Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

On 1/21/2013 9:14 PM, Kyle Brantley wrote:

On 1/21/2013 8:46 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:

On 1/21/2013 3:15 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version,
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.

This is a summation of the config that I'm using (works under samba 3.6):


   security = ADS
   passdb backend = tdbsam
   restrict anonymous = yes
   server signing = auto
   client signing = auto
   smb encrypt = auto
   realm = MYREALM.COM
   kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to
connect. I can see that a ticket has been issued for
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)


Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions.

Andrew Bartlett


As far as I can tell, prior to accepting a connection:
Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key
data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2

Andrew Bartlett


Thanks. I've filed the bug 
(https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently 
rebuilding samba with the patch applied. I'll let you know how it goes...


--Kyle


That worked great. I've been able to enumerate the shares and connect to 
them now. I validated with wireshark that the kerberos authentication 
was occurring, and it looks like everything functions now thanks to your 
previously attached patch.


Thanks much!

--Kyle
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

On 1/21/2013 8:46 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:

On 1/21/2013 3:15 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version,
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.

This is a summation of the config that I'm using (works under samba 3.6):

   security = ADS
   passdb backend = tdbsam
   restrict anonymous = yes
   server signing = auto
   client signing = auto
   smb encrypt = auto
   realm = MYREALM.COM
   kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to
connect. I can see that a ticket has been issued for
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions.

Andrew Bartlett


As far as I can tell, prior to accepting a connection:
Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key
data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2

Andrew Bartlett


Thanks. I've filed the bug 
(https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently 
rebuilding samba with the patch applied. I'll let you know how it goes...


--Kyle


[Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Andrew Bartlett
On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
> > On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> >> Hello --
> >>
> >> I'm trying to run a samba4 server (note: Fedora packaged version,
> >> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
> >>
> >> This is a summation of the config that I'm using (works under samba 3.6):
> >>
> >>   security = ADS
> >>   passdb backend = tdbsam
> >>   restrict anonymous = yes
> >>   server signing = auto
> >>   client signing = auto
> >>   smb encrypt = auto
> >>   realm = MYREALM.COM
> >>   kerberos method = system keytab
> >>
> >> However, whenever I try to access the samba server, the client fails to
> >> connect. I can see that a ticket has been issued for
> >> cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
> >>
> >> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
> >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >> Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
> >> gss_get_name_attribute failed: The operation or option is not available
> >> or unsupported: No such file or directory
> >> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
> >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >> Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
> >> gss_get_name_attribute failed: The operation or option is not available
> >> or unsupported: No such file or directory
> >> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
> >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >> Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
> >> gss_get_name_attribute failed: The operation or option is not available
> >> or unsupported: No such file or directory
> >>
> >> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
> >>
> >> Does anyone know what I need to be doing to get this working again?
> > It is probably a bug in the reworked krb5 code.  The code paths to
> > support this are still there, but clearly something doesn't trigger
> > correctly.
> >
> > The first thing to do would be to turn up the log level, to see what the
> > real failure is (the mentioned message shouldn't actually be fatal).
> >
> > Then, once we rule out it being something else, it probably just needs a
> > new test environment to be created in our 'make test' that tells our AD
> > server to not send the PAC.  This will allow this code path to be
> > covered, and prevent regressions.
> >
> > Andrew Bartlett
> >
> As far as I can tell, prior to accepting a connection:

> Full logs:
> http://averageurl.com/samba/samba-log.gz
> http://averageurl.com/samba/samba-strace-log.gz
> 
> I've already changed the keys out, so I'm not too worried about what key 
> data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Tue, 22 Jan 2013 14:45:14 +1100
Subject: [PATCH] gensec: Allow login without a PAC by default

The sense of this test was inverted.  We only want to take the ACCESS_DENIED error
if gensec:require_pac=true.

Andrew Bartlett
---
 auth/gensec/gensec_util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index d732213..64952b1 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
 	if (!pac_blob) {
-		if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+		if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
 			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
   principal_string));
 			return NT_STATUS_ACCESS_DENIED;
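Review bot: with the test un-negated, a ticket carrying no PAC is now accepted whenever gensec:require_pac is unset, because the visible default passed to gensec_setting_bool() is `false`; that is the intended default per the commit message, but the opt-in to the stricter behaviour is invisible to administrators, so gensec:require_pac should be added to the documentation (and to the 4.0.2 release notes) and, as the earlier reply in this thread already proposes, a 'make test' environment whose KDC sends no PAC should accompany the fix so the `if (!pac_blob)` path is covered and the inverted test cannot silently return. A smaller point on the unchanged `DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", ...))` line: naming the setting that produced the denial (gensec:require_pac=true) would save the next reporter a code read.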
-- 
1.7.11.7
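Added example, not Samba code and not from this thread, modelling the decision the hunk above changes: where a PAC sits in a Kerberos ticket's authorization data, and what gensec_generate_session_info_pac() returns for a PAC-less ticket before and after the one-character fix, with and without a hypothetical `gensec:require_pac = yes` setting. The authorization data is represented as nested Python lists rather than DER, the PAC bytes are a constructed placeholder, and the settings dicts stand in for smb.conf parametric options (the config posted in the thread sets none).

```python
"""Model of Samba's gensec "require_pac" decision (added example, not Samba code).

Kerberos tickets carry AuthorizationData elements.  Active Directory wraps the
PAC as AD-WIN2K-PAC (ad-type 128) inside AD-IF-RELEVANT (ad-type 1), RFC 4120
section 7.5.4; an MIT KDC with no PAC plugin issues no such element.  The
authorization data is modelled as nested Python lists rather than DER, and the
settings dicts stand in for the parametric gensec:<name> smb.conf options.
"""

AD_IF_RELEVANT = 1
AD_WIN2K_PAC = 128


def find_pac(authz_data):
    """Return the PAC blob from a ticket's authorization data, or None."""
    for ad_type, ad_data in authz_data:
        if ad_type == AD_WIN2K_PAC:
            return ad_data
        if ad_type == AD_IF_RELEVANT:  # container element: look inside it
            pac = find_pac(ad_data)
            if pac is not None:
                return pac
    return None


def parse_bool(value):
    """smb.conf boolean spellings: yes/no, true/false, 1/0, on/off."""
    v = value.strip().lower()
    if v in ("yes", "true", "1", "on"):
        return True
    if v in ("no", "false", "0", "off"):
        return False
    raise ValueError("not a boolean: %r" % value)


def gensec_setting_bool(settings, name, default):
    """Mirror gensec_setting_bool(settings, "gensec", name, default): the
    parametric option gensec:<name>, or the default when it is unset."""
    raw = settings.get("gensec:" + name)
    return default if raw is None else parse_bool(raw)


def session_status(pac_blob, settings, patched=True):
    """NTSTATUS name gensec_generate_session_info_pac() yields for a ticket
    with a PAC (bytes) or without one (None).

    patched=False reproduces the inverted test from before the fix,
    `if (!gensec_setting_bool(..., "require_pac", false))`, which denied
    PAC-less tickets exactly when require_pac was left unset.
    """
    if pac_blob is None:
        require_pac = gensec_setting_bool(settings, "require_pac", False)
        deny = require_pac if patched else not require_pac
        if deny:
            return "NT_STATUS_ACCESS_DENIED"
    return "NT_STATUS_OK"


# Hypothetical settings: the thread's smb.conf has no gensec: options (DEFAULT);
# STRICT is what a `gensec:require_pac = yes` line in [global] would yield.
DEFAULT_SETTINGS = {}
STRICT_SETTINGS = {"gensec:require_pac": "yes"}

# Constructed tickets: an MIT realm issues no PAC; AD nests one in AD-IF-RELEVANT.
MIT_TICKET_AUTHZ = []
AD_TICKET_AUTHZ = [(AD_IF_RELEVANT,
                    [(AD_WIN2K_PAC, b"\x05\x00\x00\x00<constructed PAC body>")])]


def evaluate(authz_data, settings=DEFAULT_SETTINGS, patched=True):
    """Run the whole decision for one ticket against one set of settings."""
    return session_status(find_pac(authz_data), settings, patched)


if __name__ == "__main__":
    for label, authz in (("MIT realm", MIT_TICKET_AUTHZ), ("AD realm", AD_TICKET_AUTHZ)):
        print("%-9s before fix: %-23s after fix: %s" % (
            label, evaluate(authz, patched=False), evaluate(authz, patched=True)))
```

Run stand-alone it prints the before/after verdict for both ticket kinds; the strict settings show the other half of the inversion, namely that before the fix a site which had explicitly asked for a PAC was the one that let PAC-less tickets through.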


Re: [Samba] Samba 3.6.10 not reading groups

2013-01-21 Thread Günter Kukkukk
On Monday, 21 January 2013, 22:27:44, Benjamin Huntsman wrote:
> The problem seems to be when 'security = SHARE' is set.  It works just fine
> when 'security = USER'. Seeing as 4.0 removed the option to set SHARE, I
> guess it's moot for that release...
> 
> Unfortunate, but what can be done...
> 
> -Ben

The setting "security = share" has been deprecated for a long time already; now,
in 4.0, it has been removed.
But the same "anonymous guest" access can be achieved with "security = user"
plus some additional lines ... (also in samba-3.6.x).

See https://wiki.samba.org/index.php/Public_Samba_Server

Cheers, Günter

> 
> From: Chris Smith [smb...@chrissmith.org]
> Sent: Monday, January 21, 2013 1:19 PM
> To: Benjamin Huntsman
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba 3.6.10 not reading groups
> 
> Might be related to my bug:
> https://bugzilla.samba.org/show_bug.cgi?id=9561
> 
> Unfortunately I'm not getting any traction on it. From my testing
> there still hasn't, after 10 releases, been a fully usable 3.6.x and
> now it's claimed to be in "maintenance mode" due to the release of
> Samba 4.x, which I guess must not have any major issues.
> 
> On Mon, Jan 21, 2013 at 1:06 PM, Benjamin Huntsman
> 
>  wrote:
> > It isn't honoring groups specified in the valid users clause of the share
> > configuration. I'm running in security = SHARE mode, and user
> > authentication is working just fine.  Even if I specify individual users
> > on the valid users = line, it works.  Just not groups.
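Added example, not from this thread, from Samba or from the wiki page: a small smb.conf reader that flags the settings in Ben's config (`security = share`, `encrypt passwords = No`, group entries in `valid users` under share-level security) and rewrites the [global] section into the `security = user` form with `map to guest = Bad User`, adding `guest ok = yes` only to the shares the caller names as public. The input is the config posted in this thread; the `guest account = nobody` line is an assumption.

```python
"""Rewrite a share-level-security smb.conf into its security = user form.

Added example, not Samba code and not from the wiki page.  'security = share'
was deprecated in 3.x and removed in 4.0; the equivalent anonymous access uses
'security = user' with 'map to guest = Bad User' in [global] and 'guest ok =
yes' on the shares that should stay public.  The input is Ben's config from
this thread; which shares are public is the caller's decision, and the guest
account name is an assumption.
"""
from collections import OrderedDict

# Constructed from the config posted above (SWAT header lines omitted).
SAMPLE_CONF = """\
[global]
interfaces = 10.33.72.67/22, 127.0.0.1
bind interfaces only = Yes
security = SHARE
encrypt passwords = No
log level = 3
idmap config * : backend = tdb

[testshare]
path = /testshare
valid users = +titan, benhu
read only = No
"""


def parse_smb_conf(text):
    """OrderedDict(section -> OrderedDict(key -> value)); keys are lower-cased
    with internal whitespace collapsed, values kept verbatim."""
    conf, section = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, OrderedDict())
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def render(conf):
    """Serialize back to smb.conf text."""
    out = []
    for section, params in conf.items():
        out.append("[%s]" % section)
        out.extend("\t%s = %s" % item for item in params.items())
        out.append("")
    return "\n".join(out)


def is_no(value):
    return value.strip().lower() in ("no", "false", "0", "off")


def group_entries(valid_users):
    """Entries of a 'valid users' list naming groups (+g unix, @g netgroup/unix, &g netgroup)."""
    return [u for u in valid_users.replace(",", " ").split() if u[0] in "+@&"]


def findings(conf):
    """Settings to flag before moving this config to Samba 4.0."""
    g = conf.get("global", {})
    share_mode = g.get("security", "").lower() == "share"
    out = []
    if share_mode:
        out.append("security = share is deprecated in 3.6 and removed in 4.0")
    if is_no(g.get("encrypt passwords", "yes")):
        out.append("encrypt passwords = no makes clients send plaintext passwords")
    for name, params in conf.items():
        groups = group_entries(params.get("valid users", "")) if name != "global" else []
        if groups and share_mode:
            out.append("[%s] restricts access by group %s, which needs security = user"
                       % (name, ", ".join(groups)))
    return out


def to_user_security(conf, public=()):
    """Copy of conf with security = user and an explicit guest mapping."""
    new = OrderedDict((s, OrderedDict(p)) for s, p in conf.items())
    g = new.setdefault("global", OrderedDict())
    if g.get("security", "").lower() == "share":
        g["security"] = "user"
        g.setdefault("map to guest", "Bad User")  # unknown user names become guest
        g.setdefault("guest account", "nobody")   # assumption: the site's guest account
    g.pop("encrypt passwords", None)              # fall back to the default, yes
    for name in public:                           # only explicitly public shares
        new[name]["guest ok"] = "yes"
    return new


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for f in findings(conf):
        print("finding:", f)
    print(render(to_user_security(conf)))
```

[testshare] keeps its `valid users` line and gets no `guest ok`, since it is meant to be restricted; pass `public=["testshare"]` to see the public-share form instead.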



Re: [Samba] Samba 4 man pages?

2013-01-21 Thread Bob Miller
This was addressed on this list a while back, some people shared what
they had to do to get manpages.  For more information, search that out,
but the gist should be that if you have the right packages (xsltproc and
docbook, maybe docbook-xsl?) installed on your system, man pages will
compile and install with the rest of the program.

-- 
Computerisms
Bob Miller  
867-334-7117 / 867-633-3760
http://computerisms.ca


On Mon, 2013-01-21 at 22:51 +, Benjamin Huntsman wrote:
> Are the man pages not included with the Samba 4 distribution?
> After running configure and make (using the old-style build environment under 
> source3), a "make installman" gives the following error:
> 
> No manpages present.  Development version maybe?
> 
> How would I go about getting the man pages built and installed?
> 
> Thanks!
> 
> -Ben



[Samba] Samba 4 man pages?

2013-01-21 Thread Benjamin Huntsman
Are the man pages not included with the Samba 4 distribution?
After running configure and make (using the old-style build environment under 
source3), a "make installman" gives the following error:

No manpages present.  Development version maybe?

How would I go about getting the man pages built and installed?

Thanks!

-Ben


Re: [Samba] Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

On 1/21/2013 3:15 PM, Andrew Bartlett wrote:

On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version,
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.

This is a summation of the config that I'm using (works under samba 3.6):

  security = ADS
  passdb backend = tdbsam
  restrict anonymous = yes
  server signing = auto
  client signing = auto
  smb encrypt = auto
  realm = MYREALM.COM
  kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to
connect. I can see that a ticket has been issued for
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions.

Andrew Bartlett


As far as I can tell, prior to accepting a connection:

dns_send_req: Failed to resolve _ldap._tcp.dc._msdcs.AVERAGEURL.COM 
(Success)

ads_dns_lookup_srv: Failed to send DNS query (NT_STATUS_UNSUCCESSFUL)
[ ... ]
Could not look up dc's for domain AVERAGEURL.COM
ads_connect: leaving with: No logon servers

Those records (*._msdcs.) don't exist all right...

And while the socket is connected:

Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
name_to_fqdn: lookup for ELASTIC failed. /* Reverse DNS and forward DNS 
IS resolving properly here... one thing to note: this is an IPv6 only 
host */

Security token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or 
option is not available or unsupported: No such file or directory
Unable to find PAC in ticket from k...@averageurl.com, failing to allow 
access


Checking the process with strace isn't really useful either, unfortunately:

open("/etc/krb5.keytab", O_RDONLY)  = 33
[ ... ]
open("/dev/urandom", O_RDONLY)  = 33
open("/dev/urandom", O_RDONLY)  = 33
open("/dev/urandom", O_RDONLY)  = 33
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 33
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 
ENOENT (No such file or directory)

[ ... ]
open("/usr/share/locale/en_US/LC_MESSAGES/mit-krb5.mo", O_RDONLY) = 33
[ ... ]
open("/var/tmp/cifs_0", O_RDWR) = 33
open("/usr/lib64/krb5/plugins/authdata/sssd_pac_plugin.so", 
O_RDONLY|O_CLOEXEC) = 35

open("/dev/urandom", O_RDONLY)  = 34
open("/dev/urandom", O_RDONLY)  = 34
open("/dev/urandom", O_RDONLY)  = 34
obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or 
option is not available or unsupported: No such file or directory

open("/etc/krb5.conf", O_RDONLY)= 33
open("/dev/urandom", O_RDONLY)  = 33
open("/etc/krb5.conf", O_RDONLY)= 33
open("/dev/urandom", O_RDONLY)  = 33
--- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=958, si_uid=0} ---
+++ killed by SIGTERM +++


Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz

I've already changed the keys out, so I'm not too worried about what key 
data is actually in those logs.


--Kyle


Re: [Samba] Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Andrew Bartlett
On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> Hello --
> 
> I'm trying to run a samba4 server (note: Fedora packaged version, 
> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
> 
> This is a summation of the config that I'm using (works under samba 3.6):
> 
>  security = ADS
>  passdb backend = tdbsam
>  restrict anonymous = yes
>  server signing = auto
>  client signing = auto
>  smb encrypt = auto
>  realm = MYREALM.COM
>  kerberos method = system keytab
> 
> However, whenever I try to access the samba server, the client fails to 
> connect. I can see that a ticket has been issued for 
> cifs/hostn...@myrealm.com, but in /var/log/messages I get this:
> 
> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0] 
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not available 
> or unsupported: No such file or directory
> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0] 
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not available 
> or unsupported: No such file or directory
> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0] 
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not available 
> or unsupported: No such file or directory
> 
> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
> 
> Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal). 

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba 3.6.10 not reading groups

2013-01-21 Thread Benjamin Huntsman
The problem seems to be when 'security = SHARE' is set.  It works just fine 
when 'security = USER'.
Seeing as 4.0 removed the option to set SHARE, I guess it's moot for that 
release...

Unfortunate, but what can be done...

-Ben

From: Chris Smith [smb...@chrissmith.org]
Sent: Monday, January 21, 2013 1:19 PM
To: Benjamin Huntsman
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.6.10 not reading groups

Might be related to my bug:
https://bugzilla.samba.org/show_bug.cgi?id=9561

Unfortunately I'm not getting any traction on it. From my testing
there still hasn't, after 10 releases, been a fully usable 3.6.x and
now it's claimed to be in "maintenance mode" due to the release of
Samba 4.x, which I guess must not have any major issues.

On Mon, Jan 21, 2013 at 1:06 PM, Benjamin Huntsman
 wrote:
> It isn't honoring groups specified in the valid users clause of the share 
> configuration.
> I'm running in security = SHARE mode, and user authentication is working just 
> fine.  Even if I specify individual users on the valid users = line, it 
> works.  Just not groups.


Re: [Samba] Samba 3.6.10 not reading groups

2013-01-21 Thread Chris Smith
Might be related to my bug:
https://bugzilla.samba.org/show_bug.cgi?id=9561

Unfortunately I'm not getting any traction on it. From my testing
there still hasn't, after 10 releases, been a fully usable 3.6.x and
now it's claimed to be in "maintenance mode" due to the release of
Samba 4.x, which I guess must not have any major issues.

On Mon, Jan 21, 2013 at 1:06 PM, Benjamin Huntsman
 wrote:
> It isn't honoring groups specified in the valid users clause of the share 
> configuration.
> I'm running in security = SHARE mode, and user authentication is working just 
> fine.  Even if I specify individual users on the valid users = line, it 
> works.  Just not groups.


[Samba] Using samba4 with kerberos outside of an AD realm

2013-01-21 Thread Kyle Brantley

Hello --

I'm trying to run a samba4 server (note: Fedora packaged version, 
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.


This is a summation of the config that I'm using (works under samba 3.6):

security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to 
connect. I can see that a ticket has been issued for 
cifs/hostn...@myrealm.com, but in /var/log/messages I get this:


Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0] 
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0] 
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0] 
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI 
gss_get_name_attribute failed: The operation or option is not available 
or unsupported: No such file or directory


Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

--Kyle


[Samba] Samba 3.6.10 not reading groups

2013-01-21 Thread Benjamin Huntsman
Help! :)  We didn't catch this in testing and now it's killing me in
production!
I'm getting stuck with my fresh build of Samba 3.6.10.  It isn't honoring 
groups specified in the valid users clause of the share configuration.
I'm running in security = SHARE mode, and user authentication is working just 
fine.  Even if I specify individual users on the valid users = line, it works.  
Just not groups.
Here's my configuration:

# Samba config file created using SWAT
# from UNKNOWN (10.33.224.61)
# Date: 2013/01/21 10:00:00

[global]
interfaces = 10.33.72.67/22, 127.0.0.1
bind interfaces only = Yes
security = SHARE
encrypt passwords = No
log level = 3
os level = 8
local master = No
domain master = No
idmap config * : range = 
idmap config * : backend = tdb

[testshare]
path = /testshare
valid users = +titan, benhu
read only = No



I'm in the group 'titan' also.  Here's the log I get at log level = 3:


[2013/01/21 10:03:05.928101,  3] param/loadparm.c:9572(lp_load_ex)
  lp_load_ex: refreshing parameters
[2013/01/21 10:03:05.928257,  3] param/loadparm.c:5192(init_globals)
  Initialising global parameters
[2013/01/21 10:03:05.928594,  3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file 
"/etc/samba-3.6.10/smb.conf"
[2013/01/21 10:03:05.928696,  3] param/loadparm.c:8310(do_section)
  Processing section "[global]"
[2013/01/21 10:03:05.929629,  2] param/loadparm.c:8327(do_section)
  Processing section "[testshare]"
[2013/01/21 10:03:05.929862,  3] param/loadparm.c:6630(lp_add_ipc)
  adding IPC service
[2013/01/21 10:03:05.929926,  1] param/loadparm.c:9670(lp_load_ex)
  WARNING: The security=share option is deprecated
[2013/01/21 10:03:05.930333,  2] lib/interface.c:479(interpret_interface)
  interpret_interface: Adding interface 10.33.72.67/22
[2013/01/21 10:03:05.930401,  2] lib/interface.c:341(add_interface)
  added interface 10.33.72.67/22 ip=10.33.72.67 bcast=10.33.75.255 
netmask=255.255.252.0
[2013/01/21 10:03:05.930493,  2] lib/interface.c:341(add_interface)
  added interface lo0 ip=127.0.0.1 bcast=127.242.234.223 netmask=
[2013/01/21 10:03:05.930626,  3] lib/access.c:338(allow_access)
  Allowed connection from 10.33.75.164 (10.33.75.164)
[2013/01/21 10:03:05.930715,  3] smbd/oplock.c:922(init_oplocks)
  init_oplocks: initializing messages.
[2013/01/21 10:03:05.930887,  3] smbd/process.c:1662(process_smb)
  Transaction 0 of length 159 (0 toread)
[2013/01/21 10:03:05.930970,  3] smbd/process.c:1467(switch_message)
  switch message SMBnegprot (pid 7864494) conn 0x0
[2013/01/21 10:03:05.931110,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2013/01/21 10:03:05.931178,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [LANMAN1.0]
[2013/01/21 10:03:05.931245,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2013/01/21 10:03:05.931313,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [LM1.2X002]
[2013/01/21 10:03:05.931379,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [LANMAN2.1]
[2013/01/21 10:03:05.931445,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [NT LM 0.12]
[2013/01/21 10:03:05.931511,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [SMB 2.002]
[2013/01/21 10:03:05.931577,  3] smbd/negprot.c:598(reply_negprot)
  Requested protocol [SMB 2.???]
[2013/01/21 10:03:05.931749,  3] smbd/negprot.c:401(reply_nt1)
  not using SPNEGO
[2013/01/21 10:03:05.931811,  3] smbd/negprot.c:704(reply_negprot)
  Selected protocol NT LM 0.12
[2013/01/21 10:03:05.933695,  3] smbd/process.c:1662(process_smb)
  Transaction 1 of length 176 (0 toread)
[2013/01/21 10:03:05.933776,  3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 7864494) conn 0x0
[2013/01/21 10:03:05.933865,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=13 flg2=0xc807
[2013/01/21 10:03:05.933953,  3] smbd/sesssetup.c:1536(reply_sesssetup_and_X)
  Domain=[10.33.72.67]  NativeOS=[] NativeLanMan=[] PrimaryDomain=[null]
[2013/01/21 10:03:05.934049,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2013/01/21 10:03:05.934111,  3] smbd/sesssetup.c:1552(reply_sesssetup_and_X)
  sesssetupX:name=[10.33.72.67]\[benhu]@[10.33.75.164]
[2013/01/21 10:03:05.934785,  3] smbd/sesssetup.c:151(check_guest_password)
  Got anonymous request
[2013/01/21 10:03:05.934884,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\[]@[] with the 
new password interface
[2013/01/21 10:03:05.934976,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: []\[]@[]
[2013/01/21 10:03:05.935069,  3] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2013/01/21 10:03:05
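Added example, not from this thread and not Samba code: a parser for the smbd debug-log record format shown above, plus a detection pass over it that surfaces the two things in Ben's log a reviewer would want flagged, the `security=share` deprecation warning and a session setup that names a user (`benhu`) but is then authenticated as guest. The sample records are copied from the posted log with a few dropped for brevity; the detection rules are the example's own.

```python
"""Parse smbd debug-log records and flag named users that ended up as guest.

Added example, not Samba code.  Samba 3.x writes each record as a header line
"[YYYY/MM/DD hh:mm:ss.uuuuuu, level] file.c:line(function)" followed by the
message, indented by two spaces (long messages wrap onto further lines).  The
sample below is copied from the log posted in this thread, minus a few records.
"""
import re

HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
SESSSETUP_RE = re.compile(
    r"sesssetupX:name=\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@\[(?P<client>[^\]]*)\]")

# Constructed sample: records copied from the posted log, a few dropped for brevity.
SAMPLE_LOG = """\
[2013/01/21 10:03:05.929926,  1] param/loadparm.c:9670(lp_load_ex)
  WARNING: The security=share option is deprecated
[2013/01/21 10:03:05.930626,  3] lib/access.c:338(allow_access)
  Allowed connection from 10.33.75.164 (10.33.75.164)
[2013/01/21 10:03:05.933776,  3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 7864494) conn 0x0
[2013/01/21 10:03:05.934111,  3] smbd/sesssetup.c:1552(reply_sesssetup_and_X)
  sesssetupX:name=[10.33.72.67]\\[benhu]@[10.33.75.164]
[2013/01/21 10:03:05.934785,  3] smbd/sesssetup.c:151(check_guest_password)
  Got anonymous request
[2013/01/21 10:03:05.934884,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\\[]@[] with the
new password interface
[2013/01/21 10:03:05.935069,  3] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
"""


def parse_records(text):
    """Group each header line with its (possibly wrapped) message into a dict."""
    records = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"])
            rec["line"] = int(rec["line"])
            rec["message"] = ""
            records.append(rec)
        elif records and raw.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + raw.strip()).strip()
    return records


def findings(records):
    """Detections over the parsed records, in log order."""
    out = []
    pending = None  # the last session setup that carried a non-empty user name
    for rec in records:
        msg = rec["message"]
        if rec["func"] == "lp_load_ex" and "security=share" in msg and "deprecated" in msg:
            out.append({"kind": "deprecated-security-share", "ts": rec["ts"], "detail": msg})
        m = SESSSETUP_RE.search(msg)
        if m:
            pending = m.groupdict() if m.group("user") else None
        elif (pending and rec["func"] == "check_ntlm_password"
              and "guest authentication for user [] succeeded" in msg):
            # The client named a user, but smbd authenticated the session as guest:
            # worth surfacing whenever per-user share restrictions misbehave.
            out.append({"kind": "named-user-authenticated-as-guest", "ts": rec["ts"],
                        "user": pending["user"], "client": pending["client"]})
            pending = None
    return out


if __name__ == "__main__":
    for f in findings(parse_records(SAMPLE_LOG)):
        print(f)
```

The parser keys records on the function name rather than the source line number, since the line numbers change between releases while function names such as `check_ntlm_password` are stable across the 3.x series.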

Re: [Samba] How to debug SID problems

2013-01-21 Thread TAKAHASHI Motonobu
From: Knut Olav Bøhmer 
Date: Sun, 20 Jan 2013 15:03:25 +0100

>> - On Windows side
>>   whoami /user (an user's)
> 
> I could not find the command whoami. Where should it be located?
> I also installed powershell to see if it was required, but there was
> no whoami command there either.

Sorry, the whoami command appears in Windows Vista / Windows Server 2003.

>> - On Samba side
>>   pdbedit  (an user's)
>>   profiles (a profile file's)
> 
> What is the name of a profile file? is it NTUSER.DAT?

Yes, but as I answered in another mail, the profiles command does not work
well.

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] How to debug SID problems

2013-01-21 Thread TAKAHASHI Motonobu
From: Hervé Hénoch 
Date: Mon, 21 Jan 2013 14:43:11 +0100

> Hello
> 
> Can you give an example with the profiles command on linux ?

Hmmm...
In those days, I got the output below:

-
# profiles -v NTUSER.DAT
ACL for $$$PROTO.HIV
  Owner SID: S-1-5-32-544
  Group SID: (NULL SID)
  DACL: 8 entries:
Trustee SID: S-1-5-21-2535719703-1779805756-2758924810-1017
Trustee SID: S-1-5-18
Trustee SID: S-1-5-32-544
Trustee SID: S-1-5-12
Trustee SID: S-1-5-21-2535719703-1779805756-2758924810-1017
Trustee SID: S-1-5-18
Trustee SID: S-1-5-32-544
Trustee SID: S-1-5-12
ACL for $$$PROTO.HIV\AppEvents
  Owner SID: S-1-5-32-544
  Group SID: (NULL SID)
  DACL: 8 entries:
...
-

But now, I tried the same command and get errors...
I examined profiles bundled in Samba 3.5.6.


---
TAKAHASHI Motonobu   / @damemonyo
   facebook.com/takahashi.motonobu
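As an added example (not code from the thread or from Samba itself), a small Python audit that walks `profiles -v` output like the listing above and groups the domain SIDs it finds, so a trustee from the wrong domain stands out when debugging SID problems. The expected domain SID is assumed to be the Samba server's own (as printed by `net getlocalsid`); the extra S-1-5-21-999... trustee in the sample input is constructed to show a mismatch.

```python
import re
from collections import defaultdict

# Constructed sample in the `profiles -v NTUSER.DAT` format quoted above,
# with one invented foreign-domain trustee (S-1-5-21-999...) added.
SAMPLE_PROFILES_OUTPUT = """\
ACL for $$$PROTO.HIV
  Owner SID: S-1-5-32-544
  Group SID: (NULL SID)
  DACL: 4 entries:
Trustee SID: S-1-5-21-2535719703-1779805756-2758924810-1017
Trustee SID: S-1-5-18
Trustee SID: S-1-5-32-544
Trustee SID: S-1-5-12
ACL for $$$PROTO.HIV\\AppEvents
  Owner SID: S-1-5-32-544
  Group SID: (NULL SID)
  DACL: 2 entries:
Trustee SID: S-1-5-21-2535719703-1779805756-2758924810-1017
Trustee SID: S-1-5-21-999999999-888888888-777777777-1001
"""

# Matches any SID string (S-1-<authority>-<subauthorities...>)
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain SID S-1-5-21-X-Y-Z-RID.
    Well-known SIDs such as S-1-5-18 or S-1-5-32-544 are returned whole
    with rid=None, since they belong to no particular domain."""
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None


def audit_profile_sids(profiles_output, expected_domain_sid):
    """Collect the RIDs seen per domain SID and report which domain SIDs
    are not the expected one (well-known SIDs are ignored)."""
    by_domain = defaultdict(set)
    for sid in SID_RE.findall(profiles_output):
        domain, rid = split_sid(sid)
        if rid is not None:
            by_domain[domain].add(rid)
    foreign = {d: sorted(r) for d, r in by_domain.items() if d != expected_domain_sid}
    return {"ours": sorted(by_domain.get(expected_domain_sid, ())), "foreign": foreign}
```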


Re: [Samba] How to debug SID problems

2013-01-21 Thread Hervé Hénoch

Hello

Can you give an example with the profiles command on linux ?

Regards

On 20/01/2013 07:39, TAKAHASHI Motonobu wrote:

From: Knut Olav Bøhmer
Date: Wed, 16 Jan 2013 13:00:42 +0100


Hi,

Is there a tool to debug SIDs on a samba domain. To check that there
is no problems with SIDs on the samba server, windows client or user?

(snip)

There is probably a problem with the machine account or the users'
SIDs. But I'm new to Windows and Samba so I find it difficult to
navigate through this Windows mess.

You can see SID:

- On Windows side
   whoami /user (an user's)

- On Samba side
   pdbedit  (an user's)
   profiles (a profile file's)

---
TAKAHASHI Motonobu  / @damemonyo
facebook.com/takahashi.motonobu



--

Hervé Hénoch
IT Manager
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 — 84918 AVIGNON cedex 9
Telephone: 04.90.27.57.44


Re: [Samba] Accsse Deny

2013-01-21 Thread Michael Wood
Hi

On 20 January 2013 21:12, Helmut Hullen  wrote:
> Hello, Usuário,
>
> You wrote on 20.01.13:
>
>> Substituting charset 'UTF-8' for LOCALE
>> password:
>> lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or
>> directory NT_STATUS_ACCESS_DENIED: Access denied (0xc022)
>
>> Why it's returning Access Denied for me ?
>
> As I've told you in the squid mailing list: the main problem is
>
> "/usr/lib/samba/en_US.UTF-8.msg: No such file or directory". Your
> machine can't find that file. Why?

I think this is a red herring.

It looks like it's just looking for the en_US.UTF-8 version of the
Samba localised messages and not finding them.  It shouldn't impact on
the behaviour of ntlm_auth.

To silence it, you could try something like:

export LANG=en_US
ntlm_auth ...

or maybe: export LANG=C

but that won't solve the actual problem.

-- 
Michael Wood 


Re: [Samba] Samba 3.5.6 : netlogon_creds_server_check errors in logs

2013-01-21 Thread Andrew Bartlett
On Mon, 2013-01-21 at 11:17 +0100, Jaymzwise Jaymzwise wrote:
> Hi,
> 
> I have a Samba (v3.5.6) PDC with a LDAP backend. We have Windows XP and 7
> workstations, everything "seems" to run smoothly but the following messages
> appear in the logs for each Windows 7 joined to the domain :
> 
> Jan 21 10:45:13 srvlan smbd[2737]: [2013/01/21 10:45:13.722795,  0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
> Jan 21 10:45:13 srvlan smbd[2737]:   _netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from client
> HP8540P_13_NG machine account HP8540P_13_NG$
> 
> We can access samba shares from 7 workstations and users can authenticate
> on the domain but I would like to have clean logs.
> 
> How can I resolve this problem ?

I've looked into a similar error recently, and as far as I know this is
all just normal.  As far as I could pin it down, the client knows both
the current and previous domain join pw, and will sometimes try the old
domain join password.  That is, as you noticed, no harm seems to come
from these messages, despite them normally indicating a breakdown in the
trust relationship. 

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
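As an added example (not code from the thread or from Samba), a small Python detection pass over smbd syslog lines that counts `netlogon_creds_server_check` rejections per machine account. A handful of rejections per workstation is consistent with the old-join-password retry described above; a sustained stream from one account is the case worth checking. The threshold is an assumed tuning value, and all host names other than the one quoted in the thread are constructed.

```python
import re
from collections import Counter

# Matches the rejection message quoted in the thread (one syslog record per line)
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+\$)"
)

# Constructed sample log: one rejection for the host from the thread, a burst
# of four for an invented host, and one unrelated smbd line that must be ignored.
SAMPLE_SYSLOG = """\
Jan 21 10:45:13 srvlan smbd[2737]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client HP8540P_13_NG machine account HP8540P_13_NG$
Jan 21 11:02:40 srvlan smbd[2901]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-LAB07 machine account WS-LAB07$
Jan 21 11:02:41 srvlan smbd[2901]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-LAB07 machine account WS-LAB07$
Jan 21 11:02:43 srvlan smbd[2903]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-LAB07 machine account WS-LAB07$
Jan 21 11:02:44 srvlan smbd[2903]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-LAB07 machine account WS-LAB07$
Jan 21 11:30:00 srvlan smbd[3010]: [2013/01/21 11:30:00.000000,  3] smbd/process.c:1662(process_smb)
"""


def count_rejections(log_text):
    """Count netlogon_creds_server_check rejections per machine account."""
    counts = Counter()
    for m in REJECT_RE.finditer(log_text):
        counts[m.group("account")] += 1
    return counts


def classify_rejections(log_text, persistent_threshold=3):
    """Split accounts into 'sporadic' (below the threshold, consistent with a
    client occasionally retrying its previous join password) and 'persistent'
    (at or above it, worth checking the machine's trust relationship).
    persistent_threshold is an assumed tuning value, not from the thread."""
    counts = count_rejections(log_text)
    return {
        "sporadic": sorted(a for a, n in counts.items() if n < persistent_threshold),
        "persistent": sorted(a for a, n in counts.items() if n >= persistent_threshold),
    }
```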




[Samba] Samba 3.5.6 : netlogon_creds_server_check errors in logs

2013-01-21 Thread Jaymzwise Jaymzwise
Hi,

I have a Samba (v3.5.6) PDC with a LDAP backend. We have Windows XP and 7
workstations, everything "seems" to run smoothly but the following messages
appear in the logs for each Windows 7 joined to the domain :

Jan 21 10:45:13 srvlan smbd[2737]: [2013/01/21 10:45:13.722795,  0]
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Jan 21 10:45:13 srvlan smbd[2737]:   _netr_ServerAuthenticate3:
netlogon_creds_server_check failed. Rejecting auth request from client
HP8540P_13_NG machine account HP8540P_13_NG$

We can access samba shares from 7 workstations and users can authenticate
on the domain but I would like to have clean logs.

How can I resolve this problem ?
Thanks.


Re: [Samba] How to set ACLs with Samba4 AD?

2013-01-21 Thread Lukas Gradl


Quoting Lee Allen:


I apologize if this is very beginner/basic.  In my defense, I can't get the
Samba4 documentation to compile on my system, and I can't find the man
pages online (a pointer to them would be extremely helpful).

And in general, I am having difficulty sorting through the documentation on
the wiki because much of it is clearly pre-Samba4 and therefore obsolete,
or at least questionable.  It's hard to know what is relevant.

Most of the posts I see here seem to be much better informed than I am.  I
would love to know how they obtained their knowledge.

So here is my question:
I am running Samba4 as an AD and file server.  How do I define ACLs for the
samba shares, for domain users & groups?
These users and groups are not defined on the underlying OS (CentOS 6.3).
It seems the answer is to do it via the underlying filesystem, but how is
that possible when the domain users & groups are not defined in the OS?

I see samba-tool has some ACL get/set capability.  Is that the answer?

Or is there some special magic to get CentOS to control file access by
referring to the Samba4 AD?

Many thanks in advance for any help.

And I would be very grateful for pointers to Samba4 introductory or
background material (I have used the HOW-TOs extensively).



I second that - it took me some time to learn that after setting acls
by "write user" for years I can now use the Windows tools.

So perhaps someone could add a few lines about setting acls in the howto?

regards
Lukas





[Samba] [Announce] Samba 3.6.11 Available for Download

2013-01-21 Thread Karolin Seeger
===
"No great discovery was ever made
 without a bold guess."

 Isaac Newton
===


Release Announcements
=

This is the latest stable release of Samba 3.6.

Major enhancements in Samba 3.6.11 include:

o   defer_open is triggered multiple times on the same request (bug #9196).
o   Fix SEGV when using second vfs module (bug #9471).


Changes since 3.6.10:


o   Jeremy Allison 
* BUG 9196: defer_open is triggered multiple times on the same request.
* BUG 9550: Mask off signals the correct way from the signal handler.


o   Björn Baumbach 
* BUG 9569: ntlm_auth.1: Fix format and make examples visible.


o   Tsukasa Hamano 
* BUG 9471: Fix SEGV when using second vfs module.


o   Volker Lendecke 
* BUG 9548: Correctly detect O_DIRECT.
* BUG 9546: Fix aio_suspend detection on FreeBSD.


##
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba corresponding product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==



Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

http://download.samba.org/samba/ftp/

The release notes are available online at:

http://www.samba.org/samba/ftp/history/samba-3.6.11.html

Binary packages will be made available on a volunteer basis from

http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
