Hi Steve.
I'm not sure how your "passthrough" authentication is working, in that it seems Window should/may attempt to connect
as the currently logged in user for the username portion of authentication, but absent your having stored the password (after
making some initial connection with username and password), it's not clear how the local password is being sent.
Regardless, the log entry shows gssapi errors which would suggest a kerberos-related issue.
In my initial testing with Win XP, I was unable to successfully authenticate to my test install of Lion Server,
until I took some steps to specify my Lion server at/on the XP (VM) using Ksetup.
See my post at https://discussions.apple.com/message/15915509#15915509
and I hope that helps you some/any.
Best,
-- David
On Aug 25, 2011, at 8:54 AM, Steve Maser wrote:
> Well, it's not so much an issue (as I have a working workaround), but I'm trying to get a handle on if this is either a bug or "by design".
>
>
> With 10.6.x server (an OD master): I set up a few Windows 7 workgroup clients so their Windows account/password matched their 10.6 server account/password.
>
> Then, when the Windows clients would connect to my server, they could type: \\<hostname> in an Explorer window and the credentials would pass-through to authenticate to the server and show the share points. Fine and dandy.
>
>
> After upgrading to 10.7 Server -- this breaks. (And, admittedly, I missed this in my testing because on my Windows test box, I don't do pass-through authentication).
>
>
> What I seem to have to do now is log into the server using the netbios name of the server as part of the User Name (ie, instead of "maser", I have to use "SERVER\maser").
>
>
> I've worked around this by setting up the credentials in the Windows 7 Credential Manager "vault" -- and that makes it feel transparent to the user that "pass-through" authentication is still working. But it's really not.
>
>
>
> And the odd thing is that SMB sharing in 10.7 *client* -- doesn't seem to care about the Netbios name when connecting from a Windows 7 machine. *That* works with pass-through authentication (ie, I can connect to my 10.7 client machine using the same login/password on a Windows machine with no issues.)
>
>
> (And, of course, SMB://<hostname> from another Mac works without requiring "SERVER\maser"…)
>
>
> Turning on smbd -debug -stdout will give me a line like:
>
> smb1_dispatch_session_setup [session_setup.cpp:261] FIXME erase existing sessions
> make_gss_attributes [gssapi_mechanism.cpp:30] GSS flags=0 signing=no anonymous=no
> gss_parse_external_name [gssapi.cpp:118] mapped GSS name SPY\Steve Maser to SPY\Steve Maser
> initialize [darwin_token.cpp:297] failed to turn exported name into uuid: No such file or directory
>
>
>
> (with "SPY" being the Windows 7 "Computer Name").
>
>
> If I change the Windows 7 Computer Name to match the server netbios name, then pass-through authentication works:
>
> make_gss_attributes [gssapi_mechanism.cpp:30] GSS flags=0 signing=no anonymous=no
> gss_parse_external_name [gssapi.cpp:118] mapped GSS name SERVER\maser to SERVER\maser
> smb1_dispatch_one [smb_dispatch.cpp:377] dispatching SMB_COM_TREE_CONNECT_ANDX
> connect_to_named_tree [tree_connect.cpp:129] netname=\\<MYSERVERHOSTNAME>\IPC$
> connect_to_named_tree [tree_connect.cpp:150] requested share=IPC$
> INFO [ntvfs_bind.cpp:118] SERVER\maser connected to path /var/rpc/ncacn_np
> smb1_dispatch_one [smb_dispatch.cpp:377] dispatching SMB_COM_NT_CREATE_ANDX
> bind_unix_socket [socket_ipc.cpp:86] bound RPC endpoint /var/rpc/ncacn_np/srvsvc to fd
> (etc…)
>
>
> But I clearly can't change the names of all my Windows 7 client machines to match my server NetBIOS name...
>
>
>
>
> I fiddled about with some of the settings in /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist, but to no avail. (Including trying to match it to a client setup, but my guess is it's a Kerberos/OD matching issue or something…)
>
> Does anybody have any suggestions as to what might be able to be changed to make this work again? Maybe something on the Windows 7 side?
>
>
>
> - Steve
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Macos-x-server mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
