Ivo Karabojkov
2015-Aug-02 20:54 UTC
[Samba] Samba 4.2 AD member accessible by name but not by IP
Hello,

I have a strange problem with Samba AD member:
It is accessible via \\server or \\server.domain.local
But when I try to access it with its IP address, ex. \\10.15.10.1 I get
access denied error and prompt for user and pass. Entering username and
password with or without DOMAIN\ has no effect.
The server is FreeBSD 10.1. It behaves the same way with Samba 4.1.18
and now with Samba 4.2.2 both installed via FreeBSD ports.

Here is the log of successful session - \\server (log level = 3):

[2015/08/02 22:58:46.763454, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:58:46.763603, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 108 (0 toread)
[2015/08/02 22:58:46.763765, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/08/02 22:58:46.829927, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2015/08/02 22:58:46.830010, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2015/08/02 22:58:46.830038, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2015/08/02 22:58:46.834257, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/08/02 22:58:46.834298, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'spnego' registered
[2015/08/02 22:58:46.834333, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'schannel' registered
[2015/08/02 22:58:46.834355, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2015/08/02 22:58:46.834383, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2015/08/02 22:58:46.834406, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2015/08/02 22:58:46.834432, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_basic' registered
[2015/08/02 22:58:46.834454, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2015/08/02 22:58:47.252403, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: myuser [Firstname Lastname]
[2015/08/02 22:58:47.252483, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser at DOMAIN.LOCAL]
[2015/08/02 22:58:47.296995, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
  lp_load_ex: refreshing parameters
[2015/08/02 22:58:47.297109, 3] ../source3/param/loadparm.c:564(init_globals)
  Initialising global parameters
[2015/08/02 22:58:47.297252, 3] ../source3/param/loadparm.c:2597(lp_do_section)
  Processing section "[global]"
[2015/08/02 22:58:47.298033, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[pub]"
[2015/08/02 22:58:47.298408, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[departments]"
[2015/08/02 22:58:47.298766, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[users]"
[2015/08/02 22:58:47.299116, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[konto]"
[2015/08/02 22:58:47.299464, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[trz]"
[2015/08/02 22:58:47.299826, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[shared]"
[2015/08/02 22:58:47.299957, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-acct]"
[2015/08/02 22:58:47.300305, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-production]"
[2015/08/02 22:58:47.300660, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-trade]"
[2015/08/02 22:58:47.301021, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-reception]"
[2015/08/02 22:58:47.301402, 3] ../source3/param/loadparm.c:1495(lp_add_ipc)
  adding IPC service
[2015/08/02 22:58:47.302583, 3] ../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'DOMAIN\myuser' using home directory: '/home/DOMAIN/myuser'
[2015/08/02 22:58:47.303692, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.15.1.10 (10.15.1.10)
[2015/08/02 22:58:47.303821, 3] ../source3/smbd/service.c:614(make_connection_snum)
  Connect path is '/var/smb/shared' for service [shared]
[2015/08/02 22:58:47.303911, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2015/08/02 22:58:47.303941, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2015/08/02 22:58:47.303969, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfsacl]
[2015/08/02 22:58:47.304777, 2] ../lib/util/modules.c:191(do_smb_load_module)
  Module 'zfsacl' loaded
[2015/08/02 22:58:47.305038, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @Administrators is not in a valid format
[2015/08/02 22:58:47.309850, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @DOMAIN\Domain admins is not in a valid format
[2015/08/02 22:58:47.310846, 2] ../source3/smbd/uid.c:270(check_user_ok)
  check_user_ok: user DOMAIN\myuser is an admin user. Setting uid as 0
[2015/08/02 22:58:47.311107, 2] ../source3/smbd/service.c:862(make_connection_snum)
  10.15.1.10 (ipv4:10.15.1.10:63168) connect to service shared initially as user DOMAIN\myuser (uid=0, gid=10006) (pid 19606)
[2015/08/02 22:58:47.312082, 3] ../source3/smbd/vfs.c:1143(check_reduced_name)
  check_reduced_name [desktop.ini] [/var/smb/shared]
[2015/08/02 22:58:47.312135, 3] ../source3/smbd/vfs.c:1273(check_reduced_name)
  check_reduced_name: desktop.ini reduced to /var/smb/shared/desktop.ini
[2015/08/02 22:58:47.312360, 3] ../source3/smbd/dosmode.c:196(unix_mode)
  unix_mode(desktop.ini) returning 0644

Here is an unsuccessful session (by \\IP):

[2015/08/02 22:59:03.126703, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.126841, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 159 (0 toread)
[2015/08/02 22:59:03.126882, 3] ../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 19611) conn 0x0
[2015/08/02 22:59:03.127014, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/08/02 22:59:03.127045, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN1.0]
[2015/08/02 22:59:03.127068, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2015/08/02 22:59:03.127090, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LM1.2X002]
[2015/08/02 22:59:03.127121, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN2.1]
[2015/08/02 22:59:03.127143, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [NT LM 0.12]
[2015/08/02 22:59:03.127165, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.002]
[2015/08/02 22:59:03.127186, 3] ../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.???]
[2015/08/02 22:59:03.127371, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2015/08/02 22:59:03.129924, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2015/08/02 22:59:03.129983, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2015/08/02 22:59:03.130007, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2015/08/02 22:59:03.134188, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/08/02 22:59:03.134265, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'spnego' registered
[2015/08/02 22:59:03.134289, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'schannel' registered
[2015/08/02 22:59:03.134312, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2015/08/02 22:59:03.134340, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2015/08/02 22:59:03.134381, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2015/08/02 22:59:03.134404, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_basic' registered
[2015/08/02 22:59:03.134426, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2015/08/02 22:59:03.337949, 3] ../source3/smbd/negprot.c:683(reply_negprot)
  Selected protocol SMB 2.???
[2015/08/02 22:59:03.338430, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/08/02 22:59:03.669244, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2015/08/02 22:59:03.676620, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
[2015/08/02 22:59:03.676711, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
  lp_load_ex: refreshing parameters
[2015/08/02 22:59:03.676862, 3] ../source3/param/loadparm.c:564(init_globals)
  Initialising global parameters
[2015/08/02 22:59:03.677014, 3] ../source3/param/loadparm.c:2597(lp_do_section)
  Processing section "[global]"
[2015/08/02 22:59:03.677817, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[pub]"
[2015/08/02 22:59:03.678176, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[departments]"
[2015/08/02 22:59:03.678552, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[users]"
[2015/08/02 22:59:03.678899, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[konto]"
[2015/08/02 22:59:03.679247, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[trz]"
[2015/08/02 22:59:03.679616, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[shared]"
[2015/08/02 22:59:03.679741, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-acct]"
[2015/08/02 22:59:03.680097, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-production]"
[2015/08/02 22:59:03.680446, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-trade]"
[2015/08/02 22:59:03.680902, 2] ../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-reception]"
[2015/08/02 22:59:03.681356, 3] ../source3/param/loadparm.c:1495(lp_add_ipc)
  adding IPC service
[2015/08/02 22:59:03.682265, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[myuser]@[WSNAME] with the new password interface
[2015/08/02 22:59:03.682295, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[myuser]@[WSNAME]
[2015/08/02 22:59:03.729944, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_ACCESS_DENIED
[2015/08/02 22:59:03.730020, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/08/02 22:59:03.730658, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2015/08/02 22:59:03.735828, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.735962, 3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 108 (0 toread)
[2015/08/02 22:59:03.736140, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10

Here is my smb4.conf:

# Global parameters
[global]
netbios name = SERVER
workgroup = DOMAIN
realm = DOMAIN.LOCAL
server string = Server
security = ADS
encrypt passwords = Yes

log level = 3
log file = /var/log/samba4/log.%m
max log size = 500

hosts allow = 10.15. 127.0.0.1
interfaces = localhost, re0
bind interfaces only = Yes

winbind trusted domains only = no
winbind use default domain = no
winbind enum users = yes
winbind enum groups = yes
# winbind refresh tickets = Yes
winbind nested groups = Yes
winbind expand groups = 10
#
# Samba 4.2 wbinfo works but getent no
#
require strong key = false
winbind sealed pipes = false
#client ldap sasl wrapping = plain

idmap config *:backend = tdb
idmap config *:range = 10000-2000000

nsupdate command = /usr/local/bin/samba-nsupdate -g

admin users = @Administrators, "@DOMAIN\Domain admins"

vfs objects = zfsacl
map acl inherit = yes
## Store DOS attributes in extended attributes (no mapping)
map hidden = no
map system = no
map archive = no
map readonly = no
store dos attributes = no

## Extended attributes
ea support = no

veto files = /*.eml/*.nws/*.{*}/
veto oplock files /*.doc/*.xls/*.docx/*.xlsx/*.mdb/*.dbf/*.pst/*.ntx/*.idx/*.cdx/*.db/*.y??/*.xg?/*.mb/*.val/*.px/*.lck/

Thanks in advance for any help.
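Added example, not part of the original post or of Samba: a small Python parser for level-3 smbd log entries in the format quoted above, reporting per connection whether Kerberos or NTLMSSP identified the user and how the session ended. The sample log is constructed (user alice, domain EXAMPLE), and treating each init_oplocks entry as the start of a new connection is an assumption taken from the two sessions in the post.

```python
import re

# Header of one smbd debug entry, e.g.
# "[2015/08/02 22:58:46.763454, 3] ../source3/smbd/oplock.c:1306(init_oplocks)"
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]\s+\S+:\d+\((\w+)\)$")
# List archives rewrite "@" as " at ", so accept both spellings.
KRB_USER = re.compile(r"Kerberos ticket principal name is \[([^\]@ ]+)(?:@| at )")
NTLM_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")
FAILED = re.compile(r"FAILED with error (NT_STATUS_\w+)")
CONNECTED = re.compile(r"connect to service (\S+) initially as user (\S+)")

# Constructed sample in the same entry format (not the poster's log).
SAMPLE_LOG = r"""
[2015/08/02 10:00:00.000001, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 10:00:00.000200, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/08/02 10:00:00.400000, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [alice@EXAMPLE.TEST]
[2015/08/02 10:00:00.500000, 2] ../source3/smbd/service.c:862(make_connection_snum)
  192.0.2.10 (ipv4:192.0.2.10:63168) connect to service shared initially
  as user EXAMPLE\alice (uid=0, gid=10006) (pid 4001)
[2015/08/02 10:00:20.000001, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 10:00:20.300000, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[alice] domain=[EXAMPLE] workstation=[WS1] len1=24 len2=230
[2015/08/02 10:00:20.400000, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_ACCESS_DENIED
[2015/08/02 10:00:20.400500, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2015/08/02 10:00:20.500001, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 10:00:20.500300, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
"""


def parse_entries(text):
    """Return (timestamp, function, message) per entry; the message is the
    indented line or lines that follow each header."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append([m.group(1), m.group(2), []])
        elif line and entries:
            entries[-1][2].append(line)
    return [(ts, func, " ".join(msg)) for ts, func, msg in entries]


def split_sessions(entries):
    """Group entries per connection (assumption: init_oplocks starts one)."""
    sessions = []
    for entry in entries:
        if entry[1] == "init_oplocks" or not sessions:
            sessions.append([])
        sessions[-1].append(entry)
    return sessions


def summarize(session):
    """Reduce one connection to mechanism, user and outcome."""
    info = {"start": session[0][0], "mechanism": None, "user": None,
            "result": "incomplete", "status": None}
    for _ts, func, msg in session:
        if m := KRB_USER.search(msg):
            info["mechanism"], info["user"] = "kerberos", m.group(1)
        elif func == "ntlmssp_server_preauth" and (m := NTLM_USER.search(msg)):
            info["mechanism"], info["user"] = "ntlmssp", m.group(1)
        elif m := FAILED.search(msg):
            info["result"], info["status"] = "denied", m.group(1)
        elif CONNECTED.search(msg) and info["result"] != "denied":
            info["result"] = "connected"
    return info


def summarize_log(text):
    """Summaries for every connection found in a log file's text."""
    return [summarize(s) for s in split_sessions(parse_entries(text))]


def kerberos_ok_ntlm_denied(summaries):
    """Users who connected with Kerberos but were denied over NTLMSSP,
    the pattern visible in the two sessions of the post."""
    ok = {s["user"].lower() for s in summaries
          if s["mechanism"] == "kerberos" and s["result"] == "connected"}
    bad = {s["user"].lower() for s in summaries
           if s["mechanism"] == "ntlmssp" and s["result"] == "denied"}
    return sorted(ok & bad)


if __name__ == "__main__":
    results = summarize_log(SAMPLE_LOG)
    for s in results:
        print(s["start"], s["mechanism"], s["user"], s["result"], s["status"])
    print("kerberos ok, ntlmssp denied:", kerberos_ok_ntlm_denied(results))
```
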
Min Wai Chan
2015-Aug-04 07:23 UTC
[Samba] Samba 4.2 AD member accessible by name but not by IP
Hi Ivo,

I think I've a very similar issue on 4.1.16
and it seems that

hosts allow = 10.15. 127.0.0.1
interfaces = localhost, re0

is to blame.

Please try to comment them and see if that works.
Ivajlo Karabojkov
2015-Aug-04 08:39 UTC
[Samba] Samba 4.2 AD member accessible by name but not by IP
I've tried that before posting to the list. Starting Samba without any
interface or IP limits has no effect. I've tested only access to \\IP
but not records in the log.
> [2015/08/02 22:59:03.127371, 3] > ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot) > Selected protocol SMB2_FF > [2015/08/02 22:59:03.129924, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'gssapi_spnego' registered > [2015/08/02 22:59:03.129983, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'gssapi_krb5' registered > [2015/08/02 22:59:03.130007, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'gssapi_krb5_sasl' registered > [2015/08/02 22:59:03.134188, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'sasl-DIGEST-MD5' registered > [2015/08/02 22:59:03.134265, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'spnego' registered > [2015/08/02 22:59:03.134289, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'schannel' registered > [2015/08/02 22:59:03.134312, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'naclrpc_as_system' registered > [2015/08/02 22:59:03.134340, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'sasl-EXTERNAL' registered > [2015/08/02 22:59:03.134381, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'ntlmssp' registered > [2015/08/02 22:59:03.134404, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'http_basic' registered > [2015/08/02 22:59:03.134426, 3] > ../auth/gensec/gensec_start.c:885(gensec_register) > GENSEC backend 'http_ntlm' registered > [2015/08/02 22:59:03.337949, 3] > ../source3/smbd/negprot.c:683(reply_negprot) > Selected protocol SMB 2.??? 
> [2015/08/02 22:59:03.338430, 3] > ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot) > Selected protocol SMB2_10 > [2015/08/02 22:59:03.669244, 3] > ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags) > Got NTLMSSP neg_flags=0xe2088297 > [2015/08/02 22:59:03.676620, 3] > ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth) > Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 > len2=230 > [2015/08/02 22:59:03.676711, 3] > ../source3/param/loadparm.c:3647(lp_load_ex) > lp_load_ex: refreshing parameters > [2015/08/02 22:59:03.676862, 3] > ../source3/param/loadparm.c:564(init_globals) > Initialising global parameters > [2015/08/02 22:59:03.677014, 3] > ../source3/param/loadparm.c:2597(lp_do_section) > Processing section "[global]" > [2015/08/02 22:59:03.677817, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[pub]" > [2015/08/02 22:59:03.678176, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[departments]" > [2015/08/02 22:59:03.678552, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[users]" > [2015/08/02 22:59:03.678899, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[konto]" > [2015/08/02 22:59:03.679247, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[trz]" > [2015/08/02 22:59:03.679616, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[shared]" > [2015/08/02 22:59:03.679741, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[scan-acct]" > [2015/08/02 22:59:03.680097, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[scan-production]" > [2015/08/02 22:59:03.680446, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[scan-trade]" > [2015/08/02 22:59:03.680902, 2] > ../source3/param/loadparm.c:2614(lp_do_section) > Processing section "[scan-reception]" > [2015/08/02 22:59:03.681356, 3] > 
../source3/param/loadparm.c:1495(lp_add_ipc) > adding IPC service > [2015/08/02 22:59:03.682265, 3] > ../source3/auth/auth.c:178(auth_check_ntlm_password) > check_ntlm_password: Checking password for unmapped user > [DOMAIN]\[myuser]@[WSNAME] with the new password interface > [2015/08/02 22:59:03.682295, 3] > ../source3/auth/auth.c:181(auth_check_ntlm_password) > check_ntlm_password: mapped user is: [DOMAIN]\[myuser]@[WSNAME] > [2015/08/02 22:59:03.729944, 2] > ../source3/auth/auth.c:315(auth_check_ntlm_password) > check_ntlm_password: Authentication for user [myuser] -> [myuser] > FAILED with error NT_STATUS_ACCESS_DENIED > [2015/08/02 22:59:03.730020, 2] > ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg) > SPNEGO login failed: NT_STATUS_ACCESS_DENIED > [2015/08/02 22:59:03.730658, 3] > ../source3/smbd/server_exit.c:246(exit_server_common) > Server exit (NT_STATUS_CONNECTION_RESET) > [2015/08/02 22:59:03.735828, 3] > ../source3/smbd/oplock.c:1306(init_oplocks) > init_oplocks: initializing messages. > [2015/08/02 22:59:03.735962, 3] > ../source3/smbd/process.c:1879(process_smb) > Transaction 0 of length 108 (0 toread) > [2015/08/02 22:59:03.736140, 3] > ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot) > Selected protocol SMB2_10 > > > Hers is my smb4.conf: > # Global parameters > [global] > netbios name = SERVER > workgroup = DOMAIN > realm = DOMAIN.LOCAL > server string = Server > security = ADS > encrypt passwords = Yes > > log level = 3 > log file = /var/log/samba4/log.%m > max log size = 500 > > hosts allow = 10.15. 
127.0.0.1 > interfaces = localhost, re0 > bind interfaces only = Yes > > winbind trusted domains only = no > winbind use default domain = no > winbind enum users = yes > winbind enum groups = yes > # winbind refresh tickets = Yes > winbind nested groups = Yes > winbind expand groups = 10 > # > # Samba 4.2 wbinfo works but getent no > # > require strong key = false > winbind sealed pipes = false > #client ldap sasl wrapping = plain > > > idmap config *:backend = tdb > idmap config *:range = 10000-2000000 > > nsupdate command = /usr/local/bin/samba-nsupdate -g > > admin users = @Administrators, "@DOMAIN\Domain admins" > > vfs objects = zfsacl > map acl inherit = yes > ## Store DOS attributes in extended attributes (no mapping) > map hidden = no > map system = no > map archive = no > map readonly = no > store dos attributes = no > > ## Extended attributes > ea support = no > > veto files = /*.eml/*.nws/*.{*}/ > veto oplock files > /*.doc/*.xls/*.docx/*.xlsx/*.mdb/*.dbf/*.pst/*.ntx/*.idx/*.cdx/*.db/*.y??/*.xg?/*.mb/*.val/*.px/*.lck/ > > Thanks in advance for any help. > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Rowland Penny
2015-Aug-04 09:37 UTC
[Samba] Samba 4.2 AD member accesible by name but not by IP
On 02/08/15 21:54, Ivo Karabojkov wrote:
> Hello,
>
> I have a strange problem with Samba AD member:
> It is accessible via \\server or \\server.domain.local
> But when I try to access it with its IP address, ex. \\10.15.10.1 I get
> access denied error and prompt for user and pass. Entering username and
> password with or without DOMAIN\ has no effect.
> The server is FreeBSD 10.1. It behaves the same way with Samba 4.1.18
> and now with Samba 4.2.2 both installed via FreeBSD ports.
>
> Here is the log of successful session - \\server (log level = 3):
> [2015/08/02 22:58:46.763454, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/08/02 22:58:46.763603, 3] ../source3/smbd/process.c:1879(process_smb)
>   Transaction 0 of length 108 (0 toread)
> [2015/08/02 22:58:46.763765, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2015/08/02 22:58:46.829927, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2015/08/02 22:58:46.830010, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2015/08/02 22:58:46.830038, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/08/02 22:58:46.834257, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'sasl-DIGEST-MD5' registered
> [2015/08/02 22:58:46.834298, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'spnego' registered
> [2015/08/02 22:58:46.834333, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'schannel' registered
> [2015/08/02 22:58:46.834355, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2015/08/02 22:58:46.834383, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2015/08/02 22:58:46.834406, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2015/08/02 22:58:46.834432, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2015/08/02 22:58:46.834454, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2015/08/02 22:58:47.252403, 3] ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
>   Found account name from PAC: myuser [Firstname Lastname]
> [2015/08/02 22:58:47.252483, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
>   Kerberos ticket principal name is [myuser@DOMAIN.LOCAL]
> [2015/08/02 22:58:47.296995, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
>   lp_load_ex: refreshing parameters
> [2015/08/02 22:58:47.297109, 3] ../source3/param/loadparm.c:564(init_globals)
>   Initialising global parameters
> [2015/08/02 22:58:47.297252, 3] ../source3/param/loadparm.c:2597(lp_do_section)
>   Processing section "[global]"
> [2015/08/02 22:58:47.298033, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[pub]"
> [2015/08/02 22:58:47.298408, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[departments]"
> [2015/08/02 22:58:47.298766, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[users]"
> [2015/08/02 22:58:47.299116, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[konto]"
> [2015/08/02 22:58:47.299464, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[trz]"
> [2015/08/02 22:58:47.299826, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[shared]"
> [2015/08/02 22:58:47.299957, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-acct]"
> [2015/08/02 22:58:47.300305, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-production]"
> [2015/08/02 22:58:47.300660, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-trade]"
> [2015/08/02 22:58:47.301021, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-reception]"
> [2015/08/02 22:58:47.301402, 3] ../source3/param/loadparm.c:1495(lp_add_ipc)
>   adding IPC service
> [2015/08/02 22:58:47.302583, 3] ../source3/smbd/password.c:144(register_homes_share)
>   Adding homes service for user 'DOMAIN\myuser' using home directory: '/home/DOMAIN/myuser'
> [2015/08/02 22:58:47.303692, 3] ../source3/lib/access.c:338(allow_access)
>   Allowed connection from 10.15.1.10 (10.15.1.10)
> [2015/08/02 22:58:47.303821, 3] ../source3/smbd/service.c:614(make_connection_snum)
>   Connect path is '/var/smb/shared' for service [shared]
> [2015/08/02 22:58:47.303911, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
>   Initialising default vfs hooks
> [2015/08/02 22:58:47.303941, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
>   Initialising custom vfs hooks from [/[Default VFS]/]
> [2015/08/02 22:58:47.303969, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
>   Initialising custom vfs hooks from [zfsacl]
> [2015/08/02 22:58:47.304777, 2] ../lib/util/modules.c:191(do_smb_load_module)
>   Module 'zfsacl' loaded
> [2015/08/02 22:58:47.305038, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
>   string_to_sid: SID @Administrators is not in a valid format
> [2015/08/02 22:58:47.309850, 3] ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
>   string_to_sid: SID @DOMAIN\Domain admins is not in a valid format
> [2015/08/02 22:58:47.310846, 2] ../source3/smbd/uid.c:270(check_user_ok)
>   check_user_ok: user DOMAIN\myuser is an admin user. Setting uid as 0
> [2015/08/02 22:58:47.311107, 2] ../source3/smbd/service.c:862(make_connection_snum)
>   10.15.1.10 (ipv4:10.15.1.10:63168) connect to service shared initially as user DOMAIN\myuser (uid=0, gid=10006) (pid 19606)
> [2015/08/02 22:58:47.312082, 3] ../source3/smbd/vfs.c:1143(check_reduced_name)
>   check_reduced_name [desktop.ini] [/var/smb/shared]
> [2015/08/02 22:58:47.312135, 3] ../source3/smbd/vfs.c:1273(check_reduced_name)
>   check_reduced_name: desktop.ini reduced to /var/smb/shared/desktop.ini
> [2015/08/02 22:58:47.312360, 3] ../source3/smbd/dosmode.c:196(unix_mode)
>   unix_mode(desktop.ini) returning 0644
>
> Here is an unsuccessful session (by \\IP):
> [2015/08/02 22:59:03.126703, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/08/02 22:59:03.126841, 3] ../source3/smbd/process.c:1879(process_smb)
>   Transaction 0 of length 159 (0 toread)
> [2015/08/02 22:59:03.126882, 3] ../source3/smbd/process.c:1489(switch_message)
>   switch message SMBnegprot (pid 19611) conn 0x0
> [2015/08/02 22:59:03.127014, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/08/02 22:59:03.127045, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [LANMAN1.0]
> [2015/08/02 22:59:03.127068, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [Windows for Workgroups 3.1a]
> [2015/08/02 22:59:03.127090, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [LM1.2X002]
> [2015/08/02 22:59:03.127121, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [LANMAN2.1]
> [2015/08/02 22:59:03.127143, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [NT LM 0.12]
> [2015/08/02 22:59:03.127165, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [SMB 2.002]
> [2015/08/02 22:59:03.127186, 3] ../source3/smbd/negprot.c:575(reply_negprot)
>   Requested protocol [SMB 2.???]
> [2015/08/02 22:59:03.127371, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_FF
> [2015/08/02 22:59:03.129924, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_spnego' registered
> [2015/08/02 22:59:03.129983, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_krb5' registered
> [2015/08/02 22:59:03.130007, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/08/02 22:59:03.134188, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'sasl-DIGEST-MD5' registered
> [2015/08/02 22:59:03.134265, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'spnego' registered
> [2015/08/02 22:59:03.134289, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'schannel' registered
> [2015/08/02 22:59:03.134312, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'naclrpc_as_system' registered
> [2015/08/02 22:59:03.134340, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'sasl-EXTERNAL' registered
> [2015/08/02 22:59:03.134381, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'ntlmssp' registered
> [2015/08/02 22:59:03.134404, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'http_basic' registered
> [2015/08/02 22:59:03.134426, 3] ../auth/gensec/gensec_start.c:885(gensec_register)
>   GENSEC backend 'http_ntlm' registered
> [2015/08/02 22:59:03.337949, 3] ../source3/smbd/negprot.c:683(reply_negprot)
>   Selected protocol SMB 2.???
> [2015/08/02 22:59:03.338430, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
> [2015/08/02 22:59:03.669244, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
>   Got NTLMSSP neg_flags=0xe2088297
> [2015/08/02 22:59:03.676620, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
>   Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
> [2015/08/02 22:59:03.676711, 3] ../source3/param/loadparm.c:3647(lp_load_ex)
>   lp_load_ex: refreshing parameters
> [2015/08/02 22:59:03.676862, 3] ../source3/param/loadparm.c:564(init_globals)
>   Initialising global parameters
> [2015/08/02 22:59:03.677014, 3] ../source3/param/loadparm.c:2597(lp_do_section)
>   Processing section "[global]"
> [2015/08/02 22:59:03.677817, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[pub]"
> [2015/08/02 22:59:03.678176, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[departments]"
> [2015/08/02 22:59:03.678552, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[users]"
> [2015/08/02 22:59:03.678899, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[konto]"
> [2015/08/02 22:59:03.679247, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[trz]"
> [2015/08/02 22:59:03.679616, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[shared]"
> [2015/08/02 22:59:03.679741, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-acct]"
> [2015/08/02 22:59:03.680097, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-production]"
> [2015/08/02 22:59:03.680446, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-trade]"
> [2015/08/02 22:59:03.680902, 2] ../source3/param/loadparm.c:2614(lp_do_section)
>   Processing section "[scan-reception]"
> [2015/08/02 22:59:03.681356, 3] ../source3/param/loadparm.c:1495(lp_add_ipc)
>   adding IPC service
> [2015/08/02 22:59:03.682265, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
>   check_ntlm_password: Checking password for unmapped user [DOMAIN]\[myuser]@[WSNAME] with the new password interface
> [2015/08/02 22:59:03.682295, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
>   check_ntlm_password: mapped user is: [DOMAIN]\[myuser]@[WSNAME]
> [2015/08/02 22:59:03.729944, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
>   check_ntlm_password: Authentication for user [myuser] -> [myuser] FAILED with error NT_STATUS_ACCESS_DENIED
> [2015/08/02 22:59:03.730020, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
>   SPNEGO login failed: NT_STATUS_ACCESS_DENIED
> [2015/08/02 22:59:03.730658, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
>   Server exit (NT_STATUS_CONNECTION_RESET)
> [2015/08/02 22:59:03.735828, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
>   init_oplocks: initializing messages.
> [2015/08/02 22:59:03.735962, 3] ../source3/smbd/process.c:1879(process_smb)
>   Transaction 0 of length 108 (0 toread)
> [2015/08/02 22:59:03.736140, 3] ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
>   Selected protocol SMB2_10
>
>
> Here is my smb4.conf:
> # Global parameters
> [global]
> netbios name = SERVER
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> server string = Server
> security = ADS
> encrypt passwords = Yes
>
> log level = 3
> log file = /var/log/samba4/log.%m
> max log size = 500
>
> hosts allow = 10.15. 127.0.0.1
> interfaces = localhost, re0
> bind interfaces only = Yes
>
> winbind trusted domains only = no
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> # winbind refresh tickets = Yes
> winbind nested groups = Yes
> winbind expand groups = 10
> #
> # Samba 4.2 wbinfo works but getent no
> #
> require strong key = false
> winbind sealed pipes = false
> #client ldap sasl wrapping = plain
>
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-2000000
>
> nsupdate command = /usr/local/bin/samba-nsupdate -g
>
> admin users = @Administrators, "@DOMAIN\Domain admins"
>
> vfs objects = zfsacl
> map acl inherit = yes
> ## Store DOS attributes in extended attributes (no mapping)
> map hidden = no
> map system = no
> map archive = no
> map readonly = no
> store dos attributes = no
>
> ## Extended attributes
> ea support = no
>
> veto files = /*.eml/*.nws/*.{*}/
> veto oplock files
> /*.doc/*.xls/*.docx/*.xlsx/*.mdb/*.dbf/*.pst/*.ntx/*.idx/*.cdx/*.db/*.y??/*.xg?/*.mb/*.val/*.px/*.lck/
>
> Thanks in advance for any help.

Hi, what are you using for the domain DC, a Windows server, samba4 as an AD DC or something else? What DNS are you using?

You may also like to look here to see how to set up a member server correctly:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
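The two sessions posted in this thread differ in how the client authenticated: the by-name session logs a Kerberos ticket principal, while the by-IP session goes through NTLMSSP and ends in NT_STATUS_ACCESS_DENIED. The following Python script is an added example, not part of the thread and not Samba project code; it summarises each connection in an smbd log by mechanism and outcome. The function names are hypothetical, and it assumes a new connection starts at each `init_oplocks` entry, as in the logs above.

```python
import re

# Entries copied from the two sessions posted in this thread, with the mail
# client's wrapping undone (header and location on one line, message below).
SAMPLE_LOG = r"""
[2015/08/02 22:58:46.763454, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:58:47.252483, 3] ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser@DOMAIN.LOCAL]
[2015/08/02 22:58:47.311107, 2] ../source3/smbd/service.c:862(make_connection_snum)
  10.15.1.10 (ipv4:10.15.1.10:63168) connect to service shared initially
  as user DOMAIN\myuser (uid=0, gid=10006) (pid 19606)
[2015/08/02 22:59:03.126703, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.676620, 3] ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
[2015/08/02 22:59:03.729944, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myuser] -> [myuser]
  FAILED with error NT_STATUS_ACCESS_DENIED
[2015/08/02 22:59:03.735828, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
"""

# "[date time, level] source_file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"\S+?\((?P<func>\w+)\)$"
)
KRB_USER = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
NTLM_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")
AUTH_FAIL = re.compile(r"FAILED with error (NT_STATUS_\w+)")
CONNECTED = re.compile(r"connect to service (\S+) initially")


def parse_entries(text):
    """Yield (timestamp, function, message) for each debug entry.

    Message lines that follow a header are joined with spaces, so a
    message that was wrapped over several lines is matched as one string.
    """
    ts = func = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, func, " ".join(body)
            ts, func, body = m["ts"], m["func"], []
        elif line and ts is not None:
            body.append(line)
    if ts is not None:
        yield ts, func, " ".join(body)


def summarize_sessions(text):
    """Return one dict per connection: start, mech, user, share, result."""
    sessions, cur = [], None
    for ts, func, msg in parse_entries(text):
        # Assumption: each new smbd connection logs init_oplocks first.
        if cur is None or func == "init_oplocks":
            cur = {"start": ts, "mech": None, "user": None,
                   "share": None, "result": None}
            sessions.append(cur)
        if (m := KRB_USER.search(msg)):
            cur["mech"], cur["user"] = "kerberos", m[1]
        elif (m := NTLM_USER.search(msg)):
            cur["mech"], cur["user"] = "ntlmssp", m[2] + "\\" + m[1]
        elif (m := AUTH_FAIL.search(msg)):
            cur["result"] = m[1]
        elif (m := CONNECTED.search(msg)):
            cur["share"] = m[1]
            cur["result"] = cur["result"] or "OK"
    return sessions


def ntlm_failures(sessions):
    """Connections that used NTLMSSP and ended with an NT_STATUS error."""
    return [s for s in sessions
            if s["mech"] == "ntlmssp"
            and (s["result"] or "").startswith("NT_STATUS_")]


if __name__ == "__main__":
    for s in summarize_sessions(SAMPLE_LOG):
        print(s["start"], s["mech"], s["user"], s["share"], s["result"])
```

A connection with no mechanism recorded, like the third one in the sample, is a client reconnect that had only reached protocol negotiation when the excerpt ends.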