Thanks Alex. I'm not using winbind, just kerberos and LDAP and I have in all cases tried both domain\username as well as username.
Here's a better dump of the ip log that happens on a failed login attempt that seems to show that the authentication is OK from os x:

[2010/02/20 13:13:17, 3] smbd/process.c:1453(process_smb)
  Transaction 2 of length 366 (0 toread)
[2010/02/20 13:13:17, 3] smbd/process.c:1272(switch_message)
  switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
  NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
[2010/02/20 13:13:17, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19, 3] smbd/oplock.c:911(init_oplocks)
  init_oplocks: initializing messages.
[2010/02/20 13:13:19, 3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2010/02/20 13:13:19, 3] smbd/process.c:1453(process_smb)
  Transaction 0 of length 51 (0 toread)
[2010/02/20 13:13:19, 3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:19, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:19, 3] smbd/negprot.c:567(reply_negprot)
  Requested protocol [NT LM 0.12]
[2010/02/20 13:13:19, 3] smbd/negprot.c:387(reply_nt1)
  using SPNEGO
[2010/02/20 13:13:19, 3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LM 0.12
[2010/02/20 13:13:21, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:21, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/02/20 13:13:21, 3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)

------

what's weird is that there's no sign of the login in auth.log only the test via windows client a few seconds before:

Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session closed for user grant

after that nothing...

On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara <a...@receptiveit.com.au> wrote:

> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
> on Ubuntu 9.10
>
> Try using domain\username for the username
>
> To me, it appears to be a bug in winbind not using the default domain, but
> I could be wrong.
>
> Sent from my iPhone
>
>
> On 20/02/2010, at 8:29 PM, grant little <grantlid...@gmail.com> wrote:
>
>> Hello,
>> having spent many hours scouring archives, docs, books and googling without
>> finding an answer I need to ask your help on this.
>>
>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can login
>> to the share from windows clients but the same users are denied access when
>> connecting from OS X via GO/Connect To Server in format
>> smb://fqdnofserver
>>
>> user authentication is to active directory using kerberos and LDAP and am
>> not running winbind
>>
>> pam.d/samba is set to allow smb logins, that is shell logins are not
>> permitted for active directory authenticated users. here's that snippet:
>> # /etc/pam.d/samba
>> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
>> account sufficient pam_ldap.so use_first_pass
>> session sufficient pam_ldap.so
>>
>>
>> I have tested my configs on samba 3.0.33 on CENTOS and it works fine there
>> for both OS X and windows
>>
>> the share is setup on
>> /shares/asgs
>> with these permissions:
>> drwxrwsrwx 8 root root 87 2010-02-20 00:17 shares
>> drwxrws--- 2 grant ASGSFileUsers 18 2010-02-20 00:21 asgs
>>
>> here's smb.conf:
>> [global]
>> unix extensions = no
>> disable spoolss = Yes
>> disable netbios = yes
>> name resolve order = hosts
>> workgroup = AD
>> realm = AD.UCSD.EDU
>> server string = %h server (Samba, Ubuntu)
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> syslog = 0
>> log level = 3
>> panic action = /usr/share/samba/panic-action %d
>> security = ads
>> encrypt passwords = true
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> pam password change = no
>> map to guest = bad user
>> usershare allow guests = no
>> [asgs]
>> comment = ASGS
>> path = /shares/asgs
>> browsable = Yes
>> valid users = @ad\ASGSFileUsers
>> write list = @ad\ASGSFileUsers
>> create mask = 2660
>> directory mask = 2770
>>
>> The tail n20 of the log of the connecting ip shows this for an OS X attempt:
>> [2010/02/20 00:56:16, 3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>>   Linux kernel oplocks enabled
>> [2010/02/20 00:56:16, 3] smbd/process.c:1453(process_smb)
>>   Transaction 0 of length 51 (0 toread)
>> [2010/02/20 00:56:16, 3] smbd/process.c:1272(switch_message)
>>   switch message SMBnegprot (pid 5658) conn 0x0
>> [2010/02/20 00:56:16, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 00:56:16, 3] smbd/negprot.c:567(reply_negprot)
>>   Requested protocol [NT LM 0.12]
>> [2010/02/20 00:56:16, 3] smbd/negprot.c:387(reply_nt1)
>>   using SPNEGO
>> [2010/02/20 00:56:16, 3] smbd/negprot.c:672(reply_negprot)
>>   Selected protocol NT LM 0.12
>> [2010/02/20 00:56:18, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 00:56:18, 3] smbd/connection.c:31(yield_connection)
>>   Yielding connection to
>> [2010/02/20 00:56:18, 3] smbd/server.c:848(exit_server_common)
>>   Server exit (failed to receive smb request)
>>
>>
>>
>> Hope someone can give me a pointer where to look next or what to tweak. Let
>> me know if you need other log snippets.
>>
>> Thanks,
>> Grant
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
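
Added example, not part of the original thread: one way to check the observation above mechanically, by pairing each NTLMSSP session setup in the smbd log with a PAM session open in auth.log and listing the attempts that have none. The function names, the 10-second window and the assumption that PAM logs the same short user name as the NTLMSSP message are choices made for this sketch; the sample lines are copied from the message above.

```python
import re
from datetime import datetime

# Samba entry header: "[YYYY/MM/DD HH:MM:SS, level] file.c:line(function)"; the
# message runs until the next header, so this works on wrapped or flattened logs.
SMB_RE = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+[^\s(]+\((\w+)\)"
                    r"\s*(.*?)(?=\[\d{4}/\d\d/\d\d |\Z)", re.S)
USER_RE = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")
PAM_RE = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smbd\[\d+\]: "
                    r"pam_\w+\(samba:session\): session opened for user (\S+)")

def ntlmssp_attempts(smb_log):
    """(time, user, domain) for each NTLMSSP authenticate message smbd logged."""
    found = []
    for stamp, func, msg in SMB_RE.findall(smb_log):
        m = USER_RE.search(msg)
        if func == "ntlmssp_server_auth" and m:
            found.append((datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S"), m[1], m[2]))
    return found

def pam_sessions(auth_log, year):
    """(time, user) for each samba PAM session open; syslog omits the year."""
    return [(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), user)
            for stamp, user in PAM_RE.findall(auth_log)]

def attempts_without_session(smb_log, auth_log, year, window=10):
    """Attempts with no PAM session for that user in the `window` seconds after."""
    sessions = pam_sessions(auth_log, year)
    return [(t, user, dom) for t, user, dom in ntlmssp_attempts(smb_log)
            if not any(u == user and 0 <= (s - t).total_seconds() <= window
                       for s, u in sessions)]

# Sample lines copied from the message above.
SMB_LOG = """[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2010/02/20 13:13:17, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:21, 3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
"""
AUTH_LOG = """Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session closed for user grant
"""

if __name__ == "__main__":
    for t, user, dom in attempts_without_session(SMB_LOG, AUTH_LOG, 2010):
        print(f"{t} {dom}\\{user}: session setup seen, no PAM session followed")
```

The `Got user=` entry records the name the client presented in its NTLMSSP message; the PAM session line is the later evidence that smbd went on to open a session for that user.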