Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L
In addition to my last email (the one with my smb.conf)
I also found out that:
if I connect the share using \\\
I get access to the share after NTLM has been used.
and
if I connect using \\\
I get access denied (NTLM is still used...)

> Nir L wrote:
> 
> | smb.conf:
> | security = ADS
> | I also configured /etc/krb5.conf and used net ads join
> | - successfully.
> |
> | However, I can see that NTLM is the chosen protocol for
> | each client machine (WinXP) accessing samba, and kerberos
> | is not used (from the log):
> | using SPNEGO
> | Selected protocol NT LM 0.12
> 
> This is the smb protocol dialect and has nothing to do
> with the authentication chosen (not directly at least).
> 
> | even though I tried to set "client use spnego = no"
> 
> That applies only to Samba's client code and not the
> capability bits set by the server when replying to
> clients.  Besides, you really should not disable spnego.
> Generally if it doesn't work it would be considered a bug.
> 
> | How can I force samba to use kerberos ?
> 
> Look for the SPNEGO communication in the level 10 log.
> Hint: search for the string 'OID' and see what mechanism
> is being negotiated.
> 
> cheers, jerry
> - -
> Alleviating the pain of Windows(tm)  --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L

> Nir L wrote:
>
> | smb.conf:
> | security = ADS
> | I also configured /etc/krb5.conf and used net ads join
> | - successfully.
> |
> | However, I can see that NTLM is the chosen protocol for
> | each client machine (WinXP) accessing samba, and kerberos
> | is not used (from the log):
> | using SPNEGO
> | Selected protocol NT LM 0.12
>
> This is the smb protocol dialect and has nothing to do
> with the authentication chosen (not directly at least).
>
> | even though I tried to set "client use spnego = no"
>
> That applies only to Samba's client code and not the
> capability bits set by the server when replying to
> clients.  Besides, you really should not disable spnego.
> Generally if it doesn't work it would be considered a bug.
>
> | How can I force samba to use kerberos ?
>
> Look for the SPNEGO communication in the level 10 log.

I tried...
I finally got "not using SPNEGO", but still - got
Using protocol NT LM 0.12 after the SPNEGO message.

> Hint: search for the string 'OID' and see what mechanism

no OID strings in my log.

> is being negotiated.

here is my smb.conf.
[global]
workgroup = domain2003
netbios name = defconn2Logs
server string = Major Samba
encrypt passwords = Yes
log level = 10
log file = /var/samba/logs/log.%m
lock dir = /var/samba/locks
pid directory = /var/run
max log size = 5
preferred master = False
local master = No
domain master = False
dns proxy = No
guest account = pacifsconn
create mask = 0775
dead time = 15
debug pid = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
oplocks = Yes
kernel oplocks = Yes
level2 oplocks = Yes
defer sharing violations = No
name resolve order = lmhosts wins bcast host
debug hires timestamp = Yes
wins server = 192.168.41.108
realm = DOMAIN2003.com
security = ADS
domain logons = No
client use spnego = No
use spnego = No
map to guest = bad password
map hidden = Yes
map system = Yes
force group = 1
bind interfaces only = Yes
interfaces = 192.168.41.139
smb passwd file = /var/samba/private/
private dir = /var/samba/private
winbind separator = +
idmap uid = 1-3
idmap gid = 1-3
winbind enum users = Yes
winbind enum groups = Yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
use sendfile = No
strict locking = Yes
disable spoolss = Yes
mangling method = hash2

[Logs]
comment = Share for Logs
path = /var/log
browseable = Yes
read only = Yes
available = Yes
writeable = No
valid users = NONE EXCEPT  domain2003+user2
map archive = Yes
hide dot files = No
directory mask = 751
dos filemode = Yes

and part of the logfile:
challenge is:
[2004/12/06 20:03:36.498409, 5, pid=4142] lib/util.c:dump_data(1899)
  [000] AB 02 01 6F AA E3 15 2F   ...o.../
[2004/12/06 20:03:36.498603, 3, pid=4142] smbd/negprot.c:reply_nt1(327)
  not using SPNEGO
[2004/12/06 20:03:36.498710, 3, pid=4142] smbd/negprot.c:reply_negprot(549)
  Selected protocol NT LM 0.12
[2004/12/06 20:03:36.498811, 5, pid=4142] smbd/negprot.c:reply_negprot(555)
  negprot index=5
[2004/12/06 20:03:36.498918, 5, pid=4142] lib/util.c:show_msg(461)
[2004/12/06 20:03:36.498982, 5, pid=4142] lib/util.c:show_msg(471)
  size=99
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=49153
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=0
  smt_wct=17
  smb_vwv[ 0]=5 (0x5)
  smb_vwv[ 1]=12803 (0x3203)
  smb_vwv[ 2]=  256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]=   65 (0x41)
  smb_vwv[ 5]=0 (0x0)
  smb_vwv[ 6]=  256 (0x100)
  smb_vwv[ 7]=11776 (0x2E00)
  smb_vwv[ 8]=   16 (0x10)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]=32995 (0x80E3)
  smb_vwv[11]=0 (0x0)
  smb_vwv[12]=62284 (0xF34C)
  smb_vwv[13]=48615 (0xBDE7)
  smb_vwv[14]=50395 (0xC4DB)
  smb_vwv[15]=34817 (0x8801)
  smb_vwv[16]= 2303 (0x8FF)
  smb_bcc=30
[2004/12/06 20:03:36.500113, 10, pid=4142] lib/util.c:dump_data(1899)
  [000] AB 02 01 6F AA E3 15 2F  44 00 4F 00 4D 00 41 00  ...o.../ D.O.M.A.
  [010] 49 00 4E 00 32 00 30 00  30 00 33 00 00 00        I.N.2.0. 0.3...
[2004/12/06 20:03:36.500380, 6, pid=4142] lib/util_sock.c:write_socket(449)
  write_socket(22,103)
[2004/12/06 20:03:36.500758, 6, pid=4142] lib/util_sock.c:write_socket(452)
  write_socket(22,103) wrote 103
[2004/12/06 20:03:36.513975, 10, pid=4142] lib/util_sock.c:read_smb_length_return_keepalive(505)
  got smb length of 308
[2004
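
Added example, not part of the original post and not Samba code: it decodes the `smb_vwv` words from the log excerpt above using the NT LM 0.12 negotiate-response field layout, to read the capability bits the server actually sent. `CAP_EXTENDED_SECURITY` is clear, which matches the "not using SPNEGO" line; the function name and dictionary keys are illustrative.

```python
import re
import struct

# smb_vwv words of the negotiate reply, copied from the log excerpt above.
LOG = """
smb_vwv[ 0]=5 (0x5)
smb_vwv[ 1]=12803 (0x3203)
smb_vwv[ 2]=  256 (0x100)
smb_vwv[ 3]= 1024 (0x400)
smb_vwv[ 4]=   65 (0x41)
smb_vwv[ 5]=0 (0x0)
smb_vwv[ 6]=  256 (0x100)
smb_vwv[ 7]=11776 (0x2E00)
smb_vwv[ 8]=   16 (0x10)
smb_vwv[ 9]=64768 (0xFD00)
smb_vwv[10]=32995 (0x80E3)
smb_vwv[11]=0 (0x0)
smb_vwv[12]=62284 (0xF34C)
smb_vwv[13]=48615 (0xBDE7)
smb_vwv[14]=50395 (0xC4DB)
smb_vwv[15]=34817 (0x8801)
smb_vwv[16]= 2303 (0x8FF)
"""

CAP_EXTENDED_SECURITY = 0x80000000  # set when the server offers SPNEGO
SEC_ENCRYPT_PASSWORDS = 0x02        # challenge/response authentication

def decode_negprot(log_text):
    """Rebuild the 34 parameter bytes from the 16-bit words and unpack them."""
    words = [int(h, 16) for h in re.findall(r"smb_vwv\[\s*\d+\]=\s*\d+ \(0x([0-9A-Fa-f]+)\)", log_text)]
    if len(words) != 17:
        raise ValueError("expected 17 parameter words (NT LM 0.12 reply)")
    raw = struct.pack("<17H", *words)
    # The 1-byte SecurityMode after DialectIndex shifts every later field
    # off the word boundaries, which is why the vwv dump looks scrambled.
    (dialect, sec_mode, max_mpx, max_vcs, max_buf, max_raw,
     session_key, caps, _systime, tz_min, chal_len) = struct.unpack("<HBHHIIIIQhB", raw)
    return {
        "dialect_index": dialect,
        "challenge_response": bool(sec_mode & SEC_ENCRYPT_PASSWORDS),
        "max_buffer_size": max_buf,
        "session_key": session_key,
        "capabilities": caps,
        "extended_security": bool(caps & CAP_EXTENDED_SECURITY),
        "challenge_length": chal_len,
    }

if __name__ == "__main__":
    print(decode_negprot(LOG))
```

The decoded session key equals the smbd pid in the log (4142) and the challenge length is 8, matching the 8-byte challenge dumped at the start of the excerpt, which confirms the field alignment.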

[Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L
Hi all,

I have successfully configured a samba server as a domain member in my 2003
domain (native mode 2003).
I also configured winbind, and my domain users successfully can access
shares in the samba server.
smb.conf:
security = ADS
I also configured /etc/krb5.conf and used net ads join - successfully.

However, I can see that NTLM is the chosen protocol for each client machine
(WinXP) accessing samba, and kerberos is not used:
from the log:
using SPNEGO
Selected protocol NT LM 0.12

even though I tried to set "client use spnego = no"

How can I force samba to use kerberos ?

Thanks,
Nir



[Samba] samba multiple instances and winbind

2004-08-31 Thread Nir L
Hi all,
I have a RedHat Linux machine running multiple instances of samba, each
bound to a different interface.
Each is joined to my win2k domain using a different netbios name.

I want to start using winbind, and have already done some research and tests
configuring samba to cooperate with winbind.

My question is:
Do I also need multiple instances of winbind (one for each smbd instance),
or do I use only one instance of winbind ?
Should it have its own smb.conf? Its own netbios name?

Thanks,
Nir
