No-

I am not quite sure what would be involved. My understanding of pam support was so that you could have pam-compatible unix services authenticate against samba accounts.

From: Linux Addict [mailto:[email protected]]
Sent: Friday, September 17, 2010 4:46 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [Samba] smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, can't force anonymous access from Windows

Did ya check your samba pam?

On Wed, Sep 15, 2010 at 10:45 AM, Gaiseric Vandal <[email protected]> wrote:

The samba share I need to access from the trusted domain has been configured with "guest ok=yes" parameter. Some of the files are world-readable since they do not contain any restricted information.

So even though authenticated access fails with smb client

#smbclient -U "WINDOMAIN\winuser" -L sambapdc
session setup failed: NT_STATUS_LOGON_FAILURE

anonymous access with smbclient is OK

#smbclient -N -L sambapdc
Anonymous login successful
Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.0.37]

From a Windows machine, I try to map the drive as anonymous

net use z: \\sambapdc\share1

However I still get prompted for a user name and password. I don't seem to have a way to force the "net" command to connect anonymously.

If I can force an anonymous connection from Windows, then I should be OK. (Again, this share does not contain information that needs much protection.)

Thanks

From: Gaiseric Vandal [mailto:[email protected]]
Sent: Tuesday, September 14, 2010 1:16 PM
To: [email protected]
Subject: RE: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, ntlm_auth succeeds

Maybe this is some issue with parsing the user name properly? I noticed that if I have a user in the Windows domain AND a user with the same name in the Samba domain, then the Windows user can access shares on the Samba domain.

For example, I have an Administrator account in each domain. They do NOT have the same password.
In the example below the user authenticates to the samba domain using the trusted Windows domain password.

sambapdc # smbclient "//sambapdc/dept_common" -U "WINDOMAIN\Administrator"
Enter WINDOMAIN Administrator's password:
Domain=[SAMBADOMAIN] OS=[Unix] Server=[Samba 3.4.8]
smb: \> quit
sambapdc #

So it seems like there are two steps -
Verify that the user is legitimate (which seems to strip off the domain component and look for a local name)
Then authenticate the user (which verifies the domain component.)

I supposed the hack would be to create some dummy local accounts in the samba domain to represent each user in the trusted domain.

FYI smb.conf includes

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = no
winbind trusted domains only = no

winbindd.log keeps showing

[2010/09/14 13:05:49, 3] winbindd/winbindd_pam.c:1779(winbindd_pam_auth_crap)
  [ 1293]: pam auth crap domain: [WINDOMAIN] user: winuser

I have never got an answer for what "pam auth crap domain" means.

Thanks

From: Gaiseric Vandal [mailto:[email protected]]
Sent: Tuesday, September 14, 2010 9:19 AM
To: [email protected]
Subject: smbclient fails with "NT_STATUS_NO_SUCH_USER" for trusted domains, ntlm_auth succeeds, wbinfo not caching

FYI

The ntlm_auth command does work with users from the trusted domain.

sambapdc# ntlm_auth --username "WINDOMAIN\winuser"
password:
NT_STATUS_OK: Success (0x0)
sambapdc #

(winuser is the user in the trusted Windows 2003 AD domain.)

I also removed a trust relationship with a 2nd Windows domain that was no longer active- this fixed the slow "wbinfo -u" response but did not fix the smbclient authentication issue to the existing windows domain.

From: Gaiseric Vandal [mailto:[email protected]]
Sent: Monday, September 13, 2010 3:55 PM
To: [email protected]
Subject: NT_STATUS_NO_SUCH_USER for trusted domains

I am running Samba 3.4.7 (compiled from source) on Solaris 10 as a PDC.
I have trusted domains setup with a Windows 2003 Active Directory domain in "2003 native" mode. Everything is in an LDAP backend (unix accounts for the Samba domain, idmap entries for trusted domains.) The Solaris 10 PDC is also an ldap/nfs server for linux and solaris clients.

Assuming SAMBAPDC is the Solaris 10 PDC for the domain called "SAMBADOMAIN." WINSERVER is the PDC for the Win 2003 AD domain called "WINDOMAIN." "winuser" is a user in the "WINDOMAIN" domain.

This was working for some time. Now, however, users in the Windows domain can no longer access resources on the samba domain. On a windows PC in the trs Smbclient on the PDC or on a linux workstation also fails, so this does not seem to be a mismatch in NTLM versions between windows and samba. Samba log files show "NT_STATUS_NO_SUCH_USER."

sambapdc #smbclient -U "WINDOMAIN\winuser" -L \\SAMBAPDC
session setup failed: NT_STATUS_LOGON_FAILURE

"wbinfo -u" does list the users from the trusted Windows domain.

The "/etc/nsswitch.conf" file has the following entries

passwd: files ldap winbind
group: files ldap winbind

"getent passwd" command does list users from the trusted Windows domain.
"id "WINDOMAIN/winuser"" command returns valid uid and gid values.
"wbinfo -s " and "wbinfo -n" commands show matching name-to-sid and sid-to-name entries.

"Getent passwd" lists unix accounts from ldap quickly. There is a delay of about 10 seconds before it starts listing winbind users (i.e. from the trusted domain.) I suspect that the names are not getting returned to samba fast enough.

sambapdc# cat winserver.log
.
.
[2010/09/13 08:02:04, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Windows Server 2003 R2 3790 Service Pack 2] NativeLanMan=[] PrimaryDomain=[Windows Server 2003 R2 5.2]
[2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [WINDOMAIN]\[li n...@[winserver] with the new password interface
[2010/09/13 08:02:04, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [windomain]\[winus...@[winserver]
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/uid.c:428(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/09/13 08:02:04, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:02:04, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2010/09/13 08:02:12, 2] smbd/process.c:1988(deadtime_fn)
  Closing idle connection
[2010/09/13 08:02:12, 3] smbd/server.c:146(msg_exit_server)
  got a SHUTDOWN message
[2010/09/13 08:02:12, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/09/13 08:02:12, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/09/13 08:02:12, 3] smbd/server.c:845(exit_server_common)
  Server exit (normal exit)
#

sambapdc #testparm -v | grep timeout
passwd chat timeout = 2
name cache timeout = 660
cups connection timeout = 30
machine password timeout = 604800
ldap timeout = 15
ldap connection timeout = 2

Help is appreciated.

Thanks

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
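
A log-triage sketch for the smbd entries discussed in this thread, added here and not part of the original messages or of Samba: it pairs each ntlmssp_server_auth "Got user=... domain=..." entry with the later check_ntlm_password failure, whose log line carries only the bare user name, so failed logons from a trusted domain can be listed with the domain the client sent. The sample log is constructed in the two-line layout smbd writes (header line, then indented message); the function name and the alice/PC1 entry are assumptions.

```python
import re

# Constructed sample in smbd's log layout; names are the thread's placeholders,
# the alice/PC1 entry is invented for contrast.
SAMPLE_LOG = """\
[2010/09/13 08:02:04, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[winuser] domain=[WINDOMAIN] workstation=[WINSERVER] len1=24 len2=24
[2010/09/13 08:02:04, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [winuser] -> [winuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/09/13 08:05:10, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[alice] domain=[SAMBADOMAIN] workstation=[PC1] len1=24 len2=24
[2010/09/13 08:05:10, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\]\s+\S+\((?P<func>\w+)\)")
GOT_USER = re.compile(r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\]")
FAILED = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)"
)

def trusted_domain_failures(log_text, local_domain):
    """Return (timestamp, DOMAIN\\user, status) for failed logons from a non-local domain."""
    results, pending, ts, func = [], {}, None, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            # Header line: remember which function logged the message that follows.
            ts, func = m["ts"], m["func"]
            continue
        if func == "ntlmssp_server_auth" and (m := GOT_USER.search(line)):
            # Keep the domain the client sent; the failure line logs only the user.
            pending[m["user"].lower()] = m["domain"]
        elif func == "check_ntlm_password" and (m := FAILED.search(line)):
            domain = pending.pop(m["user"].lower(), None)
            if domain and domain.upper() != local_domain.upper():
                results.append((ts, f"{domain}\\{m['user']}", m["status"]))
    return results

if __name__ == "__main__":
    for ts, account, status in trusted_domain_failures(SAMPLE_LOG, "SAMBADOMAIN"):
        print(ts, account, status)
```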
