Igor Belyi wrote:
Here's maybe even more relevant part of the log:
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 3 6 1 4 1 311 2 2 10 [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 2 840 48018 1 2 2 [2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444) Got OID 1 2 840 113554 1 2 2
This OID corresponds to Kerberos authentication... So, it could be the case that Samba is not compiled with Kerberos?..
Igor
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447) Got secblob of size 48 [2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498) Making default auth method list for security=ADS
If I interpret it correctly, then either KRB5 is not compiled in for this smbd or OID return by ADS does not require Kerberos authentication...
Igor
Greg Adams wrote:
That completely sucks!
kinit and klist seem to work:
*********************************************************************************************************
# kinit [EMAIL PROTECTED] Password for [EMAIL PROTECTED]: # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
10/20/04 09:20:13 10/20/04 19:20:14 krbtgt/[EMAIL PROTECTED]
renew until 10/21/04 09:20:13
*********************************************************************************************************
I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
*********************************************************************************************************
Here's my smb.conf: # cat smb.conf [global]
workgroup = EDSADDDM realm = EDSADDDM.DDM.APM.BPM.EDS.COM
server string = Maul Test Server
log level = 2
max log size = 100
security = ADS
local master = no
os level = 0
domain master = no
preferred master = no
wins server = 199.42.192.103 dns proxy = no
encrypt passwords = yes
idmap uid = 60000-70000 idmap gid = 80000-90000
winbind enum users = yes winbind enum groups = yes
winbind separator = +
winbind use default domain = no
[space]
comment = Space Partition Share
path = /space
writable = yes
browsable = yes
valid users = "EDSADDDM+imguser"
*********************************************************************************************************
So can anyone tell me what's causing Samba to use NTLM authentication instead of Kerberos? And how do I fix it?
Greg
On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
<[EMAIL PROTECTED]> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Greg Adams wrote:
| I tried to send a level 10 log from the moment of connection to the
| user that should be mapped touching a file, but the attachment was too
| large and the messages bounced, awaiting moderator approval. So
| instead, I'll try to post the sections I think are relevant here:
|
| searching for spnego and username.map led me to this section:
|
*********************************************************************************************************
| [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535) | Doing spnego session setup | [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566) | NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows | 2002 5.1] PrimaryDomain=[] | [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615) | Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24 | len2=24
NTLMSSP authentication here. Not kerberos. :-) So maybe you have 2 problems going on ? username map and kerberos....
| Scanning username map /opt/samba/lib/username.map | user_in_list: checking user imguser in list | user_in_list: checking user |imguser| against |EDSADDDM+imguser| | make_user_info_map: Mapping user [EDSADDDM]\[imguser] from | workstation [MULE]
cheers, jerry -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFBdo31IR7qMdg1EfYRAsQxAKDPJvHy9xEcDFj2vs206GRyQ3nkdgCffYBy zU0nasCPyhoO9pfobcZDpIo= =YogI -----END PGP SIGNATURE-----
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
