08:20:09.111355, 3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2011/03/03 08:20:09.111366, 3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LM1.2X002]
[2011/03/03 08:20:09.111376, 3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [LANMAN2.1]
[2011/03/03 08:20:09.111587, 3] smbd/negprot.c:586(reply_negprot)
  Requested protocol [NT LM 0.12]
[2011/03/03 08:20:09.113207, 3] smbd/negprot.c:404(reply_nt1)
  using SPNEGO
[2011/03/03 08:20:09.113298, 3] smbd/negprot.c:691(reply_negprot)
  Selected protocol NT LM 0.12
[2011/03/03 08:20:09.114628, 3] smbd/process.c:1485(process_smb)
  Transaction 1 of length 1428 (0 toread)
[2011/03/03 08:20:09.115007, 3] smbd/process.c:1294(switch_message)
  switch message SMBsesssetupX (pid 2815) conn 0x0
[2011/03/03 08:20:09.115062, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/03 08:20:09.115169, 3] smbd/sesssetup.c:1436(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2011/03/03 08:20:09.115249, 2] smbd/sesssetup.c:1391(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/03/03 08:20:09.115314, 3] smbd/sesssetup.c:1190(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2011/03/03 08:20:09.115380, 3] smbd/sesssetup.c:1232(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2011/03/03 08:20:09.115489, 3] smbd/sesssetup.c:806(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1197
[2011/03/03 08:20:09.127334, 3] libads/authdata.c:304(decode_pac_data)
  Found account name from PAC: XXXX-001119$ [XXXX-001119$]
[2011/03/03 08:20:09.127570, 3] smbd/sesssetup.c:338(reply_spnego_kerberos)
  Ticket name is [XXXX-001119$@LAN.XXXX.CO.UK]
[2011/03/03 08:20:09.146847, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/03/03 08:20:09.146977, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/03/03 08:20:09.147045, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/03/03 08:20:09.148006, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/03 08:20:09.148144, 3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-644159478-2111868696-1206633297-1475]
[2011/03/03 08:20:09.148527, 3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-21-644159478-2111868696-1206633297-515]
[2011/03/03 08:20:09.148531, 3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/03/03 08:20:09.148818, 3] lib/privileges.c:63(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2011/03/03 08:20:09.149000, 3] smbd/password.c:282(register_existing_vuid)
  register_existing_vuid: User name: XXXX+XXXX-001119$ Real name: XXXX-001119$

Why is samba trying to authenticate by machine name?

Thanks!

Geoff
Geoff Winkless
2011-Mar-03 09:55 UTC
[Samba] samba 3.5.7 tries to authenticate on ADS by machine name, not username
On 3 March 2011 08:27, Geoff Winkless <samba at geoff.dj> wrote:
> log.smbd suggests that the system is trying to authenticate with the
> client machine name as the username (wtf?).

Interestingly, if I force authentication with the correct username using (on the XP box)

net use \\guava\$ /user:XXXX\geoff.winkless

everything works fine, which suggests that XP is defaulting to sending the "wrong" information. Upping the debug level does confirm that XP doesn't send the username in the authentication packets.

Is there some machine-trust mechanism that XP is trying to make use of that samba doesn't understand? Should samba be returning "I don't understand that, what's your username??" to the XP client, rather than trying to read the machine name as a username?
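As an added diagnostic (constructed for this page; not code from the thread or from Samba), the following Python parses smbd level-2/3 records like the ones quoted in the first post and reports whether the SPNEGO/Kerberos session setup arrived with the client's computer account rather than a user principal, which is exactly what the "Found account name from PAC" and "Ticket name" lines show above. The sample log is constructed from the thread's excerpt with the domain still redacted as XXXX; the regular expressions are assumptions based on those quoted lines.

```python
import re
from dataclasses import dataclass

# smbd record header "[YYYY/MM/DD hh:mm:ss.uuuuuu, level] file:line(func)"; the
# message may follow on the same line or on the next one, both are handled.
HEADER_RE = re.compile(r"\[(\d{4}/\d{2}/\d{2} [\d:.]+), (\d+)\] \S+:\d+\((\w+)\)")
CLIENT_RE = re.compile(r"netbios connect: local=(\S+) remote=([^,]+),")
PAC_RE = re.compile(r"Found account name from PAC: (\S+) \[")
TICKET_RE = re.compile(r"Ticket name is \[([^\]]+)\]")
VUID_RE = re.compile(r"User name: (\S+) Real name: (\S+)")

@dataclass
class SessionSetup:
    client: str = ""           # NetBIOS name of the connecting machine
    pac_account: str = ""      # account name decoded from the ticket's PAC
    ticket_name: str = ""      # principal named in the Kerberos ticket
    registered_user: str = ""  # what smbd registers for the new vuid

    def machine_account_login(self):
        """True when the ticket belongs to the client's own computer account
        (sAMAccountName ending in '$') rather than to a user principal."""
        return (self.pac_account.endswith("$")
                and self.pac_account.rstrip("$").upper() == self.client.upper())

def iter_records(log_text):
    """Yield (level, func, message) per record, even from run-together logs."""
    heads = list(HEADER_RE.finditer(log_text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        yield int(h.group(2)), h.group(3), log_text[h.end():end].strip()

def parse_session_setup(log_text):
    s = SessionSetup()
    for _level, func, msg in iter_records(log_text):
        if func == "reply_special" and (m := CLIENT_RE.search(msg)):
            s.client = m.group(2)
        elif func == "decode_pac_data" and (m := PAC_RE.search(msg)):
            s.pac_account = m.group(1)
        elif func == "reply_spnego_kerberos" and (m := TICKET_RE.search(msg)):
            s.ticket_name = m.group(1)
        elif func == "register_existing_vuid" and (m := VUID_RE.search(msg)):
            s.registered_user = m.group(1)
    return s

# Constructed sample modelled on the thread's excerpt (domain redacted as XXXX).
SAMPLE_LOG = """\
[2011/03/03 08:20:09.109419, 2] smbd/reply.c:565(reply_special) netbios connect: local=guava remote=XXXX-001119, name type = 0
[2011/03/03 08:20:09.127334, 3] libads/authdata.c:304(decode_pac_data) Found account name from PAC: XXXX-001119$ [XXXX-001119$]
[2011/03/03 08:20:09.127570, 3] smbd/sesssetup.c:338(reply_spnego_kerberos) Ticket name is [XXXX-001119$@LAN.XXXX.CO.UK]
[2011/03/03 08:20:09.149000, 3] smbd/password.c:282(register_existing_vuid) register_existing_vuid: User name: XXXX+XXXX-001119$ Real name: XXXX-001119$
"""
```

Running parse_session_setup(SAMPLE_LOG).machine_account_login() on the sample returns True, the same situation the thread describes; a session setup carrying a user ticket such as geoff.winkless would return False.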