samba - Jul 2016 - failure to authenticate from a Toshiba MFD

I have a toshiba multifunction device that can save to an smb share.

For years its been saving to an windows server.

I'm trying to move it to samba 4.x.

My samba 4 is running an samba AD DC on a machine called vc1. The samba 4
file services is running on a system called srv1.

I've made the share on the srv1 smb.conf and have been able to connect to
it using the smbclient tool. I've also been able to connect to it using a
fuse file system and a kerb tgt.

Connection with smbclient use the form of
smbclient \\\\srv1\\share -U IN\user

Where IN is my AD DC domain name

This works as expected. However, I cannot use a user name in the form of
user at IN . I'm not sure if that is the fault of the smbclient tool or
something in my setup.

kinit user at IN.**** works fine where I used the FQDN for the domain name.

The difficulty here is that I cannot make the toshiba printer save to the
share at all. I've tried using the form
IN\user and user at IN

It just doesn't seem to matter how if specify the user name, the toshiba
fails to store files and I think it is all related to an authentication
failure.

Any pointers on how I might troubleshoot this? The toshiba doesn't seem to
have any detail log file.

Here is a tail of the log file for the toshiba
The connecting user is 'fax'
[2016/07/30 16:55:44.550461,  5]
../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2016/07/30 16:55:44.550473,  5]
../source3/auth/token_util.c:639(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2016/07/30 16:55:44.550569,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2016/07/30 16:55:44.550601,  4]
../source3/lib/privileges.c:98(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2710280408-1741972466-1138394509-1135]
[2016/07/30 16:55:44.550625,  4]
../source3/lib/privileges.c:98(get_privileges)
  get_privileges: No privileges assigned to SID
[S-1-5-21-2710280408-1741972466-1138394509-513]
[2016/07/30 16:55:44.550645,  4]
../source3/lib/privileges.c:98(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-22-2-10090]
[2016/07/30 16:55:44.550665,  5]
../source3/lib/privileges.c:176(get_privileges_for_sids)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set: 0x0
[2016/07/30 16:55:44.550688,  4]
../source3/lib/privileges.c:98(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2016/07/30 16:55:44.550706,  4]
../source3/lib/privileges.c:98(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2016/07/30 16:55:44.550726,  4]
../source3/lib/privileges.c:98(get_privileges)
  get_privileges: No privileges assigned to SID [S-1-5-32-545]
[2016/07/30 16:55:44.550834,  5]
../source3/lib/username.c:181(Get_Pwnam_alloc)
  Finding user IN\fax
[2016/07/30 16:55:44.550853,  5]
../source3/lib/username.c:120(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is in\fax
[2016/07/30 16:55:44.550871,  5]
../source3/lib/username.c:159(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [IN\fax]!
[2016/07/30 16:55:44.550884,  3]
../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'IN\fax' using home directory:
'/home/IN/fax'
[2016/07/30 16:55:44.550923,  5]
../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
  check lock order 1 for
/usr/local/samba/var/lock/smbXsrv_session_global.tdb
[2016/07/30 16:55:44.550995,  5]
../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
  release lock order 1 for
/usr/local/samba/var/lock/smbXsrv_session_global.tdb

Any advice?

-- 
David Bear
mobile: (602) 903-6476

See inline comments

On 31/07/16 03:44, David Bear wrote:
> I have a toshiba multifunction device that can save to an smb share.
>
> For years its been saving to an windows server.
>
> I'm trying to move it to samba 4.x.
>
> My samba 4 is running an samba AD DC on a machine called vc1. The samba 4
> file services is running on a system called srv1.
>
> I've made the share on the srv1 smb.conf and have been able to connect
to
> it using the smbclient tool. I've also been able to connect to it using
a
> fuse file system and a kerb tgt.
>
> Connection with smbclient use the form of
> smbclient \\\\srv1\\share -U IN\user
>
> Where IN is my AD DC domain name
>
> This works as expected. However, I cannot use a user name in the form of
> user at IN . I'm not sure if that is the fault of the smbclient tool or
> something in my setup.
Neither, if you give the REALM in the kinit command, it must be the full 
realm name or you can choose to not use it

rowland at devstation:~$ kinit rowland at SAMDOM
kinit: Cannot find KDC for realm "SAMDOM" while getting initial
credentials
rowland at devstation:~$ kinit rowland at SAMDOM.EXAMPLE.COM
Password for rowland at SAMDOM.EXAMPLE.COM:
rowland at devstation:~$ kinit rowland
Password for rowland at SAMDOM.EXAMPLE.COM:

>
> kinit user at IN.**** works fine where I used the FQDN for the domain name.
>
> The difficulty here is that I cannot make the toshiba printer save to the
> share at all. I've tried using the form
> IN\user and user at IN
>
> It just doesn't seem to matter how if specify the user name, the
toshiba
> fails to store files and I think it is all related to an authentication
> failure.
>
> Any pointers on how I might troubleshoot this? The toshiba doesn't seem
to
> have any detail log file.
>
Try raising the log level on the fileserver and see if anything pops 
out, because it seems that your user is found, but then nothing happens.

Rowland

Maybe this post is of help for you

https://groups.google.com/forum/#!topic/linux.samba/FYKZJriLNoY


Am 31.07.2016 um 04:44 schrieb David Bear:
> I have a toshiba multifunction device that can save to an smb share.
>
> For years its been saving to an windows server.
>
> I'm trying to move it to samba 4.x.
>
> My samba 4 is running an samba AD DC on a machine called vc1. The samba 4
> file services is running on a system called srv1.
>
> I've made the share on the srv1 smb.conf and have been able to connect
to
> it using the smbclient tool. I've also been able to connect to it using
a
> fuse file system and a kerb tgt.
>
> Connection with smbclient use the form of
> smbclient \\\\srv1\\share -U IN\user
>
> Where IN is my AD DC domain name
>
> This works as expected. However, I cannot use a user name in the form of
> user at IN . I'm not sure if that is the fault of the smbclient tool or
> something in my setup.
>
> kinit user at IN.**** works fine where I used the FQDN for the domain name.
>
> The difficulty here is that I cannot make the toshiba printer save to the
> share at all. I've tried using the form
> IN\user and user at IN
>
> It just doesn't seem to matter how if specify the user name, the
toshiba
> fails to store files and I think it is all related to an authentication
> failure.
>
> Any pointers on how I might troubleshoot this? The toshiba doesn't seem
to
> have any detail log file.
>
> Here is a tail of the log file for the toshiba
> The connecting user is 'fax'
> [2016/07/30 16:55:44.550461,  5]
> ../libcli/security/security_token.c:53(security_token_debug)
>    Security token: (NULL)
> [2016/07/30 16:55:44.550473,  5]
> ../source3/auth/token_util.c:639(debug_unix_user_token)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2016/07/30 16:55:44.550569,  4] ../source3/smbd/sec_ctx.c:439(pop_sec_ctx)
>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2016/07/30 16:55:44.550601,  4]
> ../source3/lib/privileges.c:98(get_privileges)
>    get_privileges: No privileges assigned to SID
> [S-1-5-21-2710280408-1741972466-1138394509-1135]
> [2016/07/30 16:55:44.550625,  4]
> ../source3/lib/privileges.c:98(get_privileges)
>    get_privileges: No privileges assigned to SID
> [S-1-5-21-2710280408-1741972466-1138394509-513]
> [2016/07/30 16:55:44.550645,  4]
> ../source3/lib/privileges.c:98(get_privileges)
>    get_privileges: No privileges assigned to SID [S-1-22-2-10090]
> [2016/07/30 16:55:44.550665,  5]
> ../source3/lib/privileges.c:176(get_privileges_for_sids)
>    get_privileges_for_sids: sid = S-1-1-0
>    Privilege set: 0x0
> [2016/07/30 16:55:44.550688,  4]
> ../source3/lib/privileges.c:98(get_privileges)
>    get_privileges: No privileges assigned to SID [S-1-5-2]
> [2016/07/30 16:55:44.550706,  4]
> ../source3/lib/privileges.c:98(get_privileges)
>    get_privileges: No privileges assigned to SID [S-1-5-11]
> [2016/07/30 16:55:44.550726,  4]
> ../source3/lib/privileges.c:98(get_privileges)
>    get_privileges: No privileges assigned to SID [S-1-5-32-545]
> [2016/07/30 16:55:44.550834,  5]
> ../source3/lib/username.c:181(Get_Pwnam_alloc)
>    Finding user IN\fax
> [2016/07/30 16:55:44.550853,  5]
> ../source3/lib/username.c:120(Get_Pwnam_internals)
>    Trying _Get_Pwnam(), username as lowercase is in\fax
> [2016/07/30 16:55:44.550871,  5]
> ../source3/lib/username.c:159(Get_Pwnam_internals)
>    Get_Pwnam_internals did find user [IN\fax]!
> [2016/07/30 16:55:44.550884,  3]
> ../source3/smbd/password.c:144(register_homes_share)
>    Adding homes service for user 'IN\fax' using home directory:
> '/home/IN/fax'
> [2016/07/30 16:55:44.550923,  5]
> ../lib/dbwrap/dbwrap.c:178(dbwrap_check_lock_order)
>    check lock order 1 for
> /usr/local/samba/var/lock/smbXsrv_session_global.tdb
> [2016/07/30 16:55:44.550995,  5]
> ../lib/dbwrap/dbwrap.c:146(dbwrap_lock_order_state_destructor)
>    release lock order 1 for
> /usr/local/samba/var/lock/smbXsrv_session_global.tdb
>
> Any advice?
>