Igor Belyi wrote:

Igor Belyi wrote:

Here's maybe even more relevant part of the log:

[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 3 6 1 4 1 311 2 2 10
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 48018 1 2 2
[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(444)
 Got OID 1 2 840 113554 1 2 2
This OID corresponds to Kerberos authentication... So, it could be the case that Samba is not compiled with Kerberos?..
No, wait! Samba checks only the first OID! And this is the reason for NTLM!
Here's the comment from source/smbd/sesssetup.c:

       /* only look at the first OID for determining the mechToken --
          accoirding to RFC2478, we should choose the one we want
          and renegotiate, but i smell a client bug here..

          Problem observed when connecting to a member (samba box)
          of an AD domain as a user in a Samba domain.  Samba member
          server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
          client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
          NTLMSSP mechtoken.                 --jerry              */

Jerry, that's your comment, right? :)

Igor

[2004/10/18 08:08:04, 3] smbd/sesssetup.c:reply_spnego_negotiate(447)
 Got secblob of size 48
[2004/10/18 08:08:04, 5] auth/auth.c:make_auth_context_subsystem(498)
 Making default auth method list for security=ADS

If I interpret it correctly, then either KRB5 is not compiled in for this smbd or OID return by ADS does not require Kerberos authentication...

Igor
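
An added example (not Samba code, not from anyone in this thread) that decodes a SPNEGO mechTypes list and contrasts the "first OID decides" shortcut in the quoted smbd comment with a negotiated choice. The DER bytes are constructed in the order the 2ksp3 client sent (ntlmssp/mskrb5/krb5), and the server preference order krb5/mskrb5/ntlmssp is an assumption taken from what Samba advertised.

```python
# Added example: decode a SPNEGO mechTypes list and compare the "first OID
# wins" shortcut from the quoted smbd comment with a negotiated choice.
MECH_NAMES = {  # the three OIDs seen in the level-3 log above
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
}
# Assumed server preference: krb5 / mskrb5 / ntlmssp, as Samba advertised.
SERVER_PREFERENCE = ["1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2",
                     "1.3.6.1.4.1.311.2.2.10"]
# Constructed DER SEQUENCE OF OID in the order the 2ksp3 client sent.
CLIENT_MECH_TYPES = bytes.fromhex(
    "3022"                        # SEQUENCE, 34 content bytes
    "060a2b06010401823702020a"    # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)
    "06092a864882f712010202"      # 1.2.840.48018.1.2.2    (MS KRB5)
    "06092a864886f712010202"      # 1.2.840.113554.1.2.2   (KRB5)
)

def decode_oid(content):
    """Content bytes of a DER OBJECT IDENTIFIER -> dotted string."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_mech_types(der):
    """Parse a short-form DER SEQUENCE OF OID into dotted strings."""
    if der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected SEQUENCE with length < 128")
    pos, end, oids = 2, 2 + der[1], []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER at %d" % pos)
        length = der[pos + 1]
        oids.append(decode_oid(der[pos + 2:pos + 2 + length]))
        pos += 2 + length
    return oids

def select_negotiated(client_mechs, server_prefs=SERVER_PREFERENCE):
    """Server's most preferred mechanism present in the client's list.
    The smbd shortcut is simply client_mechs[0]. Returns (mech, renegotiate):
    the NegTokenInit mechToken belongs to client_mechs[0], so any other
    pick costs a further round trip, which is the renegotiation Jerry's
    comment refers to."""
    for mech in server_prefs:
        if mech in client_mechs:
            return mech, mech != client_mechs[0]
    return None, False
```

With the client list above, the first OID is NTLMSSP, which is exactly why the log shows an NTLMSSP mechtoken even though both sides support Kerberos.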

Greg Adams wrote:

That completely sucks!

kinit and klist seem to work:
*********************************************************************************************************


# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting Expires Service principal
10/20/04 09:20:13 10/20/04 19:20:14 krbtgt/[EMAIL PROTECTED]
renew until 10/21/04 09:20:13
*********************************************************************************************************


I don't have a krb5.conf to screw things up, on the recommendation of
either the Official Samba Howto or the By Example document.
*********************************************************************************************************


Here's my smb.conf:
# cat smb.conf
[global]

      workgroup = EDSADDDM
      realm = EDSADDDM.DDM.APM.BPM.EDS.COM

      server string = Maul Test Server

      log level = 2

      max log size = 100

      security = ADS

      local master = no

      os level = 0

      domain master = no

      preferred master = no

      wins server = 199.42.192.103
      dns proxy = no

      encrypt passwords = yes

      idmap uid = 60000-70000
      idmap gid = 80000-90000

      winbind enum users = yes
      winbind enum groups = yes

      winbind separator = +

      winbind use default domain = no

[space]
      comment = Space Partition Share
      path = /space
      writable = yes
      browsable = yes
      valid users = "EDSADDDM+imguser"
*********************************************************************************************************


So can anyone tell me what's causing Samba to use NTLM authentication
instead of Kerberos? And how do I fix it?

Greg

On Wed, 20 Oct 2004 11:10:29 -0500, Gerald (Jerry) Carter
<[EMAIL PROTECTED]> wrote:


Greg Adams wrote:
| I tried to send a level 10 log from the moment of connection to the
| user that should be mapped touching a file, but the attachment was too
| large and the messages bounced, awaiting moderator approval. So
| instead, I'll try to post the sections I think are relevant here:
|
| searching for spnego and username.map led me to this section:
|
*********************************************************************************************************


| [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
|   Doing spnego session setup
| [2004/10/18 08:19:25, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
|   NativeOS=[Windows 2002 Service Pack 1 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
| [2004/10/18 08:19:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
|   Got user=[imguser] domain=[EDSADDDM] workstation=[MULE] len1=24
|   len2=24

NTLMSSP authentication here.  Not kerberos.  :-)  So maybe you have
2 problems going on ?  username map and kerberos....

|   Scanning username map /opt/samba/lib/username.map
|   user_in_list: checking user imguser in list
|   user_in_list: checking user |imguser| against |EDSADDDM+imguser|
|   make_user_info_map: Mapping user [EDSADDDM]\[imguser] from
|      workstation [MULE]

cheers, jerry