On Thu, Oct 03, 2019 at 08:59:35PM +0100, Rowland penny via samba wrote:> On 03/10/2019 20:30, Christopher Cox via samba wrote: > > > > > > > Took a while to get a bugzilla account.? Submitted > > https://bugzilla.samba.org/show_bug.cgi?id=14151 > > > I am not the expert here, but: > > A) you are using Samba as a standalone server 'security = user' > > B) you also seem to want to use another server for passwords 'password > server = ldap.skopos.me' > > C) Samba tries to use kerberos : > > ???? Enter SKOPOS\ccox's password: cli_session_creds_prepare_krb5: Doing > kinit for ccox at SKOPOS to access doc_svr2 > ???? kerberos_kinit_password: as ccox at SKOPOS using [MEMORY:cliconnect] as > ccache and config [(null)] > > ???? And fails: > > ???? Kinit for ccox at SKOPOS to access doc_svr2 failed: Cannot find KDC for > requested realm > > ???? But then seems to authenticate via kerberos: > > ???? Kinit for ccox at SKOPOS to access doc_svr2 failed: Cannot find KDC for > requested realm > > Do you want to use kerberos ? > > If so, change 'security = user' to 'security = ads' and it might work. > > Can you also tell us just how you are trying to connect to the Samba server, > are you using smbclient, a GUI or what ?This isn't talking to a Samba server, it's smbclient talking to a MacOS/X server. wireshark trace on that bug is corrupt, but as it's a 4.9.x build I'm guessing this is a path in the client libraries that messes up and allows an SMB1 frame to be sent on an SMB2 connection. I vaguely remember such bugs getting fixed by Metze in the past. But I'll take a look at the specific version and see. Jeremy.
On 03/10/2019 21:06, Jeremy Allison wrote:> On Thu, Oct 03, 2019 at 08:59:35PM +0100, Rowland penny via samba wrote: >> On 03/10/2019 20:30, Christopher Cox via samba wrote: >>> Took a while to get a bugzilla account.? Submitted >>> https://bugzilla.samba.org/show_bug.cgi?id=14151 >>> >> I am not the expert here, but: >> >> A) you are using Samba as a standalone server 'security = user' >> >> B) you also seem to want to use another server for passwords 'password >> server = ldap.skopos.me' >> >> C) Samba tries to use kerberos : >> >> ???? Enter SKOPOS\ccox's password: cli_session_creds_prepare_krb5: Doing >> kinit for ccox at SKOPOS to access doc_svr2 >> ???? kerberos_kinit_password: as ccox at SKOPOS using [MEMORY:cliconnect] as >> ccache and config [(null)] >> >> ???? And fails: >> >> ???? Kinit for ccox at SKOPOS to access doc_svr2 failed: Cannot find KDC for >> requested realm >> >> ???? But then seems to authenticate via kerberos: >> >> ???? Kinit for ccox at SKOPOS to access doc_svr2 failed: Cannot find KDC for >> requested realm >> >> Do you want to use kerberos ? >> >> If so, change 'security = user' to 'security = ads' and it might work. >> >> Can you also tell us just how you are trying to connect to the Samba server, >> are you using smbclient, a GUI or what ? > This isn't talking to a Samba server, it's smbclient > talking to a MacOS/X server. > > wireshark trace on that bug is corrupt, but as it's > a 4.9.x build I'm guessing this is a path in the client > libraries that messes up and allows an SMB1 frame to > be sent on an SMB2 connection. > > I vaguely remember such bugs getting fixed by Metze > in the past. But I'll take a look at the specific > version and see. > > Jeremy.Ah, then the smb.conf is pointless, that is if the OP is using smbclient. Rowland
On 10/3/19 3:12 PM, Rowland penny via samba wrote:> On 03/10/2019 21:06, Jeremy Allison wrote: >> On Thu, Oct 03, 2019 at 08:59:35PM +0100, Rowland penny via samba wrote: >>> On 03/10/2019 20:30, Christopher Cox via samba wrote: >>>> Took a while to get a bugzilla account.? Submitted >>>> https://bugzilla.samba.org/show_bug.cgi?id=14151 >>>> >>> I am not the expert here, but: >>> >>> A) you are using Samba as a standalone server 'security = user' >>> >>> B) you also seem to want to use another server for passwords 'password >>> server = ldap.skopos.me' >>> >>> C) Samba tries to use kerberos : >>> >>> ????? Enter SKOPOS\ccox's password: cli_session_creds_prepare_krb5: >>> Doing >>> kinit for ccox at SKOPOS to access doc_svr2 >>> ????? kerberos_kinit_password: as ccox at SKOPOS using >>> [MEMORY:cliconnect] as >>> ccache and config [(null)] >>> >>> ????? And fails: >>> >>> ????? Kinit for ccox at SKOPOS to access doc_svr2 failed: Cannot find >>> KDC for >>> requested realm >>> >>> ????? But then seems to authenticate via kerberos: >>> >>> ????? Kinit for ccox at SKOPOS to access doc_svr2 failed: Cannot find >>> KDC for >>> requested realm >>> >>> Do you want to use kerberos ? >>> >>> If so, change 'security = user' to 'security = ads' and it might work. >>> >>> Can you also tell us just how you are trying to connect to the Samba >>> server, >>> are you using smbclient, a GUI or what ? >> This isn't talking to a Samba server, it's smbclient >> talking to a MacOS/X server. >> >> wireshark trace on that bug is corrupt, but as it's >> a 4.9.x build I'm guessing this is a path in the client >> libraries that messes up and allows an SMB1 frame to >> be sent on an SMB2 connection. >> >> I vaguely remember such bugs getting fixed by Metze >> in the past. But I'll take a look at the specific >> version and see. >> >> Jeremy. > > Ah, then the smb.conf is pointless, that is if the OP is using smbclient. > > RowlandYes the level 10 debugs in the attachement are from smbclient (the command line used is in the description). Let me know on what options I need to supply to tcpdump that would help with regards to a pcap.