Bug 1036 - samba ads member server does _NOT_ accept userid/pw but only kerberos auth.
samba ads member server does _NOT_ accept userid/pw but only kerberos auth.
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool
3.0.2
All Linux
: P3 major
: none
Assigned To: Andrew Bartlett
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-02-04 07:50 UTC by Stefan Beck
Modified: 2005-11-14 09:28 UTC (History)
0 users

See Also:


Attachments
samba server logfile with loglevel 10 (35.87 KB, text/plain)
2004-02-05 11:02 UTC, Stefan Beck
no flags Details
ethereal dump of traffic between samba server and ads pdc (9.42 KB, application/octet-stream)
2004-02-05 11:05 UTC, Stefan Beck
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Beck 2004-02-04 07:50:10 UTC
samba ads member server does _NOT_ accept userid/pw but only kerberos auth.
win2k server accept both ...



I set up samba 3.0.2rc2 (also tried 3.0.1 which had other problems) on Debian
sid as an ADS member server:

- joining the domain works flawlessly

- browsing the samba server via 'smbclient -k -L //samba' works flawlessly

- browsing an Win2k member server via 'smbclient -L //win2k -U user%pw' works
flawlessly


- browsing the samba server via 'smbclient -L //samba -U user%pw' fails with
'session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE' (browsing via
'net view \\samba * /user:user' from XP yields the same: system errror 1789)
Tracing the network connection from the samba server to the ADS PDC with
ethereal shows that the samba server tries to connect \\PDC\IPC$ as anonymous
and this fails ...  



Any sugesstions/hints on this from the samba gurus ?
More debug info is available if required.


btw. there is an interessting little thing:

samba client and samba server negotiated as smb dialect: 'Samba'
according to http://www.ubiqx.org/cifs/SMB.html#SMB.6 this is not used anymore ...

samba client and win2k negotiated as smb dialect: 'NT LANMAN 1.0'
(as expected I would say).


my smb.conf:
[global]
        workgroup = ITER
        realm = ITEREU.DE
        server string = %h server (Samba %v)
        security = DOMAIN
        password server = 192.168.2.10
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
        client NTLMv2 auth = Yes
        log level = 10
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        server signing = auto
        deadtime = 15
        keepalive = 0
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
        load printers = No
        lm announce = No
        preferred master = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = 192.168.2.10
        ldap ssl = no
        utmp = Yes
        panic action = /usr/share/samba/panic-action %d
        invalid users = root
        hide special files = Yes
        delete veto files = Yes
        veto files = /.AppleDouble/.bin/.AppleDesktop/Network Trash Folder/
        map archive = No
Comment 1 Stefan Beck 2004-02-04 23:28:09 UTC
Of course I was using security = ADS. The snipplet from my smb.conf 
with 'security = domain' was the setting from another desperate testing 
session. Sorry for confusion.
Comment 2 Stefan Beck 2004-02-05 11:02:30 UTC
Created attachment 382 [details]
samba server logfile with loglevel 10

this is the output generated by the samba server when the client does
'smbclient //GFS1 -U user%pw'

loglevel was 10
Comment 3 Stefan Beck 2004-02-05 11:05:59 UTC
Created attachment 383 [details]
ethereal dump of traffic between samba server and ads pdc

this is the network trace  of the traffic between the samba server (gfs1,
194.59.170.5 and the ads pdc (iws82328, 192.168.2.10).
Comment 4 Volker Lendecke 2004-02-09 09:45:07 UTC
This is a case of RestrictAnonymous == 2, Windows member servers obviously
do DCERPC over TCP in this case.
Comment 5 Gerald (Jerry) Carter 2005-08-24 10:17:58 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 6 Gerald (Jerry) Carter 2005-11-14 09:28:16 UTC
database cleanup