EX4 and Active Directory

Just finished setting up my new EX4; I struggled and finally managed to join a domain, hopefully correctly:

  1. I can confirm that asking for a workgroup to join a domain is quite strange
  2. The only acceptable value for the workgroup was the domain name without the final “.int” (i.e. Domain = “ABC.INT”, Workgroup = “ABC”)
  3. WHY are you saving the administrator password used to join the domain??? 
  4. I can see all the users I need on the users account
  5. I shared a folder with both users and groups but…nothing happens, I always get an authentication error on the client (Windows) side when accessing the share.
  6. Moreover, I cannot even access the Public share anymore

Looking at smb.conf, I see something strange: the valid users list shows “+ABC+username”, while I would have been expecting “+ABC.INT+username”.

Anyhow, it is not working—and log files are silent.

Any hints?

thanks,

  Giorgio

Check page 118 of the manual for more information. If the problem continues, I recommend that you contact support directly for further assistance.

http://www.wdc.com/wdproducts/library/UM/ENG/4779-705113.pdf#page=123

http://support.wd.com/contact/index.asp?lang=en

Nope, I already read the manual without finding a solution.

  1. workgroup: “Enter the name of the workgroup associated with the AD”. That is??? 

  2. despite joining the domain, I am still unable to access any share using AD credentials; smb logs the failed access attempt as an unauthorized access

Still not working.

On log.smbd:

[2014/04/30 11:09:17.985596, 0] auth/auth.c:329(check_ntlm_password)
CIFS: Authentication for user [xxxx] has FAILED.

…and nothing on the DC side.

By the way: is there a way to restart samba from the shell?

For anyone interested: to manually restart SMB: /usr/sbin/smb restart (I am wondering why there is not a nice link in /etc/init.d)

Further investigations:

* The device is a domain member:

net ads testjoin

Join is OK

wbinfo -u

…list of domain users

wbinfo -g

…list of domain groups

* I raised the logging verbosity to 3, obtaining the following output:

[2014/04/30 15:09:55.664952, 3] ../libcli/auth/ntlmssp.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x60088215
[2014/04/30 15:09:55.666789, 3] smbd/process.c:1662(process_smb)
  Transaction 2 of length 352 (0 toread)
[2014/04/30 15:09:55.666985, 3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 10797) conn 0x0
[2014/04/30 15:09:55.667174, 3] smbd/sesssetup.c:1340(reply_sesssetup_and_X)
  wct=12 flg2=0xc801
[2014/04/30 15:09:55.667326, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2014/04/30 15:09:55.667471, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
  NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2014/04/30 15:09:55.667725, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
  Got user=[warpitaly] domain=[MYDOMAIN.INT] workstation=[warpitaly] len1=24 len2=102
[2014/04/30 15:09:55.669900, 3] auth/auth.c:223(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [MYDOMAIN.INT]\[warpitaly]@[warpitaly] with the new password interface
[2014/04/30 15:09:55.670105, 3] auth/auth.c:226(check_ntlm_password)
  check_ntlm_password: mapped user is: [MYDOMAIN.INT]\[warpitaly]@[warpitaly]
[2014/04/30 15:09:55.684569, 3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user MYDOMAIN+warpitaly via getpwnam(), denying access.
[2014/04/30 15:09:55.684782, 2] auth/auth.c:323(check_ntlm_password)
  check_ntlm_password: Authentication for user [warpitaly] -> [warpitaly] FAILED with error NT_STATUS_NO_SUCH_USER
[2014/04/30 15:09:55.685130, 0] auth/auth.c:329(check_ntlm_password)
  CIFS: Authentication for user [warpitaly] has FAILED.
[2014/04/30 15:09:55.685761, 3] smbd/sesssetup.c:63(do_map_to_guest)
  No such user warpitaly [MYDOMAIN.INT] - using guest account
[2014/04/30 15:09:55.686000, 3] smbd/password.c:298(register_existing_vuid)
  register_existing_vuid: User name: nobody	Real name: 
[2014/04/30 15:09:55.686175, 3] smbd/password.c:308(register_existing_vuid)
  register_existing_vuid: UNIX uid 501 is UNIX user nobody, and will be vuid 100
[2014/04/30 15:09:55.687096, 3] smbd/process.c:1662(process_smb)
  Transaction 3 of length 92 (0 toread)
[2014/04/30 15:09:55.687292, 3] smbd/process.c:1467(switch_message)
  switch message SMBtconX (pid 10797) conn 0x0
[2014/04/30 15:09:55.687611, 3] lib/access.c:338(allow_access)
  Allowed connection from 192.168.0.100 (192.168.0.100)
[2014/04/30 15:09:55.687911, 3] smbd/service.c:890(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]
[2014/04/30 15:09:55.688231, 3] smbd/vfs.c:102(vfs_init_default)
  Initialising default vfs hooks
[2014/04/30 15:09:55.688422, 3] smbd/vfs.c:128(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2014/04/30 15:09:55.689203, 3] smbd/service.c:1132(make_connection_snum)
  warpitaly (192.168.0.100) connect to service IPC$ initially as user nobody (uid=501, gid=1000) (pid 10797)
[2014/04/30 15:09:55.689488, 3] smbd/reply.c:871(reply_tcon_and_X)
  tconX service=IPC$ 
[2014/04/30 15:09:55.690061, 3] smbd/process.c:1662(process_smb)
  Transaction 4 of length 116 (0 toread)
[2014/04/30 15:09:55.690243, 3] smbd/process.c:1467(switch_message)
  switch message SMBtrans2 (pid 10797) conn 0xe0ec28
[2014/04/30 15:09:55.690643, 3] smbd/msdfs.c:891(get_referred_path)
  get_referred_path: |ammin| in dfs path \192.168.0.17\ammin is not a dfs root.
[2014/04/30 15:09:55.690835, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/trans2.c(8393) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
[2014/04/30 15:09:55.691386, 3] smbd/process.c:1662(process_smb)
  Transaction 5 of length 39 (0 toread)
[2014/04/30 15:09:55.691577, 3] smbd/process.c:1467(switch_message)
  switch message SMBtdis (pid 10797) conn 0xe0ec28
[2014/04/30 15:09:55.691793, 3] smbd/service.c:1410(close_cnum)
  warpitaly (192.168.0.100) closed connection to service IPC$
[2014/04/30 15:09:55.691984, 3] smbd/connection.c:35(yield_connection)
  Yielding connection to IPC$
[2014/04/30 15:09:55.692643, 3] smbd/process.c:1662(process_smb)
  Transaction 6 of length 96 (0 toread)
[2014/04/30 15:09:55.692821, 3] smbd/process.c:1467(switch_message)
  switch message SMBtconX (pid 10797) conn 0x0
[2014/04/30 15:09:55.693061, 3] lib/access.c:338(allow_access)
  Allowed connection from 192.168.0.100 (192.168.0.100)
[2014/04/30 15:09:55.693477, 2] smbd/service.c:627(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (Ammin)
[2014/04/30 15:09:55.693650, 1] smbd/service.c:823(make_connection_snum)
  create_connection_session_info failed: NT_STATUS_ACCESS_DENIED
[2014/04/30 15:09:55.693813, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/reply.c(803) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
[2014/04/30 15:09:55.694605, 3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)

It looks like the problem is in Samba versions >= 3.6.10 (my NAS is running 3.6.12) when authenticating over Windows 2000 domains, as reported in this bug:

https://bugzilla.samba.org/show_bug.cgi?id=9615
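
Added example (not part of the original posts and not Samba code): a small Python triage script that pairs each log.smbd header with its message and extracts the chain visible in the level-3 log above, namely the domain the client sent, the name smbd passed to getpwnam(), the fallback to guest, and the share that then refused the guest session. The function names are hypothetical; SAMPLE is four records copied from that log.

```python
import re

# Samba 3.x record header: "[date time, level] file:line(function)"
HEADER = re.compile(r"^\[(\S+ \S+),\s+\d+\] \S+:\d+\((\w+)\)$")

def parse_records(text):
    """Pair each header line with the indented message line(s) after it."""
    records = []
    for line in text.splitlines():
        if m := HEADER.match(line.strip()):
            records.append({"time": m.group(1), "func": m.group(2), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def guest_fallbacks(records):
    """Session setups whose Unix account lookup failed and fell back to guest."""
    findings, cur = [], None
    for r in records:
        func, msg = r["func"], r["msg"]
        if func == "ntlmssp_server_preauth":
            if m := re.search(r"user=\[(.*?)\] domain=\[(.*?)\]", msg):
                cur = {"user": m.group(1), "client_domain": m.group(2),
                       "unix_lookup": None, "guest": False, "denied_share": None}
                findings.append(cur)  # a new session setup starts here
        elif cur is None:
            continue
        elif func == "check_account":
            if m := re.search(r"Failed to find authenticated user (\S+) via getpwnam", msg):
                cur["unix_lookup"] = m.group(1)
        elif func == "do_map_to_guest" and "using guest account" in msg:
            cur["guest"] = True
        elif func == "create_connection_session_info":
            if m := re.search(r"not permitted to access this share \((.*?)\)", msg):
                cur["denied_share"] = m.group(1)
    return [f for f in findings if f["guest"]]

# Excerpt of the level-3 log posted in the thread (four records, copied as-is).
SAMPLE = """\
[2014/04/30 15:09:55.667725, 3] ../libcli/auth/ntlmssp_server.c:348(ntlmssp_server_preauth)
  Got user=[warpitaly] domain=[MYDOMAIN.INT] workstation=[warpitaly] len1=24 len2=102
[2014/04/30 15:09:55.684569, 3] auth/auth_util.c:1121(check_account)
  Failed to find authenticated user MYDOMAIN+warpitaly via getpwnam(), denying access.
[2014/04/30 15:09:55.685761, 3] smbd/sesssetup.c:63(do_map_to_guest)
  No such user warpitaly [MYDOMAIN.INT] - using guest account
[2014/04/30 15:09:55.693477, 2] smbd/service.c:627(create_connection_session_info)
  guest user (from session setup) not permitted to access this share (Ammin)
"""

print(guest_fallbacks(parse_records(SAMPLE)))
```

Comparing `client_domain` with the prefix in `unix_lookup` shows at a glance whether the name smbd looked up matches what the client sent, which is the mismatch noticed in smb.conf earlier in the thread.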