Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L
In addition to my last email (the one with my smb.conf)
I also found out that:
if I connect the share using \\\
I get access to the share after NTLM has been used.
and
if I connect using \\\
I get access denied (NTLM is still used...)

> Nir L wrote:
> 
> | smb.conf:
> | security = ADS
> | I also configured /etc/krb5.conf and used net ads join
> | - successfully.
> |
> | However, I can see that NTLM is the chosen protocol for
> | each client machine (WinXP) accessing samba, and kerberos
> | is not used (from the log):
> | using SPNEGO
> | Selected protocol NT LM 0.12
> 
> This is the smb protocol dialect and has nothing to do
> with the authentication chosen (not directly at least).
> 
> | even though I tried to set "client use spnego = no"
> 
> That applies only to Samba's client code and not the
> capability bits set by the server when replying to
> clients.  Besides, you really should not disable spnego.
> Generally if it doesn't work it would be considered a bug.
> 
> | How can I force samba to use kerberos ?
> 
> Look for the SPNEGO communication in the level 10 log.
> Hint: search for the string 'OID' and see what mechanism
> is being negotiated.
> 
> 
> 
> 
> 
> cheers, jerry
> - -
> Alleviating the pain of Windows(tm)  --- http://www.samba.org
> GnuPG Key- http://www.plainjoe.org/gpg_public.asc
> "If we're adding to the noise, turn off this song"--Switchfoot (2003)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L

> Nir L wrote:
>
> | smb.conf:
> | security = ADS
> | I also configured /etc/krb5.conf and used net ads join
> | - successfully.
> |
> | However, I can see that NTLM is the chosen protocol for
> | each client machine (WinXP) accessing samba, and kerberos
> | is not used (from the log):
> | using SPNEGO
> | Selected protocol NT LM 0.12
>
> This is the smb protocol dialect and has nothing to do
> with the authentication chosen (not directly at least).
>
> | even though I tried to set "client use spnego = no"
>
> That applies only to Samba's client code and not the
> capability bits set by the server when replying to
> clients.  Besides, you really should not disable spnego.
> Generally if it doesn't work it would be considered a bug.
>
> | How can I force samba to use kerberos ?
>
> Look for the SPNEGO communication in the level 10 log.

I tried...
I finally got "not using SPNEGO", but still - got
Using protocol NT LM 0.12 after the SPNEGO message.

> Hint: search for the string 'OID' and see what mechanism

no OID strings in my log.

> is being negotiated.

here is my smb.conf.
[global]
workgroup = domain2003
netbios name = defconn2Logs
server string = Major Samba
encrypt passwords = Yes
log level = 10
log file = /var/samba/logs/log.%m
lock dir = /var/samba/locks
pid directory = /var/run
max log size = 5
preferred master = False
local master = No
domain master = False
dns proxy = No
guest account = pacifsconn
create mask = 0775
dead time = 15
debug pid = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
oplocks = Yes
kernel oplocks = Yes
level2 oplocks = Yes
defer sharing violations = No
name resolve order = lmhosts wins bcast host
debug hires timestamp = Yes
wins server = 192.168.41.108
realm = DOMAIN2003.com
security = ADS
domain logons = No
client use spnego = No
use spnego = No
map to guest = bad password
map hidden = Yes
map system = Yes
force group = 1
bind interfaces only = Yes
interfaces = 192.168.41.139
smb passwd file = /var/samba/private/
private dir = /var/samba/private
winbind separator = +
idmap uid = 1-3
idmap gid = 1-3
winbind enum users = Yes
winbind enum groups = Yes
template homedir = /home/winnt/%D/%U
template shell = /bin/bash
use sendfile = No
strict locking = Yes
disable spoolss = Yes
mangling method = hash2

[Logs]
comment = Share for Logs
path = /var/log
browseable = Yes
read only = Yes
available = Yes
writeable = No
valid users = NONE EXCEPT  domain2003+user2
map archive = Yes
hide dot files = No
directory mask = 751
dos filemode = Yes

and part of the logfile:
challenge is:
[2004/12/06 20:03:36.498409, 5, pid=4142] lib/util.c:dump_data(1899)
  [000] AB 02 01 6F AA E3 15 2F   ...o.../
[2004/12/06 20:03:36.498603, 3, pid=4142] smbd/negprot.c:reply_nt1(327)
  not using SPNEGO
[2004/12/06 20:03:36.498710, 3, pid=4142] smbd/negprot.c:reply_negprot(549)
  Selected protocol NT LM 0.12
[2004/12/06 20:03:36.498811, 5, pid=4142] smbd/negprot.c:reply_negprot(555)
  negprot index=5
[2004/12/06 20:03:36.498918, 5, pid=4142] lib/util.c:show_msg(461)
[2004/12/06 20:03:36.498982, 5, pid=4142] lib/util.c:show_msg(471)
  size=99
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=49153
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=0
  smt_wct=17
  smb_vwv[ 0]=5 (0x5)
  smb_vwv[ 1]=12803 (0x3203)
  smb_vwv[ 2]=  256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]=   65 (0x41)
  smb_vwv[ 5]=0 (0x0)
  smb_vwv[ 6]=  256 (0x100)
  smb_vwv[ 7]=11776 (0x2E00)
  smb_vwv[ 8]=   16 (0x10)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]=32995 (0x80E3)
  smb_vwv[11]=0 (0x0)
  smb_vwv[12]=62284 (0xF34C)
  smb_vwv[13]=48615 (0xBDE7)
  smb_vwv[14]=50395 (0xC4DB)
  smb_vwv[15]=34817 (0x8801)
  smb_vwv[16]= 2303 (0x8FF)
  smb_bcc=30
[2004/12/06 20:03:36.500113, 10, pid=4142] lib/util.c:dump_data(1899)
  [000] AB 02 01 6F AA E3 15 2F  44 00 4F 00 4D 00 41 00  ...o.../ D.O.M.A.
  [010] 49 00 4E 00 32 00 30 00  30 00 33 00 00 00        I.N.2.0. 0.3...
[2004/12/06 20:03:36.500380, 6, pid=4142] lib/util_sock.c:write_socket(449)
  write_socket(22,103)
[2004/12/06 20:03:36.500758, 6, pid=4142] lib/util_sock.c:write_socket(452)
  write_socket(22,103) wrote 103
[2004/12/06 20:03:36.513975, 10, pid=4142] lib/util_sock.c:read_smb_length_return_keepalive(505)
  got smb length of 308
[2004/12/06 20:03:36.514150, 6, pid=4142] smbd/process.c:process_smb(1091)
  got message type 0x0 of len 0x134
[2004/12/06 20:03:36.514264, 3

Re: [Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Gerald (Jerry) Carter
Nir L wrote:

| smb.conf:
| security = ADS
| I also configured /etc/krb5.conf and used net ads join
| - successfully.
|
| However, I can see that NTLM is the chosen protocol for
| each client machine (WinXP) accessing samba, and kerberos
| is not used (from the log):
| using SPNEGO
| Selected protocol NT LM 0.12

This is the smb protocol dialect and has nothing to do
with the authentication chosen (not directly at least).

| even though I tried to set "client use spnego = no"

That applies only to Samba's client code and not the
capability bits set by the server when replying to
clients.  Besides, you really should not disable spnego.
Generally if it doesn't work it would be considered a bug.

| How can I force samba to use kerberos ?

Look for the SPNEGO communication in the level 10 log.
Hint: search for the string 'OID' and see what mechanism
is being negotiated.


cheers, jerry
- -
Alleviating the pain of Windows(tm)  --- http://www.samba.org
GnuPG Key- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)


[Samba] disable NTLM on Fedora samba-3.0.9

2004-12-06 Thread Nir L
Hi all,

I have successfully configured a samba server as a domain member in my 2003
domain (native mode 2003).
I also configured winbind, and my domain users successfully can access
shares in the samba server.
smb.conf:
security = ADS
I also configured /etc/krb5.conf and used net ads join - successfully.

However, I can see that NTLM is the chosen protocol for each client machine
(WinXP) accessing samba, and kerberos is not used:
from the log:
using SPNEGO
Selected protocol NT LM 0.12

even though I tried to set "client use spnego = no"

How can I force samba to use kerberos ?

Thanks,
Nir
