[Samba] AD Member setup broken after samba upgrade
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 5 13:30:33 UTC 2022
Hi,
Then I would like to see the complete config.
Can you run this script and post the content to the list?
Anonymize where needed.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
All I can see that's off in the logs is this part.
> >> [2022/04/05 13:18:28.812920, 1]
> >> ../../source3/auth/token_util.c:1089(create_token_from_sid)
> >> sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
> >> [2022/04/05 13:18:28.812986, 3]
> >> ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
> >> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> >> status[NT_STATUS_LOGON_FAILURE] || at
> >> ../../source3/smbd/smb2_sesssetup.c:146
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Thibault Roulet via samba
> Sent: Tuesday 5 April 2022 15:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Member setup broken after samba upgrade
>
> Hi,
>
> It's not working either.
>
> Best
>
> On 4/5/22 14:41, L.P.H. van Belle via samba wrote:
> > Try it again with adding in [Global]
> >
> > min domain uid = 0
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> >> Thibault Roulet via samba
> >> Sent: Tuesday 5 April 2022 14:05
> >> To: samba at lists.samba.org
> >> Subject: [Samba] AD Member setup broken after samba upgrade
> >>
> >> Hi all,
> >>
> >> I'm a bit lost in a samba setup which turned bad after an upgrade.
> >> Everything was working fine when running samba 2:4.13.5+dfsg-2 and it
> >> broke my setup after upgrade to 2:4.13.13+dfsg-1~deb11u3.
> >>
> >> The server is running an up-to-date Debian stable and configured as a
> >> domain member only.
> >> - samba 4.13.13+dfsg-1~deb11u3
> >> - winbind 4.13.13+dfsg-1~deb11u3
> >> - libnss-winbind 4.13.13+dfsg-1~deb11u3
> >>
> >> Kerberos is correctly configured and the machine has been linked to the
> >> domain using net ads join.
> >>
> >> All the domain controllers of the domain are running Windows Server.
> >>
> >>
> >> ## SMB conf file ##
> >>
> >> [global]
> >> client signing = required
> >> deadtime = 30
> >> dedicated keytab file = /etc/krb5.keytab
> >> disable spoolss = Yes
> >> dns proxy = No
> >> domain master = No
> >> kerberos method = secrets and keytab
> >> load printers = No
> >> local master = No
> >> log file = /var/log/samba/log.%I
> >> max log size = 3000
> >> panic action = /usr/share/samba/panic-action %d
> >> password server = AD1.DOMAIN.MYDOMAIN.ORG
> >> realm = DOMAIN.MYDOMAIN.ORG
> >> security = ADS
> >> server min protocol = SMB2
> >> server signing = required
> >> server string = srv.MYDOMAIN.ORG
> >> template homedir = /home/%U
> >> template shell = /bin/bash
> >> username map = /etc/samba/smbusers
> >> username map script = /bin/echo
> >> usershare allow guests = Yes
> >> winbind use default domain = Yes
> >> wins server = 123.123.1.2
> >> workgroup = DOMAIN
> >> idmap config DOMAIN:unix_primary_group = no
> >> idmap config DOMAIN:unix_nss_info = no
> >> idmap config DOMAIN:range = 9000 - 90000000
> >> idmap config DOMAIN:backend = ad
> >> idmap config INTRANET:schema_mode = rfc2307
> >> idmap config * : range = 3000 - 8500
> >> idmap config * : backend = tdb
> >> hosts allow = 123.123. 127. 10.95.
> >>
> >>
> >> ## nsswitch.conf ##
> >> passwd: compat winbind ldap systemd
> >> group: compat winbind ldap systemd
> >>
> >>
> >> ## SMB LOGS ##
> >>
> >> When connecting to the share from Windows or Linux, I get this result
> >> and can't enter the shared folder.
> >>
> >> [2022/04/05 13:18:28.795040, 3]
> >> ../../auth/ntlmssp/ntlmssp_server.c:509(ntlmssp_server_preauth)
> >> Got user=[myuser] domain=[mydomain] workstation=[machine]
> >> len1=0 len2=142
> >> [2022/04/05 13:18:28.800143, 3]
> >> ../../source3/auth/user_util.c:353(map_username)
> >> Mapped user myuser to myuser
> >> [2022/04/05 13:18:28.800228, 3]
> >> ../../source3/auth/auth.c:200(auth_check_ntlm_password)
> >> check_ntlm_password: Checking password for unmapped user
> >> [mydomain]\[myuser]@[machine] with the new password interface
> >> [2022/04/05 13:18:28.800254, 3]
> >> ../../source3/auth/auth.c:203(auth_check_ntlm_password)
> >> check_ntlm_password: mapped user is: [mydomain]\[myuser]@[machine]
> >> [2022/04/05 13:18:28.810026, 3]
> >> ../../source3/auth/user_util.c:353(map_username)
> >> Mapped user mydomain\myuser to mydomain\myuser
> >> [2022/04/05 13:18:28.810155, 3]
> >> ../../source3/auth/auth.c:267(auth_check_ntlm_password)
> >> auth_check_ntlm_password: winbind authentication for user [myuser]
> >> succeeded
> >> [2022/04/05 13:18:28.810264, 3]
> >> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >> Auth: [SMB2,(null)] user [mydomain]\[myuser] at [Tue, 05 Apr 2022
> >> 13:18:28.810236 CEST] with [NTLMv2] status [NT_STATUS_OK] workstation
> >> [machine] remote host [ipv4:123.123.157.16:50120] became
> >> [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
> >> local host [ipv4:123.123.241.3:445]
> >> {"timestamp": "2022-04-05T13:18:28.810420+0200", "type":
> >> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> >> 2}, "eventId": 4624, "logonId": "0", "logonType": 3, "status":
> >> "NT_STATUS_OK", "localAddress": "ipv4:123.123.241.3:445",
> >> "remoteAddress": "ipv4:123.123.157.16:50120", "serviceDescription":
> >> "SMB2", "authDescription": null, "clientDomain": "mydomain",
> >> "clientAccount": "myuser", "workstation": "machine", "becameAccount":
> >> "myuser", "becameDomain": "mydomain", "becameSid":
> >> "S-1-5-21-12345678-123456789-112233445-142182", "mappedAccount":
> >> "myuser", "mappedDomain": "mydomain", "netlogonComputer": null,
> >> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> >> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> >> "passwordType": "NTLMv2", "duration": 16317}}
> >> [2022/04/05 13:18:28.810490, 2]
> >> ../../source3/auth/auth.c:323(auth_check_ntlm_password)
> >> check_ntlm_password: authentication for user [myuser] -> [myuser] ->
> >> [mydomain\myuser] succeeded
> >>
> >>
> >> [2022/04/05 13:18:28.812094, 3]
> >> ../../auth/ntlmssp/ntlmssp_sign.c:623(ntlmssp_sign_reset)
> >> NTLMSSP Sign/Seal - Initialising with flags:
> >> [2022/04/05 13:18:28.812115, 3]
> >> ../../auth/ntlmssp/ntlmssp_util.c:72(debug_ntlmssp_flags)
> >> Got NTLMSSP neg_flags=0xe2088235
> >> [2022/04/05 13:18:28.812920, 1]
> >> ../../source3/auth/token_util.c:1089(create_token_from_sid)
> >> sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
> >> [2022/04/05 13:18:28.812986, 3]
> >> ../../source3/smbd/smb2_server.c:3861(smbd_smb2_request_error_ex)
> >> smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1]
> >> status[NT_STATUS_LOGON_FAILURE] || at
> >> ../../source3/smbd/smb2_sesssetup.c:146
> >>
> >> ==> log.wb-mydomain <==
> >> [2022/04/05 13:18:28.801106, 3]
> >> ../../source3/winbindd/winbindd_pam.c:2698(winbindd_dual_pam_auth_crap)
> >> [ 7141]: pam auth crap domain: mydomain user: myuser
> >> [2022/04/05 13:18:28.804698, 3]
> >> ../../auth/auth_log.c:635(log_authentication_event_human_readable)
> >> Auth: [winbind,NTLM_AUTH, smbd, 7141] user [mydomain]\[myuser] at
> >> [Tue, 05 Apr 2022 13:18:28.804672 CEST] with [NTLMv2] status
> >> [NT_STATUS_OK] workstation [sbitpc23] remote host [unix:] became
> >> [mydomain]\[myuser] [S-1-5-21-12345678-123456789-112233445-142182].
> >> local host [unix:]
> >> {"timestamp": "2022-04-05T13:18:28.804766+0200", "type":
> >> "Authentication", "Authentication": {"version": {"major": 1, "minor":
> >> 2}, "eventId": 4624, "logonId": "123d123fbfb6d8dd", "logonType": 3,
> >> "status": "NT_STATUS_OK", "localAddress": "unix:", "remoteAddress":
> >> "unix:", "serviceDescription": "winbind", "authDescription": "NTLM_AUTH,
> >> smbd, 7141", "clientDomain": "mydomain", "clientAccount": "myuser",
> >> "workstation": "sbitpc23", "becameAccount": "myuser", "becameDomain":
> >> "mydomain", "becameSid": "S-1-5-21-12345678-123456789-112233445-142182",
> >> "mappedAccount": null, "mappedDomain": null, "netlogonComputer": null,
> >> "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000",
> >> "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null,
> >> "passwordType": "NTLMv2", "duration": 3685}}
> >>
> >> I did a lot of tests and could finally "fix" the issue by switching
> >> idmap config DOMAIN:backend = ad
> >> to
> >> idmap config DOMAIN:backend = rid
> >>
> >> But then it obviously killed all my UID/GID mappings.
> >>
> >> I can't understand what's wrong in this setup and why the AD backend is
> >> suddenly not working after this smb upgrade. When I roll back to the
> >> prior version, everything comes back as normal.
> >>
> >> It looks like I have the same issue on a CentOS 7 server where I could
> >> roll back samba before finding a working solution.
> >>
> >> Any advice would be nice, thanks in advance!
> >>
> >> --
> >>
> >> Thibault
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> --
> Thibault Roulet
> Linux system engineer
> EPFL - ISIC-GE - BCH 1212
> T: +41 21 69 39397
>
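As an added example (not code from this thread or from the Samba project), the script below reads the idmap block and the failing log line quoted above and reports the two things a defender would check first: idmap domains whose options cannot take effect because that domain has no backend of its own (INTRANET here only has schema_mode), and which built-in group the failing sid_to_gid() refers to (RID 513 is Domain Users, the default primary group, which with backend = ad must carry a gidNumber inside the configured range). The SMB_CONF and LOG strings are constructed from the excerpts in the thread.

```python
"""Triage the smb.conf idmap block and log excerpt posted above.
Added example, not Samba code; config/log text copied from the thread."""
import re

SMB_CONF = """
idmap config DOMAIN:unix_primary_group = no
idmap config DOMAIN:unix_nss_info = no
idmap config DOMAIN:range = 9000 - 90000000
idmap config DOMAIN:backend = ad
idmap config INTRANET:schema_mode = rfc2307
idmap config * : range = 3000 - 8500
idmap config * : backend = tdb
"""
LOG = """
[2022/04/05 13:18:28.812920, 1] ../../source3/auth/token_util.c:1089(create_token_from_sid)
  sid_to_gid(S-1-5-21-12345678-123456789-112233445-513) failed
"""
# Well-known RIDs of built-in AD groups (fixed by the directory schema).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
FAIL_RE = re.compile(r"sid_to_gid\((S-1-5-21-\d+-\d+-\d+)-(\d+)\) failed")

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for dom, key, val in IDMAP_RE.findall(conf):
        domains.setdefault(dom, {})[key] = val
    return domains

def check_idmap(domains):
    """Options on an idmap domain that has no backend of its own do nothing."""
    problems = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: {sorted(opts)} set but no backend")
        elif "range" not in opts:
            problems.append(f"{dom}: backend {opts['backend']} without a range")
    return problems

def failed_group_mappings(log):
    """(domain SID, RID, group name) for every sid_to_gid failure in the log."""
    return [(dsid, int(rid), WELL_KNOWN_RIDS.get(int(rid), "unknown RID"))
            for dsid, rid in FAIL_RE.findall(log)]

if __name__ == "__main__":
    for p in check_idmap(parse_idmap(SMB_CONF)):
        print("idmap:", p)
    for dsid, rid, name in failed_group_mappings(LOG):
        print(f"{name} (RID {rid}) in {dsid} has no gid: with backend = ad it needs a gidNumber in range")
```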