[Samba] Auth problem
Hello I've got a problem with users from a Winxp client authenticating to a debian 6 (samba 3.5.6~dfsg-3squeeze2) domain member. The PDC runs samba 3.5.4. The domain is called SBS. In the debug log of the debian box, the PDC seems to answer correct to the auth request but the on the Winxp client I still get prompted for a username/password... The winxp client is a member of SBS and called blubber, the debian6 box is called print-new and the PDC is called SBS_PDC Attached are the logs and smb.conf's thanks in advance & regards [global] netbios name = SBS_PDC netbios aliases = s01 workgroup = SBS server string = SBS primary domain controller interfaces = 10.0.9.1 127.0.0.1 bind interfaces only = yes deny hosts = all allow hosts = 10.0. 127. 192.168.1. follow symlinks = yes wide links = yes unix extensions = no os level = 99 local master = yes domain master = yes domain logons = yes security = user wins support = yes lanman auth = yes ntlm auth = Yes username map = /etc/samba/smbusers logon path = \\nas_office\profiles_xp\%U ### meierv 2011-02-14 #logon drive = L: ### meierv 2011-02-14 end ## (mr) absolute path is not valid for logon script ## (mr) script name is relative to [netlogon] share (see below) logon script = deflogin.bat keepalive = 0 deadtime = 60 socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY hide files = /desktop.ini/ syslog = 0 syslog only = no log level = 5 log file = /var/log/samba/%m.log max log size = 1000 [netlogon] comment = Logon Scripts path = /nas/pdc/netlogon browseable = no inherit permissions = yes create mask = 0460 force create mode = 0460 directory mask = 2775 force directory mode = 2775 map archive = no map hidden = no map system = no dos filemode = no force group = +ntadmin valid users = +users, +ntadmin, +inf read list = +users write list = +ntadmin, +inf [test] path = /nas/test writeable = yes valid users = +inf +rep +ntadmin force group = rep[global] workgroup = SBS server string = %h server netbios name = PRINT-NEW deny hosts = all allow hosts = 10.0. 127. local master = no preferred master = no domain master = no wins support = yes security = domain password server = * printing = cups printcap name = cups load printers = yes disable spoolss = no show add printer wizard = yes min protocol = LANMAN1 lanman auth = yes client lanman auth = yes client ntlmv2 auth = yes ntlm auth = yes map untrusted to domain = Yes dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 log level = 10 syslog = 0 panic action = /usr/share/samba/panic-action %d passdb backend = tdbsam obey pam restrictions = no unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . pam password change = yes [printers] comment = All Printers browseable = yes path = /var/spool/samba printable = yes guest ok = yes read only = yes create mask = 0700 use client driver = No [print$] comment = Printer Drivers path = /var/lib/samba/printers browseable = yes read only = yes guest ok = no write list = meierv, root, @ntadmin create mask = 0664-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Auth problem with AD member server
I am having trouble with certain versions of Windows accessing shares provided by our Samba (3.0.24) servers which are AD members (Windows Server 2003 AD Controller). The problem seems to be with the hyphen in the domain name; if a (domain) user of XP, Server2003, or Linux accesses a share, everything works. If a domain user on Vista or Windows7 tries to access the same share (same user as above), they get permission denied. HOWEVER, if the user provides the credentials as DOMAIN\User instead of DOMAIN-NAME\User, then everything works. We're using the LM/NTLM settings in Vista, not NTLM2. Does anyone have an idea how to resolve this? THANKS! Our smb.conf file is below; [global] workgroup = DOMAIN-NAME realm = DOMAIN-NAME.COM preferred master = no server string = Debian security = ADS encrypt passwords = yes log level = 3 log file = /var/log/samba/%m max log size = 50 printcap name = cups printing = cups winbind use default domain = Yes winbind nested groups = Yes winbind separator = + allow trusted domains = No idmap backend = idmap_rid:DOMAIN-NAME=10-1 idmap uid = 10-1 idmap gid = 10-1 template shell = /bin/bash winbind enum users = yes winbind enum groups = yes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Krb5 + Samba auth problem on subsequent volume mounts
Hi all, I have, what I think is a relatively simple samba/kerberos problem that I am not seeing the obvious side to. I'll explain the scenario. I have an OpenLDAP KDC or Directory Master. For the purposes of this conversation, it is the authentication server, and the bit that grants/ hands out all the ticket information. I have a Solaris 10 system running the default Sun shipped Samba 3.0.28 (/usr/sfw/sbin/smbd). This Solaris fileserver is connected via LDAP to the OpenLDAP master and has an appropriate /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab installed. In my /etc/sfw/smb.conf, I have the simple "magic lines" to connect my samba service to Kerberos as follows in the [global] section: password server = somehost.somewhere.nowhere.interesting.here workgroup = STAFF realm = somehost.somewhere.nowhere.interesting.here netbios name = somehost.somewhere.nowhere.interesting.here netbios aliases = SUN SAM-FS HSM security = SERVER use kerberos keytab = yes encrypt passwords = yes So, once I have created some shares, all seems to go swimmingly. Users connect using their SSO credentials, they are passed a ticket through the TGT process and they are then allowed to write to the share/ directory/wherever I have specified. The problem is, when my user decideds he/she/it has had enough of that network mounted volume, they eject it. No big deal there - however, when they REMOUNT the volume with their Kerberos ticket in-fact (default ticket time out is 10 hours in my policy), they for SOME reason authenticate as the "nobody" user - and as a result, get denied access: Some logs. A "healthy" connection to the service: [2008/08/09 09:43:18, 1, pid=3893] smbd/service.c:(1033) aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) connect to service group_IT initially as user zebra (uid=1027, gid=1028) (pid 3893) Now, lets disconnect the share on the desktop: [2008/08/09 09:46:50, 1, pid=3893] smbd/service.c:(1230) aaa.bb.ccc.ddd (aaa.bb.ccc.ddd) closed connection to service group_IT Now, lets try reconnecting with our kerberos ticket in-tact and see what happens: [2008/08/09 09:53:16, 4, pid=3953] smbd/reply.c:(506) Client requested device type [A:] for share [GROUP_IT] [2008/08/09 09:53:16, 5, pid=3953] smbd/service.c:(1205) making a connection to 'normal' service group_it [2008/08/09 09:53:16, 2, pid=3953] smbd/service.c:(605) *guest user (from session setup) not permitted to access this share (group_IT)* *[2008/08/09 09:53:16, 3, pid=3953] smbd/error.c:(106)* *error packet at smbd/reply.c(514) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED* [2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(484) [2008/08/09 09:53:16, 5, pid=3953] lib/util.c:(494) size=35 smb_com=0x75 smb_rcls=34 smb_reh=0 smb_err=49152 smb_flg=136 smb_flg2=49153 smb_tid=65535 smb_pid=1 smb_uid=100 smb_mid=8 smt_wct=0 smb_bcc=0 [2008/08/09 09:53:20, 3, pid=3953] smbd/process.c:(1068) Transaction 9 of length 43 [2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(484) [2008/08/09 09:53:20, 5, pid=3953] lib/util.c:(494) size=39 smb_com=0x74 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=8 smb_flg2=49153 smb_tid=65535 smb_pid=1 smb_uid=100 smb_mid=9 smt_wct=2 smb_vwv[ 0]= 255 (0xFF) smb_vwv[ 1]=0 (0x0) smb_bcc=0 What the? I've got a legit ticket: MacbookPro:~ zebra$ klist Kerberos 5 ticket cache: 'API:Initial default ccache' Default principal: [EMAIL PROTECTED] Valid Starting ExpiresService Principal 08/09/08 09:42:32 08/09/08 19:42:32 krbtgt/[EMAIL PROTECTED] renew until 08/16/08 09:42:32 Frustratingly, if I to a kdestroy on my ticket on the client desktop, then remount the share, everything is perfect - I am the correct user, and all goes according to plan again. Has anyone ever come up against such issues? I am not sure if this is *too* Kerberos oriented for the samba list, or it is something you see all the time. Hopefully it is simply rectified. Thanks for your time. JC -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Auth Problem
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 10/02/2006 06:57 AM, Marian Neagul escreveu: > Hello, Hey! > I have a problem related to user authentication: Users can not login from > Windows workstations. > > I get the following error: > > "The system could not log you in. Make sure your User Name and domain are > correct then type your password again." > > Users can access shares, they are prompted for a user and password and it is > ok. The same user and password does not work for login. > > What could be the problem? I've posted the logs and smb.conf at > http://www.info.uvt.ro/~neagul/samba/ > > I want to mention that the server is a production server and was hit by a > hardware failure. :-( I restored everything but it doesn't work. Are you using LDAP, right? How did you restore the LDAP information? Did you define the proper sid on the Samba? Did you store the LDAP password (smbpasswd -w)? [2006/10/02 13:25:39, 5] lib/smbldap.c:smbldap_search_ext(1080) smbldap_search_ext: base => [dc=info,dc=uvt,dc=ro], filter => [(&(sambaSID=S-1-5-21-891903661-3504879653-345467806-501)(objectclass=sambaSamAccount))], scope => [2] [2006/10/02 13:25:39, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1569) ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-891903661-3504879653-345467806-501] count=0 This is what got my attention. > Thank you! > Marian Neagul I hope this helps. - -- Felipe Augusto van de Wiel <[EMAIL PROTECTED]> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300) -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org iD8DBQFFIppjCj65ZxU4gPQRAoKuAJ96D185sPZApFZgI9/vFdeeCk9eogCfdDHC Gk0oDXbmJej8VJwseKASJ+g= =Dn4f -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Auth Problem
Hello, I have a problem related to user authentication: Users can not login from Windows workstations. I get the following error: "The system could not log you in. Make sure your User Name and domain are correct then type your password again." Users can access shares, they are prompted for a user and password and it is ok. The same user and password does not work for login. What could be the problem? I've posted the logs and smb.conf at http://www.info.uvt.ro/~neagul/samba/ I want to mention that the server is a production server and was hit by a hardware failure. :-( I restored everything but it doesn't work. Thank you! Marian Neagul -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] auth problem: wbinfo works, smbclient doesn't
Hi all, I'm still having this problem. What could possibly cause authentication to work via wbinfo, but not via smbclient? Any clues or pointers as to where I should be looking? I assumed the authentication code (the bit that talks to winbindd) would be the same. Many thanks in advance, Timbo. On 29/03/06, Tim <[EMAIL PROTECTED]> wrote: > Hi guys, > > I have a strange problem. I can authenticate a user with wbinfo from my > domain > controller (security =3D ads), however when I try and map a share, the > authentication fails. i.e. > > # wbinfo -a 'COAL+bcanglo%bcpass' > plaintext password authentication succeeded > challenge/response password authentication succeeded > > # smbclient '\\xxx\timtest' -U 'COAL\bcanglo' bcpass > added interface ip=3D10.xxx.xxx.101 bcast=3D10.xxx.xxx.255 nmask=255.255.255.0 > Client started (version 3.0.14a based HP CIFS Server A.02.02). > Connecting to 10.xxx.xxx.101 at port 445 > session setup failed: NT_STATUS_LOGON_FAILURE > > Note: That share definately exists. > > I'm running winbindd in debug mode and I can see both commands talk to winbind > and both attempt to talk to the domain controller. Yet wbinfo works fine, > and > smbclient fails with this: > > add_trusted_domain: COAL is an ADS native mode domain > [ 2547]: request interface version > [ 2547]: request location of privileged pipe > [ 2547]: getpwnam coal+bcanglo > ads: fetch sequence_number for COAL > sys_gethostbyname: Unknown host. \\10.xx.xx.101 > ads_connect for domain COAL failed: No such file or directory > user 'bcanglo' does not exist > [ 2547]: getpwnam COAL+bcanglo > user 'bcanglo' does not exist > [ 2547]: getpwnam COAL+BCANGLO > user 'BCANGLO' does not exist > > ..and smbd debug says: > > check_ntlm_password: Authentication for user [bcanglo] -> [bcanglo] FAILED > with error NT_STATUS_NO_SUCH_USER > > which makes no sense, because the user DEFINATELY exists, and the > winbindd/krb/ldap stuff is DEFINATELY set up and working: > > # wbinfo -n 'COAL+bcanglo' > S-1-5-21-1955927045-6-239210854-5002 User (1) > # wbinfo -n 'COAL+BCANGLO' > S-1-5-21-1955927045-6-239210854-5002 User (1) > > Now, interestingly if I use smbclient and intentionally get the password > wrong, > smbd says this: > > check_ntlm_password: Authentication for user [bcanglo] -> [bcanglo] FAILED > with > error NT_STATUS_WRONG_PASSWORD > > Busted! So I know its talking to the domain controller, and I know that it > knows the user exists. > > Note: The COAL domain is a trusted domain: > > # wbinfo -m > XX > BUILTIN > COAL > > I'm running the latest HP-UX packages and recommended libraries, so > this version of Samba is: > > # smbd -V > Version 3.0.14a based HP CIFS Server A.02.02 > > So why can I test out a username/password with wbinfo, but get "User does not > exist" when I try and map a share with smbclient? > > If you need more verbose debug output from smbd or winbindd, I'll be happy to > put some in. > > Thanks, > > Tim. > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/listinfo/samba > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] auth problem: wbinfo works, smbclient doesn't
Hi guys, I have a strange problem. I can authenticate a user with wbinfo from my domain controller (security =3D ads), however when I try and map a share, the authentication fails. i.e. # wbinfo -a 'COAL+bcanglo%bcpass' plaintext password authentication succeeded challenge/response password authentication succeeded # smbclient '\\xxx\timtest' -U 'COAL\bcanglo' bcpass added interface ip=3D10.xxx.xxx.101 bcast=3D10.xxx.xxx.255 nmask=255.255.255.0 Client started (version 3.0.14a based HP CIFS Server A.02.02). Connecting to 10.xxx.xxx.101 at port 445 session setup failed: NT_STATUS_LOGON_FAILURE Note: That share definately exists. I'm running winbindd in debug mode and I can see both commands talk to winbind and both attempt to talk to the domain controller. Yet wbinfo works fine, and smbclient fails with this: add_trusted_domain: COAL is an ADS native mode domain [ 2547]: request interface version [ 2547]: request location of privileged pipe [ 2547]: getpwnam coal+bcanglo ads: fetch sequence_number for COAL sys_gethostbyname: Unknown host. \\10.xx.xx.101 ads_connect for domain COAL failed: No such file or directory user 'bcanglo' does not exist [ 2547]: getpwnam COAL+bcanglo user 'bcanglo' does not exist [ 2547]: getpwnam COAL+BCANGLO user 'BCANGLO' does not exist ..and smbd debug says: check_ntlm_password: Authentication for user [bcanglo] -> [bcanglo] FAILED with error NT_STATUS_NO_SUCH_USER which makes no sense, because the user DEFINATELY exists, and the winbindd/krb/ldap stuff is DEFINATELY set up and working: # wbinfo -n 'COAL+bcanglo' S-1-5-21-1955927045-6-239210854-5002 User (1) # wbinfo -n 'COAL+BCANGLO' S-1-5-21-1955927045-6-239210854-5002 User (1) Now, interestingly if I use smbclient and intentionally get the password wrong, smbd says this: check_ntlm_password: Authentication for user [bcanglo] -> [bcanglo] FAILED with error NT_STATUS_WRONG_PASSWORD Busted! So I know its talking to the domain controller, and I know that it knows the user exists. Note: The COAL domain is a trusted domain: # wbinfo -m XX BUILTIN COAL I'm running the latest HP-UX packages and recommended libraries, so this version of Samba is: # smbd -V Version 3.0.14a based HP CIFS Server A.02.02 So why can I test out a username/password with wbinfo, but get "User does not exist" when I try and map a share with smbclient? If you need more verbose debug output from smbd or winbindd, I'll be happy to put some in. Thanks, Tim. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] auth problem
On Fri, 2005-09-23 at 09:43 -0600, Ric Tibbetts wrote: [...] > > Greg; > Well, what was working yesterday, has stopped today. This is getting > frustrating. I have been seeing spotty workings as well, usually though it is the ADS integration, with the ADS side being 99.99% of the trouble. Being mostly un-known and blindly following M$ advice Admins. > In short: I'm trying to use Samba in it's most basic form. I don't > need a windows login server, nor a domain controller, none of that. > I just, very simply, need it serve out shares to already logged in > windows users. I've done this many times, in other places. I can't > possibly imagine why it's not working now. I don't need a passwd > database. I don't even need passwords. That is a bugger. > The process is: > > 1) users are at a PC (which is already logged in via the Windows ADS. > 2) Users need a share from Unix server "X" > 3) uinx server "X" should only need to validate that the request is > coming from a valid subnet, from a valid user. They don't need > anything else. Just the share. > > That's it. This is Samba at it's simplest. > The only wrinkle in this whole thing is that the user names between > the windows side, and the Unix side, don't match. So I have a > smbusers file to translate that. Other than that, it's all pretty basic. > > I'm getting crazy errors in the logs. Everything from unknown user, > to no domain controller, to no password server, etc... It's almost random. > What was working yesterday, is dead today, and I didn't change > anything while I was at home last night. > > I'll strip it all down "again" today, and piece it back together, and > hope I can make it work again. > This is just nuts. Yep, sometimes I have found SWAT to be the best bet against spelling errors and or erroneous settings. Good luck. -- greg, [EMAIL PROTECTED] The technology that is Stronger, Better, Faster: Linux Use Debian GNU/Linux, its a bazaar thing. signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] auth problem
At 08:54 AM 9/23/2005, Greg Folkert wrote: On Thu, 2005-09-22 at 14:48 -0600, Ric Tibbetts wrote: > > > >There is a terribly good howto: > > > >http://www.idealx.org/prj/samba/smbldap-howto.en.html > > > Thank you! > That helped, I'm closer. > I left out one line from my smb.conf > I found it from digging through that how-to. > > password server = > > With that in, it now picks up the users from LDAP, which is exactly > what I was after! > Now I just need to work out a performance issue. getting the IDs from > LDAP is SLOW > It works, just as I wanted it to. It's just slow. Well, it depends. How *slow* is slow? And also, have you cranked up the logging on the auth part? log level = passdb:10 auth:10 Also have you set: passdb backend = ldapsam ldap://auth.yourhost.com I am also assuming you have all the LDAP stuff setup properly, of course as needed/if needed. ldap admin dn ldap delete dn ldap filter ldap group suffix ldap idmap suffix ldap machine suffix ldap passwd sync ldap replication sleep ldap suffix ldap timeout ldap user suffix Hopefully, if you have good throughput, its all in these settings. If you don't have good throughput... well time to check the networking tweaks for samba. Also, if the delay turns out to be a lookup delay, try hard coding the name and ipaddr in the /etc/hosts file on the AIX box. This sometimes is a good work around for DNS queries gone bad. Greg; Well, what was working yesterday, has stopped today. This is getting frustrating. In short: I'm trying to use Samba in it's most basic form. I don't need a windows login server, nor a domain controller, none of that. I just, very simply, need it serve out shares to already logged in windows users. I've done this many times, in other places. I can't possibly imagine why it's not working now. I don't need a passwd database. I don't even need passwords. The process is: 1) users are at a PC (which is already logged in via the Windows ADS. 2) Users need a share from Unix server "X" 3) uinx server "X" should only need to validate that the request is coming from a valid subnet, from a valid user. They don't need anything else. Just the share. That's it. This is Samba at it's simplest. The only wrinkle in this whole thing is that the user names between the windows side, and the Unix side, don't match. So I have a smbusers file to translate that. Other than that, it's all pretty basic. I'm getting crazy errors in the logs. Everything from unknown user, to no domain controller, to no password server, etc... It's almost random. What was working yesterday, is dead today, and I didn't change anything while I was at home last night. I'll strip it all down "again" today, and piece it back together, and hope I can make it work again. This is just nuts. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] auth problem
On Thu, 2005-09-22 at 14:48 -0600, Ric Tibbetts wrote: > > > >There is a terribly good howto: > > > >http://www.idealx.org/prj/samba/smbldap-howto.en.html > > > Thank you! > That helped, I'm closer. > I left out one line from my smb.conf > I found it from digging through that how-to. > > password server = > > With that in, it now picks up the users from LDAP, which is exactly > what I was after! > Now I just need to work out a performance issue. getting the IDs from > LDAP is SLOW > It works, just as I wanted it to. It's just slow. Well, it depends. How *slow* is slow? And also, have you cranked up the logging on the auth part? log level = passdb:10 auth:10 Also have you set: passdb backend = ldapsam ldap://auth.yourhost.com I am also assuming you have all the LDAP stuff setup properly, of course as needed/if needed. ldap admin dn ldap delete dn ldap filter ldap group suffix ldap idmap suffix ldap machine suffix ldap passwd sync ldap replication sleep ldap suffix ldap timeout ldap user suffix Hopefully, if you have good throughput, its all in these settings. If you don't have good throughput... well time to check the networking tweaks for samba. Also, if the delay turns out to be a lookup delay, try hard coding the name and ipaddr in the /etc/hosts file on the AIX box. This sometimes is a good work around for DNS queries gone bad. -- greg, [EMAIL PROTECTED] The technology that is Stronger, Better, Faster: Linux Use Debian GNU/Linux, its a bazaar thing. signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] auth problem
There is a terribly good howto: http://www.idealx.org/prj/samba/smbldap-howto.en.html Thank you! That helped, I'm closer. I left out one line from my smb.conf I found it from digging through that how-to. password server = With that in, it now picks up the users from LDAP, which is exactly what I was after! Now I just need to work out a performance issue. getting the IDs from LDAP is SLOW It works, just as I wanted it to. It's just slow. -Ric -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] auth problem
On Thu, 2005-09-22 at 09:43 -0600, Ric Tibbetts wrote: > Okay, I'll keep asking questions, until I word one in a way that > someone will answer. :) > > i'm trying to get Samba setup. I've done this before, and it has > never given me this much trouble. > In short, it seems to be insisting that the user be in smbpasswd > (I've not experienced this before). > > If the user is in smbpasswd, all seems well. If not, even though they > exist on the server (via ldap + kerberos), I get a user not found error. > On the last set of servers I did this on, even ones who authenticate > via ldap, I never did anything special to samba to get it to work. > But I've not been so lucky this time. > > The setup: > > Server: IBM AIX 5.2 > Samba 3.0.14a > > Authentication: LDAP > Security: Kerberos > > The user entry in /etc/security/user: > > SYSTEM = "KRB5files" > > smb.conf (in a simple form) > >[global] > workgroup = WIN > log level = 5 auth > log file = /var/log/samba/%m.log > username map = /usr/local/samba/lib/smbusers > > [Homes] > comment = User home directories > guest ok = no > read only = No > > I need the username map because the user names do not match between > the windows clients & the samba server. So I need to map the translation. > > > When I try to access the system, I get an unknown user error. > > The ONLY thing I need samba to do is provide shares (not shown above) > to windows users. Nothing else. > If, I add a user to samba with smbpasswd . then the users can > access the shares. If not, they can't. > I also, in the past have not had a server prompt me for passwords to > access shares. > I'm missing something really obvious. > I'd really appreciate some assistance on this one. There is a terribly good howto: http://www.idealx.org/prj/samba/smbldap-howto.en.html -- greg, [EMAIL PROTECTED] The technology that is Stronger, Better, Faster: Linux Use Debian GNU/Linux, its a bazaar thing. signature.asc Description: This is a digitally signed message part -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] auth problem
Okay, I'll keep asking questions, until I word one in a way that someone will answer. :) i'm trying to get Samba setup. I've done this before, and it has never given me this much trouble. In short, it seems to be insisting that the user be in smbpasswd (I've not experienced this before). If the user is in smbpasswd, all seems well. If not, even though they exist on the server (via ldap + kerberos), I get a user not found error. On the last set of servers I did this on, even ones who authenticate via ldap, I never did anything special to samba to get it to work. But I've not been so lucky this time. The setup: Server: IBM AIX 5.2 Samba 3.0.14a Authentication: LDAP Security: Kerberos The user entry in /etc/security/user: SYSTEM = "KRB5files" smb.conf (in a simple form) [global] workgroup = WIN log level = 5 auth log file = /var/log/samba/%m.log username map = /usr/local/samba/lib/smbusers [Homes] comment = User home directories guest ok = no read only = No I need the username map because the user names do not match between the windows clients & the samba server. So I need to map the translation. When I try to access the system, I get an unknown user error. The ONLY thing I need samba to do is provide shares (not shown above) to windows users. Nothing else. If, I add a user to samba with smbpasswd . then the users can access the shares. If not, they can't. I also, in the past have not had a server prompt me for passwords to access shares. I'm missing something really obvious. I'd really appreciate some assistance on this one. thanks in advance! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Auth problem
Hi All, I am experiencing a strange problem with authentication process. Everything was going very fine until today, my users account stop to login on domain, but the administrator account is the only one that can do it without problems. I get this error log. Sep 19 11:04:32 zeus smbd[3227]: [2005/09/19 11:04:32, 2] smbd/sesssetup.c:setup_new_vc_session(608) Sep 19 11:04:32 zeus smbd[3227]: setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. Sep 19 11:04:32 zeus smbd[3227]: [2005/09/19 11:04:32, 2] smbd/sesssetup.c:setup_new_vc_session(608) Sep 19 11:04:32 zeus smbd[3227]: setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. Sep 19 11:04:32 zeus smbd[3227]: [2005/09/19 11:04:32, 2] lib/smbldap.c:smbldap_open_connection(692) Sep 19 11:04:32 zeus smbd[3227]: smbldap_open_connection: connection opened Sep 19 11:04:32 zeus slapd[2123]: conn=29 fd=20 ACCEPT from IP=127.0.0.1:32806 (IP=0.0.0.0:389) Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=0 BIND dn="cn=admin,dc=cultura,dc=gov,dc=br" method=128 Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=0 BIND dn="cn=admin,dc=cultura,dc=gov,dc=br" mech=SIMPLE ssf=0 Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=0 RESULT tag=97 err=0 text= Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=1 SRCH attr=supportedControl Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=2 SRCH base="dc=cultura,dc=gov,dc=br" scope=2 deref=0 filter="(&(uid=testuser)(objectClass=sambaSamAccount))" Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp Sep 19 11:04:32 zeus slapd[2123]: conn=29 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text= Sep 19 11:04:32 zeus smbd[3227]: [2005/09/19 11:04:32, 2] auth/auth.c:check_ntlm_password(312) Sep 19 11:04:32 zeus smbd[3227]: check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER Sep 19 11:04:32 zeus smbd[3227]: [2005/09/19 11:04:32, 2] smbd/server.c:exit_server(609) Sep 19 11:04:32 zeus smbd[3227]: Closing connections Sep 19 11:04:32 zeus slapd[2123]: conn=29 fd=20 closed Anyone have an idea to fix it? Thanks, Sergio -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Auth problem?
When I connected Samba 3.0 as ADS Domain member, I always got error messages as below. Nov 25 18:10:12 maorui 11?? 25 18:10:12 smbd[11169]: [2003/11/25 18:10:12, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 25 18:10:12 maorui 11?? 25 18:10:12 smbd[11169]: make_server_info_info3: pdb_init_sam failed! And Windows client cannot show share list. What's the error messages mean? -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] auth problem on Samba 3 & W2k PDC
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi all currently i have a w2k box configured as a PDC, I want to set samba server to be a file server. It did work when I use Samba 2.2. after upgrading to 3, i always got "session setup failed: NT_STATUS_LOGON_FAILURE", any one has experience on successful configuration. Tao System Administrator Interflex Marketing Ltd. -BEGIN PGP SIGNATURE- Version: PGP 8.0.2 iQA/AwUBP7trSjM+X4ldyO1GEQJ74ACg2V2AAomcNIUFLPvNEjZJcw0rHu8AoM3M a/XteRJBpR+9THhbXtSYCqdk =Z2g0 -END PGP SIGNATURE- -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Auth problem
Linuxbox with Samba 3.0 has been joined Win2k domain with command "net ads join" & "net rpc join". winbindd & smbd & nmbd started successfully without any error messages. I could use "wbinfo -u" & "wbinfo -g" to get domain user/group list. But I cannot use "genent passwd" to get New mapped uid, it only returned local linux accounts. When I connected to Samba from Windows 2k/xp client, I got a error message - 'cannot found computer 192.168.0.227'. And I got a lot error message in /var/log/messages: Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: [2003/11/14 15:42:52, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: [2003/11/14 15:42:52, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: [2003/11/14 15:42:52, 0] auth/auth_domain.c:check_trustdomain_security(367) Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: check_trustdomain_security: could not fetch trust account password for domain DOMAIN Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: [2003/11/14 15:42:52, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: [2003/11/14 15:42:52, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: [2003/11/14 15:42:52, 0] auth/auth_domain.c:check_trustdomain_security(367) Nov 14 15:42:52 maorui 11?? 14 15:42:52 smbd[3960]: check_trustdomain_security: could not fetch trust account password for domain DOMAIN Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: [2003/11/14 15:42:54, 0] auth/auth_domain.c:check_trustdomain_security(367) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: check_trustdomain_security: could not fetch trust account password for domain DOMAIN Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: [2003/11/14 15:42:54, 0] auth/auth_domain.c:check_trustdomain_security(367) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3961]: check_trustdomain_security: could not fetch trust account password for domain DOMAIN Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3962]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3962]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3962]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3962]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3962]: [2003/11/14 15:42:54, 0] auth/auth_domain.c:check_trustdomain_security(367) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3962]: check_trustdomain_security: could not fetch trust account password for domain DOMAIN Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: [2003/11/14 15:42:54, 0] auth/auth_domain.c:check_trustdomain_security(367) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: check_trustdomain_security: could not fetch trust account password for domain DOMAIN Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: [2003/11/14 15:42:54, 0] auth/auth_util.c:make_server_info_info3(1017) Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[3963]: make_server_info_info3: pdb_init_sam failed! Nov 14 15:42:54 maorui 11?? 14 15:42:54 smbd[