From: Alex Ferrara on
I have seen this behaviour recently using Samba 3.4.5 from the Lucid
tree on Ubuntu 9.10

Try using domain\username for the username

To me, it appears to be a bug in winbind not using the default domain,
but I could be wrong.

Sent from my iPhone

On 20/02/2010, at 8:29 PM, grant little <grantliddle(a)gmail.com> wrote:

> Hello,
> having spent many hours scouring archives, docs, books and googling without
> finding an answer I need to ask your help on this.
>
> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can login
> to the share from windows clients but the same users are denied access when
> connecting from OS X via GO/Connect To Server in format
> smb://fqdnofserver
>
> user authentication is to active directory using kerberos and LDAP and am
> not running winbind
>
> pam.d/samba is set to allow smb logins, that is shell logins are not
> permitted for active directory authenticated users. here's that snippet:
> # /etc/pam.d/samba
> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
> account sufficient pam_ldap.so use_first_pass
> session sufficient pam_ldap.so
>
>
> I have tested my configs on samba 3.0.33 on CENTOS and it works fine there
> for both OS X and windows
>
> the share is setup on
> /shares/asgs
> with these permissions:
> drwxrwsrwx 8 root root 87 2010-02-20 00:17 shares
> drwxrws--- 2 grant ASGSFileUsers 18 2010-02-20 00:21 asgs
>
> here's smb.conf:
> [global]
> unix extensions = no
> disable spoolss = Yes
> disable netbios = yes
> name resolve order = hosts
> workgroup = AD
> realm = AD.UCSD.EDU
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> log level = 3
> panic action = /usr/share/samba/panic-action %d
> security = ads
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> pam password change = no
> map to guest = bad user
> usershare allow guests = no
> [asgs]
> comment = ASGS
> path = /shares/asgs
> browsable = Yes
> valid users = @ad\ASGSFileUsers
> write list = @ad\ASGSFileUsers
> create mask = 2660
> directory mask = 2770
>
> The tail n20 of the log of the connecting ip shows this for an OS X attempt:
> [2010/02/20 00:56:16, 3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
> Linux kernel oplocks enabled
> [2010/02/20 00:56:16, 3] smbd/process.c:1453(process_smb)
> Transaction 0 of length 51 (0 toread)
> [2010/02/20 00:56:16, 3] smbd/process.c:1272(switch_message)
> switch message SMBnegprot (pid 5658) conn 0x0
> [2010/02/20 00:56:16, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/20 00:56:16, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2010/02/20 00:56:16, 3] smbd/negprot.c:387(reply_nt1)
> using SPNEGO
> [2010/02/20 00:56:16, 3] smbd/negprot.c:672(reply_negprot)
> Selected protocol NT LM 0.12
> [2010/02/20 00:56:18, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/20 00:56:18, 3] smbd/connection.c:31(yield_connection)
> Yielding connection to
> [2010/02/20 00:56:18, 3] smbd/server.c:848(exit_server_common)
> Server exit (failed to receive smb request)
>
>
>
> Hope someone can give me a pointer where to look next or what to tweak.
> Let me know if you need other log snippets.
>
> Thanks,
> Grant
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
From: grant little on
Thanks Alex.
I'm not using winbind, just kerberos and LDAP and I have in all cases tried
both domain\username as well as username.

Here's a better dump of the ip log that happens on a failed login attempt
that seems to show that the authentication is OK from os x:
[2010/02/20 13:13:17, 3] smbd/process.c:1453(process_smb)
Transaction 2 of length 366 (0 toread)
[2010/02/20 13:13:17, 3] smbd/process.c:1272(switch_message)
switch message SMBsesssetupX (pid 6039) conn 0x0
[2010/02/20 13:13:17, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
wct=12 flg2=0xc801
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
Doing spnego session setup
[2010/02/20 13:13:17, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
[2010/02/20 13:13:17, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:19, 3] smbd/oplock.c:911(init_oplocks)
init_oplocks: initializing messages.
[2010/02/20 13:13:19, 3] smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
Linux kernel oplocks enabled
[2010/02/20 13:13:19, 3] smbd/process.c:1453(process_smb)
Transaction 0 of length 51 (0 toread)
[2010/02/20 13:13:19, 3] smbd/process.c:1272(switch_message)
switch message SMBnegprot (pid 6040) conn 0x0
[2010/02/20 13:13:19, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:19, 3] smbd/negprot.c:567(reply_negprot)
Requested protocol [NT LM 0.12]
[2010/02/20 13:13:19, 3] smbd/negprot.c:387(reply_nt1)
using SPNEGO
[2010/02/20 13:13:19, 3] smbd/negprot.c:672(reply_negprot)
Selected protocol NT LM 0.12
[2010/02/20 13:13:21, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 13:13:21, 3] smbd/connection.c:31(yield_connection)
Yielding connection to
[2010/02/20 13:13:21, 3] smbd/server.c:848(exit_server_common)
Server exit (failed to receive smb request)
------
what's weird is that there's no sign of the login in auth.log only the test
via windows client a few seconds before:
Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session closed for user grant
after that nothing...

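Added example, not part of the original posts: the comparison made by hand in the message above (an NTLMSSP "Got user" record in the smbd log versus PAM session lines in auth.log), done as a script. The log samples are constructed from the excerpts in the thread, except the 13:12:14 Windows record, which is made up; the function names, the 5-second window and the year passed in for syslog timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed samples. The 13:13:17 record and the auth.log lines follow the
# excerpts in the thread; the 13:12:14 Windows record (WINPC) is made up.
SMBD_LOG = """\
[2010/02/20 13:12:14, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[WINPC] len1=24 len2=24
[2010/02/20 13:13:17, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
  Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
[2010/02/20 13:13:21, 3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)
"""
AUTH_LOG = """\
Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session opened for user grant by (uid=0)
Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session closed for user grant
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\] \S+\((\w+)\)")
GOT_USER = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
PAM_OPEN = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd\[\d+\]: "
                      r"pam_unix\(samba:session\): session opened for user (\S+)")

def ntlmssp_auths(smbd_log):
    """Return (time, user, domain, workstation) per ntlmssp_server_auth record."""
    found, when, func = [], None, None
    for line in smbd_log.splitlines():
        m = HEADER.match(line)
        if m:  # header line: remember timestamp and function for the body lines
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            func = m.group(2)
            continue
        g = GOT_USER.search(line)
        if g and func == "ntlmssp_server_auth":
            found.append((when, *g.groups()))
    return found

def pam_sessions(auth_log, year):
    """Return (time, user) per PAM session open; syslog lines carry no year."""
    opened = []
    for line in auth_log.splitlines():
        m = PAM_OPEN.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            opened.append((ts, m.group(2)))
    return opened

def auths_without_session(smbd_log, auth_log, year, window=timedelta(seconds=5)):
    """List NTLMSSP auths with no PAM session opened within `window` after them."""
    sessions = pam_sessions(auth_log, year)
    return [(when.strftime("%H:%M:%S"), user, ws)
            for when, user, _domain, ws in ntlmssp_auths(smbd_log)
            if not any(u == user and timedelta(0) <= ts - when <= window
                       for ts, u in sessions)]
```

On these samples `auths_without_session(SMBD_LOG, AUTH_LOG, 2010)` reports only the 13:13:17 attempt from workstation GRANT: smbd logged the NTLMSSP user, but no PAM session line followed.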
From: grant little on
~:=) woohoo! I am pleased to report, that samba 3.5.0rc3, just released
yesterday for debian, appears to have fixed this problem.
I just installed the experimental version of that and at least on the
initial test I just did, I can now login to the same share from both
windows clients and OS X with winbind not running on the samba server. I
have more tests to do but it is looking good so far. Thanks to all the samba
and debian teams for making my life a little easier.

I was previously stuck in a rut between using centos 5.4 with samba 3.0.33
that worked from both clients but centos 5.4 would not support having the
operating system on GPT hard drives and ubuntu 9.10 which would support GPT
hard drives but had a buggy version of samba as previously described.
So thanks for lifting me out of the rut and I look forward to the 3.5.0
final release version.
