[Samba] CentOS update broke Samba

Alex Moen alexm at ndtel.com
Sat Oct 19 20:28:42 UTC 2019



On 10/19/19 2:57 PM, Rowland penny via samba wrote:
> On 19/10/2019 20:18, Alex Moen via samba wrote:
>> Running CentOS Linux release 7.7.1908. Have Samba running as our fileserver on our (mostly) Windows network.   Ran my "normal" yum updates today, and Samba was upgraded (last updates were on 8/10/2019).  I was on 4.8.3 before; now it's 4.9.1:
>>
>>     Updated samba-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-client-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-client-libs-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-common-4.8.3-6.el7_6.noarch @updates
>>     Updated samba-common-libs-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-common-tools-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-libs-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-winbind-4.8.3-6.el7_6.x86_64 @updates
>>     Updated samba-winbind-modules-4.8.3-6.el7_6.x86_64 @updates
>>
>> samba-4.9.1-6.el7.x86_64                      Sat 19 Oct 2019 09:43:13 AM CDT
>> samba-winbind-4.9.1-6.el7.x86_64              Sat 19 Oct 2019 09:43:00 AM CDT
>> samba-client-4.9.1-6.el7.x86_64               Sat 19 Oct 2019 09:43:00 AM CDT
>> samba-winbind-modules-4.9.1-6.el7.x86_64      Sat 19 Oct 2019 09:42:29 AM CDT
>> samba-common-tools-4.9.1-6.el7.x86_64         Sat 19 Oct 2019 09:40:54 AM CDT
>> samba-libs-4.9.1-6.el7.x86_64                 Sat 19 Oct 2019 09:40:53 AM CDT
>> samba-client-libs-4.9.1-6.el7.x86_64          Sat 19 Oct 2019 09:40:52 AM CDT
>> samba-common-libs-4.9.1-6.el7.x86_64          Sat 19 Oct 2019 09:40:51 AM CDT
>> samba-common-4.9.1-6.el7.noarch               Sat 19 Oct 2019 09:40:51 AM CDT
>>
>> Initially, smbd wouldn't even start.  nmbd and winbind were fine, but smbd was spouting an error about "nobody is a group name" and "Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED! Can Winbind allocate gids?"
>>
>> After lots of googling, I finally got the process to start properly, and (from the limited testing I can do on Saturdays) Windows clients can connect (this is the only Samba/CIFS server on the network). (FFR: I added the "username map script" and the two "idmap config A36561" stanzas in the smb.conf file below to get smbd restarted.  I also needed to create a new guest user, and add "guest account = guest".) However, my Linux clients are not able to connect using CIFS.  I am encountering the following errors in the log file for the Linux PC:
>>
>> "gensec_spnego_server_negTokenTarg_step: SPNEGO(ntlmssp) login failed: NT_STATUS_NO_SUCH_USER"
>> "NT error packet at ../source3/smbd/sesssetup.c(247) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE"
>>
>> even though, earlier in the log file, I have this (encouraging) entry:
>>
>> "Auth: [SMB,(null)] user [A36561]\[alexm] at [Sat, 19 Oct 2019 13:58:12.577574 CDT] with [NTLMv2] status [NT_STATUS_NO_SUCH_USER] workstation [ALEXM-SURFACE-PRO] remote host [ipv4:192.168.254.191:56314] mapped to [A36561]\[alexm]. local host [ipv4:192.168.255.5:445]"
>>
>> So, my usermap seems to be working, as my login should be alexm.
>>
>> I have been working on this for four hours now, and am completely out of ideas.
>>
>> smb.conf:
>> # Global parameters
>> [global]
>>         interfaces = lo eno16780032
>>         netbios name = NDTC-FS
>>         server string = NDTC File Server 2017
>>         #server max protocol = SMB2
>>         workgroup = A36561
>>         domain master = Yes
>>         preferred master = yes
>>         local master = yes
>>         ldap admin dn = cn=admin,o=ndtc
>>         ldap passwd sync = yes
>>         ldap ssl = no
>>         ldap suffix = ou=ndtel,o=ndtc
>>         ldap debug level = 1
>>         ldap debug threshold = 5
>>         log file = /var/log/samba/log.%m
>>         log level = 3
>>         max log size = 50000
>>         domain logons = Yes
>>         nt pipe support = No
>>         lanman auth = Yes
>>         passdb backend = ldapsam:"ldap://66.163.128.204"
>>         security = user
>>         guest account = guest
>>         username map = /etc/samba/usermap.txt
>>         username map script = /bin/echo
>>         wins support = Yes
>>         idmap config * : backend = tdb
>>         idmap config * : range = 1000000-1999999
>>         idmap config A36561 : backend = autorib
>>         idmap config A36561 : range = 2000000-4000000
>>         cups options = raw
>>         ntlm auth = yes
>>
>> [homes]
>>         comment = Home Directories
>>         browseable = No
>>         read only = No
>>
>> [groups]
>>         comment = Group Directories
>>         path = /cust/ndtel/groups
>>         blocking locks = No
>>         force create mode = 0660
>>         force directory mode = 0770
>>         read only = No
>>
>> [officeview]
>>         comment = The Office View
>>         path = /cust/ndtel/officeview
>>         force create mode = 0777
>>         force directory mode = 0777
>>         guest ok = Yes
>>         read only = No
>>         write list = +users
>>
>> [docvault]
>>         comment = Document Vault
>>         path = /cust/ndtel/groups/business/docvault
>>         browseable = No
>>         force create mode = 0777
>>         force directory mode = 0777
>>         force group = +business
>>         read only = No
>>         write list = +business
>>
>> [share]
>>         comment = Share space
>>         path = /cust/ndtel/share
>>         force create mode = 0777
>>         force directory mode = 0777
>>         guest ok = Yes
>>         read only = No
>>         write list = +users
>>
>> [archive]
>>         comment = Archive area
>>         path = /archive
>>         force create mode = 0777
>>         force directory mode = 0777
>>         force group = +internet
>>         read only = no
>>         write list = +internet
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/spool/samba
>>         browseable = No
>>         printable = Yes
>>
>>
>>
>>
> First a few comments about your smb.conf:
> 
> nt pipe support = No
> 
> You really shouldn't set the above line.
> 
> Is there a Unix user called 'guest' ?
> 
> Having said that, there isn't much point in having the 'guest account' and the 'guest ok = yes' lines, because you haven't set 'map to guest = bad user', so you will not have guest access.
> 
> You also seem to have a typo 'backend = autorib' should be 'backend = autorid'
> 
> Finally, to fix your main problem, check if winbind is running.
> 
> Rowland


This config has been brought forward for around 15 years.  So, I wonder if some of this isn't legacy stuff.

I took the "nt pipe support" line out.  And, I fixed the typo (though, it's really strange that it seemed to fix the issue previously...)

Guest account: There isn't a Unix user per se, but there is an LDAP user named guest that I created for this purpose...  I don't really want guest access.  Again, something legacy?

As far as I can tell, winbind is running:

[root@ndtc-fs ~]# systemctl status winbind
● winbind.service - Samba Winbind Daemon
    Loaded: loaded (/usr/lib/systemd/system/winbind.service; enabled; vendor preset: disabled)
    Active: active (running) since Sat 2019-10-19 15:19:55 CDT; 2min 17s ago
      Docs: man:winbindd(8)
            man:samba(7)
            man:smb.conf(5)
  Main PID: 7460 (winbindd)
    Status: "winbindd: ready to serve connections..."
    CGroup: /system.slice/winbind.service
            ├─7460 /usr/sbin/winbindd --foreground --no-process-group
            ├─7498 /usr/sbin/winbindd --foreground --no-process-group
            ├─7499 /usr/sbin/winbindd --foreground --no-process-group
            └─7547 /usr/sbin/winbindd --foreground --no-process-group

Oct 19 15:19:54 ndtc-fs systemd[1]: Stopped Samba Winbind Daemon.
Oct 19 15:19:54 ndtc-fs systemd[1]: Starting Samba Winbind Daemon...
Oct 19 15:19:55 ndtc-fs winbindd[7460]: [2019/10/19 15:19:55.019096,  0] ../source3/winbindd/winbindd_cache.c:3160(init...cache)
Oct 19 15:19:55 ndtc-fs winbindd[7460]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Oct 19 15:19:55 ndtc-fs winbindd[7460]: [2019/10/19 15:19:55.024290,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Oct 19 15:19:55 ndtc-fs systemd[1]: Started Samba Winbind Daemon.
Oct 19 15:19:55 ndtc-fs winbindd[7460]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serv...ctions
Oct 19 15:20:23 ndtc-fs winbindd[7499]: [2019/10/19 15:20:23.939396,  0] ../source3/winbindd/idmap_autorid.c:822(idmap_...alize)
Oct 19 15:20:23 ndtc-fs winbindd[7499]:   idmap_autorid_initialize: Error: autorid configured for domain 'a36561'. But ...ation.
Hint: Some lines were ellipsized, use -l to show in full.

As well as SMB and NMB:

[root@ndtc-fs ~]# systemctl status nmb
● nmb.service - Samba NMB Daemon
    Loaded: loaded (/usr/lib/systemd/system/nmb.service; enabled; vendor preset: disabled)
    Active: active (running) since Sat 2019-10-19 15:20:19 CDT; 2min 3s ago
      Docs: man:nmbd(8)
            man:samba(7)
            man:smb.conf(5)
  Main PID: 7483 (nmbd)
    Status: "nmbd: ready to serve connections..."
    CGroup: /system.slice/nmb.service
            ├─7483 /usr/sbin/nmbd --foreground --no-process-group
            └─7484 /usr/sbin/nmbd --foreground --no-process-group

Oct 19 15:20:27 ndtc-fs nmbd[7483]:
Oct 19 15:20:27 ndtc-fs nmbd[7483]:   Samba server NDTC-FS is now a domain master browser for workgroup A36561 on subne...8.255.5
Oct 19 15:20:27 ndtc-fs nmbd[7483]:
Oct 19 15:20:27 ndtc-fs nmbd[7483]:   *****
Oct 19 15:20:42 ndtc-fs nmbd[7483]: [2019/10/19 15:20:42.367309,  0] ../source3/nmbd/nmbd_become_lmb.c:397(become_local...stage2)
Oct 19 15:20:42 ndtc-fs nmbd[7483]:   *****
Oct 19 15:20:42 ndtc-fs nmbd[7483]:
Oct 19 15:20:42 ndtc-fs nmbd[7483]:   Samba name server NDTC-FS is now a local master browser for workgroup A36561 on s...8.255.5
Oct 19 15:20:42 ndtc-fs nmbd[7483]:
Oct 19 15:20:42 ndtc-fs nmbd[7483]:   *****
Hint: Some lines were ellipsized, use -l to show in full.

[root@ndtc-fs ~]# systemctl status sm
● smb.service - Samba SMB Daemon
    Loaded: loaded (/usr/lib/systemd/system/smb.service; enabled; vendor preset: disabled)
    Active: active (running) since Sat 2019-10-19 15:20:23 CDT; 2min 4s ago
      Docs: man:smbd(8)
            man:samba(7)
            man:smb.conf(5)
  Main PID: 7493 (smbd)
    Status: "smbd: ready to serve connections..."
    CGroup: /system.slice/smb.service
            ├─7493 /usr/sbin/smbd --foreground --no-process-group
            ├─7495 /usr/sbin/smbd --foreground --no-process-group
            ├─7496 /usr/sbin/smbd --foreground --no-process-group
            ├─7500 /usr/sbin/smbd --foreground --no-process-group
            ├─7502 /usr/sbin/smbd --foreground --no-process-group
            ├─7508 /usr/sbin/smbd --foreground --no-process-group
            ├─7510 /usr/sbin/smbd --foreground --no-process-group
            └─7512 /usr/sbin/smbd --foreground --no-process-group

Oct 19 15:20:23 ndtc-fs systemd[1]: Stopped Samba SMB Daemon.
Oct 19 15:20:23 ndtc-fs systemd[1]: Starting Samba SMB Daemon...
Oct 19 15:20:23 ndtc-fs smbd[7493]: [2019/10/19 15:20:23.953291,  0] ../lib/util/become_daemon.c:138(daemon_ready)
Oct 19 15:20:23 ndtc-fs systemd[1]: Started Samba SMB Daemon.
Oct 19 15:20:23 ndtc-fs smbd[7493]:   daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve connections

I still cannot connect with Linux machines.  It's really not that big of a deal (since I can use SSH/SFTP), but I just am concerned that there may be other issues if it isn't "fully functional", and that other clients may be affected.

Thanks,

Alex
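
The three smb.conf points raised in Rowland's reply (the 'nt pipe support' line, the mistyped idmap backend, and 'guest ok' shares without 'map to guest'), expressed as an automated check. This is an added example, not part of the original thread and not Samba's own tooling; the function names, finding codes and sample text are constructed for illustration, and the parser only lowercases names and collapses whitespace rather than reproducing every smb.conf parsing rule.

```python
import re

# Constructed sample: a subset of the smb.conf quoted in the thread.
SAMPLE_CONF = """\
[global]
        nt pipe support = No
        idmap config * : backend = tdb
        idmap config A36561 : backend = autorib

[share]
        guest ok = Yes
"""

# idmap backends shipped with Samba (each has an idmap_<name>(8) man page).
KNOWN_IDMAP_BACKENDS = {"ad", "autorid", "hash", "ldap", "nss", "rfc2307",
                        "rid", "script", "tdb", "tdb2"}

def parse_smb_conf(text):
    """Return {section: {param: value}}, names lowercased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def is_true(value):
    return value.strip().lower() in {"yes", "true", "on", "1"}

def lint(text):
    """Return (code, detail) findings for the three points raised in the reply."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    if "nt pipe support" in glob and not is_true(glob["nt pipe support"]):
        findings.append(("nt-pipe-support", "[global] disables nt pipe support"))
    for key, value in glob.items():
        m = re.fullmatch(r"idmap config (.+?) ?: ?backend", key)
        if m and value.split(":")[0].lower() not in KNOWN_IDMAP_BACKENDS:
            findings.append(("idmap-backend", f"{m.group(1)}: unknown backend '{value}'"))
    guest_shares = sorted(name for name, params in conf.items()
                          if name != "global" and is_true(params.get("guest ok", "no")))
    # 'map to guest' defaults to Never, so 'guest ok' shares get no guest sessions.
    if guest_shares and glob.get("map to guest", "never").lower() == "never":
        findings.append(("guest-unreachable", ", ".join(guest_shares)))
    return findings

print(*lint(SAMPLE_CONF), sep="\n")  # findings for the constructed sample
```

Domain names in the findings appear lowercased because the parser lowercases parameter names before matching.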




