MStatman Contributor.

CIFS and user aliases

Unable to authenticate to CIFS on OES2SP3 server using a user alias.
Have a user object and an alias to that object in the same container. With NetWare 6.5 SP8, able to authenticate with CIFS using either object, but with OES2SP3 server, only the real user object can successfully authenticate.

For example, authenticating as a 'real' user object to OES2SP3 CIFS:

sled11:~> smbclient -U MyUserName-Real -I=172.16.40.120 //OPS-SHARE_W/VOL1
Enter MyUserName-Real's password:
Domain=[WORKGROUP] OS=[SUSE LINUX 10.1] Server=[SUSE LINUX 10.1]
smb: \>


This succeeds, nothing logged in cifs.log

Authenticating using an alias object (which is aliased to the real object used above):

sled11:~> smbclient -U MyUserName-Alias -I=172.16.40.120 //OPS-SHARE_W/VOL1
Enter MyUserName-Alias's password:
session setup failed: NT_STATUS_LOGON_FAILURE


And cifs.log shows:

Aug 15 15:30:48 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to fetch SEV list for user cn=MyUserName-Alias,ou=OrgU,o=Org [-672].
Aug 15 15:30:50 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to fetch SEV list for user cn=MyUserName-Alias,ou=OrgU,o=Org [-672].
Aug 15 15:30:52 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to fetch SEV list for user cn=MyUserName-Alias,ou=OrgU,o=Org [-672].
Aug 15 15:30:52 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to calculate SEV list for user, error [-672].
Aug 15 15:30:52 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to login into eDir tree
Aug 15 15:30:52 ops-share CIFS[31368]: WARNING: CODIR: SESNotLoggedIn: Failed to authenticate user: MyUserName-Alias from 172.16.170.75, nwErr: -1, cifsErr: 0
Aug 15 15:30:52 ops-share CIFS[31368]: WARNING: AUTH: SessionSetup : Login Failed -nwLoginError is -1, cifslogin err 0, dest ip :172.16.170.75


For comparison purposes, tried the same command as above, but entered an invalid password. Got the same NT_STATUS_LOGON_FAILURE as expected, and the cifs.log shows:

Aug 15 15:31:13 ops-share CIFS[31368]: WARNING: AUTH: Authentication failed due to password mismatch for user cn=MyUserName-Alias.ou=OrgU,o=Org, Err :-1642
Aug 15 15:31:13 ops-share CIFS[31368]: WARNING: CODIR: SESNotLoggedIn: Failed to authenticate user: MyUserName-Alias from 172.16.170.75, nwErr: -1642, cifsErr: 0
Aug 15 15:31:13 ops-share CIFS[31368]: WARNING: AUTH: SessionSetup : Login Failed -nwLoginError is -1642, cifslogin err 0, dest ip :172.16.170.75


Using the alias object to access the NetWare CIFS works just fine:

sled11:~> smbclient -U MyUserName-Alias -I=172.16.41.185 //ops-backup1-w/vol1
Enter MyUserName-Alias's password:
Domain=[WORKGROUP] OS=[NetWare 6.5] Server=[NetWare 6.5]
smb: \>


...and that's the behavior we need on OES2/Linux.
Is this a configuration problem, a bug, or WAD?

Thanks,
Mike
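Added example (not part of the original post, and not Novell code): both failures above return the same NT_STATUS_LOGON_FAILURE to the client, so only cifs.log tells a directory lookup fault apart from a wrong password. This sketch labels each failed session by the AUTH lines that precede it; the sample lines are copied from the excerpts above, and it assumes attempts are not interleaved in the log, since the lines carry no session id.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the cifs.log excerpts quoted in the post above.
SAMPLE_LOG = """\
Aug 15 15:30:48 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to fetch SEV list for user cn=MyUserName-Alias,ou=OrgU,o=Org [-672].
Aug 15 15:30:52 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to calculate SEV list for user, error [-672].
Aug 15 15:30:52 ops-share CIFS[31368]: CRITICAL: AUTH: Failed to login into eDir tree
Aug 15 15:30:52 ops-share CIFS[31368]: WARNING: CODIR: SESNotLoggedIn: Failed to authenticate user: MyUserName-Alias from 172.16.170.75, nwErr: -1, cifsErr: 0
Aug 15 15:31:13 ops-share CIFS[31368]: WARNING: AUTH: Authentication failed due to password mismatch for user cn=MyUserName-Alias.ou=OrgU,o=Org, Err :-1642
Aug 15 15:31:13 ops-share CIFS[31368]: WARNING: CODIR: SESNotLoggedIn: Failed to authenticate user: MyUserName-Alias from 172.16.170.75, nwErr: -1642, cifsErr: 0
"""

# Syslog prefix, then "<SEVERITY>: <MODULE>: <message>" as seen in the excerpts.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ CIFS\[\d+\]: \w+: (?P<mod>\w+): (?P<msg>.*)$")
SEV_FAIL = re.compile(r"Failed to (?:fetch|calculate) SEV list .*\[(-?\d+)\]")
PW_FAIL = re.compile(r"password mismatch for user .*Err\s*:\s*(-?\d+)")
SESSION = re.compile(r"Failed to authenticate user: (\S+) from (\S+), nwErr: (-?\d+)")

def classify_failures(log_text):
    """Return one record per failed session, labelled by the AUTH lines before it."""
    results, cause = [], "unknown"
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"]
        if m["mod"] == "AUTH" and SEV_FAIL.search(msg):
            cause = "directory_lookup"    # SEV list could not be read for the object
        elif m["mod"] == "AUTH" and PW_FAIL.search(msg):
            cause = "password_mismatch"
        elif m["mod"] == "CODIR" and (s := SESSION.search(msg)):
            results.append({"time": m["ts"], "user": s.group(1), "src": s.group(2),
                            "nwErr": int(s.group(3)), "cause": cause})
            cause = "unknown"             # reset for the next attempt
    return results

def summarize(records):
    """Count failures per (source, cause) so lookup faults are not tallied as bad passwords."""
    return Counter((r["src"], r["cause"]) for r in records)
```

Feeding only the `password_mismatch` count into a lockout or brute-force alert keeps alias lookup failures like the one in this thread from inflating it.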
Bob-O-Rama
Visitor.

Re: CIFS and user aliases

Hi,

It's a bug. I'm not 100% sure where they are in resolving this. We experienced this issue, and I know it's an issue for some others as well. We could get around it via setting the search context higher. The best advice I can give you is to open an SR and see if they can get you a build that fixes this. In the absence of this, you may be able to set a search context above where your (real) user accounts live, and it may be able to find them - but that assumes a lot about the design of your tree, the name of your users and aliases.

-- Bob
MStatman Contributor.

Re: CIFS and user aliases

Actually, the subcontext searching part seems to work just fine with this OES2SP3 CIFS version when enabled (whereas on NetWare we have to list each and every context). But in our case, the alias object and the real user object are in fact in the same container, so that shouldn't be the issue.
ataubman Absent Member.

Re: CIFS and user aliases

mstatman;2129006 wrote:
> Actually, the subcontext searching part seems to work just fine with this OES2SP3 CIFS version when enabled (whereas on NetWare we have to list each and every context). But in our case, the alias object and the real user object are in fact in the same container, so that shouldn't be the issue.

Erm, what? What's the point of that? Usually folks use aliases to avoid people having to walk the tree to their container, but that's obviously not the case here ...

Andrew C Taubman (Sorry, support is not provided via e-mail) Opinions expressed above are not necessarily those of Micro Focus.
MStatman Contributor.

Re: CIFS and user aliases

ataubman;2129057 wrote:
> Erm, what? What's the point of that? Usually folks use aliases to avoid people having to walk the tree to their container, but that's obviously not the case here ...


Not that it affects the issue at hand (the change of functionality on OES2 vs NetWare) but a fair question nonetheless...
We're in the process of absorbing another company. Our original company has user naming convention FLast. The new company's naming convention is X12345, and they use AD. For transition, we create a new userid for the absorbed employee as FLast, give it a GroupWise account, etc. The reason for the alias is that the workstation remains in the separate AD domain, no NCP client. The user logs in locally (and to their domain) as X12345. We want them to be able to map via CIFS to a corporate-wide shared directory. So we create the alias (X12345) in the same container, this way the workstation can do a persistent 'net use' and not get prompted again for credentials.
Bob-O-Rama
Visitor.

Re: CIFS and user aliases

OK, I believe, for your case, that Novell has a fix for this, but you will need to open an SR to get whatever patches they have. I'll inquire. For some customers this is uber-critical and so the effort is worth it. For others it is an annoyance and can be worked around. In our case we flatten our legacy tree via aliases - so sort of a mess... but most of our clients use NCP / Windows client - so no big deal.

-- Bob
MStatman Contributor.

Re: CIFS and user aliases

Thanks Bob. We have an SR open. In the meantime, tried to reproduce the issue with OES11 Beta3.6, and there we get the desired results, i.e., authentication using the alias works just fine. So perhaps they can back-port the fix to OES2.
Bob-O-Rama
Visitor.

Re: CIFS and user aliases

I believe that is the plan. But without Novell committing to that plan in public, it's all rather malleable. Your engineer can update you with what the real plan is.

-- Bob
MStatman Contributor.

Re: CIFS and user aliases

Oops, spoke too soon... Added a second server to the OES11 test tree and removed its replica, which better approximates our production environment... and then unable to authenticate CIFS to that server using an alias, get the same errors as above. Partition the test tree, add a replica of the partition containing the test user and alias, then successful authentication. Also works if the replica is read-only.
Knowledge Partner

Re: CIFS and user aliases

On 22/08/2011 21:16, mstatman wrote:

> Oops, spoke too soon... Added a second server to the OES11 test tree
> and removed its replica, which better approximates our production
> environment... and then unable to authenticate CIFS to that server
> using an alias, get the same errors as above. Partition the test tree,
> add a replica of the partition containing the test user and alias, then
> successful authentication. Also works if the replica is read-only.


If you have access to OES11 beta code then I'll assume you are an
authorised beta tester in which case you should not be discussing it
publicly and instead should post issues to the OES11 beta forums to
which you should have access.
--
Simon
Novell Knowledge Partner (NKP)
