Hi.

I'm using CentOS 5 with samba3x packages (Samba 3.5.10) and Solaris 10 (Samba 3.5.8) for achieving AD integration. Samba hosts are added as domain members.

Now, I've tried to add CentOS 6, which also uses 3.5.10, but have encountered a problem -> users cannot authenticate for some reason. Configurations are pretty much the same across the board, and they look like this:

# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[www]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = DOMAIN
        realm = DOMAIN.LOCAL
        server string = www2 (Samba ver. %v)
        security = ADS
        allow trusted domains = No
        password server = server.domain.local
        log level = 10
        syslog = 0
        log file = /var/log/samba/log.%m
        load printers = No
        local master = No
        domain master = No
        idmap backend = rid:"DOMAIN=10000-49999"
        idmap uid = 10000-49999
        idmap gid = 10000-49999
        winbind use default domain = Yes
        cups options = raw

[share]
        comment = something
        path = /home/share/www
        force user = share
        force group = share
        read only = No
        force create mode = 0660
        force security mode = 0660
        force directory mode = 0770
        delete readonly = Yes


Testparm is OK (exit: 0).

# net ads testjoin
Join is OK
# net ads testjoin -k
Join is OK
# net rpc testjoin -k
saf_store: refusing to store 0 length domain or servername!
Join to 'DOMAIN' is OK

# net ads info
LDAP server: 192.168.xx.yy
LDAP server name: server.Domain.local
Realm: DOMAIN.LOCAL
Bind Path: dc=DOMAIN,dc=LOCAL
LDAP port: 389
Server time: Wed, 31 Oct 2012 17:46:46 CET
KDC server: 192.168.xx.yy
Server time offset: 0





wbinfo -u, wbinfo -g, wbinfo -i <username>  all work OK... so mapping is ok.


But when I try to access the share from another computer, the credentials are refused...

# smbclient \\\\www2\\www -U jakov.sosic
Enter jakov.sosic's password:
session setup failed: NT_STATUS_LOGON_FAILURE


If I take a look at the log, I see this:

[2012/10/31 17:39:41.443043,  6] param/loadparm.c:7158(lp_file_list_changed)
  lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Wed Oct 31 17:35:47 2012

[2012/10/31 17:39:41.443102,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\[jakov.sosic] from workstation [WS101]
[2012/10/31 17:39:41.443592,  5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for jakov.sosic (jakov.sosic)
[2012/10/31 17:39:41.443616,  5] auth/auth_util.c:132(make_user_info)
  making strings for jakov.sosic's user_info struct
[2012/10/31 17:39:41.443632,  5] auth/auth_util.c:164(make_user_info)
  making blobs for jakov.sosic's user_info struct
[2012/10/31 17:39:41.443651, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for jakov.sosic (jakov.sosic)
[2012/10/31 17:39:41.443671,  3] auth/auth.c:216(check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[jakov.sosic]@[WS101] with the new password interface
[2012/10/31 17:39:41.443695,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[jakov.sosic]@[WS101]
[2012/10/31 17:39:41.443714, 10] auth/auth.c:228(check_ntlm_password)
check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2012/10/31 17:39:41.443733, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2012/10/31 17:39:41.443763,  5] ../lib/util/util.c:278(_dump_data)
  [0000] C5 DA F3 11 9A 67 11 50                            .....g.P
[2012/10/31 17:39:41.443795, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2012/10/31 17:39:41.443817,  8] lib/util.c:1894(is_myname)
  is_myname("DOMAIN") returns 0
[2012/10/31 17:39:41.443837, 6] auth/auth_sam.c:556(check_samstrict_security)
  check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
[2012/10/31 17:39:41.443860, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: sam had nothing to say
[2012/10/31 17:39:41.443882,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2012/10/31 17:39:41.443904,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2012/10/31 17:39:41.443923,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2012/10/31 17:39:41.443959,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2012/10/31 17:39:41.443977, 5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/10/31 17:39:41.452516,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/31 17:39:41.452561,  5] lib/username.c:133(Get_Pwnam_alloc)
  Finding user DOMAIN\jakov.sosic
[2012/10/31 17:39:41.452581,  5] lib/username.c:77(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is domain\jakov.sosic
[2012/10/31 17:39:41.452651,  5] lib/username.c:85(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as given is DOMAIN\jakov.sosic
[2012/10/31 17:39:41.452695,  5] lib/username.c:95(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is DOMAIN\JAKOV.SOSIC
[2012/10/31 17:39:41.452737,  5] lib/username.c:104(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in domain\jakov.sosic
[2012/10/31 17:39:41.452769,  5] lib/username.c:110(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [DOMAIN\jakov.sosic]!
[2012/10/31 17:39:41.452791,  5] lib/username.c:133(Get_Pwnam_alloc)
  Finding user jakov.sosic
[2012/10/31 17:39:41.452837,  5] lib/username.c:77(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is jakov.sosic
[2012/10/31 17:39:41.452911,  5] lib/username.c:95(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as uppercase is JAKOV.SOSIC
[2012/10/31 17:39:41.452983,  5] lib/username.c:104(Get_Pwnam_internals)
  Checking combinations of 0 uppercase letters in jakov.sosic
[2012/10/31 17:39:41.453023,  5] lib/username.c:110(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [jakov.sosic]!
[2012/10/31 17:39:41.453141,  5] auth/auth.c:268(check_ntlm_password)
check_ntlm_password: winbind authentication for user [jakov.sosic] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453168,  2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [jakov.sosic] -> [jakov.sosic] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453189,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2012/10/31 17:39:41.453205, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for jakov.sosic
[2012/10/31 17:39:41.453238,  3] smbd/error.c:80(error_packet_set)
error packet at smbd/sesssetup.c(111) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/10/31 17:39:41.453270,  5] lib/util.c:639(show_msg)
[2012/10/31 17:39:41.453283,  5] lib/util.c:649(show_msg)
  size=35
  smb_com=0x73
  smb_rcls=109
  smb_reh=0
  smb_err=49152
  smb_flg=136
  smb_flg2=51203
  smb_tid=0
  smb_pid=32156
  smb_uid=100
  smb_mid=3
  smt_wct=0
  smb_bcc=0
[2012/10/31 17:39:41.453722,  5] lib/util_sock.c:462(read_fd_with_timeout)
  read_fd_with_timeout: blocking read. EOF from client.
[2012/10/31 17:39:41.453753, 10] smbd/process.c:286(receive_smb_raw_talloc)
  receive_smb_raw: NT_STATUS_END_OF_FILE
[2012/10/31 17:39:41.453775,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2012/10/31 17:39:41.453914,  5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2012/10/31 17:39:41.453951, 5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2012/10/31 17:39:41.453983,  5] smbd/uid.c:369(change_to_root_user)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2012/10/31 17:39:41.454009,  3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2012/10/31 17:39:41.454077, 10] lib/dbwrap_tdb.c:100(db_tdb_fetch_locked)
  Locking key 1D4B0000FFFFFFFFFFFF
[2012/10/31 17:39:41.454106, 10] lib/dbwrap_tdb.c:129(db_tdb_fetch_locked)
  Allocated locked data 0x0x7f87f45cc5f0
[2012/10/31 17:39:41.454134, 10] lib/dbwrap_tdb.c:42(db_tdb_record_destr)
  Unlocking key 1D4B0000FFFFFFFFFFFF
[2012/10/31 17:39:41.454264,  3] smbd/server.c:924(exit_server_common)
  Server exit (failed to receive smb request)





And this is what log.winbind spits out:

[2012/10/31 17:43:09.223274,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 20
[2012/10/31 17:43:09.223356, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/10/31 17:43:09.223378, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
  [19232]: request interface version
[2012/10/31 17:43:09.223415, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[19232:INTERFACE_VERSION]: deliverd response to client
[2012/10/31 17:43:09.223477, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/10/31 17:43:09.223499, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
  [19232]: request location of privileged pipe
[2012/10/31 17:43:09.223546, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[19232:WINBINDD_PRIV_PIPE_DIR]: deliverd response to client
[2012/10/31 17:43:09.223596, 6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 20, client exited
[2012/10/31 17:43:09.223637,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 20
[2012/10/31 17:43:09.223677, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn DOMAIN_INFO
[2012/10/31 17:43:09.223698, 3] winbindd/winbindd_misc.c:244(winbindd_domain_info)
  [19232]: domain_info [DOMAIN]
[2012/10/31 17:43:09.223737, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[19232:DOMAIN_INFO]: deliverd response to client
[2012/10/31 17:43:09.224236, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn AUTH_CRAP
[2012/10/31 17:43:09.224273, 3] winbindd/winbindd_pam.c:1838(winbindd_pam_auth_crap)
  [19232]: pam auth crap domain: [DOMAIN] user: jakov.sosic
[2012/10/31 17:43:09.224294,  8] lib/util.c:1894(is_myname)
  is_myname("DOMAIN") returns 0
[2012/10/31 17:43:09.230954, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[19232:AUTH_CRAP]: deliverd response to client
[2012/10/31 17:43:09.231408, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 19232:PING
[2012/10/31 17:43:09.231437, 10] winbindd/winbindd.c:655(wb_request_done)
  wb_request_done[19232:PING]: NT_STATUS_OK
[2012/10/31 17:43:09.231472, 10] winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[19232:PING]: deliverd response to client
[2012/10/31 17:43:09.233042, 6] winbindd/winbindd.c:816(winbind_client_request_read)
  closing socket 20, client exited



The problem is that this exact configuration works OK on both Solaris 10 samba (3.5.8) and CentOS 5 samba3x (3.5.10), but refuses to work on CentOS 6 samba (3.5.10)...

Any ideas?


--
Jakov Sosic
www.srce.unizg.hr
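
Added example, not part of the original post and not Samba project code: a small Python parser for the "log level = 10" smbd output shown above that reduces it to the authentication steps that failed and their NT status. The function names and the sample (four entries copied from the log above, one left fused as mail wrapping delivered it) are choices made for this example.

```python
import re

# Header of a Samba 3.x debug entry: "[date time, level] file:line(function)".
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)[ \t]*")
# An auth step that failed: "<stage> for user [name] ... FAILED with error NT_STATUS_x".
FAILED = re.compile(r"(?P<what>.*?) for user \[(?P<user>[^\]]+)\].*?"
                    r"FAILED with error (?P<status>NT_STATUS_\w+)")


def parse_entries(text):
    """Split a log into entries. Headers are located anywhere in the text, so
    an entry fused with its message or with the next header still parses."""
    matches = list(HEADER.finditer(text))
    entries = []
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(text)
        msg = " ".join(text[m.end():end].split())  # collapse continuation lines
        entries.append({"ts": m["ts"], "level": int(m["level"]),
                        "func": m["func"], "msg": msg})
    return entries


def auth_failures(entries):
    """Return (timestamp, stage, user, NT status) for each failed auth step."""
    out = []
    for e in entries:
        f = FAILED.search(e["msg"])
        if f:
            stage = f["what"].split(":")[-1].strip()
            out.append((e["ts"], stage, f["user"], f["status"]))
    return out


# Sample: entries copied from the smbd log in the post (first one is fused).
SAMPLE = """
[2012/10/31 17:39:41.443837, 6] auth/auth_sam.c:556(check_samstrict_security) check_samstrict_security: DOMAIN is not one of my local names (ROLE_DOMAIN_MEMBER)
[2012/10/31 17:39:41.453023,  5] lib/username.c:110(Get_Pwnam_internals)
  Get_Pwnam_internals didn't find user [jakov.sosic]!
[2012/10/31 17:39:41.453141,  5] auth/auth.c:268(check_ntlm_password)
check_ntlm_password: winbind authentication for user [jakov.sosic] FAILED with error NT_STATUS_NO_SUCH_USER
[2012/10/31 17:39:41.453168,  2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [jakov.sosic] -> [jakov.sosic] FAILED with error NT_STATUS_NO_SUCH_USER
"""

if __name__ == "__main__":
    for row in auth_failures(parse_entries(SAMPLE)):
        print(*row, sep="  ")
```
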