Did ya check your samba pam?

On Wed, Sep 15, 2010 at 10:45 AM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> The samba share I need to access from the trusted domain has been configured
> with "guest ok=yes" parameter. Some of the files are world-readable
> since they do not contain any restricted information.
>
> So even though authenticated access fails with smb client
>
>     #smbclient -U " WINDOMAIN\winuser" -L sambapdc
>     session setup failed: NT_STATUS_LOGON_FAILURE
>
> anonymous access with smbclient is OK
>
>     #smbclient -N -L sambapdc
>     Anonymous login successful
>     Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.0.37]
>
> From a Windows machine, I try to map the drive as anonymous
>
>     net use z: \\sambapdc\share1
>
> However I still get prompted for a user name and password. I don't seem
> to have a way to force the "net" command to connect anonymously.
>
> If I can force an anonymous connection from Windows, then I should be OK.
> (Again, this share does not contain information that needs much
> protection.)
>
> Thanks
>
>
> From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
> Sent: Tuesday, September 14, 2010 1:16 PM
> To: samba@lists.samba.org
> Subject: RE: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, ntlm_auth succeeds
>
> Maybe this is some issue with parsing the user name properly?
>
> I noticed that if I have a user in the Windows domain AND a user with the
> same name in the Samba domain, then the Windows user can access shares on
> the Samba domain. For example, I have an Administrator account in each
> domain. They do NOT have the same password. In the example below the
> user authenticates to the samba domain using the trusted Windows domain
> password.
>
>     sambapdc # smbclient "//sambapdc/dept_common" -U " WINDOMAIN \Administrator"
>     Enter WINDOMAIN Administrator's password:
>     Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]
>     smb: \> quit
>     sambapdc #
>
> So it seems like there are two steps -
>
>     Verify that the user is legitimate (which seems to strip off
>     the domain component and look for a local name)
>
>     Then authenticate the user (which verifies the domain
>     component.)
>
> I supposed the hack would be to create some dummy local accounts in the
> samba domain to represent each user in the trusted domain.
>
> FYI smb.conf includes
>
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     winbind use default domain = no
>     winbind trusted domains only = no
>
> winbindd.log keeps showing
>
>     [2010/09/14 13:05:49, 3] winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)
>       [ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser
>
> I have never got an answer for what "pam auth crap domain" means.
>
> Thanks
>
>
> From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
> Sent: Tuesday, September 14, 2010 9:19 AM
> To: samba@lists.samba.org
> Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, ntlm_auth succeeds, wbinfo not caching
>
> FYI
>
> The ntlm_auth command does work with users from the trusted domain.
>
>     sambapdc# ntlm_auth --username "WINDOMAIN\winuser"
>     password:
>     NT_STATUS_OK: Success (0x0)
>     sambapdc #
>
> (winuser is the user in the trusted Windows 2003 AD domain.)
>
> I also removed a trust relationship with a 2nd Windows domain that was no
> longer active - this fixed the slow "wbinfo -u" response but did not fix the
> smbclient authentication issue to the existing windows domain.
>
>
> From: Gaiseric Vandal [mailto:gaiseric.van...@gmail.com]
> Sent: Monday, September 13, 2010 3:55 PM
> To: samba@lists.samba.org
> Subject: NT_STATUS_NO_SUCH_USER for trusted domains
>
> I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC. I
> have trusted domains setup with a Windows 2003 Active Directory domain in
> "2003 native" mode. Everything is in an LDAP backend (unix accounts for
> the Samba domain, idmap entries for trusted domains.) The Solaris 10 PDC is
> also an ldap/nfs server for linux and solaris clients.
>
> Assuming
>
>     SAMBAPDC is the Solaris 10 PDC for the domain called "SAMBADOMAIN."
>
>     WINSERVER is the PDC for the Win 2003 AD domain called "WINDOMAIN."
>
>     "winuser" is a user in the "WINDOMAIN" domain.
>
> This was working for some time. Now, however, users in the Windows domain
> can no longer access resources on the samba domain. On a windows PC in the
> trs Smbclient on the PDC or on a linux workstation also fails, so this
> does not seem to be a mismatch in NTLM versions between windows and samba.
> Samba log files show "NT_STATUS_NO_SUCH_USER."
>
>     sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
>     session setup failed: NT_STATUS_LOGON_FAILURE
>
> "wbinfo -u" does list the users from the trusted Windows domain.
>
> The "/etc/nsswitch.conf" file has the following entries
>
>     passwd: files ldap winbind
>     group: files ldap winbind
>
> "getent passwd" command does list users from the trusted Windows domain.
>
> "id "WINDOMAIN/winuser"" command returns valid uid and gid values.
>
> "wbinfo -s " and "wbinfo -n" commands show matching name-to-sid and
> sid-to-name entries.
>
> "Getent passwd" lists unix accounts from ldap quickly. There is a delay of
> about 10 seconds before it starts listing winbind users (i.e. from the
> trusted domain.) I suspect that the names are not getting returned to
> samba fast enough.
>
>     sambapdc# cat winserver.log
>     .
>     .
>     [2010/09/13 08:02:04, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>       NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 R2 5.2]
>     [2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
>       Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
>     [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>       push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>     [2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
>       push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>     [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>       setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>     [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>       pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>     [2010/09/13 08:02:04, 3] auth/auth.c:222(check_ntlm_password)
>       check_ntlm_password: Checking password for unmapped user [WINDOMAIN]\[lin...@[winserver] with the new password interface
>     [2010/09/13 08:02:04, 3] auth/auth.c:225(check_ntlm_password)
>       check_ntlm_password: mapped user is: [windomain]\[winus...@[winserver]
>     [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>       push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>     [2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
>       push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>     [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>       setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>     [2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>       pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>     [2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
>       check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
>     [2010/09/13 08:02:04, 3] smbd/error.c:60(error_packet_set)
>       error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>     [2010/09/13 08:02:12, 2] smbd/process.c:1988(deadtime_fn)
>       Closing idle connection
>     [2010/09/13 08:02:12, 3] smbd/server.c:146(msg_exit_server)
>       got a SHUTDOWN message
>     [2010/09/13 08:02:12, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>       setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>     [2010/09/13 08:02:12, 3] smbd/connection.c:31(yield_connection)
>       Yielding connection to
>     [2010/09/13 08:02:12, 3] smbd/server.c:845(exit_server_common)
>       Server exit (normal exit)
>     #
>
>     sambapdc #testparm -v | grep timeout
>
>     passwd chat timeout = 2
>     name cache timeout = 660
>     cups connection timeout = 30
>     machine password timeout = 604800
>     ldap timeout = 15
>     ldap connection timeout = 2
>
> Help is appreciated.
>
> Thanks
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
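
The following is an added example, not part of the original thread: a small parser for the smbd log layout quoted above that pairs the domain and user the client sent in `ntlmssp_server_auth` with the `check_ntlm_password` failure that follows, so trusted-domain failures stand out from local ones. The sample log is constructed (the second attempt, `localuser` on `PC1`, is invented), and the function names `records` and `failed_logons` are hypothetical.

```python
import re

# Constructed sample in the Samba 3.x log layout: header line, then indented message.
SAMPLE_LOG = """\
[2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:02:09, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[localuser] domain=[SAMBADOMAIN] workstation=[PC1] len1=24 len2=24
[2010/09/13 08:02:09, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [localuser] -> [localuser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<lvl>\d+)\]\s+(?P<src>\S+)\((?P<fn>\w+)\)")
GOT = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] FAILED with error (\w+)")

def records(text):
    """Yield (timestamp, function, message) with continuation lines folded in."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield tuple(cur)
            cur = [m["ts"], m["fn"], ""]
        elif cur and line.strip():
            cur[2] = (cur[2] + " " + line.strip()).strip()
    if cur:
        yield tuple(cur)

def failed_logons(text, local_domain):
    """Pair each NTLMSSP request with the auth failure that follows it."""
    pending, out = None, []
    for ts, fn, msg in records(text):
        if fn == "ntlmssp_server_auth" and (g := GOT.search(msg)):
            pending = g.groups()
        elif fn == "check_ntlm_password" and (f := FAILED.search(msg)):
            user, domain, ws = pending or (f[1], "?", "?")
            out.append({"time": ts, "user": user, "domain": domain, "workstation": ws, "error": f[3],
                        "trusted_domain": domain.upper() not in ("?", local_domain.upper())})
            pending = None
    return out
```

The failure line itself logs only `[winuser] -> [winuser]` with no domain, which is why the domain has to be taken from the preceding `ntlmssp_server_auth` record.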