From: grant little on
On Sun, Feb 21, 2010 at 2:32 AM, grant little <grantliddle(a)gmail.com> wrote:

> ~:=) woohoo! I am pleased to report, that samba 3.5.0rc3, just released
> yesterday for debian, appears to have fixed this problem.
> I just installed the experimental version of that and at least on the
> initial test I just did, I can now login to the same share from both
> windows clients and OS X with winbind not running on the samba server. I
> have more tests to do but it is looking good so far. Thanks to all the samba
> and debian teams for making my life a little easier.
>
> I was previously stuck in a rut between using centos 5.4 with samba 3.0.33
> that worked from both clients but centos 5.4 would not support having the
> operating system on GPT hard drives and ubuntu 9.10 which would support GPT
> hard drives but had a buggy version of samba as previously described.
> So thanks for lifting me out of the rut and I look forward to the 3.5.0
> final release version.
>
>
> On Sat, Feb 20, 2010 at 1:31 PM, grant little <grantliddle(a)gmail.com>wrote:
>
>> Thanks Alex.
>> I'm not using winbind, just kerberos and LDAP and I have in all cases
>> tried both domain\username as well as username.
>>
>> Here's a better dump of the ip log that appens on a failed login attempt
>> that seems to show that the authentication is OK from os x:
>> [2010/02/20 13:13:17, 3] smbd/process.c:1453(process_smb)
>> Transaction 2 of length 366 (0 toread)
>> [2010/02/20 13:13:17, 3] smbd/process.c:1272(switch_message)
>> switch message SMBsesssetupX (pid 6039) conn 0x0
>> [2010/02/20 13:13:17, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 13:13:17, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>> wct=12 flg2=0xc801
>> [2010/02/20 13:13:17, 3]
>> smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2010/02/20 13:13:17, 3]
>> smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>> NativeOS=[Mac OS X 10.6] NativeLanMan=[SMBFS 1.6.0] PrimaryDomain=[]
>> [2010/02/20 13:13:17, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
>> Got user=[grant] domain=[AD] workstation=[GRANT] len1=24 len2=126
>> [2010/02/20 13:13:19, 3] smbd/oplock.c:911(init_oplocks)
>> init_oplocks: initializing messages.
>> [2010/02/20 13:13:19, 3]
>> smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>> Linux kernel oplocks enabled
>> [2010/02/20 13:13:19, 3] smbd/process.c:1453(process_smb)
>>
>> Transaction 0 of length 51 (0 toread)
>> [2010/02/20 13:13:19, 3] smbd/process.c:1272(switch_message)
>> switch message SMBnegprot (pid 6040) conn 0x0
>> [2010/02/20 13:13:19, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 13:13:19, 3] smbd/negprot.c:567(reply_negprot)
>>
>> Requested protocol [NT LM 0.12]
>> [2010/02/20 13:13:19, 3] smbd/negprot.c:387(reply_nt1)
>> using SPNEGO
>> [2010/02/20 13:13:19, 3] smbd/negprot.c:672(reply_negprot)
>>
>> Selected protocol NT LM 0.12
>> [2010/02/20 13:13:21, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/20 13:13:21, 3] smbd/connection.c:31(yield_connection)
>> Yielding connection to
>> [2010/02/20 13:13:21, 3] smbd/server.c:848(exit_server_common)
>>
>> Server exit (failed to receive smb request)
>> ------
>> what's weird is that there's no sign of the login in auth.log only the
>> test via windows cleint a few seconds before:
>> Feb 20 13:12:14 servername smbd[6033]: pam_unix(samba:session): session
>> opened for user grant by (uid=0)
>> Feb 20 13:12:24 servername smbd[6033]: pam_unix(samba:session): session
>> closed for user grant
>> after that nothing...
>>
>>
>> On Sat, Feb 20, 2010 at 11:17 AM, Alex Ferrara <alex(a)receptiveit.com.au>wrote:
>>
>>> I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree
>>> on Ubuntu 9.10
>>>
>>> Try using domain\username for the username
>>>
>>> To me, it appears to be a bug in winbind not using the default domain,
>>> but I could be wrong.
>>>
>>> Sent from my iPhone
>>>
>>>
>>> On 20/02/2010, at 8:29 PM, grant little <grantliddle(a)gmail.com> wrote:
>>>
>>> Hello,
>>>> having spent many hours scouring archives, docs, books and googling
>>>> without
>>>> finding an answer I need to ask your help on this.
>>>>
>>>> running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can
>>>> login
>>>> to the share from windows clients but the same users is denied access
>>>> when
>>>> connecting from OS X via GO/Connect To Server in format
>>>> smb://fqdnofserver
>>>>
>>>> user authentication is to active directory using kerberos and LDAP and
>>>> am
>>>> not running winbind
>>>>
>>>> pam.d/samba is set to allow smb logins, that is shell logins are not
>>>> permitted for active directory authenticated users. here's that snippet:
>>>> # /etc/pam.d/samba
>>>> auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
>>>> account sufficient pam_ldap.so use_first_pass
>>>> session sufficient pam_ldap.so
>>>>
>>>>
>>>> I have tested my configs on samba 3.0.33 on CENTOS and it works fine
>>>> there
>>>> for both OS X and windows
>>>>
>>>> the share is setup on
>>>> /shares/asgs
>>>> with these permissions:
>>>> drwxrwsrwx 8 root root 87 2010-02-20 00:17 shares
>>>> drwxrws--- 2 grant ASGSFileUsers 18 2010-02-20 00:21 asgs
>>>>
>>>> here's smb.conf:
>>>> [global]
>>>> unix extensions = no
>>>> disable spoolss = Yes
>>>> disable netbios = yes
>>>> name resolve order = hosts
>>>> workgroup = AD
>>>> realm = AD.UCSD.EDU
>>>> server string = %h server (Samba, Ubuntu)
>>>> dns proxy = no
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> syslog = 0
>>>> log level = 3
>>>> panic action = /usr/share/samba/panic-action %d
>>>> security = ads
>>>> encrypt passwords = true
>>>> passdb backend = tdbsam
>>>> obey pam restrictions = yes
>>>> unix password sync = yes
>>>> pam password change = no
>>>> map to guest = bad user
>>>> usershare allow guests = no
>>>> [asgs]
>>>> comment = ASGS
>>>> path = /shares/asgs
>>>> browsable = Yes
>>>> valid users = @ad\ASGSFileUsers
>>>> write list = @ad\ASGSFileUsers
>>>> create mask = 2660
>>>> directory mask = 2770
>>>>
>>>> The tail n20 of the log of the conecting ip shows this for an OS X
>>>> attempt:
>>>> [2010/02/20 00:56:16, 3]
>>>> smbd/oplock_linux.c:219(linux_init_kernel_oplocks)
>>>> Linux kernel oplocks enabled
>>>> [2010/02/20 00:56:16, 3] smbd/process.c:1453(process_smb)
>>>> Transaction 0 of length 51 (0 toread)
>>>> [2010/02/20 00:56:16, 3] smbd/process.c:1272(switch_message)
>>>> switch message SMBnegprot (pid 5658) conn 0x0
>>>> [2010/02/20 00:56:16, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2010/02/20 00:56:16, 3] smbd/negprot.c:567(reply_negprot)
>>>> Requested protocol [NT LM 0.12]
>>>> [2010/02/20 00:56:16, 3] smbd/negprot.c:387(reply_nt1)
>>>> using SPNEGO
>>>> [2010/02/20 00:56:16, 3] smbd/negprot.c:672(reply_negprot)
>>>> Selected protocol NT LM 0.12
>>>> [2010/02/20 00:56:18, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>>>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>>>> [2010/02/20 00:56:18, 3] smbd/connection.c:31(yield_connection)
>>>> Yielding connection to
>>>> [2010/02/20 00:56:18, 3] smbd/server.c:848(exit_server_common)
>>>> Server exit (failed to receive smb request)
>>>>
>>>>
>>>>
>>>> Hope someone can give me a pointer where to look next or what to tweak.
>>>> Let
>>>> me know if you need other log snippets.
>>>>
>>>> Thanks,
>>>> Grant
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>
>>>
For the record it turns out I was mistaken:
samba 3.4.7 works just fine on Ubuntu 9.10 with AD/LDAP/Kerberos as-long-as
you have winbind stopped. I guess I must of had winbind stopped on 3.5.x
wben it was working as I tried recently with 3.5.4 on Ubuntu and with
winbind running it gives the same strange permission errors I previously had
with 3.4.7 but once winbind is halted everything comes right.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba