This is a discussion on [Samba] Samba server as part of AD domain keeps asking for username and password within the Samba forums, part of the Networking and Network Related category.
Hello all,
I'm trying to set up my samba server rev 3.2.3 on opensuse 10.3 as a member of the active directory domain, so that client connections can be authenticated by the AD server. Unfortunately when I try to connect to the samba server from a windows XP system, it keeps on asking me for user name and password. I've been reading through various howto's and descriptions but no matter what I change on the settings I still get the same result. The samba server keeps on asking me for username and password. :( So hopefully someone can help me out with this.

Here is my config:

    [libdefaults]
    default_realm = TESTDOM.ORG
    clockskew = 300
    #dns_lookup_realm = false
    #dns_lookup_kdc = false

    [realms]
    TESTDOM.ORG = {
    kdc = SRV.testdom.org
    }

    [domain_realms]
    ..testdom.org = TESTDOM.ORG

    [logging]
    default = FILE:/var/log/krb5/krb5libs.log
    kdc = FILE:/var/log/krb5/kdc.log
    kadmind = FILE:/var/log/krb5/kadmind.log

With this config I can execute the kinit command and get a ticket which I can view with klist.

Here is the smb.conf file:

    [global]
    workgroup = TESTDOM
    netbios name = jaguar
    realm = TESTDOM.ORG
    idmap uid = 100000-1000000
    idmap gid = 100000-1000000
    security = ads
    encrypt passwords = yes
    password server = 10.88.36.6
    client use spnego = yes
    Client ntlmv2 auth = yes
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50
    template shell = /bin/bash
    template homedir = /home/%U
    winbind enum users = yes
    winbind enum groups = yes
    preferred master = No
    local master = No
    domain master = No
    printing = cups
    cups options = raw
    print command =
    lpq command = %p
    lprm command =

    [woma]
    comment = test folder for ads
    path = /home/woma
    browseable = yes
    read only = No
    guest ok = no
    create mask = 0770
    directory mask = 0770

(/home/woma is set to chmod 777)

With this config I am able to execute wbinfo -u and get a list of users. But I have to execute it a few times until I see the list. Is this normal? However I am able to map a sid to a user and do other queries for user information with wbinfo.

I guess this is all I need so far. Now if I open explorer on the windows box and enter \\jaguar I get the user name and password prompt all the time. Also entering username and password won't change anything. The log file says 'invalid user' which I believe is the problem. But why?????

    [2008/08/29 11:40:00, 3] smbd/negprot.c:reply_nt1(364)
      using SPNEGO
    [2008/08/29 11:40:00, 3] smbd/negprot.c:reply_negprot(606)
      Selected protocol NT LM 0.12
    [2008/08/29 11:40:00, 3] smbd/process.c:process_smb(1069)
      Transaction 1 of length 1668
    [2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
      switch message SMBsesssetupX (pid 21191) conn 0x0
    [2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
      wct=12 flg2=0xc807
    [2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
      Doing spnego session setup
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
      NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
      reply_spnego_negotiate: Got secblob of size 1436
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
      Ticket name is [AWM013@TESTDOM.ORG]
    [2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
      Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is
    [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
      error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2008/08/29 11:40:00, 3] smbd/process.c:process_smb(1069)
      Transaction 2 of length 1668
    [2008/08/29 11:40:00, 3] smbd/process.c:switch_message(927)
      switch message SMBsesssetupX (pid 21191) conn 0x0
    [2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
      wct=12 flg2=0xc807
    [2008/08/29 11:40:00, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
      Doing spnego session setup
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
      NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
      reply_spnego_negotiate: Got secblob of size 1436
    [2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
      Ticket name is [AWM013@TESTDOM.ORG]
    [2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
      Username TESTDOM\AWM013 is invalid on this system
    [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
      error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    [2008/08/29 11:40:00, 3] smbd/process.c:timeout_processing(1329)
      timeout_processing: End of file from client (client has disconnected).
    [2008/08/29 11:40:00, 3] smbd/sec_ctx.c:set_sec_ctx(241)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2008/08/29 11:40:00, 3] smbd/connection.c:yield_connection(69)
      Yielding connection to
    [2008/08/29 11:40:00, 3] smbd/server.c:exit_server_common(768)
      Server exit (normal exit)

Below is a smbclient debug. It fails at the spnego but for what reason?

    prinz:~ # smbclient -d 4 -U awm013 -W TESTDOM -L jaguar
    lp_load: refreshing parameters
    Initialising global parameters
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    doing parameter workgroup = TESTDOM
    doing parameter printing = cups
    doing parameter printcap name = cups
    doing parameter printcap cache time = 750
    doing parameter cups options = raw
    doing parameter map to guest = Bad User
    doing parameter usershare allow guests = Yes
    doing parameter passdb backend = smbpasswd
    pm_process() returned Yes
    added interface ip=192.168.230.30 bcast=192.168.230.255 nmask=255.255.255.0
    added interface ip=10.88.35.136 bcast=10.88.35.255 nmask=255.255.255.0
    added interface ip=192.168.200.4 bcast=192.168.200.255 nmask=255.255.255.0
    added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
    Client started (version 3.0.26a-3.7-1787-SUSE-SL10.3).
    Connecting to 10.88.35.133 at port 445
    session request ok
    Password:
    Doing spnego session setup (blob length=107)
    got OID=1 2 840 113554 1 2 2
    got OID=1 2 840 48018 1 2 2
    got OID=1 3 6 1 4 1 311 2 2 10
    got principal=cifs/jaguar.testdom.org@TESTDOM.ORG
    Got challenge flags:
    Got NTLMSSP neg_flags=0x60898215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_CHAL_TARGET_INFO
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
      NTLMSSP_NEGOTIATE_UNICODE
      NTLMSSP_REQUEST_TARGET
      NTLMSSP_NEGOTIATE_SIGN
      NTLMSSP_NEGOTIATE_NTLM
      NTLMSSP_NEGOTIATE_ALWAYS_SIGN
      NTLMSSP_NEGOTIATE_NTLM2
      NTLMSSP_NEGOTIATE_128
      NTLMSSP_NEGOTIATE_KEY_EXCH
    SPNEGO login failed: Logon failure
    session setup failed: NT_STATUS_LOGON_FAILURE

Thanks for any help on this.

Wolfgang

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Hello Wolfgang,

> [woma]
> comment = test folder for ads
> path = /home/woma
> browseable = yes
> read only = No
> guest ok = no
> create mask = 0770
> directory mask = 0770

guest ok = no -> Result is you have to authenticate if you want to access this share!

So you have to define a "valid user" list:

valid user = DOMAIN\user or @DOMAIN\group or both!

The \ between DOMAIN and user or group is given by the parameter:

winbind separator = ....

Default is: \

If you set "guest ok = yes" then I am sure you will have no user/password prompt! Then you don't need a "valid user = .." list.

bye,
Andy
Hi Andy,
Thanks for the answer but I've tried this already.

With
guest ok = yes
And/or
valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013

I haven't set the winbind separator so it should be ok to use \

And also with guest ok = yes I still get the password prompt.

Thanks
Wolfgang

-----Original Message-----
From: samba-bounces+wolfgang.mair=emerson.com@lists.samba.org [mailto:samba-bounces+wolfgang.mair=emerson.com@lists.samba.org] On Behalf Of Andreas Ladanyi
Sent: Thursday, 4 September 2008 13:08
To: samba@lists.samba.org
Subject: [Samba] Re: Samba server as part of AD domain keeps asking for username and password

Hello Wolfgang,

> [woma]
> comment = test folder for ads
> path = /home/woma
> browseable = yes
> read only = No
> guest ok = no
> create mask = 0770
> directory mask = 0770

guest ok = no -> Result is you have to authenticate if you want to access this share!

So you have to define a "valid user" list:

valid user = DOMAIN\user or @DOMAIN\group or both!

The \ between DOMAIN and user or group is given by the parameter:

winbind separator = ....

Default is: \

If you set "guest ok = yes" then I am sure you will have no user/password prompt! Then you don't need a "valid user = .." list.

bye,
Andy
Wolfgang.Mair@Emerson.com wrote:

> Hi Andy,
>
> Thanks for the answer but I've tried this already.
>
> With
> guest ok = yes
> And/or
> valid users = TESTDOM\awm013 awm013 testdom\awm013 AWM013
>
> I haven't set the winbind separator so it should be ok to use \
>
> And also with guest ok = yes I still get the password prompt.
>
> Thanks
> Wolfgang

Hi Wolfgang,

The error message is:

    Username TESTDOM\AWM013 is invalid on this system <-------------------- There it is
    [2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
      error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

The username is invalid !!

Is AWM013 really a user with unix attributes in the Active Directory ?

You are working with winbind. Which backend do you use to save your unix user information ? Windows Server 2003 R2 ?

I am wondering, I can't read an "idmap backend = " parameter in your smb.conf !

What is the result of "wbinfo -u" and "wbinfo -g" and "wbinfo -t" ???????

Bye,
Andy
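An added example, not part of the original thread: the smbd log posted above shows the Kerberos ticket name being logged, then the mapped username being rejected as invalid on this system, then NT_STATUS_LOGON_FAILURE. The Python below extracts that sequence from a level-3 smbd log so it can be told apart from a failure where no ticket was decoded; the sample records are copied from the thread, and the cause labels `unix-account-lookup` and `unclassified` are names chosen here.

```python
import re

# Constructed sample: records taken from the log in the thread, laid out one
# record per header line with the message indented beneath it.
SAMPLE_LOG = """\
[2008/08/29 11:40:00, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [AWM013@TESTDOM.ORG]
[2008/08/29 11:40:00, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username TESTDOM\\AWM013 is invalid on this system
[2008/08/29 11:40:00, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""

# A record starts at "[YYYY/MM/DD hh:mm:ss, level] "; splitting on that also
# handles logs pasted as one long line.
RECORD_START = re.compile(r"(?=\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\] )")
HEADER = re.compile(r"\[(?P<ts>[^,]+),\s*(?P<lvl>\d+)\] (?P<src>\S+)\s*")
TICKET = re.compile(r"Ticket name is \[(?P<principal>[^\]]+)\]")
INVALID = re.compile(r"Username (?P<user>\S+) is invalid on this system")
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")


def parse_records(text):
    """Yield (timestamp, source, message) for every smbd log record in text."""
    for chunk in RECORD_START.split(text):
        m = HEADER.match(chunk)
        if m:
            yield m["ts"], m["src"], " ".join(chunk[m.end():].split())


def triage(text):
    """Return one finding per failed session setup, with a likely cause."""
    findings, principal, user = [], None, None
    for ts, _src, msg in parse_records(text):
        if m := TICKET.search(msg):
            principal, user = m["principal"], None
        elif m := INVALID.search(msg):
            user = m["user"]
        elif (m := STATUS.search(msg)) and m[0] != "NT_STATUS_OK":
            # Ticket decoded but the name did not resolve to a local account:
            # the Kerberos step worked and the Unix user lookup failed.
            cause = "unix-account-lookup" if principal and user else "unclassified"
            findings.append({"time": ts, "principal": principal, "user": user,
                             "status": m[0], "cause": cause})
            principal = user = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
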