From: Damien Dye on
how are you supplying the server with the username from the failing client

the username should be sambaservername\username so that the samba
server can authenticate against its local sam.

regards

--
Damien Dye BSC(hon)




On 5 May 2010 03:01, <osp(a)aloha.com> wrote:
> On 2010-05-04 16:16:49 GMT osp(a)aloha.com (that's me) wrote:
>
>>> I think I can run a test using plain, out-of-the-box Vista. Maybe even XP.
>>> Will post results when I have them.
>>
>>It works with out-of-the-box Vista. I'll examine the logs and post what
>>falls out tomorrow.
>
> I compared the log from the successful Vista connect to the one from the
> failed connect. Below are several excerpts. Lines that begin with "S" are
> from the successful log, and lines that begin with "F" are from the failed
> log. I can post the entire log if that will help.
>
> To reiterate, both client computers are running Vista. The one that cannot
> connect (F) is a member of a domain and has security settings pushed down
> from the domain controller. It can connect to servers in its domain. The
> one that can connect (S) is out-of-the-box Vista and is not a member of a
> domain ... it is still in the WORKGROUP workgroup.
>
> The first notable deviation appears at line 99. (I added the asterisks.)
> The F log has "smbd/process.c:smbd_process" while the S log has
> "smbd/process.c:process_smb." The next line of the F log suggests that it
> is out of input, while the S log indicates it has more to process. About 60
> lines later both show a successful authentication. About 50 lines later
> (F=235, S=261) we see identical entries about SIDs and permissions. A bit
> later, while connecting to the IPC$ service, we see a similar divergence as
> at line 99, the F client gets "NT_STATUS_END_OF_FILE" while the S client
> keeps on going.
>
> I hope that is enough to shed some light on this issue, and I hope the
> result is a way to connect from the F client without having to modify its
> security settings.
>
> Is there a simpler way to connect, one that does not trip over the
> authentication step? Username/password access control is sort of overkill
> given that the handful of people who connect will be at the same table
> working together. Physical security should be enough.
>
>
> F = failed session
> S = successful session
>
> F  98     error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> F  99   [2010/04/29 15:06:48,  3] smbd/process.c:smbd_process(1930) *********
> F 100     receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
> F 101   [2010/04/29 15:06:48,  3] smbd/sec_ctx.c:set_sec_ctx(324)
> F 102     setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> F 103   [2010/04/29 15:06:48,  3] smbd/connection.c:yield_connection(31)
> F 104     Yielding connection to
> F 105   [2010/04/29 15:06:48,  3] smbd/server.c:exit_server_common(974)
> F 106     Server exit (normal exit)
>
> S  98     error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> S  99   [2010/05/04 15:20:57,  3] smbd/process.c:process_smb(1554) ***********
> S 100     Transaction 3 of length 142 (0 toread)
> S 101   [2010/05/04 15:20:57,  3] smbd/process.c:switch_message(1378)
> S 102     switch message SMBsesssetupX (pid 1180) conn 0x0
> S 103   [2010/05/04 15:20:57,  3] smbd/sec_ctx.c:set_sec_ctx(324)
> S 104     setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> S 105   [2010/05/04 15:20:57,  3] smbd/sesssetup.c:reply_sesssetup_and_X(1412)
> S 106     wct=12 flg2=0xc807
> S 107   [2010/05/04 15:20:57,  2] smbd/sesssetup.c:setup_new_vc_session(1368)
> S 108     setup_new_vc_session: New VC == 0, if NT4.x compatible we would
> close all old resources.
>
> -----
>
> F 167   [2010/04/29 15:06:56,  3] auth/auth.c:check_ntlm_password(269)
> F 168     check_ntlm_password: sam authentication for user [g8team] succeeded
>
> S 193   [2010/05/04 15:20:57,  3] auth/auth.c:check_ntlm_password(269)
> S 194     check_ntlm_password: sam authentication for user [g8team] succeeded
>
> -----
>
> F 235   [2010/04/29 15:06:56,  3] lib/privileges.c:get_privileges(63)
> F 236     get_privileges: No privileges assigned to SID
> [S-1-5-21-1265442170-81825414-2419232721-501]
> F 237   [2010/04/29 15:06:56,  3] lib/privileges.c:get_privileges(63)
> F 238     get_privileges: No privileges assigned to SID [S-1-22-2-1002]
> F 239   [2010/04/29 15:06:56,  3] lib/privileges.c:get_privileges(63)
> F 240     get_privileges: No privileges assigned to SID [S-1-5-2]
> F 241   [2010/04/29 15:06:56,  3] lib/privileges.c:get_privileges(63)
> F 242     get_privileges: No privileges assigned to SID [S-1-5-11]
>
> S 261   [2010/05/04 15:20:57,  3] lib/privileges.c:get_privileges(63)
> S 262     get_privileges: No privileges assigned to SID
> [S-1-5-21-1265442170-81825414-2419232721-501]
> S 263   [2010/05/04 15:20:57,  3] lib/privileges.c:get_privileges(63)
> S 264     get_privileges: No privileges assigned to SID [S-1-22-2-1002]
> S 265   [2010/05/04 15:20:57,  3] lib/privileges.c:get_privileges(63)
> S 266     get_privileges: No privileges assigned to SID [S-1-5-2]
> S 267   [2010/05/04 15:20:57,  3] lib/privileges.c:get_privileges(63)
> S 268     get_privileges: No privileges assigned to SID [S-1-5-11]
>
> -----
>
> F 346     shafp09wk102123 (10.0.1.10) connect to service IPC$ initially as
> user g8team (uid=1002, gid=1002) (pid 1224)
> F 347   [2010/04/29 15:06:56,  3] smbd/sec_ctx.c:set_sec_ctx(324)
> F 348     setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> F 349   [2010/04/29 15:06:56,  3] smbd/reply.c:reply_tcon_and_X(794)
> F 350     tconX service=IPC$
> F 351   [2010/04/29 15:06:56,  3] smbd/process.c:smbd_process(1930)
> *************
> F 352     receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>
> S 372     g864001 (10.0.1.12) connect to service IPC$ initially as user
> g8team (uid=1002, gid=1002) (pid 1180)
> S 373   [2010/05/04 15:20:57,  3] smbd/sec_ctx.c:set_sec_ctx(324)
> S 374     setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> S 375   [2010/05/04 15:20:57,  3] smbd/reply.c:reply_tcon_and_X(794)
> S 376     tconX service=IPC$
> S 377   [2010/05/04 15:20:57,  3] smbd/process.c:process_smb(1554)
> **************
> S 378     Transaction 6 of length 112 (0 toread)
> S 379   [2010/05/04 15:20:57,  3] smbd/process.c:switch_message(1378)
> S 380     switch message SMBtrans2 (pid 1180) conn 0x21d66330
> S 381   [2010/05/04 15:20:57,  3] smbd/sec_ctx.c:set_sec_ctx(324)
> S 382     setting sec ctx (1002, 1002) - sec_ctx_stack_ndx = 0
>
>
>
> Gary Dunn
> Open Slate
> Project
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
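Added example, not part of the original posts: one way to automate the side-by-side comparison described in the quoted message above, by reducing each smbd debug entry to its source file, function and message and reporting the first entry where the failed and successful sessions part ways. The sample input is the IPC$ excerpt quoted above with the poster's line numbers and asterisks removed; the function names and the masking rules are assumptions of this sketch.

```python
import re

# Header of a Samba debug entry: "[date time,  level] file.c:function(line)"
HEADER = re.compile(r"\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*\d+\]\s+(\S+?):(\w+)\(\d+\)")

def entries(log_text):
    """Return one (source_file, function, message) tuple per debug entry."""
    out = []
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            out.append([m.group(1), m.group(2), ""])
        elif out and line.strip():
            # Continuation lines belong to the most recent header.
            out[-1][2] = (out[-1][2] + " " + line.strip()).strip()
    return [tuple(e) for e in out]

def normalize(msg):
    """Mask values that differ between any two sessions (pointers, pids)."""
    msg = re.sub(r"0x[0-9a-fA-F]+", "<hex>", msg)
    return re.sub(r"pid \d+", "pid <n>", msg)

def first_divergence(failed_log, ok_log):
    """Index and both entries at the first point the two sessions differ."""
    pairs = zip(entries(failed_log), entries(ok_log))
    for i, (f, s) in enumerate(pairs):
        if (f[0], f[1], normalize(f[2])) != (s[0], s[1], normalize(s[2])):
            return i, f, s
    return None

# Sample input: taken from the F 347-352 and S 373-378 excerpts in the thread.
FAILED = """\
[2010/04/29 15:06:56,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/04/29 15:06:56,  3] smbd/reply.c:reply_tcon_and_X(794)
  tconX service=IPC$
[2010/04/29 15:06:56,  3] smbd/process.c:smbd_process(1930)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
"""
SUCCEEDED = """\
[2010/05/04 15:20:57,  3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/04 15:20:57,  3] smbd/reply.c:reply_tcon_and_X(794)
  tconX service=IPC$
[2010/05/04 15:20:57,  3] smbd/process.c:process_smb(1554)
  Transaction 6 of length 112 (0 toread)
"""

if __name__ == "__main__":
    print(first_divergence(FAILED, SUCCEEDED))
```

Timestamps and source line numbers are ignored, so two logs from the same smbd build line up even when captured days apart.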
From: osp on
> how are you supplying the server with the username from the failing client
>
> the username should be sambaservername\username so that the samba
> server can authenticate against its local sam.
>
> regards
>
> --
> Damien Dye BSC(hon)

You are correct, and I have tried it both ways. I have also tried using the
IP address, as in

net use x: \\10.0.1.1\work-clear /user:10.0.1.1\g8team

I get the password prompt, then a long pause, then the error 67 network name
could not be found.

I am thinking that the Vista client has been locked down so that it can
only connect to domain members. Is that even possible? Is there a command I
can use to list the GPOs in effect? Moot point, because the users will not
be able to change those.

Thanks again,

Gary Dunn
Open Slate Project


From: Michael Leone on
To see GPOs in effect, type GPRESULT.



On 5/14/10, osp(a)aloha.com <osp(a)aloha.com> wrote:
>> how are you supplying the server with the username from the failing client
>>
>> the username should be sambaservername\username so that the samba
>> server can authenticate against its local sam.
>>
>> regards
>>
>> --
>> Damien Dye BSC(hon)
>
> You are correct, and I have tried it both ways. I have also tried using the
> IP address, as in
>
> net use x: \\10.0.1.1\work-clear /user:10.0.1.1\g8team
>
> I get the password prompt, then a long pause, then the error 67 network name
> could not be found.
>
> I am thinking that the Vista client has been locked down so that it can
> only connect to domain members. Is that even possible? Is there a command I
> can use to list the GPOs in effect? Moot point, because the users will not
> be able to change those.
>
> Thanks again,
>
> Gary Dunn
> Open Slate Project
>
>
>

--
Sent from my mobile device

Michael J. Leone, <mailto:turgon(a)mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>