Samba browsing does not use my user id (OpenSuse 12.3)

branestawm · December 7, 2013, 5:15pm

I have a problem browsing Samba shares on an old but very reliable Samba v2 server (an old Red Hat based distro) from my OpenSuse v12.3 client XFCE with Thunar 1.6.1. I can see all shares immediately except my own home share and when I try to open any share I get a password prompt (which is accepted OK for access).

My problem is that browsing and access works OK without any challenge/password entry from a range of Windoze o/s (8.1, 7, Vista, XP and even lower) - just not with OpenSuse!

The Windoze o/s all have a registry mod to enable NTLM1 authentication because the server does not support NTLM2 (I did say it was old). Server log shows that NTLM1 authentication is negotiated and selected as the authentication protocol but also that my OpenSuse browser is sending userid ‘public’ and a blank password, not my user id and my password. Hence the password challenge.

Client password backend is tdbsam. Output from pdbedit -L -w seems OK:

jeremy:500:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:EF59BD4725E86C8468BCB7631AFF320C::LCT-52A3238D:

Having google’d all over without success, I would welcome suggestions, first as to whether this is a Thunar issue or a Samba client issue or even a pam.d/samba issue?

Thanks in advance - details below.

smb.conf global stanza on OpenSuse client:

[global]
    passdb backend = tdbsam
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = No
    domain logons = No
    domain master = No
#    password server = *
    security = user
    wins support = Yes
    client lanman auth = Yes
    client ntlmv2 auth = No
    netbios name = JEREMY
    usershare max shares = 100
    log file = /var/log/samba/log.smbd
    debug timestamp = Yes
    max log size = 1024
    workgroup = CHAMPION
    encrypt passwords = Yes

Samba server log (debug level 4):

[2013/12/07 14:26:05, 3] smbd/process.c:process_smb(837)
  Transaction 1 of length 194
[2013/12/07 14:26:05, 3] smbd/process.c:switch_message(650)
  switch message SMBnegprot (pid 19954)
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:set_sec_ctx(316)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [MICROSOFT NETWORKS 1.03]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [MICROSOFT NETWORKS 3.0]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [LANMAN1.0]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [LM1.2X002]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [DOS LANMAN2.1]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [LANMAN2.1]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(349)
  Requested protocol [Samba]
[2013/12/07 14:26:05, 3] smbd/negprot.c:reply_negprot(433)
  Selected protocol NT LANMAN 1.0
[2013/12/07 14:26:05, 3] smbd/process.c:process_smb(837)
  Transaction 2 of length 78
[2013/12/07 14:26:05, 3] smbd/process.c:switch_message(650)
  switch message SMBsesssetupX (pid 19954)
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:set_sec_ctx(316)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/12/07 14:26:05, 3] smbd/reply.c:reply_sesssetup_and_X(865)
  Domain=]  NativeOS=[Unix] NativeLanMan=[Samba]
[2013/12/07 14:26:05, 3] smbd/reply.c:reply_sesssetup_and_X(876)
  sesssetupX:name=]
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:push_sec_ctx(284)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:set_sec_ctx(316)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:get_current_groups(167)
  get_current_groups: uid 0 is in 1 groups: 5005
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:pop_sec_ctx(423)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:get_current_groups(167)
  get_current_groups: uid 0 is in 1 groups: 5005
[2013/12/07 14:26:05, 3] smbd/password.c:register_vuid(322)
  uid 5003 registered to name public
[2013/12/07 14:26:05, 3] smbd/password.c:register_vuid(324)
  Clearing default real name
[2013/12/07 14:26:05, 3] smbd/password.c:register_vuid(326)
  User name: public    Real name: 
[2013/12/07 14:26:05, 3] smbd/process.c:process_smb(837)
  Transaction 3 of length 72
[2013/12/07 14:26:05, 3] smbd/process.c:switch_message(650)
  switch message SMBtconX (pid 19954)
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:set_sec_ctx(316)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/12/07 14:26:05, 4] smbd/reply.c:reply_tcon_and_X(328)
  Got device type ?????
[2013/12/07 14:26:05, 3] smbd/service.c:find_service(141)
  checking for home directory jeremy gave /home/e-smith/files/users/jeremy
[2013/12/07 14:26:05, 3] param/loadparm.c:lp_add_home(1825)
  adding home directory jeremy at /home/e-smith/files/users/jeremy
[2013/12/07 14:26:05, 3] lib/access.c:check_access(307)
  check_access: no hostnames in host allow/deny list.
[2013/12/07 14:26:05, 2] lib/access.c:check_access(316)
  Allowed connection from  (192.168.150.11)
[2013/12/07 14:26:05, 4] smbd/password.c:password_ok(601)
  Null passwords not allowed.
[2013/12/07 14:26:05, 4] smbd/password.c:password_ok(601)
  Null passwords not allowed.
[2013/12/07 14:26:05, 4] smbd/password.c:password_ok(601)
  Null passwords not allowed.
[2013/12/07 14:26:05, 2] smbd/service.c:make_connection(318)
  Invalid username/password for jeremy [public]
[2013/12/07 14:26:05, 3] smbd/error.c:error_packet(136)
  error packet at line 169 cmd=117 (SMBtconX) eclass=2 ecode=2
[2013/12/07 14:26:05, 3] smbd/process.c:timeout_processing(1062)
  end of file from client
[2013/12/07 14:26:05, 3] smbd/sec_ctx.c:set_sec_ctx(316)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2013/12/07 14:26:05, 2] smbd/server.c:exit_server(448)
  Closing connections
[2013/12/07 14:26:05, 3] smbd/connection.c:yield_connection(50)
  Yielding connection to 
[2013/12/07 14:26:05, 3] smbd/server.c:exit_server(483)
  Server exit (normal exit)

branestawm · December 7, 2013, 7:20pm

Just thought to check - same issue when browsing a Samba share on the OpenSuse client.

jdmcdaniel3 · December 7, 2013, 8:31pm

You need to read my blog on Samba and get my bash script which you will find useful:

https://forums.opensuse.org/blogs/jdmcdaniel3/s-c-t-samba-automated-configuration-tool-version-1-02-124/

Thank You,

branestawm · December 12, 2013, 2:17am

Thanks, jdmcdaniel3. I have checked my Samba setup carefully against your blog and concluded that my problem lay elsewhere. It was a useful exercise but I could find nothing wrong with Samba, and it works OK when credentials are supplied.

So I then looked at Thunar but as this is just a front end, I focused on the authentication processes used by Thunar - and discovered that gnome-keyring login was empty! This turned out to be part of the common “gnome keyring socket is not owned with the same credentials as the user login” syndrome by which the keyring was never unlocked, for which I have adopted a trial mod to pam.d/common-auth. This has resolved the problem, thus far without side effects.

I suppose that it is better security for credentials to be managed via a keyring or equivalent for each server, rather than have the user’s login details supplied directly to any server share that asks for them.

Problem solved ;).