Re: cifs-utils VFS errors

On Mon, 27 May 2013 11:02:15 +0200
steve <steve@xxxxxxxxxxxx> wrote:

> Hi
> I have a s3 fileserver joined to a s4 DC
> Here is smb.conf on the fileserver:
> [global]
> workgroup = HH3
> realm = HH3.SITE
> security = ADS
> kerberos method = system keytab
> winbind enum users = Yes
> winbind enum groups = Yes
> idmap config *:backend = tdb
> idmap config *:range = 3000-4000
> idmap config HH3:backend = ad
> idmap config HH3:range = 20000-40000000
> idmap config HH3:schema_mode = rfc2307
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = Yes
> 
> [users]
> path = /home/users
> read only = No
> 
> getent passwd works fine and shows AD users. But cifs mount fails:
>   sudo mount -t cifs //oliva/users --verbose /mnt -osec=krb5
> mount.cifs kernel mount options: ip=127.0.0.1,unc=\\oliva
> \users,sec=krb5,user=root,pass=********
> mount error(13): Permission denied
> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
> 
> the log gives:
> May 26 12:35:05 oliva cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=oliva;ip4=127.0.0.1;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6f3
> May 26 12:35:05 oliva cifs.upcall: ver=2
> May 26 12:35:05 oliva cifs.upcall: host=oliva
> May 26 12:35:05 oliva cifs.upcall: ip=127.0.0.1
> May 26 12:35:05 oliva cifs.upcall: sec=1
> May 26 12:35:05 oliva cifs.upcall: uid=0
> May 26 12:35:05 oliva cifs.upcall: creduid=0
> May 26 12:35:05 oliva cifs.upcall: user=root
> May 26 12:35:05 oliva cifs.upcall: pid=1779
> May 26 12:35:05 oliva cifs.upcall: find_krb5_cc:
> considering /tmp/krb5cc_0
> May 26 12:35:05 oliva cifs.upcall: find_krb5_cc: FILE:/tmp/krb5cc_0 is
> valid ccache
> May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: getting service
> ticket for oliva
> May 26 12:35:05 oliva cifs.upcall: handle_krb5_mech: obtained service
> ticket
> May 26 12:35:05 oliva kernel: [  612.342045] Status code returned
> 0xc000006d NT_STATUS_LOGON_FAILURE

Looks like the server doesn't like your ticket.

> May 26 12:35:05 oliva kernel: [  612.342109] CIFS VFS: Send error in
> SessSetup = -13
> May 26 12:35:05 oliva kernel: [  612.343323] CIFS VFS: cifs_mount failed
> w/return code = -13
> 
> smbd fails with this:
> Maximum core file size limits now 16777216(soft) -1(hard)
> smbd version 3.6.9 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2011
> uid=0 gid=0 euid=0 egid=0
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> params.c:pm_process() - Processing configuration file
> "/etc/samba/smb.conf"
> Processing section "[global]"
> Processing section "[users]"
> adding IPC service
> added interface eth0 ip=fe80::a00:27ff:fe7c:2d50%eth0
> bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.1.110 bcast=192.168.1.255
> netmask=255.255.255.0
> loaded services
> Initialise the svcctl registry keys if needed.
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Closed policy
> Initialise the eventlog registry keys if needed.
> Closed policy
> get_dc_list: preferred server list: "hh16.hh3.site, *"
> Successfully contacted LDAP server 192.168.1.16
> get_dc_list: preferred server list: "hh16.hh3.site, *"
> get_dc_list: preferred server list: "hh16.hh3.site, *"
> Successfully contacted LDAP server 192.168.1.16
> Connected to LDAP server hh16.hh3.site
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178@please_ignore
> ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
> found)
> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:prtpub_cache]
> expiration dom, 26 may 2013 22:46:04 CEST
> ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> reloading printcap cache
> reload status: ok
> waiting for connections
> Unable to connect to CUPS server localhost:631 - Transport endpoint is
> not connected
> failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> Could not find child 1808 -- ignoring
> Allowed connection from 127.0.0.1 (127.0.0.1)
> init_oplocks: initializing messages.
> Linux kernel oplocks enabled
> Transaction 0 of length 82 (0 toread)
> switch message SMBnegprot (pid 1807) conn 0x0
> Requested protocol [LM1.2X002]
> Requested protocol [LANMAN2.1]
> Requested protocol [NT LM 0.12]
> Requested protocol [POSIX 2]
> using SPNEGO
> Selected protocol NT LM 0.12
> Transaction 1 of length 1450 (0 toread)
> switch message SMBsesssetupX (pid 1807) conn 0x0
> wct=12 flg2=0xd801
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> Doing spnego session setup
> NativeOS=[Linux version 3.8.0-22-generic] NativeLanMan=[CIFS VFS Client
> for Linux] PrimaryDomain=[]
> reply_spnego_negotiate: Got secblob of size 1227
> libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab
> succeeded for principal host/oliva.hh3.site@xxxxxxxx
> Found account name from PAC: Administrator []
> Kerberos ticket principal name is [Administrator@xxxxxxxx]
> Username HH3\Administrator is invalid on this system
> error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
> NT_STATUS_LOGON_FAILURE
> Server exit (failed to receive smb request)
> 
> Anyone please? In particular, why ntlm authentication? Why Username HH3
> \Administrator is invalid on this system? I've tried without winbind use
> default domain =  but nada.
> 

I'm not sure I understand the question about NTLM auth. It doesn't look
like it's being used here.

As far as why Administrator is being rejected, that's probably a better
question for one of the samba lists. If I had to guess though, maybe
Samba doesn't know how to map Administrator to a local unix user on the
server?

-- 
Jeff Layton <jlayton@xxxxxxxxx>
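
Added example, not part of the original message or of Samba: a small triage script for the smbd session-setup log quoted above. It reports whether a logged NT_STATUS failure came before or after the server accepted the Kerberos ticket. The verdict labels and the second sample are constructed for illustration, and the log lines are assumed to be unwrapped (one message per line).

```python
import re

# Message patterns taken from the smbd log quoted in this thread.
PATTERNS = {
    "ticket_ok": re.compile(
        r"krb5_rd_req_return_keyblock_from_keytab succeeded for principal (\S+)"),
    "pac_account": re.compile(r"Found account name from PAC: (\S+)"),
    "no_unix_user": re.compile(r"Username (\S+) is invalid on this system"),
    "status": re.compile(r"error packet at .*?(NT_STATUS_\w+)"),
}

def triage(lines):
    """Return (verdict, facts) for one session setup in an smbd debug log."""
    facts = {}
    for line in lines:
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m and key not in facts:
                facts[key] = m.group(1)
    if "status" not in facts:
        return "no-failure-logged", facts
    if "ticket_ok" not in facts:
        # The server never reported decrypting the ticket with its keytab.
        return "ticket-not-accepted", facts
    if "no_unix_user" in facts:
        # Kerberos succeeded; the account could not be resolved to a Unix user.
        return "identity-mapping", facts
    return "other-post-auth-failure", facts

# Lines from the thread's smbd log, unwrapped; the realm is redacted as on the page.
SAMPLE_FROM_THREAD = [
    "reply_spnego_negotiate: Got secblob of size 1227",
    "libads/kerberos_verify.c:267: krb5_rd_req_return_keyblock_from_keytab "
    "succeeded for principal host/oliva.hh3.site@xxxxxxxx",
    "Found account name from PAC: Administrator []",
    r"Username HH3\Administrator is invalid on this system",
    "error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE",
]

# Constructed sample: same failure status, but no keytab success line.
SAMPLE_CONSTRUCTED = [
    "reply_spnego_negotiate: Got secblob of size 1227",
    "error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE",
]

if __name__ == "__main__":
    for name, sample in (("thread", SAMPLE_FROM_THREAD), ("constructed", SAMPLE_CONSTRUCTED)):
        print(name, *triage(sample))
```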