[Solved] SMB needs to authenticate twice

bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

[Solved] SMB needs to authenticate twice

Postby bas_otten » 22 Feb 2015 20:42

I have a long-running issue that mounting a share hosted by the SMB daemon on my Solydk64HE machine requires me to authenticate twice within a timeframe of say 1 minute.

Code: Select all

root@bashost:/ #>>> date
zo feb 22 21:05:34 CET 2015

root@bashost:/ #>>> mount -t cifs //bashost/zData /mnt -o credentials=/etc/nc
mount error(5): Input/output error
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

root@bashost:/ #>>> date
zo feb 22 21:05:39 CET 2015

root@bashost:/ #>>> mount -t cifs //bashost/zData /mnt -o credentials=/etc/nc

root@bashost:/ #>>> df /mnt
Bestandssysteem 1K-blokken  Gebruikt Beschikbaar Geb% Aangekoppeld op
//bashost/zData  163127292 108627464    54499828  67% /mnt

This example shows a 'local' mount for demonstration. When I access the share from my old WinXP machine, I see the same symptom: I need to supply credentials in the dialog box twice.

There is nothing out of the ordinary in my smb.conf, as far as I'm aware. I have been searching like everywhere but cannot find a clue as to what is the underlying cause of this behaviour.

If I enable 'log level = 3', it shows the following during the first failure attempt:

Code: Select all

[2015/02/22 21:17:53.801363,  3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [BASHOST]\[otten]@[] with the new password interface
[2015/02/22 21:17:53.801416,  3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [BASHOST]\[otten]@[]
[2015/02/22 21:17:53.803065,  3] ../source3/passdb/lookup_sid.c:1560(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for otten
[2015/02/22 21:17:53.835472,  3] ../source3/auth/auth.c:226(auth_check_ntlm_password)
  check_ntlm_password: sam authentication for user [otten] succeeded
[2015/02/22 21:17:53.844305,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [otten] -> [otten] -> [otten] succeeded
[2015/02/22 21:17:53.844441,  3] ../auth/ntlmssp/ntlmssp_sign.c:547(ntlmssp_sign_init)
  NTLMSSP Sign/Seal - Initialising with flags:
[2015/02/22 21:17:53.844506,  3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xa0080205
[2015/02/22 21:17:53.846493,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-2191492929-1326288371-2158566674-1010 -> getpwuid(4294967295) failed
[2015/02/22 21:17:53.846604,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2015/02/22 21:17:53.846660,  1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
[2015/02/22 21:17:53.846829,  3] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/sesssetup.c(279) cmd=115 (SMBsesssetupX) NT_STATUS_UNSUCCESSFUL
[2015/02/22 21:17:53.977629,  3] ../source3/smbd/server_exit.c:221(exit_server_common)
  Server exit (failed to receive smb request)

Typically 'getpwuid(4294967295) failed' occurs, which is absent during the second successful attempt.
By the way, the mysterious 4294967295 is not the uid of user otten, nor of any other user.

Can anyone reproduce this, or tell me what I am doing wrong?

Thanks in advance,
Bas.
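
An added example, not part of the original post: a small Python triage script for the log pattern shown above, where the password check succeeds but session setup still fails while smbd builds the user token. It flags records in which getpwuid() was called with 4294967295 (0xFFFFFFFF, the value of (uid_t)-1, meaning no valid Unix uid was mapped for the SID). The sample log, its SID and timestamps are constructed, and the function names are this example's own.

```python
import re
from collections import namedtuple

# Header of an smbd debug record: "[date time,  level] file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
AUTH_OK = re.compile(r"authentication for user \[(?P<user>[^\]]+)\].*succeeded")
GETPWUID = re.compile(r"SID (?P<sid>S-[\d-]+) -> getpwuid\((?P<uid>\d+)\) failed")
SESSION_FAIL = re.compile(
    r"Failed to generate session_info .*: (?P<status>NT_STATUS_\w+)"
)

INVALID_UID = 0xFFFFFFFF  # (uid_t)-1: "no such uid" sentinel, not a real account

Record = namedtuple("Record", "ts level func message")
Finding = namedtuple("Finding", "ts user sid uid invalid_uid status")

# Constructed sample in the format of the log excerpt above: one failed
# session setup followed by a second attempt that succeeds.
SAMPLE_LOG = """\
[2015/06/19 10:00:01.100000,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [anyuser] -> [anyuser] -> [anyuser] succeeded
[2015/06/19 10:00:01.110000,  1] ../source3/auth/token_util.c:430(add_local_groups)
  SID S-1-5-21-1111111111-2222222222-3333333333-1010 -> getpwuid(4294967295) failed
[2015/06/19 10:00:01.120000,  3] ../source3/auth/token_util.c:316(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2015/06/19 10:00:01.130000,  1] ../source3/smbd/sesssetup.c:276(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_UNSUCCESSFUL
[2015/06/19 10:00:06.200000,  2] ../source3/auth/auth.c:278(auth_check_ntlm_password)
  check_ntlm_password:  authentication for user [anyuser] -> [anyuser] -> [anyuser] succeeded
"""


def parse_records(text):
    """Join each header line with the indented message lines that follow it."""
    records = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = Record(m["ts"], int(m["level"]), m["func"], [])
            records.append(current)
        elif current is not None and line.strip():
            current.message.append(line.strip())
    return [r._replace(message=" ".join(r.message)) for r in records]


def find_token_failures(text):
    """Report session setups that failed after the password was accepted."""
    findings = []
    user = sid = uid = None
    for rec in parse_records(text):
        m = AUTH_OK.search(rec.message)
        if m:
            # A new successful password check starts a new attempt.
            user, sid, uid = m["user"], None, None
            continue
        m = GETPWUID.search(rec.message)
        if m:
            sid, uid = m["sid"], int(m["uid"])
            continue
        m = SESSION_FAIL.search(rec.message)
        if m and user is not None:
            findings.append(
                Finding(rec.ts, user, sid, uid, uid == INVALID_UID, m["status"])
            )
            user = sid = uid = None
    return findings


if __name__ == "__main__":
    for f in find_token_failures(SAMPLE_LOG):
        cause = "SID mapped to invalid uid (uid_t -1)" if f.invalid_uid else "other"
        print(f"{f.ts} user={f.user} status={f.status} sid={f.sid} cause={cause}")
```

A hit means the credentials were accepted and the failure lies in SID-to-uid mapping, so the place to look is the name service and idmap setup rather than the password database.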

Refugee
Posts: 47
Joined: 17 Apr 2014 00:32

Re: SMB needs to authenticate twice

Postby Refugee » 24 Feb 2015 03:22

You should probably post your smb.conf but I have a hunch this has more to do with XP than Linux. Is this XP with SP3? Pro or Home? Geez, this brings back bad memories.

During the XP era, Microsoft used to intentionally break smb to make life difficult for Linux users. Not to mention, early versions of NetBios were poorly implemented to begin with. And every new Linux release of smb would cause an entirely different set of problems. I think you may have an uphill battle to fight here even if you are doing everything correctly.


By the way, the mysterious 4294967295 is not the uid of user otten, nor of any other user.


"SID S-1-5-21-2191492929-1326288371-2158566674-1010" is a user on the XP box. I would guess that "4294967295" is the Linux notation for the Windows SID.

Don't get me wrong, there may well be a fix for your issue. But it may cost you one heck of a headache. I hope, for your sake, I am wrong.

bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: SMB needs to authenticate twice

Postby bas_otten » 25 Feb 2015 09:59

Well, the problem is not caused by XP, in this case :-) I just noticed the same behaviour when accessing the share from there. (When I start the old Windblows up though - still need it for some occasions like scanning or reading an encrypted USB from work - I am SO happy now to be on Linux / SolydK!)

The issue is completely self-contained - so to speak - inside Linux. I set up a very basic scenario to reproduce it:

1. Boot Live from the latest ISO (SolydK64HE)

2. Issue the following set of commands as root:

Code: Select all

useradd anyuser
echo -e "anyuser:anypassword" | chpasswd
echo -e "anypassword\nanypassword" | smbpasswd -a anyuser
echo -e "[etc]\npath=/etc\nbrowseable=yes\nvalid users=anyuser" >> /etc/samba/smb.conf

3. Mount the local share and see what happens:

Code: Select all

mount -t cifs //localhost/etc /mnt -o username=anyuser,password=anypassword
mount -t cifs //localhost/etc /mnt -o username=anyuser,password=anypassword

teigaff
Posts: 6
Joined: 11 Jun 2015 23:12

Re: SMB needs to authenticate twice

Postby teigaff » 11 Jun 2015 23:19

Same problem on my samba server on Debian 8.
I recently made an upgrade from Debian 7.

I've the same log output as in the first post.
Folder structure is:

Code: Select all

ls -lah /mnt/
total 24K
drwxr-xr-x  6 root   root    4.0K Jun 11 09:00 .
drwxr-xr-x 21 root   root    4.0K Jun 11 08:29 ..
drwxr-xr-x  3 andrea andrea  4.0K Jun 11 21:57 andrea
drwxr-xr-x  3 marco  marco   4.0K Jun 11 21:58 marco
drwxrwxrwx  2 nobody nogroup 4.0K Jun 11 09:00 public
drwxrwxrwx  3 nobody nogroup 4.0K Jun 12 00:19 tools


smb.conf

Code: Select all

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes


load printers = no
printing = bsd
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects

# Not needed - 25.05.2015, marco
   log file = /var/log/samba/log.%m

# Not needed - 25.05.2015, marco
# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# Not needed - 25.05.2015, marco
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
#   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


# More information on /var/log/samba/log.<Client-IP>
log level = 3


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using. 
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This maps any unknown username to the specified guest user, so login always succeeds. 25.05.2015, marco
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad password

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe. 
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe. 
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Disable sharing of home. - 25.05.2015, marco
#[homes]
#   comment = Home Directories
#   browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
#   read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
#   create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
#   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
#  valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700


# Not needed - 25.05.2015, marco
#[printers]
#   comment = All Printers
#   browseable = no
#   path = /var/spool/samba
#   printable = yes
#   guest ok = no
#   read only = yes
#   create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
#[print$]
#   comment = Printer Drivers
#   path = /var/lib/samba/printers
#   browseable = yes
#   read only = yes
#   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin



[public]
   comment = Public stuff (read & write)
   path = /mnt/public
   public = yes
   browseable = yes
   guest ok = yes
   writable = yes
   force user = nobody
   force group = nogroup
   create mask = 0777
   directory mask = 0777
   force create mode = 0777
   force directory mode = 0777

[tools]
   comment = Tools (read only)
   path = /mnt/tools
   public = yes
   browseable = yes
   guestok = yes
   writable = no
   write list = @users

[marco]
   comment = Marco's data
   path = /mnt/marco
   valid users = marco
   writeable = yes
   browseable = yes

[andrea]
   comment = Andrea's data
   path = /mnt/andrea
   valid users = andrea
   writeable = yes
   browseable = yes

Schoelje
Site Admin
Posts: 8446
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: SMB needs to authenticate twice

Postby Schoelje » 15 Jun 2015 07:00

Hi teigaff, and welcome to our forums.

You mention you're running Debian 8. These are the forums for SolydXK users.
I know there are similarities as SolydXK is based on Debian but it's not the same and Samba configuration is one of them.

I can give you our default smb.conf, perhaps it is of any use:

Code: Select all

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]
  ## SOLYDXK

  follow symlinks = yes
  wide links = yes
  unix extensions = no
  client lanman auth = yes
  client ntlmv2 auth = no


## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using. 
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe. 
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe. 
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin


You can also use testparm on your smb.conf to check if it is correct.


SolydXK needs you!
Development | Testing | Translations

bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: SMB needs to authenticate twice

Postby bas_otten » 15 Jun 2015 18:06

@Schoelje,
Indeed, teigaff may not be on SolydXK, but that does not alter the fact that the issue as I originally posted on SolydXK is still present in today's solydk64_201506.iso. I just reran the reproduction scenario as I presented in the 3rd post of 25Feb on a clean live running SolydK64 system and see the identical behaviour as before. That this phenomenon is confirmed on plain Debian 8 as well (assuming teigaff is), may indicate that this is a samba issue in the first place.

bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: SMB needs to authenticate twice

Postby bas_otten » 19 Jun 2015 21:53

I discovered what the problem is here! Really happy! :D

After teigaff, being supposedly on plain Debian 8.1, mentioned he had this problem as well, I started thinking: how come this nasty issue has not caught more attention on Linux forums than it has apparently done so far? I just wanted to know for sure myself whether this problem exists in the default Debian 8.1 Live KDE ISO. So I downloaded it and fired it up, installed samba and cifs. Guess what: the issue is NOT there, a samba share mounts right away at the first mount command. So then what? First I compared and exchanged the smb.conf file, restarted smbd many times. But NO difference in behaviour on either side: Debian still OK, SolydK having the issue. Then I started comparing package versions: cifs-utils, samba-<whatever> and so. But no difference whatsoever: no wonder because I'm in fact facing the exact same repositories. Then I started checking for installed package differences in the samba surrounding area and that is when libnss-winbind caught my eye, being one of the supporting libraries of the winbind daemon. These are not preinstalled on plain Debian. When I installed them, however, on plain Debian the issue emerged. So that's the big fish! Then I removed first the libnss-winbind - not sufficient yet - and later the whole winbind package on SolydK: issue solved! I bet teigaff has/had for whatever direct or indirect reason also winbind installed.

I have done some reading on the winbind daemon and the service it provides. Briefly it allows for authentication not being done on the local Linux/Unix's /etc/passwd+group where the authentication requestor (like samba in this example) resides but to step out and let authentication be done by a Windows NT Domain Controller (called ADS nowadays if I'm correct). This would typically be used in an environment where Linux acts as a server providing services (like samba, but can be more) in a network where people use Windows workstations and are centrally authenticated on ADS. The winbind daemon can then be used to prevent a mirror user/group repository to be maintained on the Linux level as well. I don't see much of an application for this when Linux acts mostly as a workstation, like SolydXK. Maybe I overlook something? But otherwise I would suggest not to include the winbind package by default in the ISO, to avoid complications like this one. It also consumes - probably unnecessary - resources by means of 4 processes running. Should anyone really need it, it can always be installed afterwards easily by apt-get. I will mark this thread as solved shortly.

Schoelje
Site Admin
Posts: 8446
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: SMB needs to authenticate twice

Postby Schoelje » 20 Jun 2015 12:07

Thanks Bas, that was some very extensive research you did there!

I ran this command on the ISOs and am now building the next nightlies:

Code: Select all

apt purge $(apt search winbind | grep ^i | awk '{print $2}')

I will post in the nightlies topic when they're done.



grizzler
Posts: 1885
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: SMB needs to authenticate twice

Postby grizzler » 20 Jun 2015 13:07

Far too complicated. I just did an apt purge winbind and got the same result. :lol:

I'll build some ce ISOs later today.

Edit 15:40 CEST
32-bit ISOs built. Currently uploading to http://downloads.solydxk.com/ce/testing/
Beware! They're untested!

I'll do the EEs this evening or tomorrow.
Frank

SolydX EE 64 - tracking Debian Testing

bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby bas_otten » 21 Jun 2015 19:51

Thanks Arjen and Frank, for the swift consolidation of the solution!

teigaff
Posts: 6
Joined: 11 Jun 2015 23:12

Re: [Solved] SMB needs to authenticate twice

Postby teigaff » 21 Jul 2015 13:46

Thank you very much for the solution. I need winbind for pinging hostnames instead of IP addresses. But I'm not sure if I need the libnss-winbind.
Next step is to purge it or adjust the winbind config. This could be done by adjusting the file: /etc/nsswitch.conf

teigaff

Schoelje
Site Admin
Posts: 8446
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby Schoelje » 21 Jul 2015 14:55

teigaff wrote:Thank you very much for the solution. I need winbind for pinging hostnames instead of IP addresses. But I'm not sure if I need the libnss-winbind.
Next step is to purge it or adjust the winbind config. This could be done by adjusting the file: /etc/nsswitch.conf

teigaff
I was confused. So, I checked:

Code: Select all

arjen@solydk64 ~ $ apt policy winbind
winbind:
  Installed: (none)
  Candidate: 2:4.1.17+dfsg-2
  Version table:
     2:4.1.17+dfsg-2 0
        500 http://ftp.debian.org/debian/ jessie/main amd64 Packages
arjen@solydk64 ~ $ ping solydxk.com
PING solydxk.com (208.113.148.53) 56(84) bytes of data.
64 bytes from apache2-ogle.ash.dreamhost.com (208.113.148.53): icmp_seq=1 ttl=47 time=222 ms
64 bytes from apache2-ogle.ash.dreamhost.com (208.113.148.53): icmp_seq=2 ttl=47 time=245 ms
64 bytes from apache2-ogle.ash.dreamhost.com (208.113.148.53): icmp_seq=3 ttl=47 time=268 ms
^C
--- solydxk.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 222.018/245.249/268.578/19.012 ms
arjen@solydk64 ~ $ ping osmc
PING osmc.WORKGROUP (192.168.1.131) 56(84) bytes of data.
64 bytes from osmc.WORKGROUP (192.168.1.131): icmp_seq=1 ttl=64 time=2.10 ms
64 bytes from osmc.WORKGROUP (192.168.1.131): icmp_seq=2 ttl=64 time=1.81 ms
64 bytes from osmc.WORKGROUP (192.168.1.131): icmp_seq=3 ttl=64 time=1.83 ms
64 bytes from osmc.WORKGROUP (192.168.1.131): icmp_seq=4 ttl=64 time=3.25 ms
^C
--- osmc.WORKGROUP ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 1.819/2.252/3.252/0.587 ms
So, no winbind and able to ping on host name.



bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby bas_otten » 21 Jul 2015 17:22

@Schoelje, That is what I thought too. Perhaps teigaff refers to Windows' "computername", which is netbios communication, but even that is not managed by winbind, I assume. Cannot check for sure, because I'm at the campsite.

teigaff
Posts: 6
Joined: 11 Jun 2015 23:12

Re: [Solved] SMB needs to authenticate twice

Postby teigaff » 21 Jul 2015 20:47

If I purge winbind, the problem is solved, too. Best thanks for this help. First I searched the smb.conf for old entries but didn't find any, or any errors...

I have a mixed environment. Most computers are Windows. The twice authenticate problem is on my Debian server. I use the server only when needed. So I wake it up via wake on LAN. For shutting down by itself, I use a script which pings all computers every 10 min. If no computer replies, the server shuts down.
Note: Computers use DHCP. They don't have the same IP address all the time. But the same hostname of course.

If I install winbind, I can ping the computers by name. Otherwise not. Is there another solution without winbind?

teigaff
Posts: 6
Joined: 11 Jun 2015 23:12

Re: [Solved] SMB needs to authenticate twice

Postby teigaff » 21 Jul 2015 22:49

Solved by myself. I'm very very happy!

Package libnss-winbind is used to ping windows computers. Unfortunately this package also installs winbind.
To avoid the "authenticate twice" problem, simply deactivate the winbind service

Code: Select all

update-rc.d winbind remove


and in the file /etc/nsswitch.conf add wins to the end of the line.

Code: Select all

hosts:          files mdns4_minimal [NOTFOUND=return] dns wins

Schoelje
Site Admin
Posts: 8446
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby Schoelje » 22 Jul 2015 05:22

Thank you, teigaff, for posting your solution here.

I will implement it in the nightly builds for people to try it out.



bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby bas_otten » 22 Jul 2015 10:44

Thanks teigaff. Personally I don't need Netbios name resolution, but it would be a good thing if that works with SolydXK out of the box. Just wondering: Is this issue http://ubuntuforums.org/showthread.php?t=1496488 introduced by the proposed solution? Being on holiday without laptop, cannot play/test myself.

Schoelje
Site Admin
Posts: 8446
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby Schoelje » 22 Jul 2015 11:19

With

Code: Select all

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4 wins
I don't have a ping delay. Would this work?



teigaff
Posts: 6
Joined: 11 Jun 2015 23:12

Re: [Solved] SMB needs to authenticate twice

Postby teigaff » 25 Jul 2015 21:22

If I remove the wins entry from /etc/nsswitch.conf I can't ping my debian server anymore. I've a ping delay of about 10s.

How is it possible to ping from debian client to debian server without wins?

bas_otten
Posts: 185
Joined: 19 Oct 2013 12:22
Location: Netherlands

Re: [Solved] SMB needs to authenticate twice

Postby bas_otten » 04 Aug 2015 15:39

Being back from holiday I experimented with the proposed solution.

- (Re)install package libnss-winbind because it is used to ping Windows computers: CONFIRM/AGREE
- Deactivate (re)installed winbind using update-rc.d to avoid double authentication: CONFIRM/AGREE
- @/etc/nsswitch.conf: append ' wins' to the end of the existing hosts line: CONFIRM/AGREE

With these changes, I can now ping my old Windows computer and the local Debian samba server by their NetBios names (the latter by a specified name different from the default /etc/hostname).
I do luckily not experience any increase in delay when pinging any host by any protocol or when browsing the internet using Firefox.

@teigaff: Can you elaborate more on the configuration where you get the 10s delay? I cannot reproduce it :) And, for the server, wouldn't you rather pick a fixed IP-address? Then add an entry for it in /etc/hosts, or for Windows in C:\Windows\System32\drivers\etc\hosts. This way you can ping the server by name without relying on WINS.
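
One way to check the nsswitch.conf side of the changes confirmed in the post above, added here as an example and not part of the original thread: the script lists the hosts lookup order, reports whether wins is the last source, and flags passwd/group lines that still reference winbind. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf for the setup confirmed in this thread.
# Function names and both sample files are constructed for illustration.

# Print the sources of one NSS database in lookup order, one per line.
# Comments and action items such as [NOTFOUND=return] are dropped.
nss_sources() {   # $1 = database name, $2 = path to an nsswitch.conf
    awk -v db="$1:" '
        { sub(/#.*/, ""); gsub(/\[[^]]*\]/, " ") }
        $1 == db { for (i = 2; i <= NF; i++) print $i; exit }' "$2"
}

# Succeed only if "wins" is the last source on the hosts line.
hosts_wins_last() {
    [ "$(nss_sources hosts "$1" | tail -n 1)" = "wins" ]
}

# Succeed if passwd or group still list winbind, i.e. account lookups
# would still be handed to winbindd although the service is deactivated.
accounts_use_winbind() {
    for db in passwd group; do
        nss_sources "$db" "$1" | grep -qx winbind && return 0
    done
    return 1
}

audit() {
    echo "== $1"
    echo "hosts order: $(nss_sources hosts "$1" | tr '\n' ' ')"
    hosts_wins_last "$1" && echo "wins: last source" || echo "wins: missing or not last"
    accounts_use_winbind "$1" && echo "accounts: winbind still listed" \
                              || echo "accounts: winbind not listed"
}

sample_dir=$(mktemp -d)
cat > "$sample_dir/after.conf" <<'EOF'
# constructed sample: hosts line as posted in the thread
passwd:         compat
group:          compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns wins
EOF
cat > "$sample_dir/before.conf" <<'EOF'
# constructed sample: no wins, winbind still in the account databases
passwd:         compat winbind
group:          compat winbind
hosts:          files mdns4_minimal [NOTFOUND=return] dns
EOF
audit "$sample_dir/after.conf"
audit "$sample_dir/before.conf"
```

Calling `audit /etc/nsswitch.conf` runs the same checks against a real system.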

