Vista Authentication

chigley

OK, my problem is this.

I have an Ubuntu box running Samba 3.23. Vista can see the box, and prompts me for a user name and password. I know I am typing correctly, yet Vista will not authenticate. I have added the following line to the smb.conf file

client ntlmv2 auth = yes

and I have also hacked the registry on the Vista box as suggested in other forums

HKLM/CurrentControlSet/LMAuthenticationMode or some such other, but I remember I had to change it from a 3 to a 1 to get it to use NTLM rather than NTLMV2.

Anywho, despite all the advice I have researched on the web it STILL doesn't work. Does anyone know how to track this down via the Samba log files? Can you give me some pointers?

thanks in advance

Charlie
 
You can try using the domain name before the username.

username=SAMBASERVER\myuser

The same concept as passing the domain name in a net use

net use * \\sambaserver\share /u:DOMAINNAME\username *
 
Yup. Tried that. It is workgroup and not a domain, but alas I still tried. The user name is charlie and the workgroup is PCEL so I tried

\\PCEL\charlie as well as just 'charlie'.

Vista seems to want to prefix it with the machine name as well! So the laptop is called charlie-laptop, and if I try and log in as charlie it rejects the log in and prefills the user name box with charlie-laptop\charlie. Even though the connection properties show it is part of the PCEL workgroup.

I have since set the logging level under Samba to 4, and it appears to be trying to authenticate me as the guest ("nobody") account.

Below is an excerpt from the samba log file

[2007/03/28 00:00:10, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [PCEL]\[]@[CHARLIE-LAPTOP]
[2007/03/28 00:00:10, 4] lib/substitute.c:automount_server(359)
Home server: charlie-desktop
[2007/03/28 00:00:10, 4] lib/substitute.c:automount_server(359)
Home server: charlie-desktop
[2007/03/28 00:00:10, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded

The log file also has

Requested protocol [LANMAN1.0]

So at least the registry hack on the Vista box did the trick. Still doesn't work though!
 
You need to use CHARLIE-LAPTOP\charlie.

That should do the trick.
 
No. Sadly not. I wasn't clear in my last post but all keys have been tried at the door I'm afraid. The clue is in the log files I'm sure. Why is Samba receiving [] as the user name? It wouldn't matter who I typed in as a user name if Samba is not getting it.

The question remains, why is Samba not correctly authenticating Vista?
 
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = PCEL

# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
; wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast

# For compatibility with Windows Vista
client lanman auth = no

client ntlmv2 auth = yes

domain logons = yes

guest account = nobody

netbios name = charlie-desktop

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = true



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d

#log level
log level = 4

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba-HOWTO-Collection/ServerType.html
# in the samba-doc package for details.
security = user

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = false

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam

obey pam restrictions = yes

; guest account = nobody
invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
; unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
; pam password change = no

########## Domains ###########

# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
domain logons = yes
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
; logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
; logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap

# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
; printer admin = @lpadmin


############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY

# The following parameter is useful only if you have the linpopup package
# installed. The samba maintainer and the linpopup maintainer are
# working to ease installation and configuration of linpopup and samba.
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
; domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
comment = Home Directories
browseable = yes

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
valid users = %S

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0600 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0664.
; create mask = 0600

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; writable = no
; share modes = no

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700

wins support = no
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
; write list = root, @ntadmin

# A sample share for sharing your CD-ROM with others.
;[cdrom]
; comment = Samba server's CD-ROM
; writable = no
; locking = no
; path = /cdrom
; public = yes

# The next two parameters show how to auto-mount a CD-ROM when the
# cdrom share is accesed. For this to work /etc/fstab must contain
# an entry like this:
#
# /dev/scd0 /cdrom iso9660 defaults,noauto,ro,user 0 0
#
# The CD-ROM gets unmounted automatically after the connection to the
#
# If you don't want to use auto-mounting/unmounting make sure the CD
# is mounted on /cdrom
#
; preexec = /bin/mount /cdrom
; postexec = /bin/umount /cdrom


[Data]
path = /home/charlie/Data
comment = SATA RAID
available = yes
browsable = yes
public = yes
writable = yes
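
An added example, not part of the original thread or of Samba: a small Python audit that reads an smb.conf like the one posted above and reports three things visible in it, namely `encrypt passwords` turned off, share-level parameters left active under a commented-out section header (so they are parsed into the preceding section), and a share that is both guest-accessible and writable. The function names and finding labels are assumptions of this example, and `SHARE_LEVEL` lists only a subset of share parameters.

```python
import re
# Constructed excerpt: only lines of the posted smb.conf that the checks read.
SAMPLE_CONF = """
[global]
encrypt passwords = false
;[homes]
comment = Home Directories
valid users = %S
writable = yes
;[profiles]
wins support = no
[Data]
public = yes
writable = yes
"""

SHARE_LEVEL = {"comment", "path", "validusers", "writable", "browseable"}  # subset only
TRUE = {"yes", "true", "1"}

def norm(name):
    """smb.conf ignores case and whitespace inside parameter names."""
    return "".join(name.lower().split())

def audit(text):
    sections, orphans, section, dead = {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"[;#]\s*\[.+\]", line):
            dead = line.strip(";# ")[1:-1]        # commented-out section header
        elif line.startswith("[") and line.endswith("]"):
            section, dead = line[1:-1], None        # active header ends the orphan run
            sections.setdefault(section, {})
        elif line and line[0] not in ";#" and "=" in line and section:
            name, value = (p.strip() for p in line.split("=", 1))
            sections[section][norm(name)] = value
            if dead and norm(name) in SHARE_LEVEL:  # global-only parameters are fine here
                orphans.setdefault((dead, section), []).append(norm(name))
    found = []
    for name, params in sections.items():
        if name.lower() == "global":
            if params.get("encryptpasswords", "yes").lower() not in TRUE:
                found.append(("plaintext-passwords", name))
            continue
        # "public" is a synonym for "guest ok"
        guest = params.get("guestok", params.get("public", "no")).lower() in TRUE
        if guest and params.get("writable", "no").lower() in TRUE:
            found.append(("guest-writable-share", name))
    for (dead, section), names in orphans.items():
        found.append((f"{dead}-params-active-in-{section}", ",".join(names)))
    return found
```

Share-level parameters that end up in [global] become the default for every share, so a `valid users = %S` line there limits each share to the user whose name matches the share name.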
 
I guess not as I haven't edited this file. I did consider this but from what I had been reading the following section of the log file basically says use the Linux user account info.

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba-HOWTO-Collection/ServerType.html
# in the samba-doc package for details.
security = user
 
If you have no Samba users defined, your users won't connect. A Samba user is not the same as the Unix user.
 
I believe if you set the security = user, you do need to add users to the smbpasswd file. Try running: smbpasswd -a <user>, it will then ask you for a password. That is probably why you were trying to connect as nobody when you were on the share.
 
OK So I did that. It still won't connect :=(

But I am getting different errors in the Samba log file, so that must be progress.

The errors on connection are listed below.

[2007/04/05 19:15:48, 3] smbd/password.c:register_vuid(257)
User name: charlie-laptop Real name: laptop,,,,
[2007/04/05 19:15:48, 3] smbd/password.c:register_vuid(276)
UNIX uid 1002 is UNIX user charlie-laptop, and will be vuid 101
[2007/04/05 19:15:48, 4] auth/pampass.c:smb_pam_start(459)
smb_pam_start: PAM: Init user: charlie-laptop
[2007/04/05 19:15:48, 4] auth/pampass.c:smb_pam_start(476)
smb_pam_start: PAM: setting rhost to: 192.168.1.4
[2007/04/05 19:15:48, 4] auth/pampass.c:smb_pam_start(485)
smb_pam_start: PAM: setting tty
[2007/04/05 19:15:48, 4] auth/pampass.c:smb_pam_start(493)
smb_pam_start: PAM: Init passed for user: charlie-laptop
[2007/04/05 19:15:48, 4] auth/pampass.c:smb_internal_pam_session(630)
smb_internal_pam_session: PAM: tty set to: smb/21897/101
[2007/04/05 19:15:48, 4] auth/pampass.c:smb_pam_end(440)
smb_pam_end: PAM: PAM_END OK.
[2007/04/05 19:15:48, 3] smbd/password.c:register_vuid(305)
Adding homes service for user 'charlie-laptop' using home directory: '/home/laptop'
[2007/04/05 19:15:48, 3] smbd/process.c:process_smb(1194)
Transaction 3 of length 92
[2007/04/05 19:15:48, 3] smbd/process.c:switch_message(993)
switch message SMBtconX (pid 21897) conn 0x0
[2007/04/05 19:15:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/04/05 19:15:48, 4] smbd/reply.c:reply_tcon_and_X(660)
Client requested device type [?????] for share [IPC$]
[2007/04/05 19:15:48, 2] smbd/service.c:make_connection_snum(327)
user 'charlie-laptop' (from session setup) not permitted to access this share (IPC$)
[2007/04/05 19:15:48, 3] smbd/error.c:error_packet(146)
error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED


Any ideas?

thanks in advance
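
An added example, not part of the original thread: Python that splits a Samba log in the format quoted in the posts above into records and reports the three events those posts discuss, an empty user name in the mapped-user line, a session accepted as guest, and a refused share connection. The function names and finding labels are assumptions of this example; the sample records are copied from the two log excerpts in the thread.

```python
import re

# Records copied from the two excerpts in the thread: a
# "[date time, level] file:function(line)" header, then the message line.
SAMPLE_LOG = r"""[2007/03/28 00:00:10, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [PCEL]\[]@[CHARLIE-LAPTOP]
[2007/03/28 00:00:10, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: guest authentication for user [] succeeded
[2007/04/05 19:15:48, 2] smbd/service.c:make_connection_snum(327)
user 'charlie-laptop' (from session setup) not permitted to access this share (IPC$)
[2007/04/05 19:15:48, 3] smbd/error.c:error_packet(146)
error packet at smbd/reply.c(668) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\] (\S+):(\w+)\((\d+)\)$")
MAPPED = re.compile(r"mapped user is: \[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")
GUEST = re.compile(r"guest authentication for user \[(.*?)\] succeeded")
DENIED = re.compile(r"user '(.+?)' \(from session setup\) not permitted to access this share \((.+?)\)")

def records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), m.group(4), ""]
        elif current and line.strip():
            # message lines may be indented and may span several lines
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def findings(text):
    """Return (timestamp, kind, detail) for the events discussed in the thread."""
    out = []
    for ts, _level, _func, msg in records(text):
        m = MAPPED.search(msg)
        if m and m.group(2) == "":
            out.append((ts, "empty-username", f"client {m.group(3)} sent no user name (domain {m.group(1)})"))
        m = GUEST.search(msg)
        if m:
            out.append((ts, "guest-fallback", f"session for user [{m.group(1)}] accepted as guest"))
        m = DENIED.search(msg)
        if m:
            out.append((ts, "share-denied", f"user {m.group(1)} refused on share {m.group(2)}"))
    return out
```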
 
Do the usernames and user IDs match up correctly in /etc/passwd and your smbpasswd?
 
How do you tell? The smbpasswd file appears to be encrypted. I have used the sudo smbpasswd -a <user> for all of the user accounts I have tried, and used this to set them to the same as the Linux password. I also changed the samba config to

user=share

and still no joy. Really running out of ideas....
 
You should still be able to view the smbpasswd file as root. It would have username:uid:samba password or something like that.
 