[cifs-discuss] not able to connect to cifs share from os 10.5 (works fine in windows)
Natalie Li
Natalie.Li at Sun.COM
Mon Jun 30 06:37:13 PDT 2008
The Solaris CIFS server should behave like Windows with regard to how the
username is specified at connect time. We'll look into the problem.
Thanks for bringing this to our attention!
Natalie
HUGE | Rob Terhaar wrote:
> Hi Natalie,
> Are there any plans to allow users to change this behavior? How Solaris CIFS
> currently authenticates users by assuming that <username> means a non-domain
> user is very different from how Samba/Linux and Windows CIFS/SMB servers
> authenticate users. In Windows <SERVERHOSTNAME>\<USERNAME> means a local
> user. (I'm not sure how samba authenticates local users by default...)
>
> Samba handles this situation with the following parameter:
>
> winbind use default domain (G)
> This parameter specifies whether the winbindd(8) daemon should operate on
> users without domain component in their username. Users without a domain
> component are treated as is part of the winbindd server's own domain. While
> this does not benefit Windows users, it makes SSH, FTP and e-mail function
> in a way much closer to the way they would in a native unix system.
>
> Default: winbind use default domain = no
>
> Example: winbind use default domain = yes
>
> On 6/27/08 2:23 PM, "Natalie Li" <Natalie.Li at Sun.COM> wrote:
>
>
>> When our CIFS server operates in domain mode, both local users and
>> domain users can connect to a share from any CIFS clients. If the
>> client sends <domainname>\<username>, the user will be interpreted as a
>> domain user. As a result, the authentication will be done via a domain
>> controller. If the client sends either <CIFS server
>> hostname>\<username> or simple <username>, the user will be interpreted
>> as a local user - local authentication will take place.
>>
>> According to the trace, your MAC client, unlike any Windows clients,
>> sent only the username to our CIFS server even when it's in the AD
>> domain. Thus, the CIFS server failed to authenticate the user locally.
>> You're right that you'd always need to map a CIFS share by specifying
>> <domainname>\<username> from the MAC client to indicate domain user
>> login. Just to clarify, this has nothing to do with the NetBIOS scope
>> that you mentioned the other day.
>>
>> Regards,
>>
>> Natalie
>>
>> HUGE | Rob Terhaar wrote:
>>
>>> Hi All,
>>> I've done some more debugging and wiresharking and found a less-than-ideal
>>> workaround.
>>>
>>> Although my OS X 10.5.3 machine is a Domain Member, I still need to prefix
>>> my username with the local netbios scope when connecting to my opensolaris
>>> cifs share.
>>>
>>> E.g., my domain name is ad.hugeinc.com, so for my username I need to type in
>>> HUGEINC\rterhaar
>>>
>>> The netbios prefix is not required on my linux or windows domain members.
>>> Additionally, entering the username in this format is not required when I
>>> connect to windows or linux/samba shares from OS X 10.5.3 domain members.
>>>
>>> This inconsistency will inevitably be annoying to the users; anyone know of a
>>> fix?
>>>
>>> # idmap list
>>> add -d winuser:*@* unixuser:*
>>> add -d wingroup:*@* unixgroup:*
>>>
>>> # sharectl get smb
>>> system_comment=
>>> max_workers=64
>>> netbios_scope=hugeinc (tried several iterations, nothing helped)
>>> lmauth_level=4
>>> keep_alive=5400
>>> wins_server_1=xx.xx.xx.xx
>>> wins_server_2=xx.xx.xx.xx
>>> wins_exclude=
>>> signing_enabled=false
>>> signing_required=false
>>> restrict_anonymous=false
>>> pdc=
>>> ads_site=LA
>>> ddns_enable=false
>>> autohome_map=/etc
>>>
>>> On 6/24/08 2:47 PM, "Natalie Li" <Natalie.Li at Sun.COM> wrote:
>>>
>>>
>>>
>>>> I'll ask the testing team to do some NETBIOS scope testing to see if we
>>>> can reproduce the problem here.
>>>>
>>>> The CIFS server derives the NETBIOS domain name from the FQDN that you
>>>> specified during domain join. There isn't a way to change the netbios
>>>> domain name at least for now. You can specify the netbios_scope via
>>>> sharectl CLI. Would it make any difference if you set that via sharectl?
>>>>
>>>> Natalie
>>>>
>>>> HUGE | Rob Terhaar wrote:
>>>>
>>>>
>>>>
>>>>> Think I may have figured out part of the problem. I tried connecting
>>>>> from an OS X 10.4 machine, and the default domain was set to AD. Our
>>>>> domain is ad.hugeinc.com, netbios scope is just hugeinc.
>>>>>
>>>>> When I changed this setting to ad.hugeinc.com in OS X 10.4 I was able
>>>>> to connect.
>>>>>
>>>>> So the question is, how can I change the default netbios domain name
>>>>> in the cifs server?
>>>>>
>>>>>
>>>>> Sent from my BlackBerry
>>>>>
>>>>> ----- Original Message -----
>>>>> From: Natalie.Li at Sun.COM <Natalie.Li at Sun.COM>
>>>>> To: HUGE | Rob Terhaar
>>>>> Cc: cifs-discuss at opensolaris.org <cifs-discuss at opensolaris.org>
>>>>> Sent: Tue Jun 24 15:17:15 2008
>>>>> Subject: Re: [cifs-discuss] not able to connect to cifs share from os
>>>>> 10.5 (works fine in windows)
>>>>>
>>>>> Could you run `sharectl get smb` and send us the output?
>>>>> When you said "turning signing on and off in cifs", are you referring to
>>>>> the Mac client, Solaris CIFS server, or domain controller?
>>>>>
>>>>> Natalie
>>>>>
>>>>> HUGE | Rob Terhaar wrote:
>>>>>
>>>>>> Yes, mac os X.
>>>>>>
>>>>>> I've included four snoop files, and full daemon debug logs. 3 are from snoop
>>>>>> on the server, and the 4th is on my local machine with wireshark.
>>>>>>
>>>>>> I've also tried turning signing on and off in cifs.
>>>>>>
>>>>>> I just did a clean install to make sure that I'm not crazy, that didn't
>>>>>> help.
>>>>>>
>>>>>> Not sure where else to look? I've done quite a bit of testing with cifs,
>>>>>> this problem is new though.
>>>>>>
>>>>>> The only thing that has changed recently is that we added ladc1 as a domain
>>>>>> controller. This domain controller is in a different site, and is currently
>>>>>> offline.
>>>>>>
>>>>>> I've tried setting the site in sharectl to my local site name, that's no
>>>>>> help either, it's still trying to talk to ladc1.
>>>>>>
>>>>>> On 6/24/08 11:03 AM, "Natalie Li" <Natalie.Li at Sun.COM> wrote:
>>>>>>
>>>>>>> Just want to clarify, are you referring to Mac OS?
>>>>>>> There aren't any errors in the syslog. Could you please send us the
>>>>>>> entire syslog file?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Natalie
>>>>>>>
>>>>>>> Rob wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> Hoping that you can give me some help connecting to an opensolaris 2008.5
>>>>>>>> snv_91 share from an os x (10.5.3) box.
>>>>>>>>
>>>>>>>> The server is bound to a 2003 r2 domain, idmap is working correctly, and I
>>>>>>>> can connect from a windows machine.
>>>>>>>>
>>>>>>>> When I connect from an os x machine (tried several) I get a password denied,
>>>>>>>> and see this in the daemon.debug logs:
>>>>>>>> Jun 23 22:42:13 nynas1 smbd[611]: [ID 775558 daemon.debug] smb_door_srv_func: execute server routine(opcode=3)
>>>>>>>> Jun 23 22:42:14 nynas1 smbd[611]: [ID 775558 daemon.debug] smb_door_srv_func: execute server routine(opcode=0)
>>>>>>>> Jun 23 22:42:14 nynas1 smbd[611]: [ID 395423 daemon.debug] smbrdr_ntcreatex: 18 \NETLOGON
>>>>>>>> Jun 23 22:42:14 nynas1 smbd[611]: [ID 528497 daemon.debug] SmbRdrNtCreate: fid=32780
>>>>>>>>
>>>>>>>> any idea?
>>>>>>>> --
>>>>>>>> This messages posted from opensolaris.org
>>>>>>>> _______________________________________________
>>>>>>>> cifs-discuss mailing list
>>>>>>>> cifs-discuss at opensolaris.org
>>>>>>>> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
>
>
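
The username handling described in the 6/27 reply (a `<domainname>\<username>` logon goes to the domain controller, while `<CIFS server hostname>\<username>` or a bare `<username>` is checked locally) can be modelled as below. This is an added example, not part of the thread and not Solaris CIFS or Samba code; the account sets, the `bare_means_domain` switch and the rule that any non-hostname qualifier is treated as a domain are assumptions made for illustration.

```python
# Added example: which authority validates a logon name. Account sets are constructed.
from typing import NamedTuple, Optional, Set, Tuple

class Route(NamedTuple):
    authority: str  # "local" or "domain"
    user: str

def split_account(name: str) -> Tuple[Optional[str], str]:
    """Split QUALIFIER\\user; a bare name has no qualifier."""
    if "\\" in name:
        qualifier, user = name.split("\\", 1)
        return (qualifier or None), user
    return None, name

def route_logon(name: str, server_host: str, bare_means_domain: bool = False) -> Route:
    """Pick the authority that will validate the credentials."""
    qualifier, user = split_account(name)
    if not user:
        raise ValueError("empty account name")
    if qualifier is None:
        # Behaviour described in the thread: a bare name is a local user.
        # The flag models a default-domain policy (hypothetical switch,
        # not a sharectl property).
        return Route("domain" if bare_means_domain else "local", user)
    if qualifier.lower() == server_host.lower():
        return Route("local", user)
    # Assumption: any other qualifier is handed to the domain controller.
    return Route("domain", user)

def logon_succeeds(name: str, server_host: str, local_users: Set[str],
                   domain_users: Set[str], bare_means_domain: bool = False) -> bool:
    """Only the account lookup is modelled; password checks are out of scope."""
    route = route_logon(name, server_host, bare_means_domain)
    known = local_users if route.authority == "local" else domain_users
    return route.user.lower() in known

def rerouted_by_default_domain(local_users: Set[str], domain_users: Set[str]):
    """Bare names whose validating authority changes if the policy is flipped."""
    return sorted(local_users & domain_users)

LOCAL = {"root", "backup"}       # constructed local accounts
DOMAIN = {"rterhaar", "backup"}  # constructed domain accounts

if __name__ == "__main__":
    for n in ("rterhaar", "HUGEINC\\rterhaar", "nynas1\\root"):
        print(n, route_logon(n, "nynas1"), logon_succeeds(n, "nynas1", LOCAL, DOMAIN))
    print("audit first:", rerouted_by_default_domain(LOCAL, DOMAIN))
```

The last function lists the bare names that would be validated by a different authority once a default domain is applied, which is worth auditing before changing the behaviour.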