[Samba] smb_auth problem
Vinicius Ruoso
I'm having a problem with the smb_auth authentication method. Everything
looks like normal, but everytime I try to use smb_auth it returns ERR.
I will show here some commands output to secure that all configuration is
correct, and if anyone can help me to investigate what's happend I'll
thanks.
I'm using: Debian lenny, updated.
ii samba 2:3.2.3-1
ii squid 2.7.STABLE3-1
XXXXXXXXXX its the correct password.
8<----------------------------------
sek:/home# /usr/lib/squid/smb_auth -W SEKPLASTICOS -U 127.0.0.1 -d
vinicius XXXXXXXXXXX
Domain name: SEKPLASTICOS
Pass-through authentication: no
Query address options: -U 127.0.0.1 -R
Domain controller IP address: 10.0.0.1
Domain controller NETBIOS name: SEK
Contents of //SEK/NETLOGON/proxyauth:
ERR
8<----------------------------------
But, look at the smbclient command.
vinicius@sek:~$ smbclient "//SEK/netlogon" XXXXXXXXXXX -c "get proxyauth -"
Domain=[SEKPLASTICOS] OS=[Unix] Server=[Samba 3.2.3]
allow
getting file \proxyauth of size 6 as - (5,9 kb/s) (average 5,9 kb/s)
Running smb_auth with user "vinicius" don't work too.
8<----------------------------------
Some permission and configs:
8<----------------------------------
The smb_auth permissions
sek:/usr/lib/squid# ls -l /usr/lib/squid/
total 284
-rwxr-xr-x 1 root root 15212 Jul 6 06:28 digest_pw_auth
-rwxr-xr-x 1 root root 11636 Jul 6 06:26 diskd-daemon
-rwxr-sr-- 1 proxy shadow 7988 Jul 6 06:28 getpwnam_auth
-rwxr-xr-x 1 root root 10312 Jul 6 06:28 ip_user_check
-rwxr-xr-x 1 root root 17544 Jul 6 06:28 ldap_auth
-rwxr-xr-x 1 root root 5464 Jul 6 06:26 logfile-daemon
-rwxr-xr-x 1 root root 32828 Jul 6 06:28 msnt_auth
-rwxr-xr-x 1 root root 15748 Jul 6 06:28 ncsa_auth
-rwxr-xr-x 1 root root 42216 Jul 6 06:28 ntlm_auth
-rwxr-sr-- 1 proxy shadow 10696 Jul 6 06:28 pam_auth
-rwxr-xr-x 1 root root 9552 Jul 6 06:28 smb_auth
-rwxr-xr-x 1 root root 2287 Jul 6 06:23 smb_auth.sh
-rwxr-xr-x 1 root root 22848 Jul 6 06:28 squid_kerb_auth
-rwxr-xr-x 1 root root 19000 Jul 6 06:28 squid_ldap_group
-rwxr-xr-x 1 root root 5996 Jul 6 06:28 squid_session
-rwxr-xr-x 1 root root 10248 Jul 6 06:28 squid_unix_group
-rwxr-xr-x 1 root root 3732 Jul 6 06:26 unlinkd
-rwxr-xr-x 1 root root 2359 Abr 9 2007 wbinfo_group.pl
-rwxr-xr-x 1 root root 8776 Jul 6 06:28 yp_auth
8<----------------------------------
The SMB configuration
sek:/usr/lib/squid# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from 192.168.0.2 (192.168.0.2)
# Date: 2008/04/04 23:07:20
[global]
workgroup = sekplasticos
netbios name = sek
server string = sek
security = user
null passwords = No
encrypt passwords = true
unix password sync = No
unix charset = iso8859-1
display charset = cp850
log level = 3
log file = /var/log/samba_log.%u
keepalive = 20
socket options = IPTOS_LOWDELAY TCP_NODELAY
logon path = \\sek\sysvol\%U
logon drive = P
domain logons = Yes
os level = 100
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
ldap ssl = no
comment = Servidor Sek
admin users = vinicius
time server = Yes
hosts allow = 127., 192.168.0., 10.0.0.
[homes]
comment = Pastas dos Usuarios
browseable = No
writable = Yes
create mask = 0600
directory mask = 0700
valid users = %S
[netlogon]
comment = Compartilhamento de Scripts
path = /home/netlogon
public = Yes
browseable = Yes
writable = Yes
[sysvol]
comment = System Volume
path = /home/sysvol
writable = Yes
guest ok = Yes
share modes = No
browseable = No
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
[publico]
comment = publico
path = /home/publico
guest ok = No
writable = Yes
create mask = 0644
directory mask = 0777
public = Yes
[aplicativos]
comment = aplicativos
path = /home/aplicativos
guest ok = No
writable = Yes
browseable = Yes
create mask = 0600
directory mask = 0700
valid users = gilberto
sek:/usr/lib/squid#
8<----------------------------------
The NETLOGON permissions and proxyauth
sek:/home/netlogon# ls -l
total 4
-rwxrwxrwx 1 root root 6 Ago 31 17:35 proxyauth
sek:/home/netlogon# ls -ld
drwxrwxrwx 2 root root 22 Ago 31 17:35 .
sek:/home/netlogon# cat proxyauth
allow
8<----------------------------------
Really thanks if someone could help me.
--
Vinicius Ruoso - vk...@c3sl.ufpr.br
C3SL: http://www.c3sl.ufpr.br
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Jon Wilson
lanman auth = yes
in my smb.conf
(thats from memory - you may want to check the man page)
It fixed it for me.
Jon
2008/8/31 Vinicius Ruoso <vk...@c3sl.ufpr.br>:
Vinicius Ruoso
Really thanks for your fast response. But the "lanman auth = yes" added
to global directive of my smb.conf don't make any effect on smb_auth
authentication process. The response still the same. :(
Do you have any other idea of what can be done to fix it?
Any hope is very welcome. I'm trying to get this work a long time.
8<-------------------------------------------------------------------
The following are the man entry to lanman auth:
It looks like that this option don't affect smbclient requests.
lanman auth (G)
This parameter determines whether or not smbd(8) will attempt to
authenticate users or permit password changes using the LANMAN
password hash. If disabled, only clients which support NT password
hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows
95/98 or the MS DOS network client) will be able to connect to the
Samba host.
The LANMAN encrypted response is easily broken, due to it愀
case-insensitive nature, and the choice of algorithm. Servers
without Windows 95/98/ME or MS DOS clients are advised to disable
this option.
Unlike the encrypt passwords option, this parameter cannot alter
client behaviour, and the LANMAN response will still be sent over
the network. See the client lanman auth to disable this for
Samba愀
clients (such as smbclient)
If this option, and ntlm auth are both disabled, then only NTLMv2
logins will be permited. Not all clients support NTLMv2, and most
will require special configuration to use it.
Default: lanman auth = no
8<-------------------------------------------------------------------
Jon Wilson
I use censornet and that stopped authenticating to the domain when I
did the upgrade to 3.2.x - I thought you might be suffering the same
issue.
Jon
2008/9/1 Vinicius Ruoso <vk...@c3sl.ufpr.br>:
> Hi Jon Wilson,
>
> Really thanks for your fast response. But the "lanman auth = yes" added
> to global directive of my smb.conf don't make any effect on smb_auth
> authentication process. The response still the same. :(
>
> Do you have any other idea of what can be done to fix it?
> Any hope is very welcome. I'm trying to get this work a long time.
>
> 8<-------------------------------------------------------------------
> The following are the man entry to lanman auth:
> It looks like that this option don't affect smbclient requests.
>
> lanman auth (G)
>
> This parameter determines whether or not smbd(8) will attempt to
> authenticate users or permit password changes using the LANMAN
> password hash. If disabled, only clients which support NT password
> hashes (e.g. Windows NT/2000 clients, smbclient, but not Windows
> 95/98 or the MS DOS network client) will be able to connect to the
> Samba host.
>
> The LANMAN encrypted response is easily broken, due to it´s
> case-insensitive nature, and the choice of algorithm. Servers
> without Windows 95/98/ME or MS DOS clients are advised to disable
> this option.
>
> Unlike the encrypt passwords option, this parameter cannot alter
> client behaviour, and the LANMAN response will still be sent over
> the network. See the client lanman auth to disable this for
> Samba´s
VINICIUS KWIECIEN RUOSO
some time before, but this time it's not working.
An I missing something crusial here?
For me all looks normal. :(
Thanks a lot
--
---
Vinicius Kwiecien Ruoso - vk...@c3sl.ufpr.br