From: Damien Dye on 14 May 2010 06:50

how are you supplying the server with the username from the failing client

the username should be sambaservername\username so that the samba
server can authenticate against its local sam.

regards

--
Damien Dye BSC(hon)

On 5 May 2010 03:01, <osp(a)aloha.com> wrote:
> On 2010-05-04 16:16:49 GMT osp(a)aloha.com (that's me) wrote:
>
>>> I think I can run a test using plain, out-of-the-box Vista. Maybe even XP.
>>> Will post results when I have them.
>>
>>It works with out-of-the-box Vista. I'll examine the logs and post what
>>falls out tomorrow.
>
> I compared the log from the successful Vista connect to the one from the
> failed connect. Below are several excerpts. Lines that begin with "S" are
> from the successful log, and lines that begin with "F" are from the failed
> log. I can post the entire log if that will help.
>
> To reiterate, both client computers are running Vista. The one that cannot
> connect (F) is a member of a domain and has security settings pushed down
> from the domain controller. It can connect to servers in its domain. The
> one that can connect (S) is out-of-the-box Vista and is not a member of a
> domain ... it is still in the WORKGROUP workgroup.
>
> The first notable deviation appears at line 99. (I added the asterisks.)
> The F log has "smbd/process.c:smbd_process" while the S log has
> "smbd/process.c:process_smb." The next line of the F log suggests that it
> is out of input, while the S log indicates it has more to process. About 60
> lines later both show a successful authentication. About 50 lines later
> (F=235, S=261) we see identical entries about SIDs and permissions. A bit
> later, while connecting to the IPC$ service, we see a similar divergence as
> at line 99, the F client gets "NT_STATUS_END_OF_FILE" while the S client
> keeps on going.
>
> I hope that is enough to shed some light on this issue, and I hope the
> result is a way to connect from the F client without having to modify its
> security settings.
>
> Is there a simpler way to connect, one that does not trip over the
> authentication step? Username/password access control is sort of overkill
> given that the handful of people who connect will be at the same table
> working together. Physical security should be enough.
>
>
> F = failed session
> S = successful session
>
> F 98 error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> F 99 [2010/04/29 15:06:48, 3] smbd/process.c:smbd_process(1930) *********
> F 100 receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
> F 101 [2010/04/29 15:06:48, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> F 102 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> F 103 [2010/04/29 15:06:48, 3] smbd/connection.c:yield_connection(31)
> F 104 Yielding connection to
> F 105 [2010/04/29 15:06:48, 3] smbd/server.c:exit_server_common(974)
> F 106 Server exit (normal exit)
>
> S 98 error packet at smbd/sesssetup.c(127) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> S 99 [2010/05/04 15:20:57, 3] smbd/process.c:process_smb(1554) ***********
> S 100 Transaction 3 of length 142 (0 toread)
> S 101 [2010/05/04 15:20:57, 3] smbd/process.c:switch_message(1378)
> S 102 switch message SMBsesssetupX (pid 1180) conn 0x0
> S 103 [2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> S 104 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> S 105 [2010/05/04 15:20:57, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1412)
> S 106 wct=12 flg2=0xc807
> S 107 [2010/05/04 15:20:57, 2] smbd/sesssetup.c:setup_new_vc_session(1368)
> S 108 setup_new_vc_session: New VC == 0, if NT4.x compatible we would
> close all old resources.
>
> -----
>
> F 167 [2010/04/29 15:06:56, 3] auth/auth.c:check_ntlm_password(269)
> F 168 check_ntlm_password: sam authentication for user [g8team] succeeded
>
> S 193 [2010/05/04 15:20:57, 3] auth/auth.c:check_ntlm_password(269)
> S 194 check_ntlm_password: sam authentication for user [g8team] succeeded
>
> -----
>
> F 235 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
> F 236 get_privileges: No privileges assigned to SID
> [S-1-5-21-1265442170-81825414-2419232721-501]
> F 237 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
> F 238 get_privileges: No privileges assigned to SID [S-1-22-2-1002]
> F 239 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
> F 240 get_privileges: No privileges assigned to SID [S-1-5-2]
> F 241 [2010/04/29 15:06:56, 3] lib/privileges.c:get_privileges(63)
> F 242 get_privileges: No privileges assigned to SID [S-1-5-11]
>
> S 261 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
> S 262 get_privileges: No privileges assigned to SID
> [S-1-5-21-1265442170-81825414-2419232721-501]
> S 263 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
> S 264 get_privileges: No privileges assigned to SID [S-1-22-2-1002]
> S 265 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
> S 266 get_privileges: No privileges assigned to SID [S-1-5-2]
> S 267 [2010/05/04 15:20:57, 3] lib/privileges.c:get_privileges(63)
> S 268 get_privileges: No privileges assigned to SID [S-1-5-11]
>
> -----
>
> F 346 shafp09wk102123 (10.0.1.10) connect to service IPC$ initially as
> user g8team (uid=1002, gid=1002) (pid 1224)
> F 347 [2010/04/29 15:06:56, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> F 348 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> F 349 [2010/04/29 15:06:56, 3] smbd/reply.c:reply_tcon_and_X(794)
> F 350 tconX service=IPC$
> F 351 [2010/04/29 15:06:56, 3] smbd/process.c:smbd_process(1930)
> *************
> F 352 receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
>
> S 372 g864001 (10.0.1.12) connect to service IPC$ initially as user
> g8team (uid=1002, gid=1002) (pid 1180)
> S 373 [2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> S 374 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> S 375 [2010/05/04 15:20:57, 3] smbd/reply.c:reply_tcon_and_X(794)
> S 376 tconX service=IPC$
> S 377 [2010/05/04 15:20:57, 3] smbd/process.c:process_smb(1554)
> **************
> S 378 Transaction 6 of length 112 (0 toread)
> S 379 [2010/05/04 15:20:57, 3] smbd/process.c:switch_message(1378)
> S 380 switch message SMBtrans2 (pid 1180) conn 0x21d66330
> S 381 [2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
> S 382 setting sec ctx (1002, 1002) - sec_ctx_stack_ndx = 0
>
>
> Gary Dunn
> Open Slate
> Project
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

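Added example, not part of the original thread: the side-by-side log comparison described in the message above can be done mechanically by reducing each level-3 smbd log to its sequence of (source file, function) records and reporting the first position where the two sessions differ. The function names are hypothetical, and the two sample logs are spliced from the excerpts quoted above rather than taken from a complete log.

```python
import re

# smbd writes a header before each debug message: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d[^\]]*\]\s+(\S+):(\w+)\(\d+\)")

def parse_smbd_log(text):
    """Return a list of (source_file, function, message) records."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), m.group(2), ""])
        elif records and line.strip():
            # Continuation line: it belongs to the most recent header.
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def first_divergence(failed, ok):
    """Index and records where the two sessions stop calling the same function."""
    for i, (f, s) in enumerate(zip(failed, ok)):
        if f[:2] != s[:2]:  # timestamps and pids are ignored on purpose
            return i, f, s
    return None

# Sample input spliced from the F and S excerpts in the thread (not full logs).
FAILED_LOG = """\
[2010/04/29 15:06:56, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: sam authentication for user [g8team] succeeded
[2010/04/29 15:06:56, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/04/29 15:06:56, 3] smbd/reply.c:reply_tcon_and_X(794)
  tconX service=IPC$
[2010/04/29 15:06:56, 3] smbd/process.c:smbd_process(1930)
  receive_message_or_smb failed: NT_STATUS_END_OF_FILE, exiting
"""
OK_LOG = """\
[2010/05/04 15:20:57, 3] auth/auth.c:check_ntlm_password(269)
  check_ntlm_password: sam authentication for user [g8team] succeeded
[2010/05/04 15:20:57, 3] smbd/sec_ctx.c:set_sec_ctx(324)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/05/04 15:20:57, 3] smbd/reply.c:reply_tcon_and_X(794)
  tconX service=IPC$
[2010/05/04 15:20:57, 3] smbd/process.c:process_smb(1554)
  Transaction 6 of length 112 (0 toread)
"""

if __name__ == "__main__":
    print(first_divergence(parse_smbd_log(FAILED_LOG), parse_smbd_log(OK_LOG)))
```

On the sample input both sessions authenticate and reach the IPC$ tree connect identically; the first differing record is the failing session's read loop reporting NT_STATUS_END_OF_FILE where the working session goes on to handle another request.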
From: osp on 14 May 2010 18:30

> how are you supplying the server with the username from the failing client
>
> the username should be sambaservername\username so that the samba
> server can authenticate against its local sam.
>
> regards
>
> --
> Damien Dye BSC(hon)

You are correct, and I have tried it both ways. I have also tried using the
IP address, as in

net use x: \\10.0.1.1\work-clear /user:10.0.1.1\g8team

I get the password prompt, then a long pause, then the error 67 network name
could not be found.

I am thinking that the Vista client has been locked down so that it can
only connect to domain members. Is that even possible? Is there a command I
can use to list the GPOs in effect? Moot point, because the users will not
be able to change those.

Thanks again,

Gary Dunn
Open Slate Project

From: Michael Leone on 14 May 2010 19:00

To see GPOs in effect, type GPRESULT.

On 5/14/10, osp(a)aloha.com <osp(a)aloha.com> wrote:
>> how are you supplying the server with the username from the failing client
>>
>> the username should be sambaservername\username so that the samba
>> server can authenticate against its local sam.
>>
>> regards
>>
>> --
>> Damien Dye BSC(hon)
>
> You are correct, and I have tried it both ways. I have also tried using the
> IP address, as in
>
> net use x: \\10.0.1.1\work-clear /user:10.0.1.1\g8team
>
> I get the password prompt, then a long pause, then the error 67 network name
> could not be found.
>
> I am thinking that the Vista client has been locked down so that it can
> only connect to domain members. Is that even possible? Is there a command I
> can use to list the GPOs in effect? Moot point, because the users will not
> be able to change those.
>
> Thanks again,
>
> Gary Dunn
> Open Slate Project

--
Sent from my mobile device

Michael J. Leone, <mailto:turgon(a)mike-leone.com>
PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>