[Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L
Hi all,

I have successfully configured a samba server as a domain member in my 2003
domain (native mode 2003).
I also configured winbind, and my domain users successfully can access
shares in the samba server.
smb.conf:
security = ADS
I also configured /etc/krb5.conf and used net ads join - successfully.

However, I can see that NTLM is the chosen protocol for each client machine
(WinXP) accessing samba, and kerberos is not used:
from the log:
using SPNEGO
Selected protocol NT LM 0.12

even though I tried to set client use spnego = no

How can I force samba to use kerberos?

Thanks,
Nir

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L

 Nir L wrote:

 | smb.conf:
 | security = ADS
 | I also configured /etc/krb5.conf and used net ads join
 | - successfully.
 |
 | However, I can see that NTLM is the chosen protocol for
 | each client machine (WinXP) accessing samba, and kerberos
 | is not used (from the log):
 | using SPNEGO
 | Selected protocol NT LM 0.12

 This is the smb protocol dialect and has nothing to do
 with the authentication chosen (not directly at least).

 | even though I tried to set client use spnego = no

 That applies only to Samba's client code and not the
 capability bits set by the server when replying to
 clients.  Besides, you really should not disable spnego.
 Generally if it doesn't work it would be considered a bug.

 | How can I force samba to use kerberos ?

 Look for the SPNEGO communication in the level 10 log.

I tried...
I finally got "not using SPNEGO", but still got
"Using protocol NT LM 0.12" after the SPNEGO message.

 Hint: search for the string 'OID' and see what mechanism
 is being negotiated.

no OID strings in my log.

here is my smb.conf.
[global]
workgroup = domain2003
netbios name = defconn2Logs
server string = Major Samba
encrypt passwords = Yes
log level = 10
log file = /var/samba/logs/log.%m
lock dir = /var/samba/locks
pid directory = /var/run
max log size = 5
preferred master = False
local master = No
domain master = False
dns proxy = No
guest account = pacifsconn
create mask = 0775
dead time = 15
debug pid = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
oplocks = Yes
kernel oplocks = Yes
level2 oplocks = Yes
defer sharing violations = No
name resolve order = lmhosts wins bcast host
debug hires timestamp = Yes
wins server = 192.168.41.108
realm = DOMAIN2003.com
security = ADS
domain logons = No
client use spnego = No
use spnego = No
map to guest = bad password
map hidden = Yes
map system = Yes
force group = 1
bind interfaces only = Yes
interfaces = 192.168.41.139
smb passwd file = /var/samba/private/
private dir = /var/samba/private
winbind separator = +
idmap uid = 1-3
idmap gid = 1-3
winbind enum users = Yes
winbind enum groups = Yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
use sendfile = No
strict locking = Yes
disable spoolss = Yes
mangling method = hash2

[Logs]
comment = Share for Logs
path = /var/log
browseable = Yes
read only = Yes
available = Yes
writeable = No
valid users = NONE EXCEPT  domain2003+user2
map archive = Yes
hide dot files = No
directory mask = 751
dos filemode = Yes

and part of the logfile:
challenge is:
[2004/12/06 20:03:36.498409, 5, pid=4142] lib/util.c:dump_data(1899)
  [000] AB 02 01 6F AA E3 15 2F   ...o.../
[2004/12/06 20:03:36.498603, 3, pid=4142] smbd/negprot.c:reply_nt1(327)
  not using SPNEGO
[2004/12/06 20:03:36.498710, 3, pid=4142] smbd/negprot.c:reply_negprot(549)
  Selected protocol NT LM 0.12
[2004/12/06 20:03:36.498811, 5, pid=4142] smbd/negprot.c:reply_negprot(555)
  negprot index=5
[2004/12/06 20:03:36.498918, 5, pid=4142] lib/util.c:show_msg(461)
[2004/12/06 20:03:36.498982, 5, pid=4142] lib/util.c:show_msg(471)
  size=99
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=49153
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=0
  smt_wct=17
  smb_vwv[ 0]=5 (0x5)
  smb_vwv[ 1]=12803 (0x3203)
  smb_vwv[ 2]=  256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]=   65 (0x41)
  smb_vwv[ 5]=0 (0x0)
  smb_vwv[ 6]=  256 (0x100)
  smb_vwv[ 7]=11776 (0x2E00)
  smb_vwv[ 8]=   16 (0x10)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]=32995 (0x80E3)
  smb_vwv[11]=0 (0x0)
  smb_vwv[12]=62284 (0xF34C)
  smb_vwv[13]=48615 (0xBDE7)
  smb_vwv[14]=50395 (0xC4DB)
  smb_vwv[15]=34817 (0x8801)
  smb_vwv[16]= 2303 (0x8FF)
  smb_bcc=30
[2004/12/06 20:03:36.500113, 10, pid=4142] lib/util.c:dump_data(1899)
  [000] AB 02 01 6F AA E3 15 2F  44 00 4F 00 4D 00 41 00  ...o.../ D.O.M.A.
  [010] 49 00 4E 00 32 00 30 00  30 00 33 00 00 00I.N.2.0. 0.3...
[2004/12/06 20:03:36.500380, 6, pid=4142] lib/util_sock.c:write_socket(449)
  write_socket(22,103)
[2004/12/06 20:03:36.500758, 6, pid=4142] lib/util_sock.c:write_socket(452)
  write_socket(22,103) wrote 103
[2004/12/06 20:03:36.513975, 10, pid=4142]
lib/util_sock.c:read_smb_length_return_keepalive(505)
  got smb length of 308
[2004/12/06 20:03:36.514150, 6, pid=4142] smbd/process.c:process_smb(1091)
  got message type 0x0 of len 0x134
[2004/12/06 20:03:36.514264, 3, pid=4142] smbd

Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L
In addition to my last email (the one with my smb.conf)
I also found out that:
if I connect the share using \\ip address\sharename
I get access to the share after NTLM has been used.
and
if I connect using \\netbiosname\sharename
I get access denied (NTLM is still used...)

 Nir L wrote:
 
 | smb.conf:
 | security = ADS
 | I also configured /etc/krb5.conf and used net ads join
 | - successfully.
 |
 | However, I can see that NTLM is the chosen protocol for
 | each client machine (WinXP) accessing samba, and kerberos
 | is not used (from the log):
 | using SPNEGO
 | Selected protocol NT LM 0.12
 
 This is the smb protocol dialect and has nothing to do
 with the authentication chosen (not directly at least).
 
 | even though I tried to set client use spnego = no
 
 That applies only to Samba's client code and not the
 capability bits set by the server when replying to
 clients.  Besides, you really should not disable spnego.
 Generally if it doesn't work it would be considered a bug.
 
 | How can I force samba to use kerberos ?
 
 Look for the SPNEGO communication in the level 10 log.
 Hint: search for the string 'OID' and see what mechanism
 is being negotiated.

 cheers, jerry
 --
 Alleviating the pain of Windows(tm)  --- http://www.samba.org
 GnuPG Key- http://www.plainjoe.org/gpg_public.asc
 If we're adding to the noise, turn off this song--Switchfoot (2003)


[Samba] samba multiple instances and winbind

2004-08-31 Thread Nir L
Hi all,
I have a RedHat linux machine running multiple instances of samba, each
bound to a different interface.
each is joined to my win2k domain using a different netbios name.

I want to start using winbind, and have already done some research and tests
configuring samba to cooperate with winbind.

My question is:
Do I also need multiple instances of winbind (one for each smbd instance),
or do I use only one instance of winbind ?
should it have its own smb.conf ? its own netbios name ?

Thanks,
Nir



Re: --with-vfs and ACLs problem

2002-06-23 Thread Nir L



The SID's that are returned to the client are 100% OK.
Proof:
I access an NT server from the client, and watch a file that MYDOM\UserA and
MYDOM\UserB have permissions on.

Then, I access the SAMBA server and watch a file that MYDOM\UserA, MYDOM\UserB
and MYDOM\UserC have permissions on.

The UserA and B SID's are translated to names correctly (because they are
cached on the client machine). UserC's SID remains in SID form.

So - I know for sure that SID's of UserA and UserB are returned from the SAMBA
correctly, and probably UserC as well (the SID that I see matches the exact SID
of the user on the PDC).

(if I didn't access the NT server before accessing the samba server, all 3
SID's would not have been translated)

Could it be that the client does not access the PDC to translate SID's to
names, but tries to access the server that gave it the SID's, and the server is
supposed to relay the RPC to the PDC?

more info:
There is only one PDC in our network.
The security management delivers USERNAMES to samba and it translates them to
SID's and sends them to the client.
Samba version is 2.2.0
security = DOMAIN or security = SERVER (same result)
(when security = DOMAIN the samba server is joined to the domain ...)

more info 2:
I ran samba with debug level = 10.
I could see that the client asks SAMBA to translate the SID's.
It calls lookup_sid, which tries to activate winbind to translate the SID. I
suppose that in this part, if winbind had been running, it might have
translated the SID correctly for the client.
But since winbind is not running, the SAMBA tries to translate the SID itself,
and fails...

log:
[2002/06/23 12:09:20.584203, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(219)
  init_lsa_trans_names: looking up sid S-1-5-21-257908509-604318102-2002191721-1106
[2002/06/23 12:09:20.584286, 10] smbd/uid.c:lookup_sid(366)
  lookup_sid: winbind lookup for SID S-1-5-21-257908509-604318102-2002191721-1106 failed - trying local.
[2002/06/23 12:09:20.584368, 5] lib/util_sid.c:map_domain_sid_to_name(151)
  map_domain_sid_to_name: S-1-5-21-257908509-604318102-2002191721
[2002/06/23 12:09:20.584428, 5] lib/util_sid.c:map_domain_sid_to_name(158)
  map_domain_sid_to_name: compare: S-1-5-21-3039204150-1313164136-3871986822
[2002/06/23 12:09:20.584489, 5] lib/util_sid.c:map_domain_sid_to_name(158)
  map_domain_sid_to_name: compare: S-1-5-21-3039204150-1313164136-3871986822
[2002/06/23 12:09:20.584541, 5] lib/util_sid.c:map_domain_sid_to_name(158)
  map_domain_sid_to_name: compare: S-1-5-32
[2002/06/23 12:09:20.584588, 5] lib/util_sid.c:map_domain_sid_to_name(158)
  map_domain_sid_to_name: compare: S-1-1
[2002/06/23 12:09:20.584635, 5] lib/util_sid.c:map_domain_sid_to_name(158)
  map_domain_sid_to_name: compare: S-1-3
[2002/06/23 12:09:20.584682, 5] lib/util_sid.c:map_domain_sid_to_name(158)
  map_domain_sid_to_name: compare: S-1-5
[2002/06/23 12:09:20.584724, 5] lib/util_sid.c:map_domain_sid_to_name(167)
  map_domain_sid_to_name: mapping for S-1-5 not found
[2002/06/23 12:09:20.584769, 5] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(228)
  init_lsa_trans_names: not found
[2002/06/23 12:09:20.584816, 10] rpc_server/srv_lsa_nt.c:init_lsa_trans_names(243)
  init_lsa_trans_names: added user '\' to referenced list.



  - Original Message -
  From: Eric Lee Steadle
  To: Nir L
  Sent: Thursday, June 20, 2002 8:01 PM
  Subject: RE: --with-vfs and ACLs problem
  
Richard Sharpe already responded to you, but his explanation may not be clear.

After the ACL is retrieved by the Security Editor on the Client Workstation
(the machine displaying the security tab), the Security Editor on that machine
will contact the domain controller responsible for each SID in the ACL, and
attempt to look up the names of the accounts associated with each SID. This
appears to be what is failing. The Client is NOT talking to Samba at this
point -- it's talking to the password server.

If the password server doesn't know about a particular SID, it will ask other
domain controllers that it may know about (basically anything with a trust
relationship). If it still can't resolve the SID, it gives up. The Client will
not be able to display the account names and so it will just show the SIDs
instead. I'm not sure if your PDC has the accounts in it or not since you
didn't provide details about the external ACL management product. Is it
responsible for allocating SIDs too? Or does it just handle ACLs?

An Ethereal or Netmon trace on the PDC should confirm this for you. Look for
MSRPC packets -- the specific function is called lsaLookupNames, but I don't
know the OpCode off the top of my head.

To solve this problem, you need to get the client to talk to something that can
resolve the Sids in the ACL into account names.

Is this any clearer now?