Popp, Casey A SGT USARMY NG NEARNG (US) casey.a.popp.mil at mail.mil
Wed Jan 16 14:30:07 MST 2013

Hello, I have an issue that I can't sort out.

Issue: Just applied the latest round of patches that brought me up to this
Samba version and
suddenly end-users are being prompted for authentication when attempting to
access shares
on this CentOS box from their Windows Vista, 7x86, and 7x64 workstations.

Problem: I am new to Samba and seem to not be connecting the dots

Layer 1: I can ping local host, Samba server name and IP from the Samba
Server and from a Win7x64 client

Here is my research and observations:

1. cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.9 (Tikanga)


2. smbstatus
Samba version 3.6.6-0.129.el5


3. There are no permission problems on the shared directories nor the parent


4. (Symptom) There is an apparent group ownership problem on the shares.
Where it used to resolve the
  active directory security group, now there is only a numerical string.
Attempting to reassign the
  proper group ownership fails as follows:

4a. ll | grep 12345

drwxrwxrwx  4 comp          1488701  4096 Jan 31  2006 12345

4b. chown -R comp:orrfo12345 12345

chown: `comp:orrfo12345': invalid group

4c. Ok, this is a big problem but what is causing it?


5. From the server hosting Samba, I looked to see if it could resolve the
groups. (A Factor) One concern
   regarding this process is that we collapsed into a much larger domain
about a year ago. As a result,
   what is retrieved for a data set is rather large. Also, it takes some
time. That is why I grep in the

5a. wbinfo -g | grep -i ORRFO
5b. getent group OR+ORRFO12345 | awk -F: '{print $4}' | sed 's/OR+//g' | sed

5c. Both commands return a valid list after several seconds


6. Checking the winbind user:

6a. net help getauthuser

6b. The command returns the credentials of an active directory account that
is present, unlocked, and set
    with the correct password.


7. Checking if it can resolve the domain controller

7a. wbinfo -I IPAddrOfDC

7b. It resolves correctly


8. Check to see if it can get the SID of the winbind user

8a. wbinfo -n OR+linux.samba.svc

8b. The command returns the SID


9. Checked on services

9a. wbinfo -p

Ping to winbindd succeeded

9b. wbinfo -t

checking the trust secret for domain OR via RPC calls succeeded

9c. service --status-all | egrep "winbindd|nmbd|smbd"

nmbd (pid 15246) is running...

smbd (pid 28397 26486 21186 20942 20941 20940 20939 20938 20937 
20936 20935 20934 20933 20930 20929 20927 20926 20925 20924 20923 
20922 20921 20920 20917 20916 18027 14885 14878 6418) is running...

winbindd (pid 9208 9187 9185 9184 9182) is running...

9d. wbinfo --online-status
BUILTIN : online
OR-CENTSAMBA-01 : online
OR : online

9e. (Problem) Not sure if it is an issue but nmbd was not started initially.
    The results above come after having started it.


10. Verifying smb.conf. I cut out all but one of the shares to keep it
simple. The allow connections section
    was also trimmed but all were ok.

10a. testparm /etc/samba/smb.conf MyWorkstationName MyWorkstationIP

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[12345]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the
'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Allow connection from MyWorkstationName (MyWorkstationIP) to 12345

10b. (Don't Know) I am not sure if these warnings had been on the system
before or 
     if they are the result of patching.


11. I created a new user on the Samba server and added it to smbusers. A
    named account exists on another CentOS server that rides the backbone. I
am able to
    access the directories from that server using without being prompted for

11a. smb://OR-CENTSAMBA-01


12. I checked the time on the DC against that on the Samba server and they
are within seconds.


13. I refreshed the Kerberos ticket. It is good.


14. (Problem) Here is one I can't explain. I came across this as a check
but never found what to
    do if this didn't work.

14a. smbclient -L localhost

WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Enter root's password:
Connection to localhost failed (Error NT_STATUS_CONNECTION_REFUSED)


15. Here is my smb.conf

15b. more /etc/samba/smb.conf

[global]
        workgroup = OR
        realm = OR.SOME.THING.COM
        netbios name = OR-CENTSAMBA-01
        server string = OR Cent Samba
        interfaces = MyServerIP
        bind interfaces only = Yes
        security = ADS
        client schannel = No
        allow trusted domains = No
        password server = IPforDC1 IPforDC2
        syslog = 0
        ;log level = 10
        log file = /var/log/samba/log.%m
        max log size = 20480
        ;socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        server signing = auto
        ;client use spnego = No
        local master = No
        domain master = No
        dns proxy = No
        wins server = IPforWINSsvr1 IPforWINSsvr2
        name resolve order = host wins bcast
        pid directory = /var/run/samba
        idmap backend = rid:OR=1000000-3000000
        idmap uid = 1000000-3000000
        idmap gid = 1000000-3000000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind offline logon = false
        read only = No
        hosts allow = hostname, octet1.octet2., 127.
        short preserve case = No
        veto oplock files = /*.xls/
        dos filetime resolution = Yes

################## SHARE DEFINITIONS

[12345]
comment =  12345
valid users =  @OR+ORRFO12345
path = /parent/12345
public = no
writeable = yes
force group = @OR+ORRFO12345

; share name not preserved in the post; placeholder section header
[TestShareName]
   comment = Test Share
   valid users =  "@OR+SecGrpName"
   path = /parent/test
   public = no
   writeable = yes
   force group = "@OR+SecGrpName"
   create mask = 0770
   directory mask = 0770

; share name not preserved in the post; placeholder section header
[PDFShareName]
comment = PDF Generator
valid users = @OR+"Domain Users"
printing = sysv
path = /var/spool/samba
printable = yes
print command = /usr/sbin/pdfprint %s %U %I %a
lpq command = #
lprm command = #
lppause command = #
lpresume command = #
queuepause command = #
queueresume command = #
use client driver = yes

; share name not preserved in the post; placeholder section header
[TIFFShareName]
comment = TIFF Generator
valid users = @OR+"Domain Users"
printing = sysv
path = /var/spool/samba
printable = yes
print command = /usr/sbin/tiffprint %s %U %I %a
lpq command = #
lprm command = #
lppause command = #
lpresume command = #
queuepause command = #
queueresume command = #
use client driver = yes

15c. I have validated that the first listed Wins server is online and that
it contains the following active records


15d. All of the shares prompt for authentication


16. Latest patches that might fit into the time frame when this was first

16a. cat /var/log/yum.log | egrep "winbind|nmb|smb|samba"

Jan 11 09:33:45 Updated: samba3x-winbind-3.6.6-0.129.el5.i386
Jan 11 09:33:49 Updated: samba3x-common-3.6.6-0.129.el5.i386
Jan 11 09:33:52 Updated: samba3x-doc-3.6.6-0.129.el5.i386
Jan 11 09:33:52 Updated: samba3x-winbind-devel-3.6.6-0.129.el5.i386
Jan 11 09:33:56 Updated: samba3x-3.6.6-0.129.el5.i386
Jan 11 09:34:02 Updated: samba3x-client-3.6.6-0.129.el5.i386


So, the big thing I see is that I can access AD from the Samba server and
query, however, whatever is supposed to be resolving the group names on the
shares is not working. I am left to assume that this is the cause for the auth
prompts on windows explorer on the windows client PCs as well. But what
mechanism is it?



