From: Gaiseric Vandal on
First of all, I am not familiar with using Samba with AD so none of this
my apply

- Should security = domain ?
- technically, I think the Windows clients in the domain are
authenticating against the AD DC not the samba server. If the client
machine is not in the domain you would have provide user id and password
when connecting to the samba server.

I noticed with Windows 2008 (presumably the same with Windows 7) that
the network settings for browsing the network neighborhood are a lot
more locked down. I don't think this is a samba issue. On Windows
2008, "Network and Sharing" control panel there is an option for
"network discovery." On of my colleagues reported that he had to make
a similar change at home so his Vista PC could see XP machines.






On 02/25/2010 12:33 PM, Clif Smith wrote:
> I'm running 3.4.6 (was running 3.0.28a but upgraded in hopes to fix this issue). Clients running Windows 7 that are NOT joined to the AD domain (samba authenticates against it via "security = server") cannot authenticate to access the server. Clients running Windows 7 that are on the domain as well as Windows XP, Windows 2003 on and off the domain work as expected.
>
> Any help would be greatly appreciated!
>
> Thanks, Clif
>
> smb.conf:
> ========================
> [global]
> workgroup = XXXXXX
> netbios name = XXXXXX
> security = server
> password server = XXXXXX
> wins server = XXXXXX
> smb passwd file = /etc/samba/smbpasswd
> server string = ausfs1
> smb ports = 139
> lanman auth = no
> ntlm auth = no
> client ntlmv2 auth = yes
> client lanman auth = no
> client plaintext auth = no
> max protocol = smb2
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> restrict anonymous = 2
> local master = no
> domain master = no
> dns proxy = no
> log file = /var/log/samba/%m.log
> max log size = 500
> log level = 3
> syslog = 1
> veto files = /.DS_Store/Thumbs.db/
>
> Debug log:
> ========================
> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb)
> Transaction 0 of length 159 (0 toread)
> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message)
> switch message SMBnegprot (pid 3179) conn 0x0
> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [LANMAN1.0]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [Windows for Workgroups 3.1a]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [LM1.2X002]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [LANMAN2.1]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [SMB 2.002]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
> Requested protocol [SMB 2.???]
> [2010/02/25 11:23:41, 3] smbd/negprot.c:387(reply_nt1)
> using SPNEGO
> [2010/02/25 11:23:41, 3] smbd/negprot.c:672(reply_negprot)
> Selected protocol NT LM 0.12
> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb)
> Transaction 1 of length 142 (0 toread)
> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message)
> switch message SMBsesssetupX (pid 3179) conn 0x0
> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
> wct=12 flg2=0xc807
> [2010/02/25 11:23:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
> Doing spnego session setup
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
> reply_spnego_negotiate: Got secblob of size 40
> [2010/02/25 11:23:41, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088297
> [2010/02/25 11:23:41, 3] lib/util_sock.c:1033(open_socket_out_send)
> Connecting to XXXXXX at port 445
> [2010/02/25 11:23:41, 3] auth/auth_server.c:86(server_cryptkey)
> connected to password server XXXXXX
> [2010/02/25 11:23:41, 3] auth/auth_server.c:113(server_cryptkey)
> got session
> [2010/02/25 11:23:41, 3] auth/auth_server.c:149(server_cryptkey)
> password server OK
> [2010/02/25 11:23:41, 3] auth/auth_server.c:233(auth_get_challenge_server)
> using password server validation
> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb)
> Transaction 2 of length 592 (0 toread)
> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message)
> switch message SMBsesssetupX (pid 3179) conn 0x0
> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
> wct=12 flg2=0xc807
> [2010/02/25 11:23:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
> Doing spnego session setup
> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
> [2010/02/25 11:23:41, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
> Got user=[XXXXXX] domain=[XXXXXX] workstation=[WIN7] len1=24 len2=330
> [2010/02/25 11:23:41, 3] auth/auth.c:222(check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user [XXXXXX]\[XXXXXX]@[WIN7] with the new password interface
> [2010/02/25 11:23:41, 3] auth/auth.c:225(check_ntlm_password)
> check_ntlm_password: mapped user is: [XXXXXX]\[XXXXXX]@[WIN7]
> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:210(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/02/25 11:23:41, 3] smbd/uid.c:428(push_conn_ctx)
> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/25 11:23:41, 3] auth/auth_sam.c:282(check_sam_security)
> check_sam_security: Couldn't find user 'XXXXXX' in passdb.
> [2010/02/25 11:23:41, 3] libsmb/cliconnect.c:1187(cli_session_setup)
> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
> [2010/02/25 11:23:41, 3] libsmb/cliconnect.c:1187(cli_session_setup)
> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
> [2010/02/25 11:23:41, 1] auth/auth_server.c:413(check_smbserver_security)
> password server XXXXXX rejected the password: NT_STATUS_LOGON_FAILURE
> [2010/02/25 11:23:41, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [XXXXXX] -> [XXXXXX] FAILED with error NT_STATUS_LOGON_FAILURE
> [2010/02/25 11:23:41, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
> [2010/02/25 11:23:54, 3] smbd/sec_ctx.c:310(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/02/25 11:23:54, 3] smbd/connection.c:31(yield_connection)
> Yielding connection to
> [2010/02/25 11:23:54, 3] smbd/server.c:845(exit_server_common)
> Server exit (failed to receive smb request)
>

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Clif Smith on
Correct, authentication is handled by the AD DC via the Samba server. When users try to access the server they're asked for user/password, but authentication fails for Windows 7 clients not on the domain. I can get by this by having each client update their registry to use NTLM as well as NTLMv2 but that's a hassle for the number of users I have.

cjs

On Feb 25, 2010, at 12:56 PM, Gaiseric Vandal wrote:

> First of all, I am not familiar with using Samba with AD so none of this my apply
>
> - Should security = domain ?
> - technically, I think the Windows clients in the domain are authenticating against the AD DC not the samba server. If the client machine is not in the domain you would have provide user id and password when connecting to the samba server.
>
> I noticed with Windows 2008 (presumably the same with Windows 7) that the network settings for browsing the network neighborhood are a lot more locked down. I don't think this is a samba issue. On Windows 2008, "Network and Sharing" control panel there is an option for "network discovery." On of my colleagues reported that he had to make a similar change at home so his Vista PC could see XP machines.
>
>
>
>
>
>
> On 02/25/2010 12:33 PM, Clif Smith wrote:
>> I'm running 3.4.6 (was running 3.0.28a but upgraded in hopes to fix this issue). Clients running Windows 7 that are NOT joined to the AD domain (samba authenticates against it via "security = server") cannot authenticate to access the server. Clients running Windows 7 that are on the domain as well as Windows XP, Windows 2003 on and off the domain work as expected.
>>
>> Any help would be greatly appreciated!
>>
>> Thanks, Clif
>>
>> smb.conf:
>> ========================
>> [global]
>> workgroup = XXXXXX
>> netbios name = XXXXXX
>> security = server
>> password server = XXXXXX
>> wins server = XXXXXX
>> smb passwd file = /etc/samba/smbpasswd
>> server string = ausfs1
>> smb ports = 139
>> lanman auth = no
>> ntlm auth = no
>> client ntlmv2 auth = yes
>> client lanman auth = no
>> client plaintext auth = no
>> max protocol = smb2
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> restrict anonymous = 2
>> local master = no
>> domain master = no
>> dns proxy = no
>> log file = /var/log/samba/%m.log
>> max log size = 500
>> log level = 3
>> syslog = 1
>> veto files = /.DS_Store/Thumbs.db/
>>
>> Debug log:
>> ========================
>> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb)
>> Transaction 0 of length 159 (0 toread)
>> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message)
>> switch message SMBnegprot (pid 3179) conn 0x0
>> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [PC NETWORK PROGRAM 1.0]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [LANMAN1.0]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [Windows for Workgroups 3.1a]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [LM1.2X002]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [LANMAN2.1]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [NT LM 0.12]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [SMB 2.002]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:567(reply_negprot)
>> Requested protocol [SMB 2.???]
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:387(reply_nt1)
>> using SPNEGO
>> [2010/02/25 11:23:41, 3] smbd/negprot.c:672(reply_negprot)
>> Selected protocol NT LM 0.12
>> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb)
>> Transaction 1 of length 142 (0 toread)
>> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message)
>> switch message SMBsesssetupX (pid 3179) conn 0x0
>> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>> wct=12 flg2=0xc807
>> [2010/02/25 11:23:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:786(reply_spnego_negotiate)
>> reply_spnego_negotiate: Got secblob of size 40
>> [2010/02/25 11:23:41, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
>> Got NTLMSSP neg_flags=0xe2088297
>> [2010/02/25 11:23:41, 3] lib/util_sock.c:1033(open_socket_out_send)
>> Connecting to XXXXXX at port 445
>> [2010/02/25 11:23:41, 3] auth/auth_server.c:86(server_cryptkey)
>> connected to password server XXXXXX
>> [2010/02/25 11:23:41, 3] auth/auth_server.c:113(server_cryptkey)
>> got session
>> [2010/02/25 11:23:41, 3] auth/auth_server.c:149(server_cryptkey)
>> password server OK
>> [2010/02/25 11:23:41, 3] auth/auth_server.c:233(auth_get_challenge_server)
>> using password server validation
>> [2010/02/25 11:23:41, 3] smbd/process.c:1459(process_smb)
>> Transaction 2 of length 592 (0 toread)
>> [2010/02/25 11:23:41, 3] smbd/process.c:1273(switch_message)
>> switch message SMBsesssetupX (pid 3179) conn 0x0
>> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1404(reply_sesssetup_and_X)
>> wct=12 flg2=0xc807
>> [2010/02/25 11:23:41, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1160(reply_sesssetup_and_X_spnego)
>> Doing spnego session setup
>> [2010/02/25 11:23:41, 3] smbd/sesssetup.c:1202(reply_sesssetup_and_X_spnego)
>> NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
>> [2010/02/25 11:23:41, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth)
>> Got user=[XXXXXX] domain=[XXXXXX] workstation=[WIN7] len1=24 len2=330
>> [2010/02/25 11:23:41, 3] auth/auth.c:222(check_ntlm_password)
>> check_ntlm_password: Checking password for unmapped user [XXXXXX]\[XXXXXX]@[WIN7] with the new password interface
>> [2010/02/25 11:23:41, 3] auth/auth.c:225(check_ntlm_password)
>> check_ntlm_password: mapped user is: [XXXXXX]\[XXXXXX]@[WIN7]
>> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:210(push_sec_ctx)
>> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>> [2010/02/25 11:23:41, 3] smbd/uid.c:428(push_conn_ctx)
>> push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>> [2010/02/25 11:23:41, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
>> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/25 11:23:41, 3] auth/auth_sam.c:282(check_sam_security)
>> check_sam_security: Couldn't find user 'XXXXXX' in passdb.
>> [2010/02/25 11:23:41, 3] libsmb/cliconnect.c:1187(cli_session_setup)
>> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
>> [2010/02/25 11:23:41, 3] libsmb/cliconnect.c:1187(cli_session_setup)
>> cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
>> [2010/02/25 11:23:41, 1] auth/auth_server.c:413(check_smbserver_security)
>> password server XXXXXX rejected the password: NT_STATUS_LOGON_FAILURE
>> [2010/02/25 11:23:41, 2] auth/auth.c:320(check_ntlm_password)
>> check_ntlm_password: Authentication for user [XXXXXX] -> [XXXXXX] FAILED with error NT_STATUS_LOGON_FAILURE
>> [2010/02/25 11:23:41, 3] smbd/error.c:60(error_packet_set)
>> error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
>> [2010/02/25 11:23:54, 3] smbd/sec_ctx.c:310(set_sec_ctx)
>> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2010/02/25 11:23:54, 3] smbd/connection.c:31(yield_connection)
>> Yielding connection to
>> [2010/02/25 11:23:54, 3] smbd/server.c:845(exit_server_common)
>> Server exit (failed to receive smb request)
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba