Problem with file sharing on 10.6 server to SMB

Hi

I have problems with a 10.6 server connected to our AD as a Domain Member.

I have set up users and groups from the AD in the file sharing, and if I connect to the server with my AD account on a Mac it works flawlessly. The share mounts and I have all the right privileges.

If I try to connect from a PC I can't log in, and the SMB log says the following:


[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/smbd/sesssetup.c:setup new_vcsession(1273)
setup new_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/lib/module.c:do smb_loadmodule(64)
Module '/usr/lib/samba/auth/odsam.dylib' loaded
[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/smbd/sesssetup.c:setup new_vcsession(1273)
setup new_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth.c:check ntlmpassword(319)
check ntlmpassword: Authentication for user [] -> [] FAILED with error NT STATUS_NO_SUCHUSER
[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/smbd/sesssetup.c:setup new_vcsession(1273)
setup new_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/smbd/sesssetup.c:setup new_vcsession(1273)
setup new_vcsession: New VC == 0, if NT4.x compatible we would close all old resources.
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/lib/opendirectory.c:get opendirectoryauthenticator(247)
failed to read DomainAdmin credentials, err=67 fd=26 errno=2
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/lib/opendirectory.c:opendirectory user_auth_and_sessionkey(580)
dsDoDirNodeAuthOnRecordType gave -14091 [eDSAuthMethodNotSupported]
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth odsam.c:opendirectory_smb_pwd_checkntlmv1(387)
opendirectory user_auth_and_sessionkey gave -14091 [eDSAuthMethodNotSupported]
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth odsam.c:opendirectory_authuser(235)
dsDoNodeAuth gave -14090 [eDSAuthFailed]
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth odsam.c:opendirectory_smb_pwd_checkntlmv1(397)
opendirectory authuser gave -14090 [eDSAuthFailed]
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/lib/opendirectory.c:get opendirectoryauthenticator(247)
failed to read DomainAdmin credentials, err=67 fd=27 errno=2
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth odsam.c:opendirectory_smb_pwd_checkntlmv1(406)
opendirectory user_sessionkey gave -14090 [eDSAuthFailed]
[2011/02/01 15:40:25, 0, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth odsam.c:opendirectory_opendirectory_ntlm_passwordcheck(602)
opendirectory smb_pwd_checkntlmv1 gave -14090 [eDSAuthFailed]
[2011/02/01 15:40:25, 2, pid=10854] /SourceCache/samba/samba-235.5/samba/source/auth/auth.c:check ntlmpassword(319)
check ntlmpassword: Authentication for user [myadaccount] -> [myadaccount] FAILED with error NT STATUS_WRONGPASSWORD

I get no error message at all on the PC; it just reopens the window for entering my account. If I try to connect from a Mac with smb:// it says wrong password.

Something I noticed is that in the log it first says: Authentication for user [] -> [] FAILED with error NT STATUS_NO_SUCHUSER

Don't know why..

If I connect from a PC with the server's local admin account it works; it mounts the share flawlessly.

We have tried to change all settings possible with no luck.

Hope anyone has a good idea

Thanx Nicklas

Xserve 10.6 Server, Mac OS X (10.6.6)

Posted on Feb 1, 2011 7:01 AM


Mar 17, 2011 2:25 AM in response to jcny123

I've got the same issue here, with a 10.6.6 Server bound to an AD domain. Users from PC or Mac can't log in using their AD accounts using SMB.

However, it works great using AFP on Mac.

Logs say:

[2011/03/17 10:24:08, 0, pid=26379] /SourceCache/samba/samba-235.5/samba/source/auth/auth odsam.c:opendirectory_opendirectory_ntlm_passwordcheck(572)
opendirectory smb_pwd_checkntlmv2 gave -14090 [eDSAuthFailed]
[2011/03/17 10:24:08, 2, pid=26379] /SourceCache/samba/samba-235.5/samba/source/auth/auth.c:check ntlmpassword(319)
check ntlmpassword: Authentication for user [3100001] -> [3100001] FAILED with error NT STATUS_WRONGPASSWORD

Jan 12, 2012 2:20 PM in response to Nicklas Ulander

I also had this sort of issue. I was able to connect via AFP with AD users and could kinit from the machine just fine. However, WinXP/Vista/7 would not connect via SMB. I had used usernames in the form of user@domain on non-domain-bound PCs. I had a hunch it was a problem with Kerberos, seeing as AD uses Kerberos to auth for everything. I could not find anything wrong with my Kerberos config - further reinforced by OK kinits. Turns out the problem was on the AD server side for me. Changeip -checkhostname reported no errors. DNS resolved fine, including SRV records. WGM showed all my AD users. I really started to tear my hair out, as most everything seemed 100% OK.


I dug around and found a post that helped me:


http://web.archiveorange.com/archive/v/zFVVmNV1zN0KbT3tYKO1


The crux of the issue was that I had a DNS name that contained a hyphen: server-name.fqdn.com

When binding, the AD connector added a default machine record as server_name


AD then created all the Kerberos SPNs using the name "server_name" and added the corresponding DNS entries, as well as DNS entries for "server-name". Kerberos would use the local, correct machine name and look for SPNs from AD, which referenced the wrong name. Kerberos would fail.


The command that helped me identify this was:


smbclient -k -d9 //server-name/Mount


It originally failed, listing errors.


I manually used ADSI edit to go into the computer record in AD and add a SPN for cifs, which fixed the immediate problem.


I did this by launching ADSI Edit, browsing to the container housing the Mac server's computer record, right-clicking the server's CN, and selecting properties. The service principal name attribute had a listing of the service-by-service SPNs. I simply added a SPN for cifs/server-name.fqdn.com, and bang - SMB from Windows clients worked fine again.


I ultimately went back, unbound, then rebound to create SPNs and computer records only referencing the right DNS name. 100% working. Not sure why the hyphen was converted to an underscore via the network logins AD connector, but hey - I know what to look out for now.
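
The SPN mismatch described in the answer above can be checked mechanically. The following is an added example, not code from any poster in this thread: it takes the server's DNS name and the values of the computer record's servicePrincipalName attribute and reports SPNs registered under the hyphen-to-underscore name as well as required SPNs missing for the real name. The function names and the sample SPN lists are constructed for illustration, using the placeholder name server-name.fqdn.com from the post.

```python
# Added example: audit a computer record's SPNs against the server's DNS name.

def normalise(name):
    """Lower-case a host name and drop surrounding space and a trailing dot."""
    return name.strip().rstrip(".").lower()

def parse_spn(spn):
    """Split 'class/host[:port][/service-name]' into (class, host)."""
    service_class, _, rest = spn.strip().partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service_class.lower(), normalise(host)

def audit_spns(fqdn, spns, required=("cifs",)):
    """Return SPNs missing for fqdn and SPNs registered under a mangled name."""
    fqdn = normalise(fqdn)
    short = fqdn.split(".", 1)[0]
    wanted = {fqdn, short}
    # The failure mode from the post: '-' in the host name stored as '_'.
    mangled_names = {n.replace("-", "_") for n in wanted} - wanted
    matching, mangled = set(), []
    for spn in spns:
        service_class, host = parse_spn(spn)
        if host in wanted:
            matching.add((service_class, host))
        elif host in mangled_names:
            mangled.append(spn)
    missing = [f"{c}/{fqdn}" for c in required if (c, fqdn) not in matching]
    return {"missing": missing, "mangled": mangled}

# Constructed sample: SPNs as they might look after binding with the wrong name.
BROKEN = [
    "host/server_name.fqdn.com",
    "cifs/server_name.fqdn.com",
    "afpserver/server_name.fqdn.com",
    "HOST/server_name",
]
# Constructed sample: the same record after manually adding the cifs SPN.
PATCHED = BROKEN + ["cifs/server-name.fqdn.com"]
# Constructed sample: a record rebound under the correct DNS name.
REBOUND = ["host/server-name.fqdn.com", "cifs/server-name.fqdn.com:445"]

if __name__ == "__main__":
    for label, spns in (("broken", BROKEN), ("patched", PATCHED), ("rebound", REBOUND)):
        print(label, audit_spns("server-name.fqdn.com", spns))
```

A non-empty "mangled" list after the manual fix shows that other services still carry the underscore name, which is the state the unbind and rebind cleared up.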
