From: osp on

> I think I can run a test using plain, out-of-the-box Vista. Maybe even XP.
> Will post results when I have them.

It works with out-of-the-box Vista. I'll examine the logs and post what
falls out tomorrow.

Gary Dunn
Open Slate Project


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: osp on
On 2010-05-04 16:16:49 GMT osp(a)aloha.com (that's me) wrote:

>> I think I can run a test using plain, out-of-the-box Vista. Maybe even XP.
>> Will post results when I have them.
>
>It works with out-of-the-box Vista. I'll examine the logs and post what
>falls out tomorrow.

I compared the log from the successful Vista connect to the one from the
failed connect. Below are several excerpts. Lines that begin with "S" are
from the successful log, and lines that begin with "F" are from the failed
log. I can post the entire log if that will help.

To reiterate, both client computers are running Vista. The one that cannot
connect (F) is a member of a domain and has security settings pushed down
from the domain controller. It can connect to servers in its domain. The
one that can connect (S) is out-of-the-box Vista and is not a member of a
domain ... it is still in the WORKGROUP workgroup.

The first notable deviation appears at line 99. (I added the asterisks.)
The F log has "smbd/process.c:smbd_process" while the S log has
"smbd/process.c:process_smb." The next line of the F log suggests that it
is out of input, while the S log indicates it has more to process. About 60
lines later both show a successful authentication. About 50 lines later
(F=235, S=261) we see identical entries about SIDs and permissions. A bit
later, while connecting to the IPC$ service, we see a similar divergence as
at line 99, the F client gets "NT_STATUS_END_OF_FILE" while the S client
keeps on going.

I hope that is enough to shed some light on this issue, and I hope the
result is a way to connect from the F client without having to modify its
security settings.

Is there a simpler way to connect, one that does not trip over the
authentication step? Username/password access control is sort of overkill
given that the handful of people who connect will be at the same table
working together. Physical security should be enough.


F = failed session
S = successful session

F 98 error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
F 99 [2010/04/29 15:06:48, 3] smbd/process.c:smbd_process(1930) *********
F 100 receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
F 101 [2010/04/29 15:06:48, 3] smbd/sec_ctx.c:set_sec_ctx(324)
F 102 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
F 103 [2010/04/29 15:06:48, 3] smbd/connection.c:yield_connection(31)
F 104 Yielding connection to
F 105 [2010/04/29 15:06:48, 3] smbd/server.c:exit_server_common(974)
F 106 Server exit (normal exit)

S 98 error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
NT_STATUS_LOGON_FAILURE
S 99 [2010/05/04 15:20:57, 3] smbd/process.c:process_smb(1554) ***********
S 100 Transaction 3 of length 142 (0 toread)
S 101 [2010/05/04 15:20:57, 3] smbd/process.c:switch_message(1378)
S 102 switch message SMBsesssetupX (pid 1180) conn 0x0
S 103 [2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
S 104 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
S 105 [2010/05/04 15:20:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1412)
S 106 wct=12 flg2=0xc807
S 107 [2010/05/04 15:20:57, 2] smbd/sesssetup.c:setup_new_vc_session(1368)
S 108 setup_new_vc_session: New VC == 0, if NT4.x compatible we would
close all old resources.

-----

F 167 [2010/04/29 15:06:56, 3] auth/auth.c:check_ntlm_password(269)
F 168 check_ntlm_password: sam authentication for user [g8team] succeeded

S 193 [2010/05/04 15:20:57, 3] auth/auth.c:check_ntlm_password(269)
S 194 check_ntlm_password: sam authentication for user [g8team] succeeded

-----

F 235 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
F 236 get_privileges: No privileges assigned to SID
[S-1-5-21-1265442170-81825414-2419232721-501]
F 237 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
F 238 get_privileges: No privileges assigned to SID [S-1-22-2-1002]
F 239 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
F 240 get_privileges: No privileges assigned to SID [S-1-5-2]
F 241 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
F 242 get_privileges: No privileges assigned to SID [S-1-5-11]

S 261 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
S 262 get_privileges: No privileges assigned to SID
[S-1-5-21-1265442170-81825414-2419232721-501]
S 263 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
S 264 get_privileges: No privileges assigned to SID [S-1-22-2-1002]
S 265 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
S 266 get_privileges: No privileges assigned to SID [S-1-5-2]
S 267 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
S 268 get_privileges: No privileges assigned to SID [S-1-5-11]

-----

F 346 shafp09wk102123 (10.0.1.10) connect to service IPC$ initially as
user g8team (uid=1002, gid=1002) (pid 1224)
F 347 [2010/04/29 15:06:56, 3] smbd/sec_ctx.c:set_sec_ctx(324)
F 348 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
F 349 [2010/04/29 15:06:56, 3] smbd/reply.c:reply_tcon_and_X(794)
F 350 tconX service=IPC$
F 351 [2010/04/29 15:06:56, 3] smbd/process.c:smbd_process(1930)
*************
F 352 receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting

S 372 g864001 (10.0.1.12) connect to service IPC$ initially as user
g8team (uid=1002, gid=1002) (pid 1180)
S 373 [2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
S 374 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
S 375 [2010/05/04 15:20:57, 3] smbd/reply.c:reply_tcon_and_X(794)
S 376 tconX service=IPC$
S 377 [2010/05/04 15:20:57, 3] smbd/process.c:process_smb(1554)
**************
S 378 Transaction 6 of length 112 (0 toread)
S 379 [2010/05/04 15:20:57, 3] smbd/process.c:switch_message(1378)
S 380 switch message SMBtrans2 (pid 1180) conn 0x21d66330
S 381 [2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
S 382 setting sec ctx (1002, 1002) - sec_ctx_stack_ndx = 0



Gary Dunn
Open Slate Project
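
The comparison described in the message above, as an added example that is not part of the original thread: it parses two Samba debug logs into (file:function, message) entries, ignores timestamps so sessions captured on different days line up, and reports where the call sequences first diverge and which NT_STATUS codes the failed session logged. The function names are hypothetical, and the sample input is the tconX portion of the excerpts above with the F/S list numbering removed.

```python
import re
from itertools import zip_longest

# Samba debug header: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*\d+\] (?P<src>\S+?):(?P<func>\w+)\(\d+\)")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_entries(text):
    """Group a log into (file:function, message) pairs, dropping timestamps."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append([f"{m['src']}:{m['func']}", ""])
        elif entries and line:
            entries[-1][1] = f"{entries[-1][1]} {line}".strip()
    return [tuple(e) for e in entries]

def first_divergence(failed, ok):
    """Return (index, failed_entry, ok_entry) at the first split, else None."""
    for i, (f, s) in enumerate(zip_longest(failed, ok)):
        if f is None or s is None or f[0] != s[0]:
            return i, f, s

def status_codes(entries):
    """List (file:function, NT_STATUS code) for every status in the messages."""
    return [(src, code) for src, msg in entries for code in STATUS.findall(msg)]

# Sample input: tconX lines from the excerpts above, list numbering removed.
FAILED_LOG = """\
[2010/04/29 15:06:56, 3] smbd/reply.c:reply_tcon_and_X(794)
  tconX service=IPC$
[2010/04/29 15:06:56, 3] smbd/process.c:smbd_process(1930)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
"""
OK_LOG = """\
[2010/05/04 15:20:57, 3] smbd/reply.c:reply_tcon_and_X(794)
  tconX service=IPC$
[2010/05/04 15:20:57, 3] smbd/process.c:process_smb(1554)
  Transaction 6 of length 112 (0 toread)
[2010/05/04 15:20:57, 3] smbd/process.c:switch_message(1378)
  switch message SMBtrans2 (pid 1180) conn 0x21d66330
"""

if __name__ == "__main__":
    failed, ok = parse_entries(FAILED_LOG), parse_entries(OK_LOG)
    print("first divergence:", first_divergence(failed, ok))
    print("status codes in failed session:", status_codes(failed))
```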

From: osp on
On 2010-05-05 10:01:45 GMT osp <at> aloha.com (that's me) wrote:

> On 2010-05-04 16:16:49 GMT osp <at> aloha.com (that's me) wrote:
>
>>> I think I can run a test using plain, out-of-the-box Vista. Maybe even XP.
>>> Will post results when I have them.
>>
>>It works with out-of-the-box Vista. I'll examine the logs and post what
>>falls out tomorrow.
>
>I compared the log from the successful Vista connect to the one from the
>failed connect. Below are several excerpts. Lines that begin with "S" are
>from the successful log, and lines that begin with "F" are from the failed
>log. I can post the entire log if that will help.

[snip]

No replies to that post, so I tried to simplify by changing from "security
= user" to "security = share." I also simplified the share settings as
given in the handbook under "Reference Documentation Server." My thinking
was that it was user authentication that was failing, so an old-fashioned
share with no access controls might work.

Almost, but not quite.

The FreeBSD smbclient connects fine without specifying -U. I could "get"
the sample file just fine. In Vista the drive will connect but when I try
to access I get "An unexpected network error occurred." No error number (59
seems to be most often associated). Interesting that this occurs when
accessing, not when connecting, suggesting a permissions issue. I did not
see anything about the failure in the log for that client, so it looks as
though the access request never made it to smbd.

Could this be a firewall issue? But then why does smbclient succeed?

Should I try Samba 4.0?

--
Gary Dunn
Open Slate Project




From: osp on
On 2010-05-12 05:12:12 GMT Gary Dunn <osp <at> aloha.com> wrote:
> On Fri, 2010-05-07 at 09:57 +0000, osp <at> aloha.com wrote:

...

> > Should I try Samba 4.0?

I had been using Samba 3.3 so I installed the 3.4 port and got the same
result. Yesterday I installed samba4. It's like a whole new ball game!
Sorry to report no improvement. I have a few notes and questions.

I had to add a "users" group to /etc/group, did not see that mentioned
anywhere. Figured it out from provision errors.

I used server role = standalone
I added my share to /usr/local/etc/smb4.conf
I added my g8team user with net newuser g8team

I can connect to the share from the console, and using smbclient on a
separate FreeBSD box. Gnome's places/network stopped working, so I
installed the samba4wins port but Gnome is still unhappy. Vista still gives
error 67 and refuses to connect.

I recommend having the provision script suggest renaming the existing
smb4.conf file instead of just giving errors as it does now. (I tried
running it several times while figuring out how it worked.)

Two questions:

1. Is printer sharing working? What syntax do I use in the [printers] section?

2. This is running on a nat gateway. I only want the samba service to
appear on the private network. My old smb.conf file had

hosts allow = 10.0.1. 127.
interfaces = 10.0.1.1

How do I specify this in Samba4?

Overall I rate the installation process very good for alpha software. Wiki
howto was a big help. For what I need, though, all that support for
kerberos and dns and ldap seems like overkill. Samba 3 with security =
share is all I need. Physical access to the Ethernet switch is all the
access control this application requires. A generic username and password
is as far as I want to go. I am absolutely certain that client workstations
will not be joining my domain, and I do not want to authenticate against
any other directory.

Gary Dunn
Open Slate Project


From: Michael Wood on
On 13 May 2010 08:13, <osp(a)aloha.com> wrote:
[...]
> Overall I rate the installation process very good for alpha software. Wiki
> howto was a big help. For what I need, though, all that support for
> kerberos and dns and ldap seems like overkill. Samba 3 with security =
> share is all I need. Physical access to the Ethernet switch is all the
> access control this application requires. A generic username and password
> is as far as I want to go. I am absolutely certain that client workstations
> will not be joining my domain, and I do not want to authenticate against
> any other directory.

I think you'll want to stick with Samba 3. Maybe try 3.5.2?

I haven't really followed this thread, though, so I don't know if
3.5.2 will help.

--
Michael Wood <esiotrot(a)gmail.com>