I tried that. After upgrading Samba yesterday using Gentoo's emerge facility, due to the vulnerability listed at http://www.samba.org/samba/security/CVE-2008-1105.html and http://www.gentoo.org/security/en/glsa/glsa-200805-23.xml, the authentication of AD users has ceased working.

krb5.conf
[libdefaults]
        default_realm = UTAH.EDU

[realms]
        UTAH.EDU = {
                kdc = 155.99.1.95
                default_domain = scl.utah.edu
        }

[domain_realm]
        .utah.edu = UTAH.EDU
        utah.edu = UTAH.EDU
        scl.utah.edu = UTAH.EDU

[logging]
        default = FILE:/var/log/krb5.log

[appdefaults]
        pam = {
                ticket_lifetime = 365d
                renew_lifetime = 365d
                forwardable = true
                proxiable = false
                retain_after_close = true
                minimum_uid = 0
        }

smb.conf
[global]
        workgroup = SCL
        realm = SCL.UTAH.EDU
        server string = valhalla.scl.utah.edu
        netbios name = valhalla

        password server = *
        encrypt passwords = true
        security = ads

        lanman auth = no
        ntlm auth = no

        os level = 20

        allow trusted domains = yes
        auth methods = winbind

        ldap ssl = no
        ldap suffix = dc=scl,dc=utah,dc=edu

        interfaces = eth0, lo
        bind interfaces only = yes
        socket options = TCP_NODELAY

        log level = 20
        log file = /var/log/samba/log.%m
        max log size = 50

        client signing = yes
        client schannel = no
        client use spnego = yes
        client lanman auth = no
        client NTLMv2 auth = yes
        client plaintext auth = no

        preferred master = no
        local master = no
        domain master = no
        wins proxy = no
        dns proxy = No

        obey pam restrictions = yes

        template shell = /bin/bash
        nt acl support = yes
        inherit permissions = yes
        create mask = 0022
        template homedir = /home/samba/%U

        winbind uid = 1000-2000000
        winbind gid = 500-2000000
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind nested groups = yes
        winbind use default domain = yes
        winbind offline logon = true
#       winbind nss info = sfu
        winbind nss info = rfc2307

        idmap uid = 1000-2000000
        idmap gid = 500-2000000
        idmap domains = SCL
        idmap config SCL:backend = ad
        idmap config SCL:default = yes
#        idmap config SCL:schema_mode = sfu
        idmap config SCL:schema_mode = rfc2307
        idmap config SCL:range = 1000 - 300000000

Enumerating users, enumerating groups, SID to UID conversion, and lookup of user information using getent and wbinfo all work.

Here is some abbreviated log data:
%> tail -f /var/log/samba/log.* | grep smb
[2008/06/03 07:02:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue Jun 3 06:32:45 2008
  make_user_info_map: Mapping user [VALHALLA]\[smb] from workstation [LOKI]
  attempting to make a user_info for smb (smb)
  making strings for smb's user_info struct
  making blobs for smb's user_info struct
  made an encrypted user_info for smb (smb)
check_ntlm_password: Checking password for unmapped user [EMAIL PROTECTED] with the new password interface
  check_ntlm_password:  mapped user is: [EMAIL PROTECTED]
check_ntlm_password: Authentication for user [smb] -> [smb] FAILED with error NT_STATUS_NO_SUCH_USER
  structure was created for smb
[2008/06/03 07:02:36, 3] smbd/error.c:error_packet_set(106)
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

As you can see from the logs, it is showing the message NT_STATUS_NO_SUCH_USER even though wbinfo -i smb works and shows the user account in Active Directory.

I did however notice this odd entry in the logs as well:
  Attempting to register auth backend smbserver
[2008/06/03 07:02:36, 5] auth/auth.c:smb_register_auth(59)
  Successfully added auth method 'smbserver'

Not sure if the auth method being 'smbserver' is accurate or not. Any help, pointers etc. is greatly appreciated.

Robert Mattson wrote:
Gentlemen,

The following links may or may not be of help.

http://bugs.gentoo.org/show_bug.cgi?id=224201
http://lists.samba.org/archive/samba/2008-June/141041.html


.....
clipped
.....


net-fs/samba-3.0.30 but not the PDC. No problems so far with that.

John

--
Jas
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
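The posted log and smb.conf line up in a way that is easy to miss when reading by eye: the client LOKI presents the user as [VALHALLA]\[smb], i.e. with the server's own NetBIOS name as the domain rather than the joined workgroup SCL, and the server has an explicit `auth methods = winbind`, which replaces smbd's default chain for `security = ads` (`guest sam winbind`, per smb.conf(5)) with winbind alone. The script below is an added diagnostic written for this thread, not code from the thread or from Samba: it parses the [global] section of an smb.conf and the user-mapping and authentication-result lines of an smbd log, then reports those two facts as findings. The smb.conf fragment and log lines embedded in it are constructed from what the poster pasted above (the obfuscated e-mail-like line is omitted); the finding codes and the `diagnose` logic are the example's own, and it makes no claim about what the eventual fix in the thread was.

```python
import re

# Constructed from the smb.conf posted in the thread: only the parameters this
# check reads (all names are the poster's own).
SMB_CONF = r"""
[global]
        workgroup = SCL
        realm = SCL.UTAH.EDU
        netbios name = valhalla
        security = ads
        auth methods = winbind
        winbind use default domain = yes
        winbind separator = +
"""

# Constructed from the log excerpt in the thread; the line with the obfuscated
# user@domain string is left out, nothing else is changed.
SMBD_LOG = r"""
[2008/06/03 07:02:36, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  make_user_info_map: Mapping user [VALHALLA]\[smb] from workstation [LOKI]
  attempting to make a user_info for smb (smb)
check_ntlm_password: Authentication for user [smb] -> [smb] FAILED with error NT_STATUS_NO_SUCH_USER
error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# Default auth chain smbd uses when 'auth methods' is not set (smb.conf(5)).
DEFAULT_AUTH_METHODS = {
    "ads": ["guest", "sam", "winbind"],
    "domain": ["guest", "sam", "winbind"],
    "user": ["guest", "sam"],
}


def parse_smb_conf(text):
    """Return the [global] parameters as a dict; keys lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.split()).lower()] = value.strip()
    return params


MAP_RE = re.compile(r"Mapping user \[([^\]]*)\]\\\[([^\]]*)\] from workstation \[([^\]]*)\]")
FAIL_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")


def parse_smbd_log(text):
    """Pull the user-mapping and authentication-result lines out of an smbd log."""
    events = []
    for line in text.splitlines():
        m = MAP_RE.search(line)
        if m:
            events.append({"kind": "map", "domain": m.group(1), "user": m.group(2), "workstation": m.group(3)})
            continue
        m = FAIL_RE.search(line)
        if m:
            events.append({"kind": "fail", "user": m.group(1), "mapped": m.group(2), "status": m.group(3)})
    return events


def diagnose(params, events):
    """Return a list of (code, message) findings; an empty list means nothing suspicious."""
    findings = []
    workgroup = params.get("workgroup", "").upper()
    netbios = params.get("netbios name", "").upper()
    security = params.get("security", "user").lower()
    explicit = "auth methods" in params
    methods = params["auth methods"].split() if explicit else DEFAULT_AUTH_METHODS.get(security, [])

    for ev in events:
        # Login names this server itself as the domain instead of the joined workgroup.
        if ev["kind"] == "map" and netbios and ev["domain"].upper() == netbios and netbios != workgroup:
            findings.append(("LOCAL_DOMAIN",
                             f"client {ev['workstation']} presented user {ev['user']!r} with domain "
                             f"{ev['domain']} (this server's own NetBIOS name), not workgroup {workgroup}"))
        # NO_SUCH_USER while no auth method in the chain consults the local SAM.
        if ev["kind"] == "fail" and ev["status"] == "NT_STATUS_NO_SUCH_USER" and "sam" not in methods:
            origin = "explicit" if explicit else f"default for security = {security}"
            findings.append(("NO_SAM_METHOD",
                             f"{ev['status']} for {ev['user']!r}: auth chain is {methods} ({origin}); "
                             "no 'sam' method, so an account looked up in this server's local SAM cannot be found"))
    return findings


if __name__ == "__main__":
    for code, message in diagnose(parse_smb_conf(SMB_CONF), parse_smbd_log(SMBD_LOG)):
        print(f"{code}: {message}")
```

Run against the poster's own excerpt it reports both findings; dropping the `auth methods` line from the fragment leaves only LOCAL_DOMAIN, because the default chain for `security = ads` includes `sam`. To use it on a live box, replace the two constants with the contents of /etc/samba/smb.conf and a `log level = 3` (or higher) smbd log; the message lines it matches are the ones shown in the thread.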
